2.3 Azure ExpressRoute

📘Microsoft Azure Networking Solutions (AZ-700)

1️⃣ Azure Private Peering

What Is Azure Private Peering?

Azure Private Peering allows you to connect your on-premises network directly to your Azure virtual networks (VNets) over ExpressRoute.

It is used for private Azure resources.

This traffic does NOT go over the public internet.

What Services Use Azure Private Peering?

You use Private Peering to access:

Azure Virtual Machines (VMs)
Azure Virtual Network (VNet)
Azure Kubernetes Service (AKS) with private IP
Internal Load Balancers
Private Endpoints
Azure SQL Database (when using Private Endpoint)
Azure Storage (via Private Endpoint)
Any service deployed inside a VNet

In simple terms:

👉 If the service is deployed inside a VNet, you use Private Peering.

Key Technical Details (Exam Important)

1. IP Address Requirements

You must use private IP addresses
No overlapping IP ranges between:
- On-premises network
- Azure VNet
RFC1918 private address space is typically used.

2. BGP Configuration

ExpressRoute uses BGP (Border Gateway Protocol)
You must configure:
- ASN (Autonomous System Number)
- Primary and Secondary subnets for BGP
Microsoft provides two IPs (for high availability)

3. High Availability

Each ExpressRoute circuit has:

Two Microsoft Enterprise Edge (MSEE) routers
Primary and secondary connections
Active-active design

Private Peering automatically provides redundancy.

4. Routing Behavior

Azure advertises VNet prefixes to on-premises.
On-premises advertises its routes to Azure.
Route filtering and route summarization are recommended for scalability.

When to Choose Azure Private Peering

Choose Private Peering when:

You want private connectivity to Azure workloads.
You are extending your internal data center network to Azure.
You need secure hybrid connectivity.
You are using Private Endpoints.
You want traffic to stay fully private.

2️⃣ Microsoft Peering

What Is Microsoft Peering?

Microsoft Peering allows you to connect to Microsoft public services over ExpressRoute.

These services are not deployed inside your VNet.

They are Microsoft SaaS or PaaS services that normally use public endpoints.

What Services Use Microsoft Peering?

Examples include:

Microsoft 365
Azure Storage (public endpoint)
Azure SQL Database (public endpoint)
Dynamics 365
Azure DevOps

If the service has a public IP address and is not inside your VNet, it uses Microsoft Peering.

Important Clarification (Very Important for Exam)

Even though the services use public IP addresses, the traffic:

Does NOT go through the public internet.
Travels over the ExpressRoute private connection.
Is still secure and private.

This is a common exam trick.

Key Technical Details (Exam Important)

1. Public IP Requirement

You must own public IP addresses
These must be registered to your organization
NAT (Network Address Translation) is required

2. Route Filtering

To access Microsoft services, you must:

Create a Route Filter
Select the Microsoft service communities
Associate the route filter with the ExpressRoute circuit

Without route filters, Microsoft services will not advertise routes.

3. Microsoft 365 Special Note (Exam Focus)

Microsoft recommends:

Using internet connectivity for Microsoft 365 in most cases.
ExpressRoute for Microsoft 365 requires special approval.

Exam questions often test this recommendation.

When to Choose Microsoft Peering

Choose Microsoft Peering when:

You need dedicated connectivity to Microsoft SaaS services.
You want predictable performance to Microsoft public services.
Your organization has strict compliance or regulatory requirements.
You want traffic to Microsoft cloud services to avoid internet routing.

3️⃣ Using Both Private and Microsoft Peering

You can enable both on the same ExpressRoute circuit.

This is common in enterprise environments.

When Should You Use Both?

Use both when:

You need connectivity to Azure VNets (Private Peering).
You also need connectivity to Microsoft SaaS services (Microsoft Peering).

For example:

Hybrid application running in Azure VNet.
Users accessing Microsoft 365 through dedicated connection.
Data synchronization between Azure VMs and public Azure services.

4️⃣ Side-by-Side Comparison (Very Important for Exam)

Feature	Azure Private Peering	Microsoft Peering
Connects to	Azure VNets	Microsoft public services
IP Type	Private IP	Public IP
Internet Used?	No	No
NAT Required?	No	Yes
Route Filter Required?	No	Yes
Used for Microsoft 365?	No	Yes (approval required)
Used for Private Endpoint?	Yes	No

5️⃣ Common Exam Scenarios

Scenario 1:

You must connect on-premises servers to Azure virtual machines.
✔ Answer: Azure Private Peering

Scenario 2:

You must access Microsoft 365 over ExpressRoute.
✔ Answer: Microsoft Peering

Scenario 3:

You need private connectivity to Azure VMs and also access Azure DevOps over ExpressRoute.
✔ Answer: Both

Scenario 4:

You are using Private Endpoint for Azure Storage.
✔ Answer: Azure Private Peering

6️⃣ Important Differences Students Often Confuse

❌ Wrong Assumption:

“Microsoft Peering uses the internet.”

✔ Correct:
It uses public IP addresses but traffic stays on Microsoft’s private backbone.

❌ Wrong Assumption:

“Private Peering can access Microsoft 365.”

✔ Correct:
Private Peering only accesses VNets.

❌ Wrong Assumption:

“NAT is optional for Microsoft Peering.”

✔ Correct:
NAT is required.

7️⃣ Design Decision Strategy for Exam

When answering AZ-700 questions:

Identify the service being accessed.
Ask:
- Is it deployed inside a VNet?
  - YES → Private Peering
- Is it a Microsoft SaaS/public service?
  - YES → Microsoft Peering
If both are required → choose both.

8️⃣ Memory Trick for Exam

Private Peering = Private Azure resources
Microsoft Peering = Microsoft public services

Final Exam Tips

✔ Private Peering is used most often for hybrid workloads.
✔ Microsoft Peering requires NAT and route filters.
✔ Microsoft 365 over ExpressRoute requires approval.
✔ You can enable both on the same circuit.
✔ No internet traffic flows in either case.