2.3 Azure ExpressRoute
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Is Microsoft Peering?
Microsoft peering is one of the routing options available in Azure ExpressRoute.
It allows your on-premises network to privately connect to:
- Microsoft 365 services (such as Exchange Online, SharePoint Online, Teams)
- Azure PaaS services (like Azure Storage, Azure SQL Database)
- Other Microsoft public services that use public IP addresses
👉 Important: Microsoft peering is used to access Microsoft public services over a private connection, instead of using the public internet.
2. ExpressRoute Peering Types (Exam Comparison)
In ExpressRoute, there are three main peering types:
- Azure Private Peering
- Microsoft Peering
- Azure Public Peering (retired – not used anymore)
For the AZ-700 exam, clearly understand:
| Peering Type | Used For | IP Type |
|---|---|---|
| Private Peering | Azure Virtual Networks (IaaS) | Private IP |
| Microsoft Peering | Microsoft public services | Public IP |
Microsoft peering uses public IP addresses, but traffic still travels through the private ExpressRoute circuit, not the internet.
This is a very important exam point.
3. Why Use Microsoft Peering?
Organizations use Microsoft peering when:
- They want secure, private access to Microsoft 365
- They want predictable latency and performance
- They do not want traffic to go over the public internet
- They require compliance and security controls
Example in an IT environment:
A company has its users on-premises and wants:
- Private connectivity to Exchange Online
- Secure data upload to Azure Storage
- Direct access to Azure SQL Database over ExpressRoute
In this case, Microsoft peering is required.
4. How Microsoft Peering Works
Microsoft peering uses:
- BGP (Border Gateway Protocol)
- Public IP address space
- Route filtering
- VLAN tagging
Let’s break this down clearly.
5. IP Address Requirements (Very Important for Exam)
Microsoft peering requires:
1️⃣ Public IP Addresses
You must use:
- Public IPv4 addresses
- Owned by your organization
- Registered with a public registry
- Valid and verifiable
You cannot use:
- Private IP addresses
- Fake public IPs
Microsoft verifies ownership of public IP ranges.
2️⃣ NAT Requirement (Mandatory)
Even if your internal network uses private IP addresses (like 10.x.x.x), you must:
- Perform Source NAT (SNAT) to a public IP before sending traffic to Microsoft
This is mandatory for Microsoft peering.
Why?
Because Microsoft services expect public IP addresses.
This is a common exam question:
Microsoft peering requires NAT to public IP addresses.
6. BGP Configuration
Microsoft peering uses:
- eBGP (external BGP)
- Autonomous System Number (ASN)
Requirements:
- You need a public ASN (or private ASN with validation)
- You configure BGP on your edge router
- You exchange routes with Microsoft
You must configure:
- Primary and secondary BGP sessions
- Two IP subnets (/30 or /31)
- VLAN ID
Redundancy is always required in ExpressRoute.
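The address and VLAN requirements from sections 5 and 6 can be checked before the values are submitted. The following is an added example, not part of the original guide or any Microsoft tooling; the function names are hypothetical, and the sample prefixes are RFC 5737 documentation ranges standing in for address space the organization actually owns.

```python
import ipaddress

# Ranges that are never valid on Microsoft peering: RFC 1918, CGNAT,
# loopback and link-local. Registry ownership cannot be checked offline.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def _parse(label, cidr, problems):
    """Parse an IPv4 CIDR strictly; record a problem and return None on failure."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {cidr}: {exc}")
        return None
    if any(net.overlaps(bad) for bad in NON_PUBLIC):
        problems.append(f"{label} {cidr}: not public address space")
    return net


def validate_microsoft_peering(advertised, primary, secondary, vlan_id):
    """Return a list of problems with the peering inputs (empty means OK)."""
    problems = []
    for cidr in advertised:
        _parse("advertised prefix", cidr, problems)
    links = [_parse("primary subnet", primary, problems),
             _parse("secondary subnet", secondary, problems)]
    for name, net in zip(("primary", "secondary"), links):
        if net is not None and net.prefixlen not in (30, 31):
            problems.append(f"{name} subnet {net}: must be /30 or /31")
    if None not in links and links[0].overlaps(links[1]):
        problems.append("primary and secondary subnets overlap")
    if not 1 <= vlan_id <= 4094:  # usable 802.1Q VLAN IDs
        problems.append(f"VLAN ID {vlan_id}: outside 1-4094")
    return problems


# Constructed inputs: one clean set, one with a private prefix,
# a reused link subnet and an invalid VLAN ID.
GOOD = validate_microsoft_peering(
    ["203.0.113.0/24"], "198.51.100.0/30", "198.51.100.4/30", 200)
BAD = validate_microsoft_peering(
    ["10.20.0.0/16"], "198.51.100.0/30", "198.51.100.0/30", 5000)
```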
7. Route Filtering (Very Important)
By default, Microsoft does NOT advertise all Microsoft service routes.
You must:
- Create a Route Filter
- Select BGP Communities
- Attach the route filter to Microsoft peering
Why Route Filters?
Because Microsoft offers many services.
You must choose which services you want access to.
Example service categories:
- Microsoft 365
- Azure PaaS
- Dynamics 365
You only receive routes for selected services.
Exam point:
Microsoft peering requires a route filter to receive routes.
Without a route filter:
- No routes are received.
8. Microsoft 365 and Microsoft Peering
Accessing Microsoft 365 over ExpressRoute requires:
- Microsoft peering
- Route filter
- Approval from Microsoft
Not all Microsoft 365 services support ExpressRoute access.
Important:
Microsoft recommends internet connectivity for many Microsoft 365 services.
Exam question tip:
If a scenario says:
- “Private connectivity to Microsoft 365”
The answer is:
- Microsoft peering
9. Service Provider vs ExpressRoute Direct
Microsoft peering works with:
- Service provider ExpressRoute
- ExpressRoute Direct
ExpressRoute Direct provides:
- Dedicated 10 Gbps or 100 Gbps ports
- Direct connection to Microsoft edge
Microsoft peering configuration principles remain the same.
10. Security Considerations
Microsoft peering:
- Uses public IP addresses
- Requires NAT
- Supports BGP authentication (MD5, optional)
- Supports Microsoft 365 route control
Security best practices:
- Use route filters
- Advertise only required prefixes
- Monitor BGP routes
- Use firewalls for traffic inspection
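The "advertise only required prefixes" and "monitor BGP routes" practices come down to comparing what the edge router actually sends and receives with what was intended. The following is an added example, not part of the original guide; the function name, finding labels, and community strings are constructed for illustration, and the route data is assumed to have been parsed from the router's BGP table beforehand.

```python
import ipaddress


def audit_bgp(received, selected, advertised, approved):
    """Return findings where observed BGP state differs from intent.

    received:   [(prefix, {communities})] learned from Microsoft
    selected:   communities chosen in the route filter
    advertised: prefixes the edge router announces to Microsoft
    approved:   prefixes that are meant to be announced
    """
    findings = []
    seen = set()
    for prefix, communities in received:
        matched = communities & selected
        seen |= matched
        if not matched:
            # Route carries no community that the route filter selects.
            findings.append(("unexpected-route", prefix))
    for community in sorted(selected - seen):
        # A selected service has no routes: filter rule missing or detached.
        findings.append(("no-routes-for-community", community))
    adv = {ipaddress.ip_network(p) for p in advertised}
    ok = {ipaddress.ip_network(p) for p in approved}
    for net in sorted(adv - ok):
        findings.append(("unapproved-advertisement", str(net)))
    for net in sorted(ok - adv):
        findings.append(("missing-advertisement", str(net)))
    return findings


# Constructed sample data (documentation prefixes, private-use ASN communities).
RECEIVED = [
    ("198.51.100.0/24", {"64512:10"}),
    ("203.0.113.0/25", {"64512:30"}),  # community not selected in the filter
]
SELECTED = {"64512:10", "64512:20"}
FINDINGS = audit_bgp(RECEIVED, SELECTED,
                     advertised=["192.0.2.0/28", "10.0.0.0/8"],
                     approved=["192.0.2.0/28"])
```

An empty `received` list with a non-empty `selected` set produces one `no-routes-for-community` finding per community, which is the "routes are not received" symptom of a missing route filter.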
11. High Availability Requirements
ExpressRoute circuits always require:
- Dual connections
- Primary and secondary links
- Redundant routers
Microsoft peering must also be configured on both connections.
Failing to configure redundancy may cause connectivity loss.
12. Step-by-Step Configuration Overview (High-Level)
For exam knowledge, understand the logical steps:
- Create ExpressRoute circuit
- Provision circuit with service provider
- Configure Microsoft peering
- Provide:
  - Public IP prefixes
  - ASN
  - VLAN ID
- Configure BGP on on-prem router
- Create Route Filter
- Attach Route Filter to Microsoft peering
- Validate route advertisement
You should understand this order conceptually.
13. Common Exam Scenarios
Scenario 1
Company wants private access to Azure VMs.
Answer → Azure Private Peering.
Scenario 2
Company wants private access to Microsoft 365.
Answer → Microsoft Peering.
Scenario 3
Company wants to use private IP addresses only.
Answer → Not possible with Microsoft peering (requires public IP + NAT).
Scenario 4
Routes are not received after configuring Microsoft peering.
Answer → Route filter not configured.
14. Limitations
- Requires public IP ownership
- Requires NAT
- Requires route filter
- Not all Microsoft services support ExpressRoute
- More complex than private peering
15. Key Differences: Private vs Microsoft Peering
| Feature | Private Peering | Microsoft Peering |
|---|---|---|
| IP Type | Private IP | Public IP |
| NAT Required | No | Yes |
| Route Filter Required | No | Yes |
| Used For | Azure VNet | Microsoft Public Services |
| Microsoft 365 | No | Yes |
Memorize this comparison for the exam.
16. Important Exam Keywords
If you see these words in the question:
- Microsoft 365
- Office 365
- Exchange Online
- SharePoint Online
- Public services
- Public IP requirement
- Route filter
- NAT requirement
The topic is most likely Microsoft peering.
17. Summary (Quick Revision)
Microsoft peering in Azure ExpressRoute:
- Connects to Microsoft public services
- Uses public IP addresses
- Requires NAT
- Uses BGP
- Requires route filter
- Supports Microsoft 365
- Requires IP ownership verification
- Needs redundant configuration
Final Exam Advice
For AZ-700:
You must clearly understand:
- When to choose Microsoft peering
- Public IP + NAT requirement
- Route filter requirement
- BGP configuration basics
- Difference from private peering
If you master these points, you will confidently answer Microsoft peering questions in the AZ-700 exam.
