Connect a VNet to an ExpressRoute circuit

2.3 Azure ExpressRoute

📘Microsoft Azure Networking Solutions (AZ-700)


1. Introduction

In this section, you will learn how to connect an Azure Virtual Network (VNet) to an ExpressRoute circuit.

  • An Azure Virtual Network (VNet) is a private network in Microsoft Azure.
  • An Azure ExpressRoute circuit provides a private connection between your on-premises network and Microsoft Azure, delivered through a connectivity provider; its traffic does not traverse the public internet.

Connecting a VNet to an ExpressRoute circuit allows private communication between:

  • On-premises servers
  • Azure virtual machines
  • Azure services (depending on configuration)

This connection does not use the public internet. Note, however, that ExpressRoute traffic is not encrypted by default: if the data requires encryption in transit, you must add it yourself (for example, an IPsec site-to-site VPN running over ExpressRoute private peering, or MACsec on ExpressRoute Direct ports).

For the AZ-700 exam, you must clearly understand:

  • Required components
  • Configuration steps
  • Gateway requirements
  • Route exchange
  • Limitations
  • Design considerations

2. Required Components

Before connecting a VNet to ExpressRoute, you must have the following:

2.1 ExpressRoute Circuit

An ExpressRoute circuit must already:

  • Exist in Azure
  • Be provisioned by the connectivity provider (provider provisioning state: Provisioned)
  • Have Azure private peering configured (required for VNet connectivity)

Important:

  • To connect VNets, you must configure Private Peering.
  • Microsoft Peering is not used for VNet connectivity.

2.2 Virtual Network (VNet)

The VNet:

  • Must be created in Azure
  • Must contain a special subnet called GatewaySubnet

The GatewaySubnet:

  • Is dedicated to the virtual network gateway; do not place other resources in it
  • Must be named exactly: GatewaySubnet
  • Should be sized /27 or larger (/26 or larger if you plan to link 16 or more circuits to the gateway)
  • Must not have a network security group attached (unsupported on the gateway subnet)

2.3 Virtual Network Gateway

To connect the VNet to ExpressRoute, you must deploy:

  • An ExpressRoute virtual network gateway

This is a specific type of Azure resource.

Gateway type:

  • Must be ExpressRoute
  • VPN gateways cannot be used for ExpressRoute connections

Gateway SKU examples:

  • Standard
  • HighPerformance
  • UltraPerformance
  • ErGw1AZ, ErGw2AZ, ErGw3AZ (zone-redundant SKUs)

For AZ-700:

  • Know that ExpressRoute gateways are different from VPN gateways, and that there is no Basic SKU for an ExpressRoute gateway (Basic exists only for VPN gateways).
  • Gateway SKU affects throughput, the number of circuits that can be linked to the gateway, and route scale.

3. High-Level Architecture

The connection works like this:

  1. On-premises router connects to ExpressRoute circuit.
  2. ExpressRoute circuit connects to Microsoft edge routers.
  3. Azure VNet gateway connects to ExpressRoute circuit.
  4. Traffic flows privately between:
    • On-premises network
    • Azure VNet resources

Routing between networks is done using BGP (Border Gateway Protocol).


4. Steps to Connect a VNet to an ExpressRoute Circuit

For the exam, you must know the correct order.


Step 1: Create ExpressRoute Circuit

Create the ExpressRoute circuit in Azure:

  • Choose the peering location (the provider's edge site) and the Azure region for the circuit resource
  • Choose SKU (Local, Standard or Premium) and billing model (metered or unlimited data)
  • Choose bandwidth
  • Choose the connectivity provider

After that:

  • Give the Service Key (the circuit's GUID) to the provider
  • Wait until the provider provisioning state shows Provisioned; nothing further will work until then

Step 2: Configure Private Peering

Private Peering allows:

  • Private IP communication between on-premises and Azure VNets

You must configure:

  • VLAN ID (unique per peering on the circuit)
  • Peer ASN (your ASN: a public ASN, or a private ASN in 64512–65534, avoiding 65515–65520 which Azure reserves; Microsoft's side is always ASN 12076)
  • Primary and secondary /30 subnets, one per BGP session; your router takes the first usable address of each, Microsoft takes the second
  • BGP settings, optionally including an MD5 shared key

Without Private Peering, VNet connectivity will not work, even when the circuit is Provisioned.


Step 3: Create Virtual Network Gateway

Inside the VNet:

  1. Create GatewaySubnet
  2. Deploy ExpressRoute virtual network gateway
  3. Select:
    • Gateway type: ExpressRoute
    • SKU
    • Region (must match the VNet region)

Important exam point:

  • The VNet and gateway must be in the same region.
  • Gateway deployment can take up to 45 minutes; plan for it.

Step 4: Create Connection Between VNet and ExpressRoute Circuit

After the gateway is deployed:

  1. Go to the VNet gateway
  2. Select Connections
  3. Create new connection
  4. Choose:
    • Connection type: ExpressRoute
    • Select ExpressRoute circuit

This creates a connection object that links:

  • The VNet gateway
  • The ExpressRoute circuit

Now the VNet is linked to the circuit, and BGP starts exchanging routes between the VNet and on-premises.
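Steps 1 to 4 above as one Az PowerShell sequence. This is an added example, not code from the original page or from Microsoft's documentation; the resource group, region, provider, peering location, VLAN ID, ASN, address prefixes, shared key and all resource names are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Every name, prefix, ASN, VLAN,
# provider and location below is an assumption; replace them for your environment.
Connect-AzAccount | Out-Null

$rg       = "rg-er-demo"
$location = "westeurope"   # region of the circuit resource, the VNet and the gateway
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1: create the circuit and hand the Service Key to the provider.
$circuit = New-AzExpressRouteCircuit -Name "er-circuit-demo" -ResourceGroupName $rg `
    -Location $location -SkuTier Standard -SkuFamily MeteredData `
    -ServiceProviderName "Equinix" -PeeringLocation "Amsterdam" -BandwidthInMbps 200
Write-Host "Give this Service Key to the provider: $($circuit.ServiceKey)"

# Nothing else works until the provider reports the circuit as Provisioned.
do {
    Start-Sleep -Seconds 60
    $circuit = Get-AzExpressRouteCircuit -Name "er-circuit-demo" -ResourceGroupName $rg
} while ($circuit.ServiceProviderProvisioningState -ne "Provisioned")

# Step 2: Azure private peering. Microsoft's ASN is always 12076; your side uses a
# public ASN or a private one (64512-65534, not 65515-65520). Each /30 carries one
# BGP session: your router uses the first usable address, Microsoft the second.
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" `
    -ExpressRouteCircuit $circuit -PeeringType AzurePrivatePeering `
    -PeerASN 65010 -VlanId 200 `
    -PrimaryPeerAddressPrefix "192.168.10.0/30" `
    -SecondaryPeerAddressPrefix "192.168.10.4/30" `
    -SharedKey "ChangeMe-MD5-Secret"           # optional MD5 key; must match the router
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit | Out-Null

# Step 3a: VNet with a subnet named exactly "GatewaySubnet" (/27 or larger).
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-app"      -AddressPrefix "10.10.1.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet, $appSubnet

# Step 3b: ExpressRoute gateway. GatewayType must be ExpressRoute (a VPN gateway
# cannot be used) and it must sit in the VNet's region. The zone-redundant SKUs
# (ErGw1AZ..ErGw3AZ) require a Standard-SKU static public IP.
$pip = New-AzPublicIpAddress -Name "pip-ergw-hub" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipConf   = New-AzVirtualNetworkGatewayIpConfig -Name "ergw-ipconf" -SubnetId $subnetId -PublicIpAddressId $pip.Id
$gateway  = New-AzVirtualNetworkGateway -Name "ergw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType ExpressRoute -GatewaySku ErGw1AZ   # up to 45 minutes

# Step 4: the connection object links the gateway to the circuit (same subscription,
# so no authorization key is needed; the circuit's resource ID is the PeerId).
$conn = New-AzVirtualNetworkGatewayConnection -Name "conn-hub-to-er" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gateway `
    -PeerId $circuit.Id -ConnectionType ExpressRoute

Write-Host "Connection $($conn.Name): $($conn.ConnectionStatus)"
```

The provisioning loop is the step most often skipped in practice: peering configuration and the connection both fail until the provider side is Provisioned. The shared key is shown inline only for illustration; in real deployments read it from a secret store rather than embedding it in a script.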


5. Authorization Key (Important for Cross-Subscription)

If:

  • The ExpressRoute circuit and VNet are in different subscriptions (or the VNet owner has no rights on the circuit)

Then you must use:

Authorization key

Process:

  1. Circuit owner creates an authorization on the circuit.
  2. The authorization key and the circuit's resource ID are shared with the VNet owner. Treat the key as a secret: anyone holding it together with the resource ID can link a gateway to the circuit.
  3. VNet owner creates the connection from the gateway, supplying the key and the circuit resource ID.

Each authorization can be redeemed by one connection. The circuit owner can see whether it has been used, and can delete the authorization to revoke that access.

Exam tip:

  • Cross-subscription connection requires authorization.
  • Same subscription does not require an authorization key; the circuit owner's RBAC rights are enough.
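The cross-subscription process above, both sides, as an added Az PowerShell example (not from the original page). The two subscription IDs, resource group and resource names are placeholders; the circuit and the spoke gateway are assumed to already exist.

```powershell
# Added example (not from the original page). Subscription IDs, resource groups
# and resource names are assumptions.

# --- Circuit owner (subscription A) -------------------------------------------
Set-AzContext -SubscriptionId "00000000-0000-0000-0000-0000000000aa" | Out-Null
$circuit = Get-AzExpressRouteCircuit -Name "er-circuit-demo" -ResourceGroupName "rg-er-demo"

# 1. Create an authorization on the circuit and commit it.
Add-AzExpressRouteCircuitAuthorization -Name "auth-vnet-team" -ExpressRouteCircuit $circuit | Out-Null
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit | Out-Null

# 2. Values to hand to the VNet owner out-of-band. The key is a bearer secret:
#    whoever holds it plus the circuit ID can attach a gateway to this circuit.
$auth    = Get-AzExpressRouteCircuitAuthorization -Name "auth-vnet-team" -ExpressRouteCircuit $circuit
$peerId  = $circuit.Id
$authKey = $auth.AuthorizationKey

# --- VNet owner (subscription B) ----------------------------------------------
Set-AzContext -SubscriptionId "00000000-0000-0000-0000-0000000000bb" | Out-Null
$gateway = Get-AzVirtualNetworkGateway -Name "ergw-spoke" -ResourceGroupName "rg-spoke"

# 3. The connection carries the key and the circuit's resource ID (PeerId) instead
#    of relying on RBAC rights over the circuit.
$conn = New-AzVirtualNetworkGatewayConnection -Name "conn-spoke-to-er" -ResourceGroupName "rg-spoke" `
    -Location $gateway.Location -VirtualNetworkGateway1 $gateway `
    -PeerId $peerId -ConnectionType ExpressRoute -AuthorizationKey $authKey
Write-Host "Connection $($conn.Name): $($conn.ConnectionStatus)"

# --- Circuit owner again: confirm the authorization was consumed, and revoke
#     any authorization that is still unused when it should not be.
Set-AzContext -SubscriptionId "00000000-0000-0000-0000-0000000000aa" | Out-Null
$circuit = Get-AzExpressRouteCircuit -Name "er-circuit-demo" -ResourceGroupName "rg-er-demo"
foreach ($a in Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit) {
    Write-Host ("{0,-20} {1}" -f $a.Name, $a.AuthorizationUseStatus)
    if ($a.AuthorizationUseStatus -ne "Used" -and $a.Name -ne "auth-vnet-team") {
        Write-Warning "Unused authorization '$($a.Name)' still grants access to this circuit; remove it if it is no longer needed."
        # Remove-AzExpressRouteCircuitAuthorization -Name $a.Name -ExpressRouteCircuit $circuit
        # Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
    }
}
```

The final loop is the check a circuit owner should run periodically: every authorization that has not been consumed is a standing credential for attaching a foreign gateway to your circuit, so unused ones should be deleted rather than left around.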

6. Routing and BGP Behavior

ExpressRoute uses BGP for dynamic route exchange.

What happens automatically:

  • On-premises routes are advertised to Azure over private peering.
  • The address space of every linked VNet (and of peered VNets that use the gateway via gateway transit) is advertised to on-premises.
  • Routes are learned dynamically and injected into the effective routes of every subnet in the VNet.

Important exam concepts:

  • Azure automatically injects VNet routes into ExpressRoute; you do not configure static routes for them.
  • Route summarization may be required on-premises: private peering accepts at most 4,000 prefixes on a Standard circuit and 10,000 on Premium, and the BGP session drops if the limit is exceeded.
  • Route filters apply only to Microsoft peering (they select which Microsoft service prefixes, tagged with BGP communities, you accept); they are not used for private peering.
  • BGP communities: Microsoft tags the prefixes it advertises over Microsoft peering with service and region community values, and you can assign a custom BGP community value to a VNet so its prefixes are recognizable on-premises.
  • On a subnet route table you can disable gateway route propagation, or override learned routes with user-defined routes.

7. Gateway SKUs and Performance

Gateway SKU determines:

  • Throughput
  • Maximum number of ExpressRoute circuits that can be linked to the gateway
  • Maximum number of routes the gateway can handle

(The number of VNets that can link to one circuit is a limit of the circuit SKU and bandwidth, not of the gateway SKU.)

Example:

Lower SKUs:

  • Lower bandwidth
  • Fewer routes supported

Higher SKUs:

  • Higher throughput
  • Support more routes
  • Better for large enterprise networks

For AZ-700:

  • Understand scaling limits.
  • Know that incorrect SKU can cause routing limits or performance issues.

8. Multiple VNets and ExpressRoute

You can connect:

  • Multiple VNets to one ExpressRoute circuit (up to the circuit's VNet-link limit, which depends on circuit SKU and bandwidth)
  • One VNet gateway to multiple circuits (up to the gateway SKU's limit)

Requirements:

  • Each VNet must have its own ExpressRoute gateway, unless it reaches the circuit through a peered hub VNet with gateway transit.
  • A Standard circuit can link VNets in any Azure region within the same geopolitical region as the circuit's peering location; Premium removes that restriction and allows VNets worldwide, and also raises the VNet-link and route limits.

9. ExpressRoute and VNet Peering

Important design concept:

If:

  • VNet A is connected to ExpressRoute
  • VNet B is peered with VNet A

Then:

  • You can enable gateway transit on the peering
  • VNet B can use the ExpressRoute gateway in VNet A, and VNet B's address space is advertised to on-premises through that gateway

This avoids deploying multiple gateways (the hub-and-spoke design).

Exam focus:

  • Understand gateway transit.
  • Understand that the peering must set Allow gateway transit on the hub (VNet A) side and Use remote gateways on the spoke (VNet B) side.
  • A VNet that uses a remote gateway cannot have a virtual network gateway of its own.
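The hub-and-spoke peering described above, as an added Az PowerShell example (not from the original page). It assumes a hub VNet named vnet-hub that already has an ExpressRoute gateway, a spoke VNet named vnet-spoke with no gateway of its own, and both in the resource group rg-er-demo; all of those names are assumptions.

```powershell
# Added example (not from the original page). VNet and resource group names are
# assumptions; the hub must already have its ExpressRoute gateway deployed.
$rg    = "rg-er-demo"
$hub   = Get-AzVirtualNetwork -Name "vnet-hub"   -ResourceGroupName $rg   # has the ExpressRoute gateway
$spoke = Get-AzVirtualNetwork -Name "vnet-spoke" -ResourceGroupName $rg   # must NOT have a gateway

# Hub side: let the spoke send traffic through the hub's gateway.
Add-AzVirtualNetworkPeering -Name "hub-to-spoke" -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

# Spoke side: use the hub's gateway. Azure rejects this if the spoke has its own
# gateway, or if the hub's gateway does not exist yet.
Add-AzVirtualNetworkPeering -Name "spoke-to-hub" -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Verify: both sides must be Connected, and the two flags must be on opposite sides.
$hubPeer   = Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-hub"   -ResourceGroupName $rg -Name "hub-to-spoke"
$spokePeer = Get-AzVirtualNetworkPeering -VirtualNetworkName "vnet-spoke" -ResourceGroupName $rg -Name "spoke-to-hub"
foreach ($p in @($hubPeer, $spokePeer)) {
    Write-Host ("{0,-14} state={1,-12} allowGatewayTransit={2,-5} useRemoteGateways={3}" -f `
        $p.Name, $p.PeeringState, $p.AllowGatewayTransit, $p.UseRemoteGateways)
}
if ($hubPeer.PeeringState -ne "Connected" -or $spokePeer.PeeringState -ne "Connected") {
    Write-Warning "Peering is not Connected on both sides; the spoke will not learn on-premises routes."
}
if (-not $hubPeer.AllowGatewayTransit -or -not $spokePeer.UseRemoteGateways) {
    Write-Warning "Gateway transit flags are wrong: hub needs AllowGatewayTransit, spoke needs UseRemoteGateways."
}
```

Once both peerings show Connected, the spoke's address space is advertised to on-premises over the hub's circuit, and spoke subnets see the on-premises prefixes in their effective routes with the hub gateway as next hop.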

10. High Availability and Redundancy

ExpressRoute provides redundancy at multiple levels:

  • Two connections (primary and secondary) from the provider to two Microsoft edge routers in the peering location
  • Primary and secondary BGP sessions; bring up both, or the circuit is not covered by the availability SLA
  • Redundant Azure gateway instances (an ExpressRoute gateway is always deployed as a pair)

Zone-redundant gateways (ErGw1AZ etc.) provide:

  • Availability zone resilience

For disaster recovery:

  • Use multiple circuits
  • Use Global Reach
  • Use cross-region VNet design

11. Limitations and Important Exam Points

You must remember:

  1. VNet must have GatewaySubnet.
  2. Gateway type must be ExpressRoute.
  3. Private peering is required.
  4. Authorization key required for cross-subscription.
  5. Gateway deployment takes time.
  6. SKU affects route limits.
  7. VNet and gateway must be in same region.
  8. A Standard circuit can link VNets in other Azure regions within the same geopolitical region; Premium is required for VNets in other geopolitical regions.
  9. The lowest gateway SKU (Standard) has the lowest throughput and route limits; there is no Basic SKU for an ExpressRoute gateway.

12. Monitoring and Troubleshooting

You can monitor using:

  • Azure portal (circuit, peering and connection blades)
  • Connection status on the connection object
  • BGP status and prefixes received, from the circuit's route table summary for each peering and device path
  • Metrics (for example BGP availability, ARP availability, bits in/out per second)
  • Network Watcher (Connection Monitor, effective routes on a NIC)

Common issues:

  • Gateway not deployed (or deployed as a VPN gateway by mistake)
  • Private peering not configured, or the circuit not yet Provisioned by the provider
  • ASN mismatch between the on-premises router and the peering configuration
  • BGP not established (wrong /30 addressing, VLAN ID or MD5 key)
  • Route not advertised (missing on-premises advertisement, prefix limit exceeded, or overlapping address space)
  • GatewaySubnet too small, or an NSG attached to it
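A health-check script that covers the route exchange in section 6 and the issues listed in section 12, as an added Az PowerShell example (not from the original page). Resource names, the VNet name and the on-premises summary prefix it expects to learn are assumptions.

```powershell
# Added example (not from the original page). Resource names, the VNet name and
# the expected on-premises prefix are assumptions; adjust them to your environment.
$rg = "rg-er-demo"; $cktName = "er-circuit-demo"; $connName = "conn-hub-to-er"
$vnetName = "vnet-hub"; $expectedOnPrem = "172.16.0.0/16"   # summary route expected from on-prem

# 1. Circuit provisioning state and presence of private peering.
$ckt = Get-AzExpressRouteCircuit -Name $cktName -ResourceGroupName $rg
Write-Host "Provider state: $($ckt.ServiceProviderProvisioningState)  Circuit state: $($ckt.CircuitProvisioningState)"
if ($ckt.ServiceProviderProvisioningState -ne "Provisioned") { Write-Warning "Circuit not yet provisioned by the provider." }
$priv = $ckt.Peerings | Where-Object { $_.PeeringType -eq "AzurePrivatePeering" }
if (-not $priv) { throw "No AzurePrivatePeering on $cktName; VNet connectivity cannot work." }
Write-Host "Private peering: VLAN $($priv.VlanId)  PeerASN $($priv.PeerASN)  AzureASN $($priv.AzureASN)  $($priv.PrimaryPeerAddressPrefix) / $($priv.SecondaryPeerAddressPrefix)"

# 2. BGP session state on both Microsoft edge routers. StatePfxRcd holds the number
#    of prefixes received when the session is Established, otherwise the BGP state.
foreach ($path in "Primary", "Secondary") {
    $summary = Get-AzExpressRouteCircuitRouteTableSummary -ResourceGroupName $rg `
        -ExpressRouteCircuitName $cktName -PeeringType AzurePrivatePeering -DevicePath $path
    foreach ($s in $summary) {
        if ($s.StatePfxRcd -match '^\d+$') {
            $detail = "prefixesReceived=$($s.StatePfxRcd)"
        } else {
            $detail = "BGP NOT established (state=$($s.StatePfxRcd)); check VLAN, /30 addressing, ASN and MD5 key"
        }
        Write-Host ("{0,-9} neighbor={1,-15} as={2,-6} upDown={3,-10} {4}" -f $path, $s.Neighbor, $s.As, $s.UpDown, $detail)
    }
}

# 3. Routes the Microsoft edge has learned: the on-prem summary must be present and
#    the total must stay under the private-peering limit (4,000 Standard / 10,000 Premium).
$routes = Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $cktName `
    -PeeringType AzurePrivatePeering -DevicePath Primary
$limit = if ($ckt.Sku.Tier -eq "Premium") { 10000 } else { 4000 }
Write-Host "Prefixes on Primary: $(@($routes).Count) (limit $limit for $($ckt.Sku.Tier))"
if ($routes.Network -notcontains $expectedOnPrem) {
    Write-Warning "$expectedOnPrem not learned from on-premises; check advertisements and summarization."
}
if (@($routes).Count -gt $limit * 0.9) { Write-Warning "Approaching the prefix limit; the BGP session drops if it is exceeded." }

# 4. Connection object and GatewaySubnet sanity.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Write-Host "Connection $connName : type=$($conn.ConnectionType) status=$($conn.ConnectionStatus)"
$vnet  = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSub = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$prefixLen = [int]((($gwSub.AddressPrefix | Select-Object -First 1) -split "/")[1])
if ($prefixLen -gt 27) { Write-Warning "GatewaySubnet is /$prefixLen; /27 or larger is recommended." }
if ($gwSub.NetworkSecurityGroup) { Write-Warning "An NSG is attached to GatewaySubnet; this is not supported." }
```

Run the checks top to bottom: a circuit that is not Provisioned explains every later failure, a missing private peering explains a missing connection, and a BGP state other than a prefix count on either path points at the layer-2/layer-3 parameters agreed with the provider rather than at Azure.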

13. IT Environment Example

In an enterprise IT environment:

  • A company has on-premises Active Directory servers.
  • They deploy virtual machines in Azure for application hosting.
  • They connect their data center to Azure using ExpressRoute.
  • Their Azure VNet is connected to the ExpressRoute circuit.
  • Domain controllers replicate privately over the circuit.
  • Applications reach databases over private IP addresses.
  • No traffic goes over the public internet.

This provides:

  • Isolation from the public internet (this is not the same as encryption; add IPsec or MACsec if the data requires encryption in transit)
  • Lower latency
  • Predictable performance
  • Compliance support

14. Summary for AZ-700 Exam

To pass this section, you must know:

  • What an ExpressRoute circuit is
  • What a Virtual Network Gateway is
  • Difference between VPN gateway and ExpressRoute gateway
  • Private Peering requirement
  • GatewaySubnet requirement
  • Authorization key usage
  • BGP routing behavior
  • SKU selection impact
  • Gateway transit with VNet peering
  • Redundancy options

If you understand how the ExpressRoute circuit, private peering, the ExpressRoute gateway and the connection object work together, you will be fully prepared for this topic in the AZ-700 exam.
