2.3 Azure ExpressRoute
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is Azure ExpressRoute Private Peering?
Before understanding private peering, you must first understand ExpressRoute.
Azure ExpressRoute is a service that allows you to create a private, dedicated connection between your on-premises network (such as a corporate data center) and Microsoft Azure.
It does NOT use the public internet.
Inside ExpressRoute, there are different types of peering. For the AZ-700 exam, you must clearly understand:
- Private Peering (very important)
- Microsoft Peering (separate concept)
- Public Peering (deprecated)
This section focuses only on:
✅ Azure Private Peering
2. What is Azure Private Peering?
Azure Private Peering allows your on-premises network to connect directly to:
- Azure Virtual Networks (VNets)
- Azure Virtual Machines and any other resource with a private IP in those VNets
- Azure Private Endpoints, which give PaaS services (storage, SQL Database, etc.) a private IP inside your VNet via Private Link
It provides Layer 3 connectivity using private IP addresses.
That means:
- You use private IP ranges
- No public IP is required
- Traffic stays within Microsoft’s private backbone network
3. When Is Private Peering Used in Real IT Environments?
Private peering is used when an organization wants:
- Secure communication between on-premises servers and Azure VMs
- Hybrid cloud architecture
- Disaster recovery in Azure
- Data replication to Azure storage
- Application migration to Azure
Example (IT scenario):
- A company has an on-premises SQL Server.
- They deploy application servers in Azure.
- They use ExpressRoute private peering to securely connect both environments.
No internet exposure.
4. How Azure Private Peering Works
Private peering works using:
- BGP (Border Gateway Protocol)
- VLAN tagging
- Private IP addressing
Key Components:
- ExpressRoute Circuit
- ExpressRoute Gateway (in Azure VNet)
- BGP session between:
- Customer edge router
- Microsoft edge router (MSEE)
Traffic flow:
On-premises Network
→ Customer Edge Router
→ Service Provider
→ Microsoft Edge Router
→ ExpressRoute Gateway
→ Azure VNet
5. IP Addressing Requirements (Very Important for Exam)
Private peering requires:
1️⃣ Private IP address ranges
Normally you use RFC 1918 private ranges for the VNet, the GatewaySubnet and the peering links:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
(Microsoft also accepts public IP space that you own on private peering, but exam scenarios assume private addressing.)
Your Azure VNet address space must NOT overlap with any prefix your on-premises network advertises.
Overlapping IP = routing failure ❗ (Common exam trap). Azure prefers its own VNet system routes over BGP-learned routes, so traffic for an overlapping on-premises prefix never leaves the VNet.
2️⃣ Subnet Requirements
You must create a Gateway Subnet inside your VNet.
Requirements:
- Must be named exactly GatewaySubnet
- Size: /27 or larger is recommended (a /27 is required if a VPN gateway will coexist with the ExpressRoute gateway in the same VNet)
- Used only by the gateway; do not place VMs in it or attach an NSG to it
3️⃣ BGP Requirements
Private peering requires:
- A /30 subnet (IPv4) for the primary link
- A /30 subnet (IPv4) for the secondary link
- Optionally a /126 subnet per link if you enable IPv6 (dual-stack private peering)
- Your ASN (Autonomous System Number)
- A BGP session on BOTH links (the SLA assumes both are up)
- Optionally an MD5 shared key on the BGP sessions
On each /30, your edge router takes the first usable IP and the Microsoft edge router (MSEE) takes the second.
Microsoft uses ASN 12076 on all ExpressRoute peerings.
You can use:
- A public ASN you own
- A private ASN (64512–65534), except 65515–65520, which Microsoft reserves for Azure's own use
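The rules in this section are easy to get wrong on paper, so here is an added example (not Microsoft code and not part of the original notes) that checks a planned design before the circuit is ordered: RFC 1918 usage, on-prem/VNet overlap, the GatewaySubnet name and size, the two /30 peering links with their customer and MSEE addresses, and the peer ASN against Microsoft's 12076 and the reserved 65515–65520 block. The plan dict, its prefixes and the ASN 65010 are constructed values for illustration.

```python
"""Plan-time checks for an ExpressRoute private peering design (added example).

Not Microsoft code: it encodes the addressing and BGP rules from these notes
so a design can be checked before ordering the circuit. SAMPLE_PLAN is
constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Sequence, Tuple

MICROSOFT_ASN = 12076                      # Microsoft's ASN on every ExpressRoute peering
AZURE_RESERVED_ASNS = range(65515, 65521)  # 65515-65520 are reserved by Microsoft
PRIVATE_ASNS = range(64512, 65535)         # 16-bit private ASNs 64512-65534
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_address_plan(onprem: Sequence[str], vnets: Sequence[str]) -> List[str]:
    """Overlap between on-prem and VNet prefixes breaks routing (exam trap)."""
    problems = []
    on = [ipaddress.ip_network(p) for p in onprem]
    vn = [ipaddress.ip_network(p) for p in vnets]
    for net in on + vn:
        if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"warning: {net} is not RFC 1918 space (allowed only if you own it)")
    for o in on:
        for v in vn:
            if o.overlaps(v):
                problems.append(f"on-prem {o} overlaps VNet {v}: routing failure")
    return problems


def check_peering_subnet(prefix: str, label: str) -> List[str]:
    """Each link needs its own IPv4 /30 (an IPv6 /126 is the dual-stack equivalent)."""
    net = ipaddress.ip_network(prefix)
    if (net.version, net.prefixlen) in ((4, 30), (6, 126)):
        return []
    return [f"{label} {prefix} must be an IPv4 /30 (or IPv6 /126)"]


def peering_addresses(prefix: str) -> Tuple[str, str]:
    """Customer edge router takes the first usable IP, the MSEE takes the second."""
    hosts = list(ipaddress.ip_network(prefix).hosts())
    return str(hosts[0]), str(hosts[1])


def check_peer_asn(asn: int) -> List[str]:
    """ASN rules: not Microsoft's own, not Azure-reserved, 16- or 32-bit."""
    if asn == MICROSOFT_ASN:
        return [f"ASN {asn} is Microsoft's own ASN; use your own"]
    if asn in AZURE_RESERVED_ASNS:
        return [f"ASN {asn} is reserved by Microsoft (65515-65520)"]
    if not 1 <= asn <= 4294967295:
        return [f"ASN {asn} is out of range"]
    return []


def asn_kind(asn: int) -> str:
    return "private" if asn in PRIVATE_ASNS else "public"


def check_gateway_subnet(name: str, prefix: str, vnets: Sequence[str]) -> List[str]:
    """GatewaySubnet: exact name, /27 or larger, and inside the VNet address space."""
    problems = []
    if name != "GatewaySubnet":
        problems.append(f"gateway subnet must be named GatewaySubnet, not {name!r}")
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > 27:
        problems.append(f"GatewaySubnet {prefix} is smaller than the recommended /27")
    parents = [ipaddress.ip_network(v) for v in vnets]
    if not any(net.subnet_of(v) for v in parents if v.version == net.version):
        problems.append(f"GatewaySubnet {prefix} is not inside the VNet address space")
    return problems


def validate_plan(plan: Dict) -> List[str]:
    """Run every check on a plan dict; an empty list means the design is consistent."""
    problems = check_address_plan(plan["onprem"], plan["vnet"])
    problems += check_gateway_subnet(*plan["gateway_subnet"], plan["vnet"])
    problems += check_peer_asn(plan["peer_asn"])
    problems += check_peering_subnet(plan["primary"], "primary")
    problems += check_peering_subnet(plan["secondary"], "secondary")
    if ipaddress.ip_network(plan["primary"]).overlaps(ipaddress.ip_network(plan["secondary"])):
        problems.append("primary and secondary peering subnets must be distinct")
    return problems


# Constructed sample plan (hypothetical addresses and ASN)
SAMPLE_PLAN = {
    "onprem": ["10.10.0.0/16", "192.168.50.0/24"],
    "vnet": ["10.100.0.0/16"],
    "gateway_subnet": ("GatewaySubnet", "10.100.255.0/27"),
    "peer_asn": 65010,           # private ASN, see asn_kind()
    "primary": "10.0.0.0/30",    # your router 10.0.0.1, MSEE 10.0.0.2
    "secondary": "10.0.0.4/30",  # your router 10.0.0.5, MSEE 10.0.0.6
}

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
    broken = dict(SAMPLE_PLAN, vnet=["10.10.128.0/17"], peer_asn=65516,
                  gateway_subnet=("gateway", "10.10.255.0/28"))
    for line in validate_plan(broken):
        print("-", line)
```

Run it as-is to see the clean plan pass and the deliberately broken variant report the overlap, the misnamed /28 gateway subnet and the reserved ASN; feed it your own prefixes to check a real design.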
6. Steps to Configure Azure Private Peering
For the AZ-700 exam, you must understand the configuration sequence.
Step 1: Create ExpressRoute Circuit
In Azure:
- Choose:
- Subscription
- Resource group
- Region (where the circuit resource itself lives)
- Peering location and connectivity provider (or ExpressRoute Direct ports)
- Bandwidth (50 Mbps to 10 Gbps through a provider; 10 or 100 Gbps with ExpressRoute Direct)
- SKU tier (Local, Standard or Premium) and billing model (Metered or Unlimited)
After creation:
- You receive a Service Key (the circuit's service key GUID)
- Provide this to your connectivity provider
- Wait until the provider status shows Provisioned; peering cannot be configured before that
Step 2: Configure Private Peering on the Circuit
Inside the ExpressRoute circuit (once its provider status is Provisioned):
Go to:
- Peerings
- Azure private peering
You must configure:
- VLAN ID (the 802.1Q tag your provider and edge router use for this peering)
- Peer ASN (your ASN, see section 5)
- Primary subnet (/30)
- Secondary subnet (/30)
- Optional: MD5 shared key for the BGP sessions
Example:
- Primary: 10.0.0.0/30 → your router 10.0.0.1, MSEE 10.0.0.2
- Secondary: 10.0.0.4/30 → your router 10.0.0.5, MSEE 10.0.0.6
The same VLAN ID, ASN and subnets must then be configured on your edge router, or the BGP sessions stay down.
Step 3: Create ExpressRoute Gateway in VNet
Inside Azure:
- Create Virtual Network
- Create GatewaySubnet (/27 or larger)
- Create a public IP resource for the gateway (Azure requires one even though ExpressRoute traffic never crosses the internet)
- Deploy Virtual Network Gateway
- Gateway type: ExpressRoute
- SKU: Standard, HighPerformance, UltraPerformance, or the zone-redundant ErGw1AZ, ErGw2AZ, ErGw3AZ
Important:
- A VPN gateway cannot terminate an ExpressRoute circuit; the gateway type must be ExpressRoute
- A VPN gateway can coexist with the ExpressRoute gateway in the same GatewaySubnet (used for IPsec over ExpressRoute or as a failover path)
- Gateway deployment can take up to 45 minutes
Step 4: Link VNet to ExpressRoute Circuit
Create a connection:
- Go to Virtual Network Gateway
- Add Connection
- Connection type: ExpressRoute
- Choose the circuit (if the circuit is in another subscription or tenant, the circuit owner generates an authorization key and you redeem it here)
Now traffic can flow between:
On-premises ↔ Azure VNet
Check: the connection status should show Connected, and the gateway's learned routes should contain your on-premises prefixes.
7. ExpressRoute Gateway SKUs (Exam Important)
Common SKUs:
| SKU | Use Case |
|---|---|
| Standard | Basic workloads |
| HighPerformance | Higher throughput |
| UltraPerformance | Very high bandwidth; required for FastPath |
| ErGw1AZ / ErGw2AZ / ErGw3AZ | Zone-redundant equivalents of Standard / HighPerformance / UltraPerformance (ErGw3AZ also supports FastPath) |
You must choose SKU based on:
- Throughput requirements
- Availability needs (zone redundancy in regions with availability zones)
- Number of circuits to link (one VNet can link up to 4 circuits in the same peering location, 16 across different peering locations)
8. FastPath (Related Concept)
When using:
- An UltraPerformance or ErGw3AZ gateway (HighPerformance does not qualify)
You can enable:
FastPath (a property on the ExpressRoute connection)
FastPath:
- Sends on-premises traffic straight to the VMs, bypassing the gateway in the data path
- Reduces latency
- Removes the gateway as a throughput bottleneck
Important:
- The gateway is still required; it keeps exchanging routes with the MSEEs
- FastPath only works for private peering
- Some scenarios (VNet peering, private endpoints, UDRs on the GatewaySubnet) have restrictions with FastPath; check the current Microsoft documentation
9. Route Propagation (Very Important)
Private peering uses BGP to:
- Advertise on-prem routes to Azure (your edge router → MSEE → ExpressRoute gateway → VNet route tables)
- Advertise Azure VNet routes to on-prem (the gateway advertises the VNet address space, plus peered VNets that use this gateway)
You can control routing using:
- UDR (User Defined Routes) on subnets, for example to send on-prem traffic through Azure Firewall
- Disabling "Propagate gateway routes" on a subnet's route table so BGP-learned prefixes are not installed there
- Prefix filtering and BGP communities on your edge router (Azure Route Filters apply to Microsoft peering, not private peering)
- Custom BGP community values on VNets, so on-prem can tell which VNet a prefix came from
Exam question tip:
Azure automatically advertises the VNet address space via BGP; the BGP-learned on-prem prefixes appear on VM NICs with next hop type Virtual network gateway.
10. ExpressRoute Premium Add-On
You need Premium if you:
- Connect to VNets in a different geopolitical region than the circuit's peering location
- Need more than 10 VNet links on one circuit (Premium allows more, scaling with circuit bandwidth)
- Need more than 4,000 advertised prefixes on private peering (Premium raises the limit to 10,000)
Private peering works with:
- Local (only to VNets in the Azure regions near the peering location)
- Standard
- Premium
But cross-geopolitical-region connectivity requires Premium.
11. High Availability Design
Private peering supports:
- Dual links per circuit (primary and secondary, terminating on two different MSEEs)
- Redundant circuits
- Multiple peering locations
- Redundant gateway instances (every ExpressRoute gateway is deployed as two instances)
Best practice:
Always configure redundancy: bring up BGP on both links of every circuit (the SLA assumes both are up), and for site-level resilience add a second circuit at a different peering location.
12. Security Benefits
Private peering provides:
- No internet exposure
- Private IP routing
- Dedicated bandwidth
- SLA-backed connectivity
- Traffic isolation (your traffic is VLAN-separated on the circuit and kept in its own routing domain on the Microsoft edge)
Still recommended:
- Use NSGs on workload subnets (not on the GatewaySubnet)
- Use Azure Firewall or an NVA, with UDRs so on-prem ↔ Azure traffic is inspected
- Use encryption if required (ExpressRoute traffic is not encrypted by default). Options:
- MACsec on ExpressRoute Direct ports (Layer 2 encryption between your router and the MSEE)
- IPsec site-to-site VPN over private peering (VPN gateway coexisting with the ExpressRoute gateway)
- Application-layer encryption such as TLS
Exam trap:
ExpressRoute is private but NOT encrypted automatically.
13. Monitoring and Troubleshooting
You should know where to check:
- Circuit provider status (must be Provisioned) and peering state
- Connection status on the gateway (Connected)
- BGP status: learned routes and advertised routes on the gateway and on the circuit's private peering
- Effective routes on a VM NIC (on-prem prefixes should show next hop Virtual network gateway)
- ExpressRoute metrics (BGP availability, ARP availability, throughput) and Connection Monitor
Common issues:
| Problem | Likely cause |
|---|---|
| No connectivity | Circuit not Provisioned by the provider, or VNet not linked to the circuit |
| BGP down | ASN, VLAN ID or peering-subnet mismatch between the edge router and the Azure peering config |
| Routing issue | Overlapping IP space (VNet system routes win over BGP routes), or gateway route propagation disabled on the subnet |
| Slow performance | Gateway SKU too small, or FastPath not enabled on a high-bandwidth circuit |
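To make the route-propagation rules from section 9 and the "Routing issue | Overlapping IP" row above concrete, here is an added example (not Microsoft code and not part of the original notes) that models how Azure picks an effective route on a VM NIC: longest prefix match, then User > BGP > System on ties, with the documented exception that system routes for the VNet itself (VnetLocal, VNetPeering, service endpoints) beat BGP-learned routes even when the BGP route is more specific. It runs the same destination through a non-overlapping and an overlapping design to show why the overlapping one never reaches on-premises. The learned-route JSON is a constructed sample that only approximates the shape of `az network vnet-gateway list-learned-routes` output; the prefixes and ASN are hypothetical.

```python
"""Simulate Azure effective-route selection for an ExpressRoute-connected subnet.

Added example, not Microsoft code. Route sources mirror the values shown in
effective-route output: Default (system), User (UDR), VirtualNetworkGateway
(BGP-learned). SAMPLE_LEARNED_ROUTES is constructed for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

VNET_SYSTEM_HOPS = {"VnetLocal", "VNetPeering", "VirtualNetworkServiceEndpoint"}
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # tie-break, lower wins


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "10.10.0.0/16"
    next_hop_type: str   # VnetLocal, VirtualNetworkGateway, Internet, VirtualAppliance, ...
    source: str          # Default (system), User (UDR), VirtualNetworkGateway (BGP)


def learned_onprem_prefixes(learned_routes_json: str) -> List[str]:
    """Prefixes the gateway learned over eBGP from the MSEE (origin EBgp)."""
    data = json.loads(learned_routes_json)
    return [r["network"] for r in data["value"] if r["origin"] == "EBgp"]


def effective_routes(vnet_prefixes: Iterable[str], bgp_prefixes: Iterable[str],
                     udrs: Iterable[Route] = ()) -> List[Route]:
    """Route table Azure would show on a NIC in this VNet (no peering or endpoints)."""
    routes = [Route("0.0.0.0/0", "Internet", "Default")]
    routes += [Route(p, "VnetLocal", "Default") for p in vnet_prefixes]
    routes += [Route(p, "VirtualNetworkGateway", "VirtualNetworkGateway") for p in bgp_prefixes]
    routes += list(udrs)
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match, User > BGP > System on ties, VNet system routes beat BGP."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    best = min(matching, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                        SOURCE_RANK[r.source]))
    if best.source == "VirtualNetworkGateway":
        vnet_system = [r for r in matching
                       if r.source == "Default" and r.next_hop_type in VNET_SYSTEM_HOPS]
        if vnet_system:  # the overlap trap: traffic stays inside the VNet
            return max(vnet_system, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best


def reaches_onprem(vnet_prefixes: Iterable[str], bgp_prefixes: Iterable[str], dst: str) -> bool:
    """True if dst would leave the VNet through the ExpressRoute gateway."""
    chosen = select_route(effective_routes(vnet_prefixes, bgp_prefixes), dst)
    return chosen is not None and chosen.next_hop_type == "VirtualNetworkGateway"


# Constructed sample in the shape of `az network vnet-gateway list-learned-routes`
SAMPLE_LEARNED_ROUTES = json.dumps({"value": [
    {"localAddress": "10.100.255.4", "network": "10.100.0.0/16", "nextHop": "",
     "sourcePeer": "10.100.255.4", "origin": "Network", "asPath": "", "weight": 32768},
    {"localAddress": "10.100.255.4", "network": "10.10.0.0/16", "nextHop": "10.0.0.1",
     "sourcePeer": "10.0.0.1", "origin": "EBgp", "asPath": "12076-65010", "weight": 32768},
    {"localAddress": "10.100.255.4", "network": "10.20.5.0/24", "nextHop": "10.0.0.1",
     "sourcePeer": "10.0.0.1", "origin": "EBgp", "asPath": "12076-65010", "weight": 32768},
]})

if __name__ == "__main__":
    onprem = learned_onprem_prefixes(SAMPLE_LEARNED_ROUTES)
    for vnet in (["10.100.0.0/16"], ["10.10.0.0/16"]):  # clean design, then overlapping
        chosen = select_route(effective_routes(vnet, onprem), "10.10.5.20")
        print(f"VNet {vnet[0]}: 10.10.5.20 -> {chosen.prefix} via {chosen.next_hop_type}")
```

With the VNet at 10.100.0.0/16 the destination 10.10.5.20 goes via VirtualNetworkGateway; move the VNet to 10.10.0.0/16 and the same destination is captured by the VnetLocal system route, even if on-prem advertises a more specific /24. That is the overlap failure the exam trap refers to, and it explains why Microsoft's fix is re-addressing, not a UDR toward the gateway for the VNet's own range.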
14. Important Exam Points to Remember
✅ Private peering connects to VNets
✅ Uses private IP addresses
✅ Requires BGP
✅ Requires GatewaySubnet
✅ No internet involved
✅ Non-overlapping IP spaces required
✅ ExpressRoute gateway required
✅ Traffic not encrypted by default
✅ FastPath only for private peering, and only with an UltraPerformance or ErGw3AZ gateway
✅ Premium required for cross-region
15. Private Peering vs VPN (Exam Comparison)
| Feature | ExpressRoute Private Peering | VPN Gateway (site-to-site) |
|---|---|---|
| Uses Internet | No | Yes (IPsec tunnel over the internet) |
| Encryption | Not by default (MACsec or IPsec can be added) | Yes (IPsec/IKE) |
| SLA | 99.95% | 99.9% |
| Bandwidth | Up to 10 Gbps per provider circuit, 100 Gbps with ExpressRoute Direct | Lower (depends on gateway SKU) |
| Cost | Higher (circuit, provider and gateway charges) | Lower |
16. Summary
Azure Private Peering in Azure ExpressRoute allows secure, private connectivity between your on-premises network and Azure Virtual Networks.
It requires:
- ExpressRoute circuit
- BGP configuration
- GatewaySubnet
- ExpressRoute gateway
- Non-overlapping IP ranges
It is designed for:
- Enterprise hybrid cloud
- Large data transfers
- Disaster recovery
- Secure application hosting
For the AZ-700 exam, focus heavily on:
- Configuration steps
- IP addressing requirements
- BGP settings
- Gateway requirements
- Premium add-on scenarios
- FastPath behavior
- High availability design
