Design ExpressRoute for cross-region connectivity, redundancy, and disaster recovery

2.3 Azure ExpressRoute

📘 Microsoft Azure Networking Solutions (AZ-700)


1. Introduction to Azure ExpressRoute

Azure ExpressRoute is a private, dedicated connection between your on-premises network (such as a corporate data center) and Microsoft’s cloud services in Azure.

Unlike VPN over the public internet:

  • ExpressRoute does not use the public internet
  • It provides private connectivity
  • It offers higher reliability
  • It supports higher bandwidth
  • It provides lower and more predictable latency

For the AZ-700 exam, you must understand how to design ExpressRoute for:

  • Cross-region connectivity
  • Redundancy (high availability)
  • Disaster recovery (DR)

2. ExpressRoute Components You Must Know

Before designing solutions, you must clearly understand these components:

2.1 ExpressRoute Circuit

An ExpressRoute circuit is a logical connection between:

  • Your on-premises network
  • Microsoft’s edge routers

Key characteristics:

  • Created in a specific peering location
  • Has a bandwidth (50 Mbps to 100 Gbps depending on SKU)
  • Includes two redundant connections (primary and secondary)

Important: A circuit is not tied to a single VNet. Multiple VNets can connect to it.


2.2 ExpressRoute Gateway

An ExpressRoute gateway is deployed inside an Azure Virtual Network (VNet).

It allows:

  • The VNet to communicate through the ExpressRoute circuit
  • Routing between on-premises and Azure resources

There are different gateway SKUs:

  • Standard
  • HighPerformance
  • UltraPerformance
  • ErGw1AZ, ErGw2AZ, ErGw3AZ (zone-redundant)

For cross-region and DR design, gateway selection is critical.


2.3 ExpressRoute Peering Types

There are three peering types:

  1. Private Peering
    • For VNet connectivity
    • Most commonly used
    • Required for cross-region and DR scenarios
  2. Microsoft Peering
    • For Microsoft public services (like Microsoft 365)
  3. Public Peering (deprecated)

For AZ-700, focus mainly on Private Peering.
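The following is an added example, not taken from the course material, showing how the components above (circuit, private peering, provisioning state) appear in Azure PowerShell (Az.Network module). The resource group, circuit name, provider, peering location, ASN, VLAN ID and peer address prefixes are assumptions chosen for illustration.

```powershell
# Added example (not from the course text): create a Standard ExpressRoute circuit in one
# peering location, add Azure private peering, and check provisioning state.
# All names, ASNs, VLAN and address prefixes below are assumptions for illustration.

$rg       = "rg-expressroute-demo"      # assumed resource group
$location = "westeurope"                # Azure region that holds the circuit resource
$cktName  = "er-ckt-amsterdam"          # assumed circuit name

# 0. Providers and peering locations are discoverable; confirm the pair you intend to order.
Get-AzExpressRouteServiceProvider |
    Where-Object Name -eq "Equinix" |
    Select-Object -ExpandProperty PeeringLocations

# 1. Create the circuit. The peering location and provider are what you order from the carrier;
#    the circuit always comes with a primary and a secondary link (built-in redundancy).
$ckt = New-AzExpressRouteCircuit -Name $cktName -ResourceGroupName $rg -Location $location `
    -SkuTier Standard -SkuFamily MeteredData `
    -ServiceProviderName "Equinix" -PeeringLocation "Amsterdam" -BandwidthInMbps 200

# 2. Hand the service key to the provider; nothing works until they provision their side.
Write-Host "Service key for the provider: $($ckt.ServiceKey)"

# 3. Add private peering (the one used for VNet connectivity). Two /30s: one per redundant link.
#    PeerASN is your on-premises BGP ASN (assumed private ASN 65010); Microsoft's side is 12076.
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt `
    -PeeringType AzurePrivatePeering -PeerASN 65010 `
    -PrimaryPeerAddressPrefix "192.168.15.16/30" -SecondaryPeerAddressPrefix "192.168.15.20/30" `
    -VlanId 200

# 4. Commit the peering configuration to the circuit.
$ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

# 5. Check provisioning before you try to connect a gateway:
#    ServiceProviderProvisioningState must be "Provisioned", CircuitProvisioningState "Enabled".
$ckt = Get-AzExpressRouteCircuit -Name $cktName -ResourceGroupName $rg
if ($ckt.ServiceProviderProvisioningState -ne "Provisioned") {
    Write-Warning "Provider side not ready ($($ckt.ServiceProviderProvisioningState)); wait before creating connections."
}
$ckt.Peerings |
    Select-Object Name, PeeringType, State, PrimaryPeerAddressPrefix, SecondaryPeerAddressPrefix
```

The two address prefixes map directly onto the two redundant links of the circuit: one BGP session runs on the primary link and one on the secondary, which is the built-in redundancy referred to in section 2.1.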


3. Designing ExpressRoute for Cross-Region Connectivity

3.1 What Is Cross-Region Connectivity?

Cross-region connectivity means:

  • Connecting VNets in multiple Azure regions
  • Accessing Azure services in different regions
  • Supporting workloads distributed across regions

Example in IT terms:

  • Application servers in one Azure region
  • Database servers in another Azure region
  • On-premises access to both regions

3.2 Methods for Cross-Region Connectivity

Option 1: Single ExpressRoute Circuit + ExpressRoute Global Reach

ExpressRoute Global Reach connects multiple on-premises sites to each other through Microsoft’s global backbone; it addresses site-to-site connectivity rather than VNet connectivity.

For connectivity to Azure regions, the approach is different:

You connect multiple VNets in different regions to the same ExpressRoute circuit.

Important exam points:

  • One circuit can connect to multiple VNets (within limits).
  • VNets can be in different Azure regions.
  • They must be within the same geopolitical region unless you use Premium SKU.

3.3 ExpressRoute Premium Add-On

The Premium add-on is required when:

  • You connect VNets across different geopolitical regions
  • You exceed default VNet connection limits
  • You need global connectivity

For AZ-700:

Remember:

  • Standard SKU → Limited to a geopolitical region.
  • Premium SKU → Global connectivity.

3.4 Design Considerations for Cross-Region

When designing:

  1. Decide if one circuit is enough.
  2. Determine if Premium is required.
  3. Consider bandwidth requirements.
  4. Check gateway SKU compatibility.
  5. Consider latency between regions.

Exam tip:
If the question mentions “multiple regions worldwide” → likely needs Premium.
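An added example, not from the course material, of the cross-region design in sections 3.2 and 3.3: two VNets in different regions attached to the same circuit, with the Premium check applied first. The circuit and the two ExpressRoute gateways (assumed to exist already, one per region), the resource group and all names are assumptions. Amsterdam (Europe) and East US (North America) are in different geopolitical regions, so this pairing is one where the Premium add-on is required.

```powershell
# Added example (not from the course text): connect VNets in two Azure regions to ONE circuit,
# upgrading the circuit to Premium first if the regions span geopolitical regions.
# Gateways are assumed to exist already; every resource name is an assumption.

$rg      = "rg-expressroute-demo"
$cktName = "er-ckt-amsterdam"

$ckt = Get-AzExpressRouteCircuit -Name $cktName -ResourceGroupName $rg

# Gateways in two regions: West Europe (same geopolitical region as the Amsterdam circuit)
# and East US (a different geopolitical region, so it needs the Premium add-on).
$gwWestEu = Get-AzVirtualNetworkGateway -Name "ergw-westeu-hub" -ResourceGroupName $rg
$gwEastUs = Get-AzVirtualNetworkGateway -Name "ergw-eastus-hub" -ResourceGroupName $rg

# Design check from section 3.3: a Standard circuit only reaches VNets in its own geopolitical
# region. The SKU can be changed in place without re-ordering the circuit from the carrier.
if ($ckt.Sku.Tier -ne "Premium") {
    $ckt.Sku.Tier = "Premium"
    $ckt.Sku.Name = "Premium_MeteredData"   # family stays MeteredData in this example
    $ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
}

# Connection objects live in the gateway's region; the circuit is referenced by its resource ID.
New-AzVirtualNetworkGatewayConnection -Name "conn-westeu-to-amsterdam" -ResourceGroupName $rg `
    -Location "westeurope" -VirtualNetworkGateway1 $gwWestEu -PeerId $ckt.Id -ConnectionType ExpressRoute

New-AzVirtualNetworkGatewayConnection -Name "conn-eastus-to-amsterdam" -ResourceGroupName $rg `
    -Location "eastus" -VirtualNetworkGateway1 $gwEastUs -PeerId $ckt.Id -ConnectionType ExpressRoute

# Verify: every ExpressRoute connection in the resource group that points at this circuit.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.ConnectionType -eq "ExpressRoute" -and $_.Peer.Id -eq $ckt.Id } |
    Select-Object Name, Location, ConnectionStatus, RoutingWeight
```

The “within limits” point from section 3.2 applies here: each circuit has a maximum number of VNet links that depends on its SKU and bandwidth, so check that limit before adding more regional gateways to one circuit.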


4. Designing ExpressRoute for Redundancy (High Availability)

High availability ensures:

  • No single point of failure
  • Continuous connectivity even if one component fails

4.1 Built-In Redundancy in ExpressRoute

Every ExpressRoute circuit:

  • Has two physical connections
  • Uses two Microsoft edge routers
  • Provides automatic failover

This is default and automatic.


4.2 Zone-Redundant Gateways

You can deploy:

  • ErGw1AZ
  • ErGw2AZ
  • ErGw3AZ

These are zone-redundant gateways.

They are deployed across:

  • Multiple Availability Zones in a region

This protects against:

  • Data center-level failures

For AZ-700:

If the requirement mentions:

  • Protection against zone failure → Choose AZ SKU.

4.3 Multiple Circuits for Higher Redundancy

For higher availability, design:

  • Two ExpressRoute circuits
  • Possibly in different peering locations
  • Connected to different service providers

This protects against:

  • Provider failure
  • Location-level failure

Exam scenario example:

If the requirement says:

  • Survive entire peering location outage → Use multiple circuits.

4.4 Active-Active Design

You can:

  • Connect a VNet to two ExpressRoute circuits
  • Use BGP for dynamic routing

This enables:

  • Load sharing
  • Automatic failover

BGP (Border Gateway Protocol) is used to exchange routing information dynamically.

Key exam point:
ExpressRoute uses BGP for route advertisement.
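An added example, not from the course material, that puts sections 4.2 to 4.4 together: a zone-redundant gateway (ErGw3AZ) in a hub VNet, connected to two circuits in different peering locations, with both connections active and a connection weight marking the preferred circuit. The VNet, circuits, resource group, names and weights are assumptions; the circuits are assumed to be already provisioned.

```powershell
# Added example (not from the course text): a zone-redundant ExpressRoute gateway (ErGw3AZ)
# connected to two circuits in different peering locations, active-active through BGP, with
# connection weight marking the preferred circuit. All names and values are assumptions.

$rg       = "rg-expressroute-demo"
$location = "westeurope"

# 1. Zone-redundant gateways need a Standard SKU public IP spread across zones 1, 2 and 3.
$pip = New-AzPublicIpAddress -Name "pip-ergw-westeu" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard -Zone 1,2,3

# 2. The gateway goes into the VNet's GatewaySubnet (the subnet must be named exactly that).
$vnet   = Get-AzVirtualNetwork -Name "vnet-hub-westeu" -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "ergw-ipconfig" `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

$gw = New-AzVirtualNetworkGateway -Name "ergw-westeu-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType ExpressRoute -GatewaySku ErGw3AZ

# 3. Two circuits, two peering locations (and ideally two carriers), so a single site outage or
#    a single provider outage does not take both paths down.
$cktA = Get-AzExpressRouteCircuit -Name "er-ckt-amsterdam" -ResourceGroupName $rg
$cktB = Get-AzExpressRouteCircuit -Name "er-ckt-frankfurt" -ResourceGroupName $rg

# 4. Both connections are active; BGP learns the on-premises prefixes over both.
#    RoutingWeight breaks ties for traffic leaving Azure: the higher weight is preferred
#    (default 0). Here Amsterdam is preferred; Frankfurt carries traffic on failure, or for
#    prefixes that only Frankfurt advertises.
New-AzVirtualNetworkGatewayConnection -Name "conn-hub-amsterdam" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -PeerId $cktA.Id -ConnectionType ExpressRoute -RoutingWeight 100

New-AzVirtualNetworkGatewayConnection -Name "conn-hub-frankfurt" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -PeerId $cktB.Id -ConnectionType ExpressRoute -RoutingWeight 10

# 5. Confirm the gateway SKU is the zone-redundant one and both connections came up.
(Get-AzVirtualNetworkGateway -Name "ergw-westeu-hub" -ResourceGroupName $rg).Sku.Name
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object ConnectionType -eq "ExpressRoute" |
    Select-Object Name, ConnectionStatus, RoutingWeight
```

The weight only influences the Azure-to-on-premises direction. Which circuit on-premises traffic uses towards Azure is decided by the on-premises routers (for example with AS path prepending or local preference), which is the point section 5.2 makes.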


5. Designing ExpressRoute for Disaster Recovery (DR)

Disaster Recovery means:

  • Workloads run in a secondary region
  • If primary region fails, traffic moves to secondary

5.1 Multi-Region DR Architecture

Common design:

  • Primary VNet in Region A
  • Secondary VNet in Region B
  • Both connected to ExpressRoute

Options:

Option 1: Single Circuit + Premium

  • Connect both VNets
  • Use global VNet peering between regions
  • On-prem can reach both regions

Option 2: Separate Circuits Per Region

  • Circuit 1 → Region A
  • Circuit 2 → Region B

This provides stronger isolation and redundancy.

Exam tip:
If maximum resiliency is required → Use separate circuits.


5.2 Routing for DR

In DR design:

  • BGP controls route preference
  • You can influence traffic path using:
    • AS Path prepending
    • Local preference

Failover can be:

  • Automatic (BGP detects failure)
  • Manual (administrative control)
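An added example, not from the course material, of what “routing for DR” looks like operationally: reading the routes BGP has learned over each circuit and each link, checking the BGP session state, and performing a controlled (manual) failover from the Azure side by changing connection weights. Circuit and connection names and the resource group are assumptions. AS path prepending and local preference are configured on the on-premises router, not in Azure, so they are not shown.

```powershell
# Added example (not from the course text): inspect what BGP has learned over each circuit and
# perform a controlled (manual) failover from Azure's side by changing connection weights.
# Names are assumptions. AS path prepending and local preference live on the on-premises router.

$rg = "rg-expressroute-demo"

# 1. Routes learned on the Microsoft edge from your on-premises router, per circuit and per link.
#    A prefix missing on one circuit will not be reachable after failover to that circuit.
foreach ($cktName in "er-ckt-amsterdam", "er-ckt-frankfurt") {
    foreach ($path in "Primary", "Secondary") {
        Write-Host "== $cktName / $path link =="
        Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $cktName `
            -PeeringType AzurePrivatePeering -DevicePath $path |
            Select-Object Network, NextHop, LocPrf, Weight, Path
    }
}

# 2. BGP session state per link. StatePfxRcd should show a prefix count (session established)
#    on both the primary and the secondary link; a state name instead of a number means it is down.
foreach ($path in "Primary", "Secondary") {
    Get-AzExpressRouteCircuitRouteTableSummary -ResourceGroupName $rg `
        -ExpressRouteCircuitName "er-ckt-amsterdam" -PeeringType AzurePrivatePeering -DevicePath $path |
        Select-Object Neighbor, As, UpDown, StatePfxRcd
}

# 3. Manual failover (administrative control): swap the preferred egress circuit.
#    Higher RoutingWeight wins for traffic leaving Azure; BGP failover still happens
#    automatically if the preferred circuit's sessions drop.
function Set-PreferredCircuit {
    param([string]$PreferredConnection, [string]$StandbyConnection)
    $plan = @(
        @{ Name = $PreferredConnection; Weight = 100 },
        @{ Name = $StandbyConnection;   Weight = 10 }
    )
    foreach ($item in $plan) {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $item.Name -ResourceGroupName $rg
        $conn.RoutingWeight = $item.Weight
        Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn | Out-Null
    }
}

# Planned DR exercise: make Frankfurt the preferred path and keep Amsterdam as standby.
Set-PreferredCircuit -PreferredConnection "conn-hub-frankfurt" -StandbyConnection "conn-hub-amsterdam"
```

Run step 1 before any planned failover: the most common DR surprise is a prefix that is advertised over the primary circuit only, so it disappears the moment traffic moves to the secondary.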

5.3 Combining ExpressRoute and VPN for Backup

You can design:

  • ExpressRoute as primary
  • Site-to-Site VPN as backup

Azure supports:

  • Active-active VPN gateway mode
  • ExpressRoute + VPN coexistence

If ExpressRoute fails:

  • VPN automatically becomes active

Exam scenario:
If question says “backup over internet” → Use VPN as secondary.
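An added example, not from the course material, of the coexistence design in section 5.3: a route-based Site-to-Site VPN gateway placed in the same GatewaySubnet as an existing ExpressRoute gateway, with an IPsec tunnel to the on-premises VPN device as the internet backup path. The VNet, gateway names, on-premises address space, the device address (a TEST-NET-3 documentation address) and the resource group are assumptions.

```powershell
# Added example (not from the course text): add a Site-to-Site VPN gateway to the same hub VNet as
# an existing ExpressRoute gateway (coexistence) so the internet path is a backup. Names, address
# spaces and the on-premises VPN device address are assumptions.

$rg       = "rg-expressroute-demo"
$location = "westeurope"

# 1. Coexistence needs both gateways in the same GatewaySubnet, and that subnet must be /27 or larger.
$vnet   = Get-AzVirtualNetwork -Name "vnet-hub-westeu" -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$prefixLen = [int]((@($subnet.AddressPrefix)[0] -split "/")[1])
if ($prefixLen -gt 27) {
    throw "GatewaySubnet is /$prefixLen; ExpressRoute + VPN coexistence needs /27 or larger."
}

# 2. Confirm the ExpressRoute gateway is already in this subnet (the path we are backing up).
$erGw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
    Where-Object { $_.GatewayType -eq "ExpressRoute" -and $_.IpConfigurations[0].Subnet.Id -eq $subnet.Id }
if (-not $erGw) { throw "No ExpressRoute gateway found in the GatewaySubnet of $($vnet.Name)." }

# 3. Route-based VPN gateway in the same subnet (route-based is required for coexistence).
$vpnPip = New-AzPublicIpAddress -Name "pip-vpngw-westeu" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard -Zone 1,2,3
$vpnIp  = New-AzVirtualNetworkGatewayIpConfig -Name "vpngw-ipconfig" `
    -SubnetId $subnet.Id -PublicIpAddressId $vpnPip.Id
$vpnGw  = New-AzVirtualNetworkGateway -Name "vpngw-westeu-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $vpnIp -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2AZ

# 4. The on-premises VPN device and the prefixes reachable through it (same prefixes the
#    ExpressRoute circuit advertises, so the VPN can take over for them).
$lng = New-AzLocalNetworkGateway -Name "lng-onprem-dc1" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix "10.100.0.0/16"   # assumed values

# 5. IPsec tunnel. The pre-shared key is prompted for, not stored in the script.
$psk = Read-Host "Pre-shared key for conn-vpn-backup-dc1"
New-AzVirtualNetworkGatewayConnection -Name "conn-vpn-backup-dc1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# 6. Both gateways should now sit in the one subnet; the tunnel should report Connected.
Get-AzVirtualNetworkGateway -ResourceGroupName $rg | Select-Object Name, GatewayType, VpnType
(Get-AzVirtualNetworkGatewayConnection -Name "conn-vpn-backup-dc1" -ResourceGroupName $rg).ConnectionStatus
```

When the same prefix is reachable over both paths, the ExpressRoute route is preferred, so the tunnel stays up but idle; when the ExpressRoute routes are withdrawn, the VPN routes are the ones left and traffic moves to the tunnel. That is the mechanism behind “VPN automatically becomes active”.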


6. Important Design Patterns for AZ-700

6.1 Hub-and-Spoke with ExpressRoute

  • ExpressRoute gateway deployed in Hub VNet
  • Spoke VNets connected via VNet peering
  • On-prem connects to Hub
  • Hub routes to spokes

This reduces:

  • Cost
  • Number of gateways
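An added example, not from the course material, of the hub-and-spoke pattern: the single ExpressRoute gateway in the hub is shared with spoke VNets through VNet peering gateway transit. The hub, spoke and resource group names are assumptions; the hub is assumed to already contain the ExpressRoute gateway, and the spokes must have no gateway of their own.

```powershell
# Added example (not from the course text): hub-and-spoke with one ExpressRoute gateway in the
# hub. Spokes reach on-premises through the hub's gateway via VNet peering gateway transit, so no
# gateway (and no extra circuit connection) is needed per spoke. Names are assumptions.

$rg  = "rg-expressroute-demo"
$hub = Get-AzVirtualNetwork -Name "vnet-hub-westeu" -ResourceGroupName $rg

foreach ($spokeName in "vnet-spoke-app", "vnet-spoke-db") {
    $spoke = Get-AzVirtualNetwork -Name $spokeName -ResourceGroupName $rg

    # Hub side: allow peered VNets to use this VNet's gateway.
    Add-AzVirtualNetworkPeering -Name "hub-to-$spokeName" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

    # Spoke side: use the hub's gateway. Fails if the spoke has its own gateway.
    Add-AzVirtualNetworkPeering -Name "$spokeName-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null
}

# Check: each peering should be Connected; the hub side shows AllowGatewayTransit = True and
# the spoke side shows UseRemoteGateways = True.
foreach ($vnetName in "vnet-hub-westeu", "vnet-spoke-app", "vnet-spoke-db") {
    Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetName -ResourceGroupName $rg |
        Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
}
```

Once the spoke peering has UseRemoteGateways set, the spoke’s address space is advertised to on-premises over the circuit together with the hub’s. Peering is not transitive, so spoke-to-spoke traffic does not pass through the hub by itself; that needs either direct spoke peering or a hub firewall/NVA with user-defined routes.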

6.2 ExpressRoute with Azure Virtual WAN

Azure Virtual WAN supports:

  • ExpressRoute integration
  • Multi-region connectivity
  • Centralized routing

Used for:

  • Large enterprises
  • Many branch offices
  • Global connectivity

Exam tip:
If question mentions simplified global network architecture → Virtual WAN may be correct.


7. Bandwidth and Performance Design

When designing:

  • Choose correct bandwidth (50 Mbps–100 Gbps)
  • Consider:
    • Application traffic
    • Backup traffic
    • Replication traffic

DR replication between regions may require high bandwidth.

Latency considerations:

  • Cross-region latency affects performance.
  • Choose closest peering location to your on-premises site.

8. Security Considerations

ExpressRoute:

  • Is private but not encrypted by default.

You may:

  • Add IPsec over ExpressRoute
  • Use Azure Private Link
  • Use Network Security Groups (NSGs)

For highly sensitive data:

  • Encryption may be required.

9. Key Exam Points Summary (Very Important)

For AZ-700, remember:

  1. ExpressRoute circuit includes dual redundancy.
  2. Premium add-on required for global connectivity.
  3. Use AZ gateways for zone-level resiliency.
  4. Use multiple circuits for maximum redundancy.
  5. BGP handles routing and failover.
  6. ExpressRoute + VPN coexistence is supported.
  7. Hub-and-spoke is a common design pattern.
  8. Virtual WAN integrates with ExpressRoute.
  9. DR across regions may require Premium SKU.
  10. ExpressRoute is private but not encrypted by default.

10. How to Approach Exam Questions

When you see a question:

Step 1: Identify requirement:

  • Cross-region?
  • Global?
  • Zone failure protection?
  • Provider failure?
  • DR failover?
  • Backup over internet?

Step 2: Choose design:

  • Single circuit?
  • Multiple circuits?
  • Premium?
  • AZ gateway?
  • VPN backup?

Step 3: Weigh cost against the resiliency requirement.


Final Understanding

Designing ExpressRoute for cross-region connectivity, redundancy, and disaster recovery means:

  • Connecting multiple Azure regions securely
  • Ensuring no single point of failure
  • Providing automatic failover
  • Supporting global connectivity when required
  • Planning bandwidth and routing correctly

If you fully understand:

  • Circuits
  • Gateways
  • Premium add-on
  • BGP routing
  • Redundancy patterns
  • DR architecture

You are well-prepared for this section of the AZ-700 exam.
