2.3 Azure ExpressRoute
📘Microsoft Azure Networking Solutions (AZ-700)
When working with Azure ExpressRoute, one of the most important skills for the AZ-700 exam is knowing how to troubleshoot connectivity problems.
ExpressRoute provides a private, dedicated connection between your on-premises network and Microsoft Azure. Because it is a private connection (not over the public internet), troubleshooting is different from VPN troubleshooting.
In this section, you will learn:
- Common ExpressRoute connectivity issues
- How to diagnose circuit problems
- How to troubleshoot BGP issues
- How to troubleshoot VNet connection issues
- Tools used for monitoring and diagnostics
- Step-by-step troubleshooting methodology
Everything is explained in simple English so that even beginners can understand.
1. Understand the ExpressRoute Components
Before troubleshooting, you must clearly understand the components involved.
An ExpressRoute setup includes:
- ExpressRoute Circuit
- Service Provider or ExpressRoute Direct
- Peering (Private or Microsoft)
- BGP configuration
- ExpressRoute Gateway in Azure
- Virtual Network (VNet)
- On-premises router
If connectivity fails, the issue can occur at any of these layers.
2. Common ExpressRoute Connectivity Issues
For the AZ-700 exam, you must know the most common problems:
1. Circuit Not Provisioned Properly
- Circuit shows as “Not Provisioned”
- Service provider not completed configuration
2. BGP Session Down
- BGP peering not established
- ASN mismatch
- Wrong IP configuration
- Incorrect MD5 key
3. Incorrect Route Advertisement
- Routes not being advertised
- Incorrect route filtering
- Default route missing
- Overlapping address spaces
4. ExpressRoute Gateway Issues
- Gateway not deployed
- Wrong gateway SKU
- Gateway provisioning failed
5. VNet Not Connected
- VNet not linked to circuit
- Authorization key missing
- Wrong subscription
6. Routing Conflicts
- UDR (User Defined Routes) conflict
- Azure Firewall route override
- Network Virtual Appliance (NVA) misconfiguration
7. Asymmetric Routing
Traffic goes to Azure but return path is different.
3. Step-by-Step Troubleshooting Method
For the exam, follow this structured troubleshooting approach:
Step 1: Check Circuit Status
Go to the Azure portal:
ExpressRoute Circuit → Overview
Verify:
- Circuit status = Enabled
- Provider status = Provisioned
- Peering status = Enabled
If provider status is not provisioned:
- Contact service provider.
Step 2: Check Peering Configuration
Check if:
- Azure private peering is configured correctly.
- VLAN ID matches provider configuration.
- Primary and secondary peer subnets are correct.
- ASN values are correct.
Common exam trap:
- Private ASN used incorrectly.
- Microsoft ASN is wrong.
Step 3: Verify BGP Status
Check BGP session:
- Is BGP connected?
- Are routes being learned?
If BGP is down, check:
- ASN mismatch
- Wrong peer IP
- Incorrect subnet mask
- MD5 key mismatch
- Firewall blocking TCP port 179
BGP uses TCP port 179.
If port 179 is blocked, BGP will not establish.
Step 4: Verify Route Advertisement
Check:
- Are routes being received from on-premises?
- Are Azure routes advertised back?
You can check this under:
ExpressRoute Circuit → Peering → Route tables
Common problems:
- Overlapping IP ranges
- Default route (0.0.0.0/0) not advertised
- Route filtering enabled incorrectly
Step 5: Check ExpressRoute Gateway
Go to:
Virtual Network → Gateway
Verify:
- Gateway status = Succeeded
- Gateway type = ExpressRoute
- Correct SKU selected
Common issue:
Using VPN Gateway instead of ExpressRoute Gateway.
ExpressRoute requires a Virtual Network Gateway (ExpressRoute type).
Step 6: Verify VNet Connection
Go to:
ExpressRoute Circuit → Connections
Check:
- Is the VNet connected?
- Is connection status “Connected”?
- Is authorization key valid?
Common mistake:
Trying to connect VNet in different subscription without authorization key.
Step 7: Check Network Security
Check:
- Network Security Groups (NSG)
- Azure Firewall rules
- User Defined Routes (UDR)
Example IT issue:
An enterprise connects their data center to Azure using ExpressRoute. BGP is up, but VMs cannot reach on-premises servers. The issue is:
- A UDR forcing traffic to an NVA.
- The NVA is not configured properly.
4. Monitoring and Diagnostic Tools
For the AZ-700 exam, you must know which tools help in troubleshooting.
1. Azure Portal Monitoring
You can monitor:
- Circuit state
- BGP session state
- Bytes in/out
- Route count
2. Azure Monitor
Use:
- Metrics
- Logs
- Alerts
You can create alerts for:
- BGP down
- Circuit down
- High bandwidth usage
3. Network Watcher
Network Watcher helps diagnose network issues.
Features:
- Connection troubleshoot
- IP flow verify
- Effective routes
- Next hop
- Packet capture
Very important for the exam.
Example:
If VM cannot reach on-premises server:
- Use Connection Troubleshoot.
- Check Effective Routes.
- Verify Next Hop.
4. ExpressRoute Diagnostics
In Azure Portal:
ExpressRoute → Diagnose and Solve Problems
This tool automatically checks:
- Circuit status
- BGP status
- Configuration issues
Exam tip:
Know that Azure provides built-in diagnostics.
5. Troubleshooting Scenarios for Exam
You may get scenario-based questions.
Scenario 1: BGP Not Establishing
Possible causes:
- ASN mismatch
- Wrong peer IP
- VLAN mismatch
- TCP 179 blocked
Solution:
Fix configuration on both Azure and on-prem router.
Scenario 2: No Route to Azure VM
Possible causes:
- Route not advertised
- UDR overriding route
- Incorrect gateway SKU
Solution:
Check route table and gateway.
Scenario 3: Circuit Up but No Traffic
Possible causes:
- Peering not configured
- VNet not connected
- NSG blocking traffic
Scenario 4: Overlapping IP Address Space
Azure will not advertise routes if:
- On-prem IP range overlaps with VNet IP range.
Solution:
Change address space.
Scenario 5: Asymmetric Routing
Traffic goes from on-prem to Azure via ExpressRoute, but returns via VPN or internet.
This causes connection failure.
Solution:
Ensure proper route advertisement and no conflicting routes.
6. High Availability and Redundancy Issues
ExpressRoute circuits use:
- Primary link
- Secondary link
If primary fails:
- Secondary should take over automatically.
If failover not happening:
- Check BGP configuration
- Check provider side redundancy
- Check routing preferences
7. Important Exam Concepts to Remember
For AZ-700, remember:
- ExpressRoute uses private connectivity.
- BGP is mandatory.
- TCP port 179 must be open.
- Both primary and secondary BGP sessions should be up.
- Gateway must be ExpressRoute type.
- Overlapping IP addresses cause routing problems.
- UDR and NSG can break connectivity.
- Route filters affect Microsoft peering.
- Authorization key required for cross-subscription VNet connection.
8. Quick Troubleshooting Checklist (Exam Friendly)
When ExpressRoute is not working, check in this order:
- Circuit provisioned?
- Peering enabled?
- BGP up?
- Routes advertised?
- Gateway deployed?
- VNet connected?
- NSG/UDR issues?
- Overlapping IP ranges?
- Asymmetric routing?
9. Summary
To pass this section of AZ-700, you must:
- Understand every ExpressRoute component.
- Know how BGP works in ExpressRoute.
- Identify common connectivity failures.
- Use Azure tools like Network Watcher and Azure Monitor.
- Follow structured troubleshooting steps.
- Recognize scenario-based exam traps.
If you understand:
- Circuit
- Peering
- BGP
- Gateway
- Routes
- Monitoring tools
Then you can confidently diagnose and resolve ExpressRoute connectivity issues in the AZ-700 exam.
