Category: Education

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 9: Improve Data Path Performance Between Networks with ExpressRoute FastPath

FastPath is intended to improve path performance between on-prem and virtual network. Enabling has FastPath send traffic straight to VMs bypassing the gateway

• Circuits
  • FastPath is available on all ExpressRoute Circuits

• Gateways
  • FastPath still needs Virtual Network Gateway to exchange route between virtual and on-prem networks

• Gateway requirements for ExpressRoute FastPath
  • Configuration – Virtual Network Gateway must be
    • Ultra-Performance
    • ErGw3AZ
      • If planned use for IPv6 private peering must be this SKU only available for ExpressRoute Direct circuits
  • Limitations
    • Does not support
      • UDR on gateway subnet: UDR has 0 impact on traffic FastPath sends from on-prem to VMs in a VNet
      • Private link: If connecting private endpoint in VNet to on-prem it goes through virtual network gateway

• Configure ExpressRoute FastPath
  • Requirements/Worekflow
    • Active ExpressRoute Circuit required
    • Follow instruction for ExpressRoute circuit and have provider enable
    • Make sure Azure private peering configured for circuit
    • Make sure Azure private peering configured and successful BGP between network and MS
    • Make sure VNet and Virtual Network Gateway fully provisioned using GatewayType ‘ExpressRoute’
    • Possible to link up to 10 VNets on standard SKU. All VNets in same geopolitical region when using standard
    • Single VNet links up to 16 ExpressRoute Circuits
    • If ExpressRoute premium, can link VNets outside of geopolitical region of circuit.
      • Allows for more than 10 VNets based on chosen bandwidtch
    • To create from ExpressRoute Circuit to target ExpressRoute Virtual Network Gateway
      • Address spaces advertised from local/peered VNet must be = or < 200
      • Once success can add up to 1000 address spaces

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 8: Connect Geographically Dispersed Networks with ExpressRoute Global Reach

• Use cross-region connectivity to link multiple ExpressRoute Locations
  • Various ways to design/implement ExpressRoute based on org requirements
  • ExpressRoute connections allow access to
    • Microsoft Azure Services
    • Microsoft 365 Services
  • Connecity to all regions in geopolitical region
    • Connect MS in one peering location and access regions in same geopolitical region
  • Global connectivity with ExpressRoute Premium
    • Enable premium to extend across geopolitical boundaries
  • Local connectivity with ExpressRoute Local
    • Transfer data costly using Local SKU
      • Bring data to ExpressRoute near Azure region desired
      • Data transfer included in ExpressRoute port charge
  • Across on-prem connectivity using Global Reach
    • Enable ExpressRoute Global Reach to exchange across on-prem sites via connecting ExpressRoute Circuits
    • Connect private DCs together through two ExpressRoute Circuits
    • Cross DC traffic uses MS network
  • Rich partner connection ecosystem
    • Refer to ExpressRoute partners and peering locations
  • Connectivity to national clouds
    • MS operates isolate clouds for special geopolitical regions and customer segments
  • ExpressRoute Direct
    • Provides opp to connect direct to MS Global Network using peering locations.
    • Offers dual 100Gbps connectivity in active/active
    • Is private/resilient connection of on-prem to MS Cloud
    • Can access services e.g. Azure and MS 365 from corp DC

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 7: Connect an ExpressRoute Circuit to a Virtual Network

ExpressRoute circuits are logical connections between on-prem (or colo) and MS Cloud Services through a provider. Possible to order multiple ExpressRoute circuits with each in the same or difference regions connecting to on-prem via different providers. They don’t map to physical entities. Use a standard GUID: services key (s-key)

• Connect a virtual network to an ExpressRoute circuit
  • Must have active ExpressRoute Circuit
  • Verify Azure private peering configured on circuit
  • Verify Azure private peering establishes BGP between network and MS
  • Verify VNet and Virtual Network Gateway created and fully provisioned (virtual network gateway for ExpressRoute is GatewayType ‘ExpressRoute’
  • Up to 10 VNets linked on standard ExpressRoute circuit
    • All in same geopolitical region when using standard ExpressRoute
  • VNet link to max of 16 ExpressRoute circuits
    • Same subscription, different subscription, or combo
  • If ExpressRoute premium add-on
    • Can link VNet outside of geopolitical region of ExpressRoute circuit
    • Allows more than 10 VNets to ExpressRoute circuit based on bandwidth selected
  • Creating connection to ExpressRoute Circuit target ExpressRoute Virtual Network Gateway address spaces advertised from local to peer VNets = or < 200. Once successfully create can add other addr space up to 1000 to local or peered VNets

• Add a VPN to an ExpressRoute Deployment
  • For secure encrypted connection between on-prem and Azure VNets over ExpressRoute private connection. Use MS peering for Site-toSite Ipsec/IKE VPN between on-prem and Azure VNets. Create secure tunnel over ExpressRoute for confidentiality, anti-replay, authenticity, integrity.
  • When Site-to-Site over MS peering – charges for VPN gateway and egress
  • Can enable HA/Redundancy over multiple tunnels via the 2 MSEE-PE pairs of circuit and enable load balancing
  • Tunnels over MS Peering terminate either VPN Gateway or NVA through Azure Marketplace
    • Can exchange routes statically or dynamically over tunnels
    • Use BGP (difference then BGP session for MS peering) used
  • For on-prem side, MS peering typically terminate on DMZ and private peering terminates on core.
    • Two zones segregated using FW
    • If MS peering exclusively filter through public IP’s of interest
  • Steps
    • Configure MS peering for ExpressRoute Circuit
    • Advertise select Azure regional public prefixes to on-prem over MS peering
    • Configure VPN gateway to establish Ipsec tunnels
    • Configure on-prem VPN device
    • Create Site-to-Site Ipsec/IKE connection
    • Optionally: Config FW/Filtering on on-prem device
    • Test/Validate Ipsec communication over circuit

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 6: Configure Peering for an ExpressRoute Deployment

• Create Peering Configuration
  • Configure private or microsoft peering for ExpressRoute circuit
    • Configure in any order
    • Complete one at a time
  • Must have active ExpressRoute circuit
    • Must be in provisioned and enabled state
  • If using shared key/MD5 hash use on both sides
    • Max 25 alphanumeric
    • Special Characters not supported

• Choose between private, microsoft, or both for peering options. (Table below from MS Learn)
  • 
  • Enable one or more routing domains as part of ExpressRoute Circuit
  • All routing domains can be put on same VPN if combining into single routing domain is desired
  • Recommended config: private peering connected directly to network core, MS peering connected to DMZ
  • Each peering require individuals BGP sessions (one pair per peer type)
    • BGP session pairs offer HA link
  • If L2 connectivity provider you own configuring and managing routing
  • Note: IPv6 is in public preview: follow MS IPv6 for Azure VNet for guidelines

• Configure Private Peering
  • Azure services – VMs and cloud services in a VNet – can be connected through private peering
  • Private peering domain is trusted extension of core network into Azure
  • Can create bi-directional connection between core and Azure VNets
  • Allows connection to VMs and cloud services over private Ips
  • Connect one or more VNets to private peering domain. Limits found at Azure Subscription and Service Limits, Quotas, and Constraints

• Configure Microsoft Peering
  • Connection to MS Online Services (MS 365, Azure PaaS) through MS peering
  • Offers bidirectional connectivity between WAN and MS cloud services
  • Must connect MS Cloud Services ONLY over public IP’s you or your provider own

• Configure route filters for MS Peering
  • Route filters used to consume subset of services via MS peering
  • MS 365 such as Exchange online, sharepoint online, skype for business accessible via MS peering
  • By default all services advertised via BGP session on ExpressRoute circuit
  • BGP community is attached to each prefix for indentification
  • Possible to limit prefixes added to route table
    • Filter unwanted prefixes using route filters on communities
    • Define route filters and apply to ExpressRoute Circuit
      • New resource letting you select list of services
      • ExpressRoute routers only send list of prefixes belonging to identified services in filter
  • When MS Peering on ExpressRoute circuit BGP comes up
    • By default no routes advertised to your network until route filter associated
  • Route filter identifies services you want through ExpressRoute MS Peering
    • An allow list of BGP communities
    • Once created and applied matching community routes get advertised to you
  • To attach route filter, authorization for MS 365 services via ExpressRoute required

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 5: Exercise – Provision an ExpressRoute Circuit

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

• Task 1: Create and provision an ExpressRoute circuit
  • Search and click ExpressRoute Circuits in Azure Portal
  • Click Create
    • Click Create New under the Resource group dropdown
      • Enter a name and click OK
    • Select a region from the dropdown
    • Provide a name under the Instance details section
    • Click Next : Configuration >
    • Under Configuration Tab
      • Pick a Provider from the dropdown
      • Pick a Peering location from the dropdown
      • Pick a bandwidth from the dropdown
      • Click Review + create
      • Once validated click create
• Task 2: Retrieve your Service key
  • Search and select ExpressRoute Circuits in Azure portal
  • Click the newly created circuit
  • Note down the Service key as the provider will need it (copy button next to key)
• Task 3: Deprovisioning an ExpressRoute circuit
  • Service provider will deprovision circuit upon request
  • Navigate to the ExpressRoute Circuit in Azure Portal
  • Verify Provider status as not provisioned
  • Click Delete – Deleted will stop billing
  • Confirm Yes

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 4: Exercise – Configure an ExpressRoute Gateway

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

• Task 1: Create the virtual network and gateway subnet
  • Navigate to Virtual Networks in Azure Portal
  • Click Create
    • Select Create new under Resource group dropdown
      • Enter name
      • Select OK
    • Enter Name under Instance Details
    • Select Next : IP Addresses >
      • Delete existing default address space (trash can icon next to addr range
      • Add new addr range
      • Select Add subnet
        • In right panel add subnet name
        • In right panel add subnet addr range
        • In right panel click Add
    • Select Review + create
    • Once validated select Create
• Task 2: Create the virtual network gateway
  • Search and Click Virtual Network Gateways in Azure Portal
  • Click Create
    • Enter Name under Instance details
    • Select ExpressRoute for Gateway type under Instance Details
    • Select VNet from dropdown under Instance details
    • Enter Public Ip address name under Public IP address section
    • Click Review + create
    • Once validated click Create
    • Once complete click Go to resource

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 3: Design an ExpressRoute Deployment

ExpressRoute used to connect on-prem with Azure. Plan decisions prior to deployment of an ExpressRoute Circuit

• ExpressRoute Circuit SKUs
  • Three SKUs have different charges
    • Local SKU
      • Automatically charged Unlimited Data Plan
    • Standard SKU
      • Select Between Metered or Unlimited Data Plan
        • Ingress are free except when using Global Reach
    • Premium SKU
      • Select Between Metered or Unlimited Data Plan
        • Ingress are free except when using Global Reach
  • Use Azure Pricing Calculator to estimate costs

• Choose a Peering Location
  • Azure Region
    • Global DCs housing Azure computer/network/storage resources
    • Resource Location determins Azure DC or availability zone created in
  • ExpressRoute Location (Peering Location)
    • May be called Peering Location or Meet-me-location
    • Colo where MS Enterprise Edge (MSEE) devices live
    • Entry point to MS network – globally distributed allowing connectivity to MS network around the world
    • Where ExpressRoute partners and ExpressRoute Direct customers cross-connect to MS network
  • Azure regions to ExpressRoute location in geopolitical region
    • Check up to date link to these via Azure regions to ExpressRoute locations MS maintained page
  • ExpressRoute Connectivity Provider
    • Check MS maintained page Service providers by location
  • Connectivity through Exchange providers
    • If connectivity provider not listed in above, still able to create connection
    • Several providers already connected to Eth exchanges
  • Connectivity through satellite operators
    • Remote and no fiber
    • Want to explore other options
    • Other options
      • Other service providers
      • DC providers
      • National Research and Education Networks (NERN)
      • System integrators

• Choose the Right ExpressRoute Circuit and Billing Model
  • MS various Express Route options based on desired bandwidth. Evaluate current usage as a starting point
  • Deterring ExpressRoute based on requirements: keep in mind budge/SLAs
  • Choose appropriate SKU and if applicable Metered vs Unlimited within the SKU
  • Consider ExpressRoute Direct
    • Connects network to closet MS Edge which connects to MS Global Network
    • Usage of Global MS Network charged on top of ExpressRoute Direct
  • Express Route pricing for metered and unlimited bandwidth details
  • Available in range of bandwidths – check with provider for what they support

• Choose a billing model
  • Unlimited
    • Billing based monthly
    • All Inbound/Outbound included
  • Metered
    • Billing based on monthly fee. Inbound free, Outbound per GB
    • Rates vary by region
  • ExpressRoute Premium add-on
    • Additional Capabilities
      • Increased route limits for Azure public/private peering from 4k to 10k routes
      • Global connectivity for services. Circuit in any region (exclude national clouds) has access to resource in any other region
      • Increased VNet links per ExpressRoute circuit from 10 based on bandwidth

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 2: Explore Azure ExpressRoute

ExpressRoute extends on-prem to Microsoft cloud via private connection with assistance of a provider. Creates connections to MS Cloud Services like Azure and MS 365. It can be any-to-any (IP VPN), point-to-point Ethernet, or virtual cross-connect through provider colo. Since no internet ExpressRoute connections are more reliable, faster, latency consistent, higher security.

• ExpressRoute Capabilities
  • Key benefits
    • L3 connection between on-prem and MS Cloud via provider
    • Can be any-to-any (IPVPN), Point-to-Point Ethernet, Virtual Cross-Connect through an Ethernet Exchange
    • Connection to MS Cloud Services over all regions in a geopolitical region
    • Global connectivity to MS across all regions (with ExpressRoute premium)
    • Built-in redundancy in every peering location
  • Used to create private connectivity between Azure DC/infrastructure on-prem or a colo
  • Increased reliability, speed, and lower latency since it doesn’t go over the internet

• Understand Use Cases for Azure ExpressRoute
  • Faster/Reliable connection to Azure
    • Not reliant on internet
    • Can be cheaper for on-prem or colo facility data transfer to Azure
  • Storage/Backup/Recovery
    • Gast Reliable connection to Azure
    • Bandwidths up to 100 Gbps
    • Great for periodic data migration/replication/DR/addition HA strategy
  • Extend DC Capabilities
    • Connect and add computer/storage capacity to existing DCs
    • High throughput and low latencies feel like natural extension
  • Predictable/reliable/high throughput connectivity
    • Build apps that span on-prem and Azure without compromising privacy/performance
    • Example run intranet app in Azure with auth against on-prem AD
    • Corp customers don’t have to route over public internet

• ExpressRoute Connectivity Models
  • Many models available for on-prem/colo to the cloud in Azure. Examples
    • Co-location at Cloud Exchange
      • Facility with cloud exchange virtual cross-connects to MS cloud from providers Ethernet exchange
      • Colo provider offer either L2 or managed L3 cross connection between infrastructure and MS Cloud
    • Point-to-Point Ethernet
      • Provider can offer L2 or L3 between on-prem and MS Cloud
    • Any-to-Any (IPVPN)
      • Provider offer any-to-any between branch offices and DCs
      • MS Cloud can be interconnected to your WAN to look as a branch office
      • WAN provider typically offer manage L3
    • Direct from ExpressRoute
      • Dual 100 GbPS or 10Gbps
      • Active/Active at scale

• Design Consideration for ExpressRoute Deployments
  • Choose model based on key considerations
    • ExpressRoute Direct
      • Connects direct to MS global network at peering location (distributed around world)
      • Dual 100 or 10 Gbps
      • Active/Active
      • Can work with any SP for ExpressRoute Direct
      • Features
        • Massive Data Ingest into services E.g. Storage and Cosmos DB
        • Physical isolation for regulated industries E.g. Bank, Gov, Retail
        • Granular control of circuit distribution per business unit
      • ExpressRoute Direct vs. Service Provider (Table from MS Learn)
        • 

• Design Redundancy for an ExpressRoute deployment
  • Two ways to plan redundancy
    • Configure ExpressRoute and Site-to-Site coexisting
      • Advantages
        • Secure failover path for ExpressRoute
        • Connect to sites not connected through ExpressRoute
        • Zero downtime when adding new gateway or gateway connection
      • Network Limits and limitations
        • Route-Based VPN gateways only
        • ASN of Azure VPN Gateway must be 65515
        • Gateway subnet must be /27 or shorter
        • Dual stack VNet not supported
    • Create zone redundant virtual network gateway in Azure Availability Zones
      • VPN and ExpressRoute gateways can be deployed in Availability Zones
      • This physically and logically separates gateways in a region
      • Protects on-prem to Azure from zone-level failures
      • Zone-redundant gateways
        • Automatically deploy virtual network gateways across availability zones by using zone-redudant virtual gateways.
        • These benefit from zone-resiliency for mission critical services in Azure
      • Zonal Gateways
        • Used to. Deploy gateway in specific zone
        • When deployed, all instance deployed in same Availability Zone
      • Gateway SKUs
        • SKUs similar to corresponding existing SKKUs for ExpressRoute and VPN Gateway
        • Exception: they are specific SKU’s identifiable by AZ in SKU name
      • Public IP SKUs
        • Both Zone-redundant and Zonal GW require Azure Public IP resource Standard

• Configure a Site-to-Site VPN as a Failover Path for ExpressRoute
  • Applies only to VNets linked to Azure private peering path
  • No VPN-based failover for services reachable through Azure MS Peering
  • ExpressRoute circuit always primary
  • Data through Site-to-Site VPN only if ExpressRoute circuit failure
  • Avoid asymmetrical routing, local config should also prefer ExpressRoute over Site-to-Site path
  • Set higher local pref to ExpressRoute received routes

Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 8: Create a Network Virtual Appliance (NVA) in a Virtual Hubct Devices to Networks with Point-to-Site VPN Connections

A benefit of Azure Virtual WAN is support for reliable connections from many different technologies. E.g.:

• ExpressRoute
• VPN Gateway
• Barracuda CloudGen WAN
• Cisco Cloud OnRamp for multicloud
• VMware SD-WAN

These are known as NVAs and are deployed directly into a Virtual WAN Hub with an externally facing public IP. This enables customers to connect branch Customer Premises Equipment (CPE) to the same brand NVA in the hub to maintain advantage of SD-WAN capabilities. Once VNets are connected to hub, NVA allows transitive connectivity throughout the Virtual WAN

• Manage an NVA in a Virtual Hub
  • NVA available in Azure Marketplace can be directly deployed into virtual hub only
  • Each is a Managed Application allowing Azure Virtual WAN to manage its configuration
  • Cannot be deployed within arbitrary VNets
  • Process for deployment
    • Choose NVA Offer
    • Azure Marketplace Managed App
      • Choose Deployment Settings
      • Choose Agg Capacity
    • NVA VM deployed in Virtual Hub
    • Subscription Resources
      • Managed Resource Group – Net Virtual Appliance ARM resource
      • Customer Resource Group – App Resource

• Deploy an NVA in your Virtual Hub
  • Deploying an NVA in your virtual hub you access Azure Marketplace through the portal and select the Manage Application for the NVA partner desired
  • Two Resource Groups are created in subscription when NVA created in Virtual WAN Hub
    • Customer Resource Group
      • Contains app placeholder for Managed Application. Partners can use RG to expose customer chosen properties
    • Managed Resource Group
      • Customers cannot configure/modify resources in this RG directly
  • NVA configured automatically during deployment. Once provisioned cannot access directly
  • Unlike Azure VPN Gateway, no need to create the following for branch site to NVA connectivity (in Virtual WAN Hub
    • Site resources
    • Site-to-Site connection resources
    • Point-to-Site connection resources
  • Hub-to-VNet connections still required for Virtual WAN Hub to VNet connectivity

• Create Network Virtual Appliance in Hub
  • Example based on Barracude CloudGen WAN Gateway (Other vendor products will vary)
    • Locate Virtual WAN Hub created in Azure Portal
    • Find NVA tile and click Create Link
    • Open NVA and choose Barracude CloudGen WAN
    • Click Create
    • Read terms and click Create
    • On Basics Page
      • Chose Subscription from dropdown
      • Chose Resource group from dropdown (one used to deploy Virtual WAN and Hub)
      • Chose Region from dropdown (same as hub)
      • Provide App Name
      • Enter Managed Resource Group
    • Select Next : CloudGen. WAN gateway > button
      • Select Virtual WAN Hub from dropdown
      • Select NVA Infrastructure Units from dropdown
      • Provide Token (required by Barracuda for auth/identification as valid registered user

• NVA Infrastructure Units
  • When NVA created in Virtual WAN Hub this must be chosen
  • Is an aggregate bandwidth capacity for the NVA in the Virtual WAN Hub
  • Similar to VPN Scale Unit when thinking about capacity and sizing
    • One NVA Infra Unit represents 500 Mbps of agg bandwidth for all connecting sites
    • Azure supports 1-80 NVA Infra Units for a given NVA virtual hub deployment
    • Partners may offer different NVA Infra Unit bundles as a subset of all supports NVA Infra Unit configs

Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 7: Create a Virtual WAN by Using the Azure Portal

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

• Task 1: Create a Virtual WAN.
  • Search and Select Virtual WANs in Azure Portal
  • Select Create
    • Choose Resource Group from dropdown
    • Choose Region from dropdown
    • Provide Virtual WAN Name
  • Chose Review + Create > Create after validation
• Task 2: Create a hub by using Azure portal.
  • Navigate to new Virtual WAN in Azure Portal
    • There is a “Go to resource” button on the deployment complete page of step above
  • Selects Hubs under Connectivity in left Panel
  • Select New Hub
    • Select Region from dropdown
    • Provide Name
    • Provide Private Address Space
    • Select Virtual Hub Capacity from dropdown
    • Select Next: Site to Site button at bottom of page
      • Under Site to site settings
        • Set “do you want to create a Site to Site (VPN gateway)? To Yes
        • Select Gateway scale units from dropdown
        • Select Review + Create > Create (once validation passes
• Task 3: Connect a VNet to the Virtual Hub.
  • Search and Select Virtual WANs in Azure Portal
  • Select the newly created Virtual Wan
  • Choose Virtual Network Connections under Connectivity in the left panel
  • Select Add Connection
    • Provide Connection Name
    • Select Hub from dropdown
    • Select Resource group from dropdown
    • Select Virtual network from dropdown
    • Toggle propagate to none to Yes
    • Select Route Table from dropdown
    • Select Create