Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 6: Configure Peering for an ExpressRoute Deployment
- Create Peering Configuration
- Configure private or Microsoft peering for ExpressRoute circuit
- Configure in any order
- Complete one at a time
- Must have active ExpressRoute circuit
- Must be in provisioned and enabled state
- If using a shared key/MD5 hash, use the key on both sides
- Max 25 alphanumeric characters
- Special characters not supported
- Configure private or Microsoft peering for ExpressRoute circuit
- Choose between private, Microsoft, or both for peering options. (Table below from MS Learn)
- Enable one or more routing domains as part of ExpressRoute Circuit
- All routing domains can be put on same VPN if combining into single routing domain is desired
- Recommended config: private peering connected directly to network core, MS peering connected to DMZ
- Each peering requires individual BGP sessions (one pair per peering type)
- BGP session pairs offer an HA link
- If connecting through an L2 connectivity provider, you own configuring and managing routing
- Note: IPv6 is in public preview; follow MS IPv6 for Azure VNet for guidelines
- Configure Private Peering
- Azure services – VMs and cloud services in a VNet – can be connected through private peering
- Private peering domain is trusted extension of core network into Azure
- Can create bi-directional connection between core and Azure VNets
- Allows connection to VMs and cloud services over private IPs
- Connect one or more VNets to private peering domain. Limits found at Azure Subscription and Service Limits, Quotas, and Constraints
- Configure Microsoft Peering
- Connection to MS Online Services (MS 365, Azure PaaS) through MS peering
- Offers bidirectional connectivity between WAN and MS cloud services
- Must connect to MS Cloud Services ONLY over public IPs you or your provider own
- Configure route filters for MS Peering
- Route filters used to consume subset of services via MS peering
- MS 365 services such as Exchange Online, SharePoint Online, and Skype for Business are accessible via MS peering
- By default all services advertised via BGP session on ExpressRoute circuit
- BGP community is attached to each prefix for identification
- Possible to limit prefixes added to route table
- Filter unwanted prefixes using route filters on communities
- Define route filters and apply to ExpressRoute Circuit
- New resource letting you select list of services
- ExpressRoute routers only send list of prefixes belonging to identified services in filter
- When MS peering is configured on the ExpressRoute circuit and BGP comes up
- By default no routes advertised to your network until route filter associated
- Route filter identifies services you want through ExpressRoute MS Peering
- An allow list of BGP communities
- Once created and applied matching community routes get advertised to you
- To attach a route filter, authorization for MS 365 services via ExpressRoute is required
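
The route filter behaviour in the notes above (nothing advertised until a filter is associated, then only prefixes whose BGP community is on the allow list), modelled as an added Python example that is not part of the MS Learn material. The prefixes, community values, and function names are constructed sample data and hypothetical helpers; the second function is an added audit check for a filter that has been widened beyond what you intended.

```python
from ipaddress import ip_network

# Constructed sample data: prefixes are RFC 5737 documentation ranges and the
# community values are sample tags, one per service; none come from the notes.
ADVERTISED = [
    ("198.51.100.0/24", "12076:5010"),  # sample tag: Exchange Online
    ("203.0.113.0/24", "12076:5020"),   # sample tag: SharePoint Online
    ("192.0.2.0/25", "12076:5030"),     # sample tag: Skype for Business
    ("192.0.2.128/25", "12076:5010"),   # second Exchange Online prefix
]


def routes_sent(advertised, route_filter):
    """Prefixes sent over Microsoft peering for a given route filter.

    route_filter is a set of allowed BGP communities, or None when no filter
    is associated with the circuit, in which case nothing is advertised.
    """
    if route_filter is None:
        return []
    return [ip_network(p) for p, community in advertised
            if community in route_filter]


def unexpected_routes(received, expected_filter):
    """Received (prefix, community) pairs whose community is not on the
    allow list you intended, e.g. after someone widened the filter."""
    return [(p, c) for p, c in received if c not in expected_filter]


if __name__ == "__main__":
    exchange_only = {"12076:5010"}
    print(routes_sent(ADVERTISED, None))           # no filter attached
    print(routes_sent(ADVERTISED, exchange_only))  # Exchange prefixes only
    # Simulate a filter widened to include SharePoint without review.
    widened = exchange_only | {"12076:5020"}
    received = [(p, c) for p, c in ADVERTISED if c in widened]
    print(unexpected_routes(received, exchange_only))
```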