Microsoft AZ-700: Configure Peering for an ExpressRoute Deployment

Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 6: Configure Peering for an ExpressRoute Deployment

  • Create Peering Configuration
    • Configure private or Microsoft peering for ExpressRoute circuit
      • Configure in any order
      • Complete one at a time
    • Must have active ExpressRoute circuit
      • Must be in provisioned and enabled state
    • If using a shared key/MD5 hash, use it on both sides
      • Max 25 alphanumeric characters
      • Special characters not supported
  • Choose between private, Microsoft, or both for peering options. (Table below from MS Learn)
    • Enable one or more routing domains as part of ExpressRoute Circuit
    • All routing domains can be put on same VPN if combining into single routing domain is desired
    • Recommended config: private peering connected directly to network core, MS peering connected to DMZ
    • Each peering requires individual BGP sessions (one pair per peering type)
      • BGP session pairs offer HA link
    • If using an L2 connectivity provider, you own configuring and managing routing
    • Note: IPv6 is in public preview: follow MS IPv6 for Azure VNet for guidelines
  • Configure Private Peering
    • Azure services – VMs and cloud services in a VNet – can be connected through private peering
    • Private peering domain is trusted extension of core network into Azure
    • Can create bi-directional connection between core and Azure VNets
    • Allows connection to VMs and cloud services over private IPs
    • Connect one or more VNets to private peering domain. Limits found at Azure Subscription and Service Limits, Quotas, and Constraints
  • Configure Microsoft Peering
    • Connection to MS Online Services (MS 365, Azure PaaS) through MS peering
    • Offers bidirectional connectivity between WAN and MS cloud services
    • Must connect MS Cloud Services ONLY over public IPs you or your provider own
  • Configure route filters for MS Peering
    • Route filters used to consume subset of services via MS peering
    • MS 365 services such as Exchange Online, SharePoint Online, Skype for Business accessible via MS peering
    • By default all services advertised via BGP session on ExpressRoute circuit
    • BGP community is attached to each prefix for identification
    • Possible to limit prefixes added to route table
      • Filter unwanted prefixes using route filters on communities
      • Define route filters and apply to ExpressRoute Circuit
        • New resource letting you select list of services
        • ExpressRoute routers only send list of prefixes belonging to identified services in filter
    • When MS Peering on ExpressRoute circuit BGP comes up
      • By default no routes advertised to your network until route filter associated
    • Route filter identifies services you want through ExpressRoute MS Peering
      • An allow list of BGP communities
      • Once created and applied matching community routes get advertised to you
    • To attach route filter, authorization for MS 365 services via ExpressRoute required
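
The route filter behaviour in the notes above (an allow list of BGP communities, nothing advertised until a filter is associated) and the shared key limits, modelled as an added example that is not from MS Learn or the original post. The function names, the community values and the prefixes are constructed for illustration, and matching a prefix when any one of its communities is allowed is an assumption of this model.

```python
import ipaddress
import re

# Shared key rule from the notes: at most 25 alphanumeric characters, no specials.
SHARED_KEY_RE = re.compile(r"[A-Za-z0-9]{1,25}")

def valid_shared_key(key):
    """True if the key fits the MD5 shared-key limits listed in the notes."""
    return SHARED_KEY_RE.fullmatch(key) is not None

def advertised_routes(routes, route_filter):
    """Model which prefixes reach your network over Microsoft peering.

    routes: list of (prefix, set_of_communities) as tagged on the Microsoft side.
    route_filter: set of allowed communities, or None when no filter is attached.
    """
    if route_filter is None:
        return []  # no route filter associated: no routes are advertised
    selected = []
    for prefix, communities in routes:
        ipaddress.ip_network(prefix)  # raises ValueError on a malformed prefix
        # Assumption of this model: one allowed community is enough to match.
        if communities & route_filter:
            selected.append(prefix)
    return selected

def unexpected_prefixes(received, routes, route_filter):
    """Prefixes learned on-premises that the attached filter should have excluded."""
    expected = set(advertised_routes(routes, route_filter))
    return sorted(set(received) - expected)

# Constructed sample data: documentation prefixes and made-up community values.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", {"65000:10"}),                 # hypothetical "service A"
    ("198.51.100.0/24", {"65000:20"}),              # hypothetical "service B"
    ("203.0.113.0/24", {"65000:10", "65000:30"}),   # tagged with two communities
]
SAMPLE_FILTER = {"65000:10"}  # allow list containing only "service A"

if __name__ == "__main__":
    print(advertised_routes(SAMPLE_ROUTES, SAMPLE_FILTER))
    print(advertised_routes(SAMPLE_ROUTES, None))
    learned = ["192.0.2.0/24", "198.51.100.0/24"]
    print(unexpected_prefixes(learned, SAMPLE_ROUTES, SAMPLE_FILTER))
    print(valid_shared_key("Key12345"), valid_shared_key("bad-key!"))
```

Comparing the prefixes actually learned on the edge router against what the filter should allow, as `unexpected_prefixes` does, is a quick check that the filter attached to the circuit matches the intended service list.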