Microsoft AZ-700: Connect an ExpressRoute Circuit to a Virtual Network


Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 7: Connect an ExpressRoute Circuit to a Virtual Network

ExpressRoute circuits are logical connections between on-prem (or colo) infrastructure and Microsoft cloud services through a connectivity provider. It is possible to order multiple ExpressRoute circuits, each in the same or different regions, connecting to on-prem via different providers. Circuits don't map to physical entities. Each circuit is identified by a standard GUID: the service key (s-key).

  • Connect a virtual network to an ExpressRoute circuit
    • Must have an active ExpressRoute circuit
    • Verify Azure private peering is configured on the circuit
    • Verify Azure private peering has established BGP between your network and Microsoft
    • Verify the VNet and virtual network gateway are created and fully provisioned (the virtual network gateway for ExpressRoute has GatewayType ‘ExpressRoute’)
    • Up to 10 VNets can be linked to a standard ExpressRoute circuit
      • All must be in the same geopolitical region when using a standard ExpressRoute circuit
    • A VNet can link to a maximum of 16 ExpressRoute circuits
      • Same subscription, different subscription, or a combination
    • With the ExpressRoute premium add-on
      • Can link VNets outside the geopolitical region of the ExpressRoute circuit
      • Allows more than 10 VNets per ExpressRoute circuit, depending on the bandwidth selected
    • When creating the connection to the ExpressRoute circuit, the address spaces advertised from the local and peered VNets to the target ExpressRoute virtual network gateway must be 200 or fewer. Once the connection is successfully created, additional address spaces (up to 1000) can be added to the local or peered VNets
  • Add a VPN to an ExpressRoute deployment
    • Provides a secure, encrypted connection between on-prem and Azure VNets over the ExpressRoute private connection. Use Microsoft peering for a Site-to-Site IPsec/IKE VPN between on-prem and Azure VNets. Creates a secure tunnel over ExpressRoute for confidentiality, anti-replay, authenticity, and integrity.
    • When running Site-to-Site over Microsoft peering, charges apply for the VPN gateway and egress
    • Can enable HA/redundancy over multiple tunnels via the 2 MSEE-PE pairs of the circuit and enable load balancing
    • Tunnels over Microsoft peering terminate on either a VPN Gateway or an NVA from the Azure Marketplace
      • Routes can be exchanged statically or dynamically over the tunnels
      • BGP is used for dynamic exchange (a separate session from the BGP session for Microsoft peering)
    • On the on-prem side, Microsoft peering typically terminates in the DMZ and private peering terminates in the core.
      • The two zones are segregated using a firewall
      • If Microsoft peering is used exclusively, filter down to the public IPs of interest
    • Steps
      • Configure Microsoft peering for the ExpressRoute circuit
      • Advertise select Azure regional public prefixes to on-prem over Microsoft peering
      • Configure the VPN gateway to establish IPsec tunnels
      • Configure the on-prem VPN device
      • Create the Site-to-Site IPsec/IKE connection
      • Optionally: configure firewall/filtering on the on-prem device
      • Test/validate IPsec communication over the circuit
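The two procedures above, as an added example that is not part of the MS Learn module or this post: a shell script that applies the VNet-linking limits from the notes as a pre-flight check, prints the Azure CLI commands that verify the prerequisites (circuit provisioned, private peering configured, BGP routes learned, gateway of type ExpressRoute) and link the VNet, and then prints the Microsoft-peering Site-to-Site IPsec steps in the order given. Resource names, ASNs, VLAN id, peer subnets, prefixes and the BGP community value are all assumptions; by default (DRY_RUN=1) nothing is executed, only printed.

```shell
#!/bin/sh
# Added example, not from the MS Learn module or the blog post. Pre-flight
# checks and a dry-run plan for (1) linking a VNet to an ExpressRoute circuit
# and (2) Site-to-Site IPsec/IKE over Microsoft peering, as described in the
# notes. All resource names, ASNs, subnets, prefixes and the community value
# are assumptions. DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 runs them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-rg-expressroute}"           # assumed resource group
CIRCUIT="${CIRCUIT:-er-circuit-01}"   # assumed circuit name
VNET="${VNET:-vnet-hub}"              # assumed VNet, already has a GatewaySubnet
ER_GW="${ER_GW:-ergw-hub}"            # assumed ExpressRoute gateway (already provisioned)
VPN_GW="${VPN_GW:-vpngw-hub}"         # assumed VPN gateway name
REGION_COMMUNITY="${REGION_COMMUNITY:-12076:51004}"  # assumed Azure regional BGP community

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Pure check of the linking limits from the notes; returns 0 if a new link is allowed.
# $1 circuit SKU (Standard|Premium)   $2 VNets already linked to the circuit
# $3 circuits this VNet is already linked to   $4 VNet in the circuit's
# geopolitical region (yes|no)   $5 address spaces advertised at link time
check_link_limits() {
  sku=$1; linked_vnets=$2; vnet_circuits=$3; same_region=$4; addr_spaces=$5
  [ "$vnet_circuits" -lt 16 ] || { echo "VNet is already linked to 16 circuits" >&2; return 1; }
  [ "$addr_spaces" -le 200 ] || { echo "over 200 address spaces at link time (grow to 1000 afterwards)" >&2; return 1; }
  if [ "$sku" = "Standard" ]; then
    [ "$linked_vnets" -lt 10 ] || { echo "Standard circuit already has 10 VNets linked" >&2; return 1; }
    [ "$same_region" = "yes" ] || { echo "Standard circuit: VNet must be in the same geopolitical region" >&2; return 1; }
  fi
  return 0
}

# Verify circuit provisioned, private peering enabled, BGP routes learned, and
# that the gateway is GatewayType 'ExpressRoute' and fully provisioned.
verify_prereqs() {
  run az network express-route show -g "$RG" -n "$CIRCUIT" \
      --query serviceProviderProvisioningState -o tsv            # expect Provisioned
  run az network express-route peering show -g "$RG" --circuit-name "$CIRCUIT" \
      -n AzurePrivatePeering --query state -o tsv                # expect Enabled
  run az network express-route list-route-tables -g "$RG" -n "$CIRCUIT" \
      --peering-name AzurePrivatePeering --path primary -o table # BGP-learned routes
  run az network vnet-gateway show -g "$RG" -n "$ER_GW" \
      --query "[gatewayType,provisioningState]" -o tsv           # expect ExpressRoute Succeeded
}

# Link the VNet: a connection from the ExpressRoute gateway to the circuit.
link_vnet() {
  run az network vpn-connection create -g "$RG" -n "conn-$VNET-$CIRCUIT" \
      --vnet-gateway1 "$ER_GW" --express-route-circuit2 "$CIRCUIT"
}

# Site-to-Site IPsec/IKE over Microsoft peering, in the order the notes give.
plan_vpn_over_ms_peering() {
  # 1. Microsoft peering; the advertised prefixes are the on-prem public prefixes.
  run az network express-route peering create -g "$RG" --circuit-name "$CIRCUIT" \
      --peering-type MicrosoftPeering --peer-asn 65010 --vlan-id 300 \
      --primary-peer-subnet 192.0.2.0/30 --secondary-peer-subnet 192.0.2.4/30 \
      --advertised-public-prefixes 203.0.113.0/24
  # 2. Advertise only selected Azure regional prefixes to on-prem via a route filter.
  run az network route-filter create -g "$RG" -n rf-azure-regional
  run az network route-filter rule create -g "$RG" --filter-name rf-azure-regional \
      -n allow-region --access Allow --communities "$REGION_COMMUNITY"
  run az network express-route peering update -g "$RG" --circuit-name "$CIRCUIT" \
      -n MicrosoftPeering --route-filter rf-azure-regional
  # 3. Route-based VPN gateway; its public IP is what on-prem reaches over the circuit.
  run az network vnet-gateway create -g "$RG" -n "$VPN_GW" --vnet "$VNET" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --asn 65515 \
      --public-ip-addresses "pip-$VPN_GW"
  # 4. On-prem device as a local network gateway, BGP for dynamic route exchange.
  run az network local-gateway create -g "$RG" -n lng-onprem \
      --gateway-ip-address 203.0.113.10 --asn 65020 --bgp-peering-address 10.10.0.254
  # 5. The IPsec/IKE connection; SHARED_KEY comes from the environment, never hard-coded.
  run az network vpn-connection create -g "$RG" -n s2s-over-er \
      --vnet-gateway1 "$VPN_GW" --local-gateway2 lng-onprem \
      --shared-key "${SHARED_KEY:-<set SHARED_KEY>}" --enable-bgp
  # 6./7. On-prem device config and firewall filtering are done off-Azure; then validate.
  run az network vpn-connection show -g "$RG" -n s2s-over-er --query connectionStatus -o tsv
}

main() {
  check_link_limits "${SKU:-Standard}" "${LINKED_VNETS:-0}" "${VNET_CIRCUITS:-0}" \
      "${SAME_REGION:-yes}" "${ADDR_SPACES:-1}"
  verify_prereqs
  link_vnet
  plan_vpn_over_ms_peering
}
main
```

Run it as-is to see the plan; export SKU, LINKED_VNETS, VNET_CIRCUITS, SAME_REGION and ADDR_SPACES to describe the circuit you are about to link, and the script refuses to proceed when the notes' limits would be exceeded. The route filter step is what restricts which Azure regional prefixes reach the DMZ-side device over Microsoft peering, which is the filtering the notes recommend before the IPsec tunnel is brought up.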
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-connect-an-expressroute-circuit-to-a-virtual-network/