Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 7: Connect an ExpressRoute Circuit to a Virtual Network
ExpressRoute circuits are logical connections between on-prem (or colo) infrastructure and MS cloud services through a connectivity provider. It is possible to order multiple ExpressRoute circuits, each in the same or different regions, connecting to on-prem via different providers. Circuits don’t map to physical entities; each one is identified by a standard GUID called the service key (s-key).
- Connect a virtual network to an ExpressRoute circuit
  - Must have an active ExpressRoute circuit
  - Verify Azure private peering is configured on the circuit
  - Verify Azure private peering has established a BGP session between the on-prem network and MS
  - Verify the VNet and virtual network gateway are created and fully provisioned (the virtual network gateway for ExpressRoute has GatewayType ‘ExpressRoute’)
  - Up to 10 VNets can be linked to a standard ExpressRoute circuit
  - All linked VNets must be in the same geopolitical region when using a standard ExpressRoute circuit
  - A VNet can link to a max of 16 ExpressRoute circuits
  - Linked VNets and circuits can be in the same subscription, a different subscription, or a combo
  - With the ExpressRoute premium add-on:
    - Can link VNets outside the geopolitical region of the ExpressRoute circuit
    - Allows more than 10 VNets per ExpressRoute circuit, with the limit depending on the bandwidth selected
  - When creating the connection, the targeted ExpressRoute virtual network gateway must have 200 or fewer address spaces advertised from the local and peered VNets. Once the connection is created successfully, additional address spaces can be added (up to 1000) to the local or peered VNets
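Worked example (added here, not code from the MS Learn module): the checks in the list above, then the gateway creation and the VNet-to-circuit link, done with Az PowerShell. All resource names (rg-network, er-circuit-01, vnet-hub, ergw-hub, pip-ergw), the region, the gateway SKU and the public IP SKU are assumptions for illustration, and the address-space count is a heuristic based on the local VNet and its peerings.

```powershell
# Added example (not code from the MS Learn module): pre-checks from the list
# above, then linking a VNet to an existing circuit with Az PowerShell.
# All names (rg-network, er-circuit-01, vnet-hub, ergw-hub, pip-ergw) and the
# gateway/public-IP SKUs are assumptions for illustration.

$rg       = 'rg-network'
$location = 'eastus'
$ckt      = Get-AzExpressRouteCircuit -Name 'er-circuit-01' -ResourceGroupName $rg

# Check 1: circuit is active. The provider must report it provisioned and the
# Microsoft side must show it enabled.
if ($ckt.ServiceProviderProvisioningState -ne 'Provisioned' -or
    $ckt.CircuitProvisioningState -ne 'Enabled') {
    throw "Circuit not ready (provider: $($ckt.ServiceProviderProvisioningState), circuit: $($ckt.CircuitProvisioningState))"
}

# Check 2: Azure private peering exists and is enabled on the circuit.
$priv = $ckt.Peerings | Where-Object { $_.PeeringType -eq 'AzurePrivatePeering' }
if (-not $priv -or $priv.State -ne 'Enabled') {
    throw 'Azure private peering is not configured/enabled on the circuit'
}

# Check 3: BGP over private peering is up, which shows as routes learned by the
# MSEE. An empty table on both device paths means the session is not established.
$learned = foreach ($path in 'Primary', 'Secondary') {
    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $ckt.Name `
        -PeeringType AzurePrivatePeering -DevicePath $path
}
if (-not $learned) { throw 'No routes learned over private peering; BGP is not established' }

# Check 4: the 200 address-space limit at connection time. Heuristic: count the
# local VNet's prefixes plus those of every peered VNet.
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$prefixes = @($vnet.AddressSpace.AddressPrefixes)
foreach ($peering in $vnet.VirtualNetworkPeerings) {
    $prefixes += $peering.RemoteVirtualNetworkAddressSpace.AddressPrefixes
}
if ($prefixes.Count -gt 200) {
    throw "Too many address spaces ($($prefixes.Count)); trim to 200 or fewer before connecting, add more (up to 1000) afterwards"
}

# Check 5 / create: an ExpressRoute gateway (GatewayType 'ExpressRoute', not
# 'Vpn') in the VNet's GatewaySubnet, and confirm it is fully provisioned.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip      = New-AzPublicIpAddress -Name 'pip-ergw' -ResourceGroupName $rg -Location $location `
                -AllocationMethod Static -Sku Standard
$ipconf   = New-AzVirtualNetworkGatewayIpConfig -Name 'ergw-ipconf' -SubnetId $gwSubnet.Id `
                -PublicIpAddressId $pip.Id
$gw       = New-AzVirtualNetworkGateway -Name 'ergw-hub' -ResourceGroupName $rg -Location $location `
                -IpConfigurations $ipconf -GatewayType ExpressRoute -GatewaySku ErGw1AZ
if ($gw.ProvisioningState -ne 'Succeeded') {
    throw "Gateway provisioning state is $($gw.ProvisioningState)"
}

# Link the VNet to the circuit: ConnectionType ExpressRoute with the circuit's
# resource ID as PeerId. For a circuit in another subscription the same cmdlet
# is used together with an authorization key from the circuit owner (not shown).
New-AzVirtualNetworkGatewayConnection -Name 'conn-vnet-hub-er-circuit-01' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute
```

Each check throws before anything is created, so a half-configured circuit or a gateway of the wrong type fails early rather than producing a connection that never comes up.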
- Add a VPN to an ExpressRoute deployment
  - Provides a secure, encrypted connection between on-prem and Azure VNets over the private ExpressRoute connection. Use MS peering for a Site-to-Site IPsec/IKE VPN between on-prem and Azure VNets. This creates a secure tunnel over ExpressRoute that provides confidentiality, anti-replay, authenticity and integrity.
  - When running Site-to-Site over MS peering, charges apply for the VPN gateway and for egress
  - Can enable HA/redundancy with multiple tunnels over the two MSEE-PE pairs of the circuit, and enable load balancing across them
  - Tunnels over MS peering terminate on either a VPN gateway or an NVA from the Azure Marketplace
  - Routes can be exchanged statically or dynamically over the tunnels
  - For dynamic exchange, BGP is used (a separate BGP session from the one used for MS peering)
  - On the on-prem side, MS peering typically terminates in the DMZ and private peering terminates on the core network
  - The two zones are segregated using a firewall
  - If using MS peering exclusively, filter to allow only the public IPs of interest
  - Steps
    - Configure MS peering for the ExpressRoute circuit
    - Advertise select Azure regional public prefixes to on-prem over MS peering
    - Configure the VPN gateway to establish IPsec tunnels
    - Configure the on-prem VPN device
    - Create the Site-to-Site IPsec/IKE connection
    - Optionally: configure firewall/filtering on the on-prem device
    - Test/validate IPsec communication over the circuit
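Worked example (added here, not code from the MS Learn module): the steps above carried out on the Azure side with Az PowerShell. Every name, ASN, VLAN ID, prefix, IP address and BGP community in it is a constructed placeholder; rg-network, er-circuit-01 and vnet-hub are assumed to exist already, the on-prem VPN device and its firewall (steps 4 and 6) are configured outside Azure and are only represented by a local network gateway here.

```powershell
# Added example (not code from the MS Learn module): the "Steps" list carried
# out with Az PowerShell. Every name, ASN, VLAN, prefix, IP and BGP community
# is a constructed placeholder; rg-network, er-circuit-01 and vnet-hub are
# assumed to exist. The on-prem device (steps 4 and 6) is configured elsewhere.

$rg = 'rg-network'; $location = 'eastus'
$ckt = Get-AzExpressRouteCircuit -Name 'er-circuit-01' -ResourceGroupName $rg

# Step 1: Microsoft peering on the circuit. The on-prem public prefix that will
# source the IPsec tunnel (198.51.100.0/24, placeholder) is advertised to
# Microsoft; registry name and customer ASN must match the registry record.
Add-AzExpressRouteCircuitPeeringConfig -Name 'MicrosoftPeering' -ExpressRouteCircuit $ckt `
    -PeeringType MicrosoftPeering -PeerASN 65010 -PeerAddressType IPv4 `
    -PrimaryPeerAddressPrefix '192.0.2.0/30' -SecondaryPeerAddressPrefix '192.0.2.4/30' `
    -VlanId 300 -MicrosoftConfigAdvertisedPublicPrefixes '198.51.100.0/24' `
    -MicrosoftConfigCustomerAsn 65010 -MicrosoftConfigRoutingRegistryName 'ARIN'
$ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
$msp = $ckt.Peerings | Where-Object { $_.PeeringType -eq 'MicrosoftPeering' }
if ($msp.MicrosoftPeeringConfig.AdvertisedPublicPrefixesState -ne 'Configured') {
    # 'ValidationNeeded' means Microsoft still has to verify ownership of the prefix.
    Write-Warning "Public prefix state: $($msp.MicrosoftPeeringConfig.AdvertisedPublicPrefixesState)"
}

# Step 2: advertise only the Azure regional public prefixes on-prem needs, via
# a route filter on the Microsoft peering. The community value is a placeholder;
# take the real one for the region from the ExpressRoute routing requirements.
$rule = New-AzRouteFilterRuleConfig -Name 'allow-region' -Access Allow `
    -RouteFilterRuleType Community -CommunityList '12076:51004'
$rf = New-AzRouteFilter -Name 'rf-region-only' -ResourceGroupName $rg -Location $location -Rule $rule
$msp.RouteFilter = $rf
$ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

# Step 3: a route-based VPN gateway in the VNet (GatewayType 'Vpn'). Its public
# IP lies inside the regional prefix just advertised, so on-prem reaches it over
# the circuit rather than the internet.
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip      = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
                -AllocationMethod Static -Sku Standard
$ipconf   = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconf' -SubnetId $gwSubnet.Id `
                -PublicIpAddressId $pip.Id
$vpngw    = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
                -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
                -EnableBgp $true -Asn 65515

# Step 4: the on-prem VPN device as a local network gateway. Its public IP must
# fall inside the prefix advertised in step 1 so return traffic uses the circuit.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '198.51.100.10' -AddressPrefix '10.255.255.1/32' `
    -Asn 65010 -BgpPeeringAddress '10.255.255.1'

# Step 5: the Site-to-Site IPsec/IKE connection with an explicit policy
# (AES-256-GCM, SHA-256 for IKE, DH group 14, PFS 2048) and a second BGP session
# for dynamic route exchange, separate from the Microsoft peering BGP session.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
$psk = $env:S2S_PSK   # pre-shared key supplied out of band, never hard-coded
New-AzVirtualNetworkGatewayConnection -Name 'conn-onprem-s2s' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpngw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -EnableBgp $true -IpsecPolicies $policy

# Step 7: validate. ConnectionStatus should be 'Connected', the BGP peer status
# should list the on-prem peer, and on-prem routes should appear as learned.
(Get-AzVirtualNetworkGatewayConnection -Name 'conn-onprem-s2s' -ResourceGroupName $rg).ConnectionStatus
Get-AzVirtualNetworkGatewayBgpPeerStatus -ResourceGroupName $rg -VirtualNetworkGatewayName 'vpngw-hub'
Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg -VirtualNetworkGatewayName 'vpngw-hub'
```

The route filter in step 2 is what keeps the MS peering session from flooding on-prem with every Azure public prefix: only the community for the region that hosts the VPN gateway is allowed, which matches the note above about filtering to the public IPs of interest. For redundancy across the two MSEE-PE pairs, a second local network gateway and connection for the second on-prem device follow the same pattern.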