Azure Solution Architect Expert | Part 1
ExpressRoute overview
Azure ExpressRoute lets you seamlessly extend your on-premises networks into the Microsoft cloud. This connection between your organization and Azure is dedicated and private. Establishing an ExpressRoute connection enables you to connect to Microsoft cloud services like Azure, Office 365, and Dynamics 365. Security is enhanced, connections are more reliable, latency is minimal, and throughput is greatly increased.
Features and benefits of ExpressRoute
There are several benefits to using ExpressRoute as the connection service between Azure and on-premises networks.
Layer 3 connectivity
ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be point-to-point links, any-to-any network connections, or virtual cross-connections through an exchange.
Built-in redundancy
Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature. All redundant connections are configured with Layer 3 connectivity to meet SLAs.
Connectivity to Microsoft cloud services
ExpressRoute enables direct access to the following services in all regions:
- Microsoft Office 365
- Microsoft Dynamics 365
- Azure compute services, such as Azure Virtual Machines
- Azure cloud services, such as Azure Cosmos DB and Azure Storage
Office 365 was created to be accessed securely and reliably via the internet. Because of this, we recommend ExpressRoute for specific scenarios. The “Learn more” section at the end of this module includes a link about using ExpressRoute to access Office 365.
Connectivity across on-premises sites with ExpressRoute Global Reach
You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits. For example, assume that you have a private datacenter in California connected to ExpressRoute in Silicon Valley. You have another private datacenter in Texas connected to ExpressRoute in Dallas. With ExpressRoute Global Reach, you can connect your private datacenters through two ExpressRoute circuits. Your cross-datacenter traffic will travel through the Microsoft network.
Dynamic routing
ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.
ExpressRoute connectivity models
ExpressRoute supports three models that you can use to connect your on-premises network to the Microsoft cloud:
- Cloud exchange co-location
- Point-to-point Ethernet connection
- Any-to-any connection
Co-location at a cloud exchange
Co-located providers can normally offer both Layer 2 and Layer 3 connections between your infrastructure, which might be located in the co-location facility, and the Microsoft cloud. For example, if your datacenter is co-located at a cloud exchange such as an internet service provider (ISP), you can request a virtual cross-connection to the Microsoft cloud.
Point-to-point Ethernet connection
Point-to-point connections provide Layer 2 and Layer 3 connectivity between your on-premises site and Microsoft Azure. You can connect your offices or datacenters to Azure by using the point-to-point links. For example, if you have an on-premises datacenter, you can use a point-to-point Ethernet link to connect to Microsoft.
Any-to-any networks
With any-to-any connectivity, you can integrate your wide area network (WAN) with Microsoft Azure by providing connections to your offices and datacenters. Azure will integrate with your WAN connection to provide a seamless connection, just like you would have between your datacenter and any branch offices.
With any-to-any connections, all WAN providers offer Layer 3 connectivity. For example, if you already use Multiprotocol Label Switching (MPLS) to connect to your branch offices or other sites in your organization, an ExpressRoute connection to Microsoft will behave just like another location on your private WAN.
Security considerations
With ExpressRoute, your data doesn’t travel over the public internet, so it’s not exposed to the potential risks associated with internet communications. ExpressRoute is a private connection from your on-premises infrastructure to your Azure infrastructure. Even if you have an ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent over the public internet.
Architecture of ExpressRoute
ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ExpressRoute partner. The partner provides the edge service: an authorized and authenticated connection that operates through a partner-controlled router. The edge service is responsible for extending your network to the Microsoft cloud.
The partner sets up connections to an endpoint in an ExpressRoute location (implemented by a Microsoft edge router). These connections enable you to peer your on-premises networks with the virtual networks available through the endpoint. These connections are called circuits.
A circuit provides a physical connection for transmitting data through the ExpressRoute provider’s edge routers to the Microsoft edge routers. A circuit is established across a private wire rather than the public internet. Your on-premises network is connected to the ExpressRoute provider’s edge routers. The Microsoft edge routers provide the entry point to the Microsoft cloud.
Prerequisites for ExpressRoute
Before you can connect to Microsoft cloud services by using ExpressRoute, you need to have:
- An ExpressRoute connectivity partner or cloud exchange provider that can set up a connection from your on-premises networks to the Microsoft cloud.
- An Azure subscription that is registered with your chosen ExpressRoute connectivity partner.
- An active Microsoft Azure account that can be used to request an ExpressRoute circuit.
- An active Office 365 subscription, if you want to connect to the Microsoft cloud and access Office 365 services.
ExpressRoute works by peering your on-premises networks with networks running in the Microsoft cloud. Resources on your networks can communicate directly with resources hosted by Microsoft. To support these peerings, ExpressRoute has a number of network and routing requirements:
- Ensure that BGP sessions for routing domains have been configured. Depending on your partner, this might be their or your responsibility. Additionally, for each ExpressRoute circuit, Microsoft requires redundant BGP sessions between Microsoft’s routers and your peering routers.
- You or your providers need to translate the private IP addresses used on-premises to public IP addresses by using a NAT service. Microsoft will reject anything except public IP addresses through Microsoft peering.
- Reserve several blocks of IP addresses in your network for routing traffic to the Microsoft cloud. You configure these blocks as either a /29 subnet or two /30 subnets in your IP address space. One of these subnets is used to configure the primary circuit to the Microsoft cloud, and the other implements a secondary circuit. You use the first address in these subnets to communicate with services in the Microsoft cloud. Microsoft uses the second address to establish a BGP session.
ExpressRoute supports two peering schemes:
- Use private peering to connect to Azure IaaS and PaaS services deployed inside Azure virtual networks. The resources that you access must all be located in one or more Azure virtual networks with private IP addresses. You can’t access resources through their public IP address over a private peering.
- Use Microsoft peering to connect to Azure PaaS services, Office 365 services, and Dynamics 365.
Note
You can also use the Azure portal to configure public peering. This form of peering enables you to connect to the public addresses exposed by Azure services. However, this peering is deprecated and is not available for new circuits. This module does not describe public peering.
Create an ExpressRoute circuit and peering
Establishing a connection to Azure through ExpressRoute is a multistep process. You can perform many of these steps either by using the Azure portal, or from the command line by using PowerShell or the Azure CLI. This section describes the process of using the Azure portal. For PowerShell and CLI instructions, see the “Learn more” section at the end of this module.
Create a circuit
When you’re using the Azure portal, select Create a resource > Networking > ExpressRoute. The Create ExpressRoute circuit page requires you to complete the following fields:
| Property | Value |
|---|---|
| Circuit name | A meaningful name for your circuit, without any white space or special characters. |
| Provider | The ExpressRoute provider with which you’ve registered your subscription. |
| Peering location | A location enabled by the ExpressRoute provider in which to create your circuit. |
| Bandwidth | Select your bandwidth, from 50 Mbps up to 10 Gbps. Start with a low value. You can increase it later with no interruption to service. However, you can’t reduce the bandwidth if you set it too high initially. |
| SKU | Select Standard if you have up to 10 virtual networks and only need to connect to resources in the same geographical region. Otherwise, select Premium. |
| Billing model | Select Unlimited to pay a flat fee regardless of usage. Or select Metered to pay according to the volume of traffic that enters and exits the circuit. |
| Subscription | The subscription you’ve registered with your ExpressRoute provider. |
| Resource group | The Azure resource group in which to create the circuit. |
| Location | The Azure location in which to create the circuit. |
Circuit creation can take several minutes. After the circuit has been provisioned, you can use the Azure portal to view the properties. You’ll see that Circuit status is enabled, meaning that the Microsoft side of the circuit is ready to accept connections. Provider status will be Not provisioned initially. This is because the provider hasn’t configured their side of the circuit for connecting to your network.
You send the provider the value in the Service key field to enable them to configure the connection. This can take several days. You can revisit this page to check the provider status.
Create a peering configuration
After the provider status is reported as Provisioned, you can configure the routing for the peerings. These steps apply only to circuits that are created with service providers who offer Layer 2 connectivity. For any circuits that operate at Layer 3, the provider might be able to configure the routing for you.
The ExpressRoute circuit page (shown earlier) lists each peering and its properties. You can select a peering to configure these properties.
Configure private peering
You use private peering to connect your network to your virtual networks running in Azure. To configure private peering, you must provide the following information:
- Peer ASN. The autonomous system number for your side of the peering. This ASN can be public or private, and 16 bits or 32 bits.
- Primary subnet. This is the address range of the primary /30 subnet that you created in your network. You’ll use the first IP address in this subnet for your router. Microsoft uses the second for its router.
- Secondary subnet. This is the address range of your secondary /30 subnet. This subnet provides a secondary link to Microsoft. The first two addresses are used to hold the IP address of your router and the Microsoft router.
- VLAN ID. This is the VLAN on which to establish the peering. The primary and secondary links will both use this VLAN ID.
- Shared key. This is an optional MD5 hash that’s used to encode messages passing over the circuit.
Configure Microsoft peering
You use Microsoft peering to connect to Office 365 and its associated services. To configure Microsoft peering, you provide a peer ASN, a primary subnet address range, a secondary subnet address range, a VLAN ID, and an optional shared key as described for a private peering. You must also provide the following information:
- Advertised public prefixes. This is a list of the address prefixes that you use over the BGP session. These prefixes must be registered to you, and must be prefixes for public address ranges.
- Customer ASN. This is optional. It’s the client-side autonomous system number to use if you are advertising prefixes that aren’t registered to the peer ASN.
- Routing registry name. This name identifies the registry in which the customer ASN and public prefixes are registered.
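The subnet and prefix rules above (the /29 or two /30 blocks from the prerequisites, the first address on each link for your router and the second for Microsoft’s, and public-only prefixes for Microsoft peering) are easy to get wrong when filling in the peering form. The following script is an added example, not code from the module or from Microsoft: it derives the link addresses from your reserved blocks and reports advertised prefixes that Microsoft peering would reject because they are private ranges. All subnet values are constructed; `203.0.113.0/24` is a documentation range standing in for a prefix registered to you.

```python
"""Plan ExpressRoute peering link addresses and screen advertised prefixes.

Added example (not the module's or Microsoft's code). It encodes the rules
stated in the text: one /29 split into two /30s, or two /30s; on each /30 the
first usable address is your router and the second is the Microsoft router;
prefixes advertised over Microsoft peering must be public, not private.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Private ranges (RFC 1918, loopback, link-local). The text states that
# Microsoft peering rejects anything except public addresses; these are the
# ranges an on-premises network most often leaks into an advertisement.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class PeeringLink:
    subnet: ipaddress.IPv4Network
    customer_router: ipaddress.IPv4Address   # first usable address on the /30
    microsoft_router: ipaddress.IPv4Address  # second usable address on the /30


def link_from_slash30(subnet: str) -> PeeringLink:
    """Build one BGP link (primary or secondary) from a /30 block."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{subnet}: each peering link needs an IPv4 /30 subnet")
    first, second = list(net.hosts())  # a /30 has exactly two usable hosts
    return PeeringLink(net, first, second)


def plan_links(*subnets: str) -> tuple[PeeringLink, PeeringLink]:
    """Accept one /29 or two /30s and return the (primary, secondary) links."""
    if len(subnets) == 1:
        block = ipaddress.ip_network(subnets[0], strict=True)
        if block.prefixlen != 29:
            raise ValueError(f"{subnets[0]}: a single reserved block must be a /29")
        primary, secondary = (str(s) for s in block.subnets(new_prefix=30))
    elif len(subnets) == 2:
        primary, secondary = subnets
    else:
        raise ValueError("supply one /29 or exactly two /30 subnets")
    links = (link_from_slash30(primary), link_from_slash30(secondary))
    if links[0].subnet.overlaps(links[1].subnet):
        raise ValueError("primary and secondary subnets must not overlap")
    return links


def check_advertised_prefixes(prefixes: list[str]) -> list[str]:
    """Return the prefixes that Microsoft peering would reject as non-public."""
    rejected = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.version == 4 and any(net.subnet_of(r) for r in PRIVATE_RANGES):
            rejected.append(p)
    return rejected


if __name__ == "__main__":
    # Constructed sample: one /29 reserved for the circuit.
    primary, secondary = plan_links("192.168.15.16/29")
    print("primary  ", primary.customer_router, "->", primary.microsoft_router)
    print("secondary", secondary.customer_router, "->", secondary.microsoft_router)
    # Constructed sample: one placeholder public prefix and one RFC 1918 leak.
    print("rejected ", check_advertised_prefixes(["203.0.113.0/24", "10.20.0.0/16"]))
```

Run it before submitting the peering form: the printed router addresses are what you enter as the primary and secondary subnets’ first and second addresses, and any prefix in the rejected list has to be NATed to a registered public range first (the NAT requirement in the prerequisites).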
Connect a virtual network to an ExpressRoute circuit
After the ExpressRoute circuit has been established, Azure private peering is configured for your circuit, and the BGP session between your network and Microsoft is active, you can enable connectivity from your on-premises network to Azure.
Before you can connect to a private circuit, you must create an Azure virtual network gateway by using a subnet on one of your Azure virtual networks. The virtual network gateway provides the entry point to network traffic that enters from your on-premises network. It directs incoming traffic through the virtual network to your Azure resources.
You can configure network security groups and firewall rules to control the traffic that’s routed from your on-premises network. You can also block requests from unauthorized addresses in your on-premises network.
Note
You must create the virtual network gateway by using the type ExpressRoute and not VPN.
Up to 10 virtual networks can be linked to an ExpressRoute circuit, but these virtual networks must be in the same geographical region as the ExpressRoute circuit. You can link a single virtual network to four ExpressRoute circuits if necessary. The ExpressRoute circuit can be in the same subscription as the virtual network, or in a different one.
If you’re using the Azure portal, you connect a peering to a virtual network gateway as follows:
- On the ExpressRoute circuit page for your circuit, select Connections.
- On the Connections page, select Add.
- On the Add connection page, give your connection a name, and then select your virtual network gateway. When the operation has finished, your on-premises network will be connected through the virtual network gateway to your virtual network in Azure. The connection will be made across the ExpressRoute connection.
High availability and failover with ExpressRoute
In each ExpressRoute circuit, there are two connections from the connectivity provider to two different Microsoft edge routers. This configuration occurs automatically. It provides a degree of availability within a single location.
Consider setting up ExpressRoute circuits in different peering locations to provide high availability and help protect against a regional outage. For example, you might create circuits in the US East and US Central regions and connect these circuits to your virtual network. This way, if one ExpressRoute circuit goes down, you won’t lose connectivity to your resources, and you can fail over the connection to another ExpressRoute circuit.
You can also have multiple circuits across different providers to ensure that your network stays available even if an outage affects all circuits from a single approved provider. You can set the Connection Weight property to prefer one circuit to another.
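The linking rules from the previous section (ExpressRoute gateway type, at most 10 virtual networks per Standard circuit in the same geographical region, at most four circuits per virtual network) and the availability advice above (circuits in more than one peering location, Connection Weight to prefer one) can be checked before anything is deployed. The script below is an added example, not code from the module or from Microsoft; it lints a planned topology and reports violations of those rules. Circuit names, `geo` values, peering locations and weights are all constructed, and `geo` is simply the label for the geographical region a Standard circuit is confined to.

```python
"""Lint a planned ExpressRoute topology against the rules in the module.

Added example (not the module's or Microsoft's code). Rules encoded:
  * a virtual network gateway must be of type ExpressRoute, not VPN;
  * a Standard circuit links up to 10 virtual networks, all in its region
    (cross-region linking needs the Premium SKU);
  * a virtual network can be linked to at most four circuits;
  * a virtual network whose circuits all terminate in one peering location
    has no failover path if that location goes down;
  * the link with the highest Connection Weight is the preferred circuit.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

MAX_VNETS_PER_STANDARD_CIRCUIT = 10
MAX_CIRCUITS_PER_VNET = 4


@dataclass(frozen=True)
class Circuit:
    name: str
    sku: str               # "Standard" or "Premium"
    geo: str               # geographical region the circuit serves (constructed label)
    peering_location: str  # ExpressRoute location, e.g. a constructed "US East"


@dataclass(frozen=True)
class VNet:
    name: str
    geo: str
    gateway_type: str      # "ExpressRoute" is required; "Vpn" is a misconfiguration


@dataclass(frozen=True)
class Link:
    circuit: str
    vnet: str
    weight: int = 0        # Connection Weight; the higher value is preferred


def lint(circuits: dict[str, Circuit], vnets: dict[str, VNet],
         links: list[Link]) -> list[str]:
    """Return human-readable findings; an empty list means the plan is clean."""
    findings: list[str] = []
    by_circuit: dict[str, list[Link]] = defaultdict(list)
    by_vnet: dict[str, list[Link]] = defaultdict(list)
    for link in links:
        c, v = circuits[link.circuit], vnets[link.vnet]
        by_circuit[c.name].append(link)
        by_vnet[v.name].append(link)
        if v.gateway_type != "ExpressRoute":
            findings.append(f"{v.name}: gateway type is {v.gateway_type}; "
                            "an ExpressRoute gateway is required")
        if c.sku == "Standard" and c.geo != v.geo:
            findings.append(f"{c.name} -> {v.name}: Standard circuit in {c.geo} "
                            f"cannot link a network in {v.geo}; use Premium")
    for name, ls in by_circuit.items():
        if circuits[name].sku == "Standard" and len(ls) > MAX_VNETS_PER_STANDARD_CIRCUIT:
            findings.append(f"{name}: {len(ls)} virtual networks linked; "
                            f"Standard allows {MAX_VNETS_PER_STANDARD_CIRCUIT}")
    for name, ls in by_vnet.items():
        if len(ls) > MAX_CIRCUITS_PER_VNET:
            findings.append(f"{name}: linked to {len(ls)} circuits; "
                            f"maximum is {MAX_CIRCUITS_PER_VNET}")
        locations = {circuits[l.circuit].peering_location for l in ls}
        if len(locations) < 2:
            findings.append(f"{name}: all circuits terminate in {locations.pop()}; "
                            "no failover path if that peering location is down")
    return findings


def preferred_circuit(links: list[Link], vnet: str) -> str | None:
    """Name of the circuit with the highest Connection Weight for a network."""
    candidates = [l for l in links if l.vnet == vnet]
    return max(candidates, key=lambda l: l.weight).circuit if candidates else None


def sample_plan() -> tuple[dict[str, Circuit], dict[str, VNet], list[Link]]:
    """Constructed sample: one well-built network and one with three mistakes."""
    circuits = {
        "ckt-east": Circuit("ckt-east", "Standard", "US", "US East"),
        "ckt-central": Circuit("ckt-central", "Standard", "US", "US Central"),
        "ckt-eu": Circuit("ckt-eu", "Standard", "EU", "Amsterdam"),
    }
    vnets = {
        "vnet-prod": VNet("vnet-prod", "US", "ExpressRoute"),
        "vnet-legacy": VNet("vnet-legacy", "US", "Vpn"),
    }
    links = [
        Link("ckt-east", "vnet-prod", weight=20),
        Link("ckt-central", "vnet-prod", weight=10),
        Link("ckt-eu", "vnet-legacy"),
    ]
    return circuits, vnets, links


if __name__ == "__main__":
    circuits, vnets, links = sample_plan()
    for finding in lint(circuits, vnets, links):
        print("FINDING:", finding)
    print("vnet-prod prefers", preferred_circuit(links, "vnet-prod"))
```

In the sample, `vnet-prod` is linked to two Standard circuits in different US peering locations and passes clean, with `ckt-east` preferred because of its higher weight; `vnet-legacy` produces three findings (VPN gateway type, cross-region link on a Standard circuit, and a single peering location with no failover). Extend `sample_plan()` with your own inventory to run the same checks against a real design.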
ExpressRoute Direct and FastPath
Microsoft also provides an ultra-high-speed option called ExpressRoute Direct. This service enables dual 100-Gbps connectivity. It’s suitable for scenarios that involve massive and frequent data ingestion. It’s also suitable for solutions that require extreme scalability, such as banking, government, and retail.
You enroll your subscription with Microsoft to activate ExpressRoute Direct. For more information, visit the ExpressRoute article in the “Learn more” section at the end of this module.
ExpressRoute Direct supports FastPath. When FastPath is enabled, it sends network traffic directly to a virtual machine that’s the intended destination. The traffic bypasses the virtual network gateway, improving the performance between Azure virtual networks and on-premises networks.
FastPath doesn’t support virtual network peering (where you have virtual networks connected together). It also doesn’t support user-defined routes on the gateway subnet.
When to use Azure ExpressRoute
Consider using the Azure ExpressRoute service in the following scenarios:
- Low-latency connectivity to services in the cloud. In these situations, eliminating or reducing the network overhead will have a significant impact on the performance of your applications.
- Accessing high-volume systems in the cloud that consume or produce massive volumes of data quickly. ExpressRoute can move data around rapidly, with high reliability.
- Consuming Microsoft Cloud Services, such as Office 365 and Dynamics 365. ExpressRoute is especially useful if your organization has a large number of users who need to access these services concurrently.
- Organizations that have migrated large-scale on-premises systems to Azure. Using ExpressRoute helps ensure that the results of the migrations are seamless for on-premises clients. They should notice no drop in performance. They might even experience some improvement if the previous on-premises systems were restricted by network bandwidth.
- Situations where data should not traverse the public internet for security reasons.
- Large datacenters, with a high number of users and systems accessing SaaS offerings.
Benefits of using ExpressRoute
ExpressRoute offers several advantages for building highly scalable, cloud-based solutions.
Predictable performance
Having a dedicated connection to the Microsoft cloud guarantees performance. There are no concerns over internet provider outages or spikes in internet traffic. With ExpressRoute, your providers are accountable for providing the necessary throughput and latency SLA.
Data privacy for your traffic
Traffic that’s sent over an ExpressRoute connection is as secure as using MPLS WAN links. There’s no risk of internet monitoring or packet capture by malicious users.
High-throughput, low-latency connections
With ExpressRoute, you can obtain speeds of up to 10 Gbps when connecting to the Microsoft cloud. If you’re using ExpressRoute Direct, you can achieve up to 100 Gbps. Latency is minimal, so your systems are highly responsive.
Availability and connectivity
Microsoft guarantees a minimum of 99.95 percent availability for an ExpressRoute dedicated circuit.
With ExpressRoute enabled, you can connect to Microsoft through one of several peering connections and have access to regions within the same geopolitical region. For example, if you connect to Microsoft through ExpressRoute in France, you’ll have access to all Microsoft services hosted in Western Europe.
You can also enable ExpressRoute Premium, which provides cross-region accessibility. For example, if you access Microsoft through ExpressRoute in Germany, you’ll have access to all Microsoft cloud services in all regions globally.
You can also take advantage of a feature called ExpressRoute Global Reach. It allows you to exchange data across all of your on-premises datacenters by connecting all of your ExpressRoute circuits.
Alternatives to ExpressRoute
ExpressRoute is one of three solutions that you can use to connect your on-premises network to Azure. The others are a virtual network site-to-site connection and a virtual network point-to-site connection.
Site-to-site VPN
An Azure site-to-site VPN connection enables you to connect your on-premises network to Azure over an IPsec tunnel to build a hybrid network solution. You configure an on-premises VPN device with a public IP address. You connect this device to an Azure virtual network through an Azure virtual network gateway.
Point-to-site VPN
With point-to-site VPN, you can establish a secure connection to a network from individual computers located on-premises. This solution is useful for someone who wants to connect to Azure from remote locations such as a home or customer site. Point-to-site is useful if you have only a few clients that need to connect to a virtual network.
Azure ExpressRoute vs. site-to-site and point-to-site VPN connections
The following table shows a comparison between ExpressRoute, point-to-site, and site-to-site networks with Azure.
| Connection | Azure services supported | Bandwidth | Protocols | Typical use case |
|---|---|---|---|---|
| Virtual network, point-to-site | Azure IaaS and PaaS services (through private endpoints) | Based on the gateway SKU | Active/passive | Dev, test, and lab environments for cloud services and virtual machines. |
| Virtual network, site-to-site | Azure IaaS and PaaS services (through private endpoints) | Typically < 1 Gbps aggregate | Active/passive | Dev, test, and lab environments. Small-scale production workloads and virtual machines. |
| ExpressRoute | Azure IaaS and PaaS services, Microsoft Office 365 services | 50 Mbps up to 10 Gbps (100 Gbps for ExpressRoute Direct) | Active/active | Enterprise-class and mission-critical workloads. Big data solutions. |
Learn more
For more information on ExpressRoute, see the following articles on Microsoft Docs: