Azure ExpressRoute Peering
This document provides a comprehensive guide to understanding and configuring peering for Azure ExpressRoute. ExpressRoute allows you to create private connections between Azure datacenters and your on-premises infrastructure, or between your colocation environment and Azure. Peering is a crucial step in establishing these connections.
Types of ExpressRoute Peering
ExpressRoute supports three main types of peering:
- Microsoft Peering: Enables connectivity to Microsoft public services like Office 365, Dynamics 365, and Azure public cloud services.
- Azure Private Peering: Enables connectivity to Azure resources deployed in your virtual networks (VNets).
- Azure Public Peering: Deprecated. Use Microsoft Peering instead.
Microsoft Peering
Microsoft peering is designed for accessing Microsoft's cloud services. It uses the public IP address space.
Configuration Requirements for Microsoft Peering:
- You must register for the Microsoft Peering service.
- You need to provide your own public IP address space (AS number and IP prefixes). These must be registered to you by a RIR (Regional Internet Registry) or number resource organization (NRO).
- BGP sessions are established using Microsoft's AS (65001).
For a detailed walkthrough on configuring Microsoft Peering, please refer to the Microsoft Peering Configuration Guide.
Azure Private Peering
Azure Private Peering is the recommended method for connecting to your Azure virtual networks. It uses private IP address space.
Configuration Requirements for Azure Private Peering:
- You need to provide your own private AS number.
- You must provide your own IP prefixes that will be advertised to Azure. These prefixes must be RFC 1918 private address space.
- BGP sessions are established using your AS number and Microsoft's AS (12076).
- You can peer with one or more VNets in a region.
Peering State and Status
Once peering is configured, it goes through several states. The most common states are:
- Provisioning: The peering is being set up.
- Established: The BGP session is active, and connectivity is established.
- Updating: Configuration changes are being applied.
- Deleting: The peering is being removed.
You can monitor the state of your ExpressRoute peering through the Azure portal, Azure CLI, or PowerShell.
Verifying Peering Connectivity
After establishing the BGP session, you can verify connectivity:
- Check the BGP status in the Azure portal for your ExpressRoute circuit.
- Use network diagnostic tools like traceroute or ping from your on-premises environment to an IP address within your Azure VNet (for private peering) or to a Microsoft service endpoint (for Microsoft peering).
- Ensure your network devices are correctly configured to route traffic for the advertised prefixes.
Best Practices
- Use separate peering configurations for Microsoft and Azure Private Peering.
- For high availability, configure redundant ExpressRoute circuits and peers.
- Carefully plan your IP address space to avoid overlaps.
- Keep your AS numbers and IP prefixes updated in your RIR registration.
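The private peering requirements and the address-planning advice above can be checked before a circuit is configured. The following is an added example, not Microsoft's code or tooling: the function names and the sample plan are constructed, and it assumes "private AS number" means the RFC 6996 private-use ranges.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private IPv4 blocks, which the page requires for private peering prefixes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: "private AS number" means the RFC 6996 private-use ranges.
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_private_peering(asn, onprem_prefixes, vnet_prefixes):
    """Return a list of findings; an empty list means the plan passes these checks."""
    findings = []
    if not is_private_asn(asn):
        findings.append(f"ASN {asn} is not in a private-use range")

    nets = []
    for side, prefixes in (("on-prem", onprem_prefixes), ("vnet", vnet_prefixes)):
        for p in prefixes:
            try:
                # strict=True rejects prefixes with host bits set, e.g. 10.1.0.1/16
                net = ipaddress.ip_network(p, strict=True)
            except ValueError as exc:
                findings.append(f"{side} prefix {p!r} is invalid: {exc}")
                continue
            if net.version != 4 or not any(net.subnet_of(b) for b in RFC1918):
                findings.append(f"{side} prefix {net} is outside RFC 1918 space")
            nets.append((side, net))

    # Any overlap, on-premises vs VNet or within one side, makes routing ambiguous.
    for (side_a, a), (side_b, b) in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            findings.append(f"overlap: {side_a} {a} and {side_b} {b}")
    return findings


# Constructed sample plan (not from the page).
SAMPLE = dict(
    asn=65010,
    onprem_prefixes=["10.10.0.0/16", "192.168.50.0/24", "172.32.0.0/16"],
    vnet_prefixes=["10.10.128.0/20", "10.20.0.0/16"],
)

if __name__ == "__main__":
    for finding in check_private_peering(**SAMPLE):
        print(finding)
```

In the sample plan, 172.32.0.0/16 falls just outside 172.16.0.0/12, and the on-premises 10.10.0.0/16 covers the VNet range 10.10.128.0/20, so both are reported.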
Understanding and correctly configuring ExpressRoute peering is essential for building a robust and reliable hybrid cloud network. For more advanced configurations, including QoS and route filters, please consult the related documentation.