Configure Azure Peering for ExpressRoute
This document guides you through the process of configuring Azure private and Microsoft peering for your ExpressRoute circuits. Azure peering allows you to establish private connectivity between your on-premises networks and Azure services.
Understanding Azure Peering Types
Azure ExpressRoute supports two types of peering within Azure:
- Azure Private Peering: Enables connectivity to Azure Virtual Networks (VNets) using private IP address spaces.
- Azure Microsoft Peering: Enables connectivity to Microsoft public IP address spaces (e.g., Office 365, Dynamics 365).
Important Note
You can enable both Azure Private and Microsoft peering on a single ExpressRoute circuit, but not Public peering.
Configuring Azure Private Peering
To configure Azure Private Peering, you need to define a BGP session between your network edge device and Azure's edge routers. This requires specifying your Autonomous System Number (ASN) and the BGP peer IP addresses.
Prerequisites:
- An active ExpressRoute circuit.
- Your on-premises ASN.
- A /30 or /31 IP address range for the link between your router and Azure's router. This range should not overlap with your on-premises network or VNet address spaces.
Steps:
- Create the Peering Configuration: In the Azure portal, navigate to your ExpressRoute circuit. Select "Peerings" and then click "+ Add".
- Select Peering Type: Choose "Azure Private".
- Configure BGP Settings:
  - VLAN ID: Enter a unique VLAN ID (1-4094) for this peering.
  - Peer ASN: Enter your on-premises ASN.
  - BGP Peer IP Addresses: Provide an IP address from the /30 or /31 range for Azure, and another for your router. Azure will provide an IP address for its side.
- Save the Configuration: Click "Add" to create the peering.
Configuration Tips
It's recommended to use a private ASN (64512-65534 or 4200000000-4294967294) for your on-premises ASN if you are not a public BGP customer.
# Example CLI command to add Azure Private Peering (conceptual)
# The peering is identified by --peering-type; the link subnets are passed
# with --primary-peer-subnet and --secondary-peer-subnet.
az network express-route peering create \
    --resource-group MyResourceGroup \
    --circuit-name MyExpressRouteCircuit \
    --peering-type AzurePrivatePeering \
    --vlan-id 100 \
    --peer-asn 65001 \
    --primary-peer-subnet 10.0.0.4/30 \
    --secondary-peer-subnet 10.0.0.8/30
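A pre-flight check for the private peering inputs described above, as an added example that is not part of the original page or of Azure tooling; the function name `check_private_peering` and the sample on-premises/VNet ranges are assumptions. It tests the peer ASN against the private ranges this page recommends, the VLAN ID bounds, and that each link subnet is an aligned /30 or /31 that overlaps neither the other link subnet nor address space already in use.

```python
import ipaddress

# Private ASN ranges and VLAN bounds as stated on this page.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
VLAN_MIN, VLAN_MAX = 1, 4094


def check_private_peering(peer_asn, vlan_id, primary, secondary, in_use):
    """Return a list of problems; an empty list means the inputs pass.

    primary/secondary: link subnets as CIDR strings.
    in_use: CIDR strings for on-premises and VNet address spaces.
    """
    problems = []
    if not any(lo <= peer_asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
        problems.append(f"peer ASN {peer_asn} is outside the recommended private ranges")
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        problems.append(f"VLAN ID {vlan_id} is outside {VLAN_MIN}-{VLAN_MAX}")

    links = []
    for label, cidr in (("primary", primary), ("secondary", secondary)):
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.0.0.5/30.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label} link subnet {cidr}: {exc}")
            continue
        if net.prefixlen not in (30, 31):
            problems.append(f"{label} link subnet {cidr} is not a /30 or /31")
        links.append((label, net))

    if len(links) == 2 and links[0][1].overlaps(links[1][1]):
        problems.append("primary and secondary link subnets overlap")
    for label, net in links:
        for used in in_use:
            if net.overlaps(ipaddress.ip_network(used, strict=False)):
                problems.append(f"{label} link subnet {net} overlaps {used}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the values from the CLI example above, checked
    # against made-up on-premises and VNet ranges.
    for p in check_private_peering(65001, 100, "10.0.0.4/30", "10.0.0.8/30",
                                   ["10.0.0.0/16", "192.168.0.0/24"]):
        print("FAIL:", p)
```

With the constructed ranges in the sample run, both link subnets from the CLI example are reported because they fall inside 10.0.0.0/16.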
Configuring Azure Microsoft Peering
Microsoft peering allows you to connect to Microsoft's public IP address prefixes, including those used by services like Office 365 and Dynamics 365. This peering type requires a different ASN and IP addressing scheme.
Prerequisites:
- An active ExpressRoute circuit.
- A globally unique public ASN (registered with a Regional Internet Registry - RIR).
- A /30 or /31 IP address range for the link between your router and Azure's router, which must be globally routable.
- Your Microsoft-provided ASN (typically 12076).
Steps:
- Create the Peering Configuration: In the Azure portal, navigate to your ExpressRoute circuit. Select "Peerings" and then click "+ Add".
- Select Peering Type: Choose "Azure Microsoft".
- Configure BGP Settings:
  - VLAN ID: Enter a unique VLAN ID (1-4094) for this peering.
  - Peer ASN: Enter your globally registered public ASN.
  - BGP Peer IP Addresses: Provide an IP address from the /30 or /31 range for Azure, and another for your router. Azure will provide an IP address for its side. These must be globally routable addresses.
- Microsoft Circuit: You will receive a Microsoft ASN and an IP address prefix from Microsoft. You'll use these to establish the BGP session with Microsoft's network.
- Save the Configuration: Click "Add" to create the peering.
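# Example PowerShell commands to add Azure Microsoft Peering (conceptual)
# Resource names and the two /30 link prefixes are placeholders.
$circuit = Get-AzExpressRouteCircuit -Name "MyExpressRouteCircuit" -ResourceGroupName "MyResourceGroup"

# Add the peering to the in-memory circuit object.
Add-AzExpressRouteCircuitPeeringConfig `
    -Name "MicrosoftPeering" `
    -ExpressRouteCircuit $circuit `
    -PeeringType MicrosoftPeering `
    -PeerASN 65002 `
    -VlanId 200 `
    -PrimaryPeerAddressPrefix "198.51.100.0/30" `
    -SecondaryPeerAddressPrefix "198.51.100.4/30" `
    -MicrosoftConfigAdvertisedPublicPrefixes "203.0.113.0/24" `
    -MicrosoftConfigCustomerAsn 65001

# Commit the change to Azure.
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit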
Verifying Peering Status
After configuring your peering, it's essential to verify its status. You can do this through the Azure portal, Azure CLI, or Azure PowerShell. Look for the "Provisioned" status and successful BGP session establishment.
Troubleshooting BGP
- Ensure your router's BGP configuration matches the settings in Azure.
- Verify IP address reachability between your edge device and Azure's edge routers.
- Check for any firewall rules blocking BGP traffic (TCP port 179).