Configure ExpressRoute Private Peering
This document guides you through the process of configuring private peering for your Azure ExpressRoute circuit. Private peering allows you to establish a direct, private connection between your on-premises network and your Azure virtual networks (VNets).
Note: Private peering is the most common peering type for ExpressRoute, enabling connectivity to Azure resources within your VNets.
Prerequisites
- An active Azure ExpressRoute circuit.
- Your on-premises network must have a router capable of BGP peering.
- A public ASN for your on-premises network. If you don't have one, you can use a private ASN (64512-65534).
- A primary and secondary IP address for your BGP peering session (these must be public IP addresses).
Steps to Configure Private Peering
You can configure private peering using the Azure portal, Azure CLI, or PowerShell.
Using the Azure Portal
- Navigate to your ExpressRoute circuit: Open the Azure portal and search for "ExpressRoute circuits". Select the circuit you want to configure.
- Go to "Peerings": In the circuit's overview blade, select "Peerings" from the left-hand menu.
- Add Private Peering: Click the "+ Add" button to add a new peering configuration.
- Configure Peering Details:
  - Peering Type: Select "Private".
  - VLAN ID: Enter a unique VLAN ID (1-4094) for this peering. This VLAN ID must be unique across all peerings on the circuit.
  - Azure Private Fiber: This option is typically managed by your connectivity provider.
  - Peer ASN: Enter the ASN of your on-premises router.
  - VLAN ID for Azure private IP address space: This is usually auto-populated.
  - IPv4/IPv6 Address Space: Enter the primary and secondary /30 or /126 CIDR blocks for your BGP session. These must be public IP addresses that you own or have allocated.
- Save Configuration: Click "Save" to apply the configuration.
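The constraints listed under "Configure Peering Details" can be checked before anything is submitted to Azure. The following is an added example, not part of the original page or of any Azure tooling; the function names `validate_peering` and `asn_kind` are hypothetical, and the secondary prefix in the sample input is constructed.

```python
"""Pre-flight checks for ExpressRoute private peering inputs (added example)."""
import ipaddress

# Private ASN range quoted in the prerequisites: 64512-65534.
PRIVATE_ASNS = range(64512, 65535)


def asn_kind(peer_asn):
    """Classify the peer ASN against the private range given on the page."""
    return "private" if peer_asn in PRIVATE_ASNS else "public"


def validate_peering(vlan_id, primary, secondary, used_vlans=()):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not 1 <= vlan_id <= 4094:
        problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
    elif vlan_id in used_vlans:
        problems.append(f"VLAN ID {vlan_id} is already used on this circuit")

    nets = []
    for label, cidr in (("primary", primary), ("secondary", secondary)):
        try:
            # strict=True rejects a prefix whose host bits are set (10.1.1.5/30).
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label} prefix {cidr!r} is invalid: {exc}")
            continue
        wanted = 30 if net.version == 4 else 126
        if net.prefixlen != wanted:
            problems.append(f"{label} prefix {cidr} must be a /{wanted}")
        nets.append(net)

    if len(nets) == 2:
        if nets[0].version != nets[1].version:
            problems.append("primary and secondary mix IPv4 and IPv6")
        elif nets[0].overlaps(nets[1]):
            problems.append("primary and secondary prefixes overlap")
    return problems


if __name__ == "__main__":
    # Constructed inputs: 10.1.1.4/30 is the page's value, 10.1.1.8/30 is made up.
    print(asn_kind(65001), validate_peering(200, "10.1.1.4/30", "10.1.1.8/30"))
    print(validate_peering(200, "10.1.1.5/30", "10.1.1.8/29", used_vlans={200}))
```

Pass the VLAN IDs of the circuit's existing peerings as `used_vlans` so a collision is caught before the request is sent.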
Using Azure CLI
Replace the placeholders with your specific values. The primary and secondary subnets are passed as separate arguments, and the peering is identified by its peering type.
az network express-route peering create --resource-group MyResourceGroup --circuit-name MyExpressRouteCircuit --peering-type AzurePrivatePeering --vlan-id 200 --peer-asn 65001 --primary-peer-subnet 10.1.1.4/30 --secondary-peer-subnet "<secondary /30 subnet>"
Using Azure PowerShell
Replace the placeholders with your specific values.
$expressRouteCircuit = Get-AzExpressRouteCircuit -Name "MyExpressRouteCircuit" -ResourceGroupName "MyResourceGroup"
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $expressRouteCircuit -PeeringType "AzurePrivatePeering" -VlanId 200 -PeerASN 65001 -PrimaryPeerAddressPrefix "10.1.1.4/30" -SecondaryPeerAddressPrefix "<secondary /30 subnet>"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $expressRouteCircuit
Verifying Private Peering
After configuring private peering, it's essential to verify the BGP session and connectivity. You can use the following commands:
- Azure CLI:
  az network express-route peering list --resource-group MyResourceGroup --circuit-name MyExpressRouteCircuit --output table
- Azure PowerShell:
  Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $expressRouteCircuit
On your on-premises router, check the BGP status to ensure the session is established. You should also verify that routes are being advertised and received correctly.
Important: Ensure that the IP addresses used for the BGP session are public and properly routed. Incorrect IP configuration can prevent BGP peering from establishing.