ExpressRoute Prerequisites
This document outlines the essential prerequisites and considerations before you can provision and configure Azure ExpressRoute circuits. Ensuring these requirements are met will streamline the setup process and prevent potential issues.
Network Connectivity
ExpressRoute allows you to create private connections between Azure datacenters and your on-premises infrastructure or colocation environment. This requires:
- Physical Connection: A physical circuit connecting your network to a supported ExpressRoute location. This can be achieved through a network service provider (NSP) or by connecting directly at an ExpressRoute colocation facility.
- VLAN Tagging: Your network equipment must support 802.1Q VLAN tagging. ExpressRoute circuits use VLANs to isolate different routing domains (e.g., private peering, Microsoft peering).
- IP Addressing: You must have a block of public IP addresses that you own and can advertise to Azure over ExpressRoute. These are used for your virtual machines and services within Azure. Private IP addresses can also be used for private peering.
Peering Requirements
ExpressRoute supports several peering types, each with specific requirements:
- Azure Public Peering: Allows access to public Azure services (e.g., Azure Storage, Azure SQL Database) through ExpressRoute. You'll need public IP addresses for your on-premises network.
- Azure Private Peering: Enables connectivity to Azure virtual networks (VNets) using private IP addresses. You need a virtual network gateway in your VNet configured for ExpressRoute.
- Microsoft Peering: Provides access to Microsoft 365 services (e.g., Office 365, Dynamics 365) and other Microsoft online services. Routes exchanged over this peering carry specific AS paths and BGP community values that your routing policy must accommodate.
Service Provider and Location
You must select a network service provider (NSP) that offers ExpressRoute services in your desired geographic region. Your NSP will help you establish the physical connection.
- Supported Providers: Consult the Azure ExpressRoute locations page for a list of supported NSPs and their coverage areas.
- Colocation Facilities: If you choose to connect directly, you'll need access to a supported colocation facility.
Azure Subscription and Permissions
You need an active Azure subscription and appropriate permissions to create and manage ExpressRoute circuits and related resources.
- Resource Group: ExpressRoute circuits are provisioned within resource groups in your Azure subscription.
- Permissions: Ensure your Azure Active Directory (Azure AD) user or service principal has the necessary roles (e.g., Network Contributor) to create and configure network resources.
Routing and BGP
ExpressRoute relies on Border Gateway Protocol (BGP) for route exchange between your on-premises network and Azure.
- Autonomous System (AS) Number: You will need to provide your own public or private AS number for BGP peering with Azure. For Microsoft peering, Microsoft will provide its AS numbers.
- BGP Session: You'll need to configure your edge router to establish BGP sessions with the Azure routers.
- Route Advertisements: Understand the routing policies and how routes will be advertised to and from Azure.
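The peering parameters and BGP requirements above, as an added example that is not part of this document or of Microsoft's tooling: a POSIX shell script that validates a private-peering configuration before it is handed to the Azure CLI. It checks that the customer ASN is a positive integer outside 65515 to 65520 (the range Azure reserves on private peering; Microsoft's own side uses ASN 12076), that the VLAN ID is a usable 802.1Q tag (1 to 4094), and that the two peering subnets are distinct /30 networks on a /30 boundary. It then derives the BGP neighbor addresses each /30 implies (your router takes the first usable address, Microsoft's router the second) and composes the real `az network express-route peering create` command as text without executing it. The resource group, circuit name, ASN, VLAN and subnets are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Microsoft's code: validate the parameters an ExpressRoute
# private peering needs before passing them to the Azure CLI. All inputs are
# constructed; the resource group and circuit name are placeholders.

# Customer ASN for private peering: any positive ASN except the Azure-reserved
# range 65515-65520 inclusive. Microsoft's side of the session uses ASN 12076.
check_asn() {
    asn=$1
    case $asn in
        ''|*[!0-9]*) echo "ASN '$asn' must be a positive integer" >&2; return 1 ;;
    esac
    [ "$asn" -ge 1 ] || { echo "ASN must be at least 1" >&2; return 1; }
    if [ "$asn" -ge 65515 ] && [ "$asn" -le 65520 ]; then
        echo "ASN $asn is reserved by Azure" >&2; return 1
    fi
}

# 802.1Q tags 0 and 4095 are reserved, so a usable VLAN ID is 1-4094.
check_vlan() {
    case $1 in ''|*[!0-9]*) echo "VLAN ID must be numeric" >&2; return 1 ;; esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 4094 ]; then
        echo "VLAN ID $1 is outside 1-4094" >&2; return 1
    fi
}

# Each BGP session needs its own /30 whose network address sits on a /30 boundary.
check_peer_subnet() {
    cidr=$1
    case $cidr in
        */30) ;;
        *) echo "$cidr: peering subnet must be a /30" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- ${cidr%/30}
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "$cidr: expected four octets" >&2; return 1; }
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo "$cidr: bad octet '$octet'" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "$cidr: octet $octet out of range" >&2; return 1; }
    done
    # expr parses decimal, so an octet such as 08 cannot be misread as octal.
    [ "$(expr "$4" % 4)" -eq 0 ] || { echo "$cidr: not on a /30 boundary" >&2; return 1; }
}

# For a validated /30: the first usable address goes on your router and
# Microsoft's router takes the second usable address.
bgp_neighbors() {
    net=${1%/30}
    base=${net%.*}
    last=${net##*.}
    echo "local=$base.$(expr "$last" + 1) neighbor=$base.$(expr "$last" + 2)"
}

# Validate every parameter, then emit (not run) the Azure CLI command. The flags
# are the documented options of 'az network express-route peering create'.
build_private_peering_cmd() {
    rg=$1; circuit=$2; asn=$3; vlan=$4; primary=$5; secondary=$6
    check_asn "$asn" && check_vlan "$vlan" \
        && check_peer_subnet "$primary" && check_peer_subnet "$secondary" || return 1
    [ "$primary" != "$secondary" ] \
        || { echo "primary and secondary subnets must differ" >&2; return 1; }
    echo "az network express-route peering create" \
        "--resource-group $rg --circuit-name $circuit" \
        "--peering-type AzurePrivatePeering --peer-asn $asn --vlan-id $vlan" \
        "--primary-peer-subnet $primary --secondary-peer-subnet $secondary"
}

# Constructed sample run with placeholder names.
build_private_peering_cmd rg-example er-circuit-example 65010 200 10.0.0.0/30 10.0.0.4/30
bgp_neighbors 10.0.0.0/30
bgp_neighbors 10.0.0.4/30
```

Run the script to review the composed command and the addresses to configure on your edge router for each session; paste the command into an authenticated Azure CLI session only once the values match what your NSP has provisioned. Rejections are written to stderr with a non-zero exit status so the checks can gate a deployment pipeline.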
Security Considerations
While ExpressRoute provides a private connection, it's crucial to implement appropriate security measures.
- Firewalls: Deploy firewalls at your network edge to control traffic flowing over the ExpressRoute connection.
- Network Security Groups (NSGs): Utilize NSGs within your Azure VNets to filter traffic to and from your resources.
- Encryption: ExpressRoute itself does not encrypt traffic. If encryption is required, you must implement it yourself, either at the application layer or with IPsec tunnels carried over the ExpressRoute connection.
By carefully reviewing and fulfilling these prerequisites, you can ensure a smooth and successful deployment of Azure ExpressRoute for your organization.