Configure ExpressRoute for Azure Virtual WAN

This article guides you through the steps to configure ExpressRoute connections for your Azure Virtual WAN hub. This enables you to extend your on-premises networks to Azure by establishing private, high-throughput connections.

Note: Ensure you have an existing ExpressRoute circuit and a Virtual WAN hub before proceeding. This article assumes you have met these prerequisites.

Prerequisites

An active Azure subscription.
A deployed Azure Virtual WAN resource.
A deployed Virtual WAN hub within your Virtual WAN.
An existing ExpressRoute circuit peered with your on-premises network.
Appropriate permissions to manage Azure networking resources.

Steps to Configure ExpressRoute for Virtual WAN

Step 1: Create an ExpressRoute Gateway in your Virtual WAN Hub

You need an ExpressRoute gateway within your Virtual WAN hub to terminate your ExpressRoute circuit. If you don't have one, create it through the Azure portal:

Navigate to your Virtual WAN resource in the Azure portal.
Select the desired hub.
Under "Connectivity," select "ExpressRoute gateways."
Click "Create ExpressRoute gateway."
Configure the gateway settings:
- Gateway type: Select ExpressRoute.
- Scale units: Choose the appropriate scale units (e.g., 1, 2, or 3). Higher scale units provide higher throughput.
- Name: Provide a name for your gateway (e.g., myVWANHubExpressRouteGateway).
- Virtual Network: This will be automatically populated with the hub's virtual network.
Click "Review + create," then "Create." Deployment can take 30-45 minutes.

Step 2: Associate your ExpressRoute Circuit with the Virtual WAN Hub

Once the ExpressRoute gateway is deployed, you can associate your existing ExpressRoute circuit with it.

In the Azure portal, navigate to your Virtual WAN resource.
Under "Connectivity," select "ExpressRoute."
Click "+ Add ExpressRoute circuit."
In the "Add ExpressRoute circuit" pane:
- Circuit: Select your existing ExpressRoute circuit from the dropdown. If your circuit doesn't appear, ensure it's in the same subscription and region, or that you have permissions to view it.
- Authorization key: You'll need the authorization key for your ExpressRoute circuit. You can obtain this from the peering service provider or by viewing the circuit details in the Azure portal under the ExpressRoute service.
Click "Add."

Step 3: Configure Routing for ExpressRoute and Virtual WAN

Routing is crucial for traffic to flow between your on-premises network, Virtual WAN, and other connected resources. Virtual WAN uses route tables to manage this. You'll typically want to propagate routes from your ExpressRoute circuit to your hub and advertise your hub's routes back to your on-premises network via ExpressRoute.

Understanding Route Propagation and Association

Route Tables: Each hub has a default route table. You can create custom route tables and associate connections (including ExpressRoute connections) to them.
Route Propagation: Routes from connected resources (like your ExpressRoute circuit) are propagated to a route table.
Route Association: A connection learns routes from an associated route table.

Common Routing Scenario:

For basic connectivity, you'll want to propagate routes from your ExpressRoute circuit to the hub's default route table and associate your ExpressRoute connection with this same table. This allows the hub to learn routes from your on-premises network and advertise its own routes back.

To configure this:

Navigate to your Virtual WAN hub.
Under "Connectivity," select "ExpressRoute."
Click on the ExpressRoute connection you just added.
In the connection details pane, configure the following:
- Route association: Select the route table you want the ExpressRoute connection to associate with (usually the Default route table).
- Route propagation: Select the route table to which routes from this ExpressRoute connection should be propagated (usually the Default route table).
Click "Save."

Tip: For more complex routing requirements, consider creating custom route tables and leveraging route distribution policies to control which routes are advertised and learned.

Verification

After configuration, verify connectivity by:

Checking the status of your ExpressRoute gateway and the connection in the Azure portal.
Testing network connectivity from an on-premises machine to an Azure VM in a connected VNet or vice versa.
Examining the effective routes on your hub and any connected VNets to ensure routes are being learned as expected.

Warning: Route propagation and association settings are critical. Incorrect configuration can lead to network connectivity issues. Always test thoroughly after making changes.

Next Steps

Once ExpressRoute is configured, you can explore further options such as:

Connecting other network types (e.g., VPN sites) to your Virtual WAN.
Implementing traffic filtering and inspection.
Utilizing advanced routing policies.