This blog post provides information about the Express Route service in Azure cloud network connectivity. A conversation with a friend inspired me to discuss the high availability and disaster recovery options for the Express Route service. In this series of posts, I will start with the basics of Express Route and then discuss the various options available for ensuring resilience in the service.
What is ExpressRoute?
Microsoft ExpressRoute circuits are a highly efficient and secure way of establishing private, dedicated connections between an organisation’s on-premises network and its Azure cloud environment. By bypassing the public internet, ExpressRoute circuits offer much higher reliability, faster speeds, consistent latencies, and better security than traditional connections. With ExpressRoute, you can connect to Microsoft cloud services such as Microsoft Azure and Microsoft 365 and establish network connectivity to Azure virtual networks through any-to-any (IP VPN) network, point-to-point Ethernet network, or virtual cross-connection via a connectivity provider at a colocation facility. Additionally, ExpressRoute connections offer more cost-effectiveness than typical connections over the internet, making them a preferred choice for many organisations.
ExpressRoute uses BGP, an industry-standard dynamic routing protocol, to exchange routes between your on-premises network, your instances in Azure cloud, and your Microsoft public address. A single ExpressRoute circuit comprises the following:
- Primary connection
- The primary private peering link allows access to IaaS and PaaS resources such as Azure VMs, virtual networks, and SQL databases.
- The Primary Microsoft peering link allows access to Microsoft 365, Dynamics 365, Power BI, Azure DevOps, and other products.
- Secondary connection
- A secondary private peering link allows access to IaaS and PaaS resources such as Azure VMs, virtual networks, and SQL databases.
- A secondary Microsoft peering link allows access to Microsoft 365, Dynamics 365, Power BI, Azure DevOps, etc.
ExpressRoute allows businesses to extend their on-premises network into the Microsoft Cloud through a private connection with the help of a connectivity provider. It typically involves three network zones: the customer network, provider network, and Microsoft datacenter.
The benefits of ExpressRoute over the other options for the network connectivity are below:
- Each express route circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs) from the connectivity provider at an express route location.
- Faster, more reliable and more secure than VPN solutions.
- Data is private and does not traverse the internet.
Different ExpressRoute connectivity models
ExpressRoute provides four distinct methods for establishing a connection between your on-premises network and the Microsoft cloud: CloudExchange Colocation, Point-to-point Ethernet Connection, Any-to-any (IPVPN) Connection, and ExpressRoute Direct. Your provider may offer additional connectivity models depending on your organisation’s needs and requirements. Microsoft recommends working closely with your connectivity provider to determine the most suitable model for your organisation. By doing so, you can ensure that you select the optimal connectivity method that meets your business needs and delivers the desired outcomes.
Connectivity Model | Description |
CloudExchange Colocation | This option helps if you’re in a facility with a cloud exchange. Using the colocation provider’s Ethernet exchange, you can ask them to set up virtual cross-connections to the Microsoft cloud. The colocation provider can provide two types of cross-connections: Layer 2 and managed Layer 3. These connections allow you to link your infrastructure in the colocation facility with the Microsoft cloud. |
Point-to-point Ethernet Connection | Point-to-point Ethernet links connect your on-premises data centres or offices to the Microsoft cloud. Ethernet providers offer managed Layer 2 or 3 connections to ensure secure and reliable communication between your site and the Microsoft cloud. |
Any-to-any (IPVPN) Connection | With this option, IPVPN providers, which usually use MPLS VPN, provide any-to-any connectivity between your branch offices and data centres. You can interconnect the Microsoft cloud to your WAN to make it appear like any other branch office. WAN providers generally offer managed Layer 3 connectivity. ExpressRoute features and capabilities remain the same across all the connectivity models mentioned above. |
ExpressRoute Direct | This option facilitates a direct connection to Microsoft’s global network at multiple strategic peering locations worldwide. ExpressRoute Direct provides dual 100-Gbps or 10-Gbps connectivity that supports Active/Active connectivity at scale. |
ExpressRoute SKU types
Owing to the numerous available options, selecting an appropriate SKU for an ER circuit can be daunting. It is crucial to choose the correct SKU, and this requires careful consideration of several factors. One must thoroughly understand the various options’ technical specifications and the specific requirements of their application. Despite the challenges, it is essential to undertake this process with diligence, as selecting the appropriate SKU is paramount to achieving optimal performance and functionality of the ER circuit. The table below describes the available ExpressRoute SKUs:
SKU | Description and Features |
Local | 1. Local ER circuits can be used for an ER peering location that can access only one or two Azure regions in or near the same metropolitan area. 2. The most significant benefit of the Local SKU is that customers can avoid paying egress charges, but only if they use ER circuits with speeds ranging from 50 Mbps to 500 Mbps. |
Standard | 1. ExpressRoute Standard allows connectivity within all the Microsoft Azure regions within the geopolitical boundaries. 2. For example, you have deployed and access to the Azure services in the Australian East region, the same way you access the Australia South East regions. |
Premium | 1. ExpressRoute Premium allows for connectivity across geopolitical boundaries, enabling you to connect to Microsoft Azure in all regions. Please note that national clouds are not included. 2. For example, you have deployed and access to the Azure services in the Australian East region, the same way you access the West US and West Europe regions. |
Metro (PREVIEW) | 1. Dual-homed connections (two different connections ) to two distinct ExpressRoute peering locations in the same city and Provide increased availability and resiliency for the ExpressRoute circuits. 2. Connect seamlessly from your on-premises environment to Azure resources using an ExpressRoute circuit. This can be done with the assistance of a connectivity provider or by using ExpressRoute Direct, which provides dual 10G or 100G ports. 3. Available at Azure cloud locations only in Amsterdam, Singapore and Zurich. |
The diagram below shows the connectivity scope of different ExpressRoute circuit SKUs.
Peering
- Azure private peering:
- This peering essentially extends your core network into Microsoft Azure and is considered trusted.
- Using private peering, you can set up bi-directional connectivity between your core network and Azure virtual networks (VNets), connecting you to virtual machines and cloud services directly via their private IP addresses.
- Virtual machines (IaaS) and cloud services (PaaS) can be deployed within a virtual network and connected through a private peering domain.
- Microsoft peering:
- This peering enables bidirectional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain.
- Use Microsoft Peering to connect to Microsoft online services (including Microsoft 365, Azure PaaS, and Microsoft PSTN).
Additional Features
ExpressRoute Global Reach is a powerful feature that enables you to establish a private network by interconnecting multiple ExpressRoute circuits. This feature ensures secure and reliable communication between your on-premises networks, data centres across regions, and Microsoft cloud services. With ExpressRoute Global Reach, you can extend your corporate network to the cloud and enjoy faster data transfer rates, lower latency, and improved security. By leveraging this feature, you can effortlessly integrate your on-premises infrastructure with the cloud, streamline your operations, and enhance your business agility.
To establish ExpressRoute Global Reach across different geopolitical regions, you must have circuits with Premium SKU.
In the below example, you can use ExpressRoute Global Reach to enable direct data exchange between your San Francisco office’s IP address (10.0.1.0/24) and your London office’s IP address (10.0.2.0/24) through Microsoft’s global network via existing ExpressRoute circuits.
ExpressRoute FastPath is a feature that enhances the performance of the data path between your on-premises and virtual networks. With FastPath enabled, network traffic is sent directly to virtual machines in the virtual network, bypassing the gateway to improve network performance. FastPath support is available for limited scenarios for 100/10Gbps ExpressRoute Direct connections, including Virtual Network Peering, User-Defined Routes (UDRs), and Private Endpoint/Private Link connectivity. Virtual Network Peering and UDR support are available globally across all Azure regions. At the same time, Private Endpoint/Private Link connectivity is available in limited Azure regions.
This blog post delves into the fundamental aspects of the ExpressRoute service, providing comprehensive details on its functionality and capabilities. In the upcoming blog, I will elaborate on the advanced features of ExpressRoute, such as high availability and disaster recovery scenarios, providing a thorough analysis of their benefits and practical applications.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.