
Azure ExpressRoute Configuration Guide
Enterprise Implementation with Azure Portal
Azure ExpressRoute provides a private, dedicated connection between an on-premises datacenter and Microsoft Azure. Unlike a site-to-site VPN, ExpressRoute traffic does not traverse the public internet; connectivity is delivered through a connectivity provider or through ExpressRoute Direct ports at Microsoft peering locations. Private does not mean encrypted: traffic on private peering is carried in the clear unless you add MACsec (ExpressRoute Direct only) or run IPsec over the circuit, so treat the provider path as untrusted transport where the data classification requires it.
This architecture is typically used for enterprise hybrid environments that require high bandwidth, predictable latency, and private connectivity to Azure services.
The following guide explains a complete enterprise deployment, including architecture planning, IP design, portal configuration, BGP routing configuration, and connectivity validation.
Azure ExpressRoute SKUs and Parameters
Azure ExpressRoute has two main categories of SKU:
First category: ExpressRoute circuit SKUs
Second category: ExpressRoute virtual network gateway SKUs
Both affect connectivity scope, routing scale, throughput, and overall hybrid architecture performance.
1. ExpressRoute Circuit SKU Tiers
| SKU Tier | Connectivity Scope | Data Transfer Model | Max VNet Connections | Route Limits (private peering) | Typical Use Case |
|---|---|---|---|---|---|
| Local | Azure regions in or near the peering location | Unlimited only | 10 (same as Standard) | 4,000 prefixes | Regional workloads with minimal cross-region requirements |
| Standard | Multiple Azure regions within the same geopolitical region | Metered or Unlimited | Up to 10 VNets | 4,000 prefixes | Most enterprise hybrid deployments |
| Premium | Global connectivity across all Azure regions | Metered or Unlimited | Up to 100 VNets (scales with circuit bandwidth) | 10,000 prefixes | Global enterprises and large scale hybrid environments |
2. ExpressRoute Circuit Bandwidth Options
Bandwidth determines the throughput capacity of the ExpressRoute circuit between the provider network and Microsoft edge routers.
| Bandwidth Option | Typical Scenario |
|---|---|
| 50 Mbps | Small branch connectivity |
| 100 Mbps | Small enterprise workloads |
| 200 Mbps | Moderate hybrid workloads |
| 500 Mbps | Medium enterprise environments |
| 1 Gbps | Large enterprise hybrid connectivity |
| 2 Gbps | High volume application traffic |
| 5 Gbps | Large datacenter integration |
| 10 Gbps | Large scale enterprise and multi-application traffic |
Bandwidth options depend on the connectivity provider and peering location.
3. ExpressRoute Billing Models
| Billing Model | Description | Best Use Case |
|---|---|---|
| Metered Data | Outbound (egress) traffic from Azure is charged per GB; inbound traffic is not charged | Moderate data transfer workloads |
| Unlimited Data | Flat monthly charge covering all inbound and outbound data transfer | High volume enterprise workloads |
4. ExpressRoute Peering Types
ExpressRoute supports different routing domains called peerings.
| Peering Type | Purpose | Traffic Type |
|---|---|---|
| Azure Private Peering | Connects on-premises networks to Azure VNets | Private application traffic |
| Microsoft Peering | Access to Microsoft SaaS and public Azure service endpoints; prefixes are received only through route filters | Microsoft 365, Azure PaaS public endpoints |
| Azure Public Peering | Deprecated; its function has moved to Microsoft peering | Previously used for public Azure services |
Most deployments use Azure Private Peering.
5. ExpressRoute Virtual Network Gateway SKUs
The ExpressRoute gateway connects the Azure VNet to the ExpressRoute circuit. Gateway SKUs determine throughput and scale.
| Gateway SKU | Performance Level | Throughput Capacity | Typical Use Case |
|---|---|---|---|
| Standard | Entry level gateway | Moderate throughput | Small hybrid deployments |
| HighPerformance | Higher performance than Standard | Higher throughput | Medium enterprise connectivity |
| UltraPerformance | Highest performance of the non-zonal SKUs | Very high throughput | High performance enterprise environments and large scale datacenter connectivity |
| ErGw1AZ | Zone-redundant equivalent of Standard | Moderate throughput | Production environments requiring resiliency |
| ErGw2AZ | Zone-redundant equivalent of HighPerformance | Higher throughput | Medium to large enterprises |
| ErGw3AZ | Zone-redundant equivalent of UltraPerformance | Maximum throughput | Large enterprise hybrid architectures |
AZ gateway SKUs support availability zones and provide higher resiliency.
6. ExpressRoute Key Configuration Parameters
During ExpressRoute configuration, several parameters must be defined.
| Parameter | Description |
|---|---|
| Provider | Connectivity partner providing the ExpressRoute circuit |
| Peering Location | Physical location (Microsoft peering location) where the circuit connects to the Microsoft network |
| Bandwidth | Maximum throughput of the ExpressRoute circuit |
| VLAN ID | 802.1Q VLAN tag, agreed with the provider, that isolates this peering on the circuit |
| ASN | Autonomous System Number your router presents to the MSEE for BGP; the Microsoft side is 12076 |
| Primary Peering Subnet | IPv4 /30 for the primary BGP session; you use the first address, Microsoft (the MSEE) uses the second |
| Secondary Peering Subnet | IPv4 /30 for the redundant BGP session, with the same address assignment |
| GatewaySubnet | Dedicated subnet used by the ExpressRoute gateway |
| Circuit Service Key | GUID Azure generates for the circuit; the provider uses it to provision the circuit, so share it only with the provider |
7. Gateway Subnet Requirements
| Requirement | Value |
|---|---|
| Minimum Size | /27 |
| Recommended Size | /27 or larger |
| Subnet Name | GatewaySubnet |
| Allowed Resources | Only ExpressRoute or VPN gateway |
This subnet is reserved exclusively for Azure gateway infrastructure; do not place workloads in it or associate a network security group with it.
8. Typical Enterprise ExpressRoute Architecture
| Component | Purpose |
|---|---|
| ExpressRoute Circuit | Dedicated private connection to Azure |
| Connectivity Provider | Physical network connection |
| ExpressRoute Gateway | Azure routing gateway |
| Azure Virtual Network | Cloud network for workloads |
| BGP Routing | Dynamic route exchange between networks |
| On-Premises Router | Routes traffic to Azure through ExpressRoute |
9. Recommended Enterprise Configuration
| Component | Recommended Choice |
|---|---|
| Circuit Tier | Standard for most deployments |
| Billing Model | Unlimited for large traffic workloads |
| Gateway SKU | ErGw2AZ or ErGw3AZ |
| Gateway Subnet Size | /27 or /26 |
| Redundancy | Dual circuits in separate peering locations |
| Routing Protocol | BGP |
ExpressRoute Deployment Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| ER | ExpressRoute | Microsoft private connectivity service between on-premises networks and Azure |
| ERC | ExpressRoute Circuit | Logical connection between a provider network and Microsoft Azure |
| ERG | ExpressRoute Gateway | Azure gateway used to route traffic between a VNet and ExpressRoute |
| ERGW | ExpressRoute Gateway | Same meaning as ERG; commonly used shorthand |
| ER-VNG | ExpressRoute Virtual Network Gateway | Gateway deployed in an Azure VNet for ExpressRoute connectivity |
| ER-Direct | ExpressRoute Direct | Dedicated connection directly to Microsoft edge routers without a provider |
| ER Global Reach | ExpressRoute Global Reach | Feature allowing on-premises sites connected via ExpressRoute to communicate with each other |
Networking Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| VNet | Virtual Network | Azure network containing subnets and workloads |
| GW | Gateway | Network gateway resource used for routing traffic |
| GWSubnet | Gateway Subnet | Reserved subnet used by VPN or ExpressRoute gateways |
| NSG | Network Security Group | Stateful layer 3/4 allow and deny rules applied to subnets or NICs |
| UDR | User Defined Route | Custom route table applied to subnets in an Azure VNet |
| NVA | Network Virtual Appliance | Third-party virtual firewall or router running in Azure |
| LB | Load Balancer | Azure load balancing service |
| ILB | Internal Load Balancer | Private load balancer inside a VNet |
| PL | Private Link | Private access to Azure PaaS services over a VNet IP address |
Routing and Protocol Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| BGP | Border Gateway Protocol | Dynamic routing protocol ExpressRoute uses to exchange prefixes |
| ASN | Autonomous System Number | Identifier of a routing domain in BGP |
| MD5 | Message Digest Algorithm 5 | Optional BGP session authentication; the peering's shared key is the MD5 key |
| IPsec | Internet Protocol Security | Encryption and authentication suite used by VPN connections; can also run over ExpressRoute when encryption is required |
| VLAN | Virtual Local Area Network | 802.1Q tag that isolates each peering on the circuit |
| CIDR | Classless Inter-Domain Routing | Prefix notation for IP networks, for example 10.10.0.0/16 |
Peering Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| PRV | Private Peering | Peering used to connect on-premises networks to Azure VNets |
| MSFT Peering | Microsoft Peering | Peering used for Microsoft services such as Microsoft 365 |
| Pub Peering | Public Peering | Deprecated peering previously used for public Azure services |
Infrastructure Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| DC | Data Center | Physical location of servers and networking equipment |
| POP | Point of Presence | Provider network access location |
| IX | Internet Exchange | Location where networks interconnect |
| MSEE | Microsoft Enterprise Edge Router | Microsoft router at the peering location that terminates the circuit |
| CPE | Customer Premises Equipment | On-premises router or firewall used to connect to ExpressRoute |
Azure Architecture Abbreviations
| Abbreviation | Full Term | Description |
|---|---|---|
| RG | Resource Group | Logical container for Azure resources |
| NIC | Network Interface Card | Virtual network interface attached to an Azure VM |
| VM | Virtual Machine | Azure compute instance |
| VNG | Virtual Network Gateway | Azure gateway used for VPN or ExpressRoute |
| P2S | Point to Site | VPN connection from a client to Azure |
| S2S | Site to Site | VPN connection between networks |
Typical ExpressRoute Architecture Acronyms
| Abbreviation | Meaning |
|---|---|
| ER Circuit | ExpressRoute Circuit |
| ER Gateway | ExpressRoute Virtual Network Gateway |
| ER Provider | Connectivity Partner |
| ER POP | ExpressRoute Peering Location |
| ER BGP | BGP routing used by ExpressRoute |
Most Important Abbreviations in ExpressRoute Deployments
| Abbreviation | Meaning |
|---|---|
| ER | ExpressRoute |
| ERC | ExpressRoute Circuit |
| ERGW | ExpressRoute Gateway |
| VNet | Virtual Network |
| GWSubnet | Gateway Subnet |
| BGP | Border Gateway Protocol |
| ASN | Autonomous System Number |
| VLAN | Virtual LAN |
| MSEE | Microsoft Enterprise Edge Router |
| CPE | Customer Premises Equipment |
These abbreviations appear frequently in Azure networking architecture diagrams, deployment documentation, and hybrid connectivity designs involving ExpressRoute.
1. Architecture Overview
ExpressRoute connectivity consists of several components that work together to create a hybrid network.
On-Premises Network
The routers, firewalls, and internal networks located inside the organization's datacenter.
Connectivity Provider
A telecommunications partner that provides the private circuit between the on-premises network and the Microsoft edge network.
ExpressRoute Circuit
The logical connection created in Azure that represents the dedicated connection between the provider network and Microsoft Azure.
ExpressRoute Gateway
The Azure gateway deployed inside the Azure virtual network to route traffic between the VNet and the ExpressRoute circuit.
Azure Virtual Network
The network containing Azure workloads such as virtual machines, databases, and application services.
Routing Protocol
ExpressRoute uses BGP for dynamic routing between the on-premises network and Azure.
2. Example Enterprise Network Design
Azure Virtual Network: 10.10.0.0/16
Application Subnet: 10.10.1.0/24
Database Subnet: 10.10.2.0/24
GatewaySubnet: 10.10.255.0/27
On-Premises Network: 192.168.0.0/16
Private Peering BGP ASN: 65010
Microsoft ASN: 12076
Primary Peering Subnet: 172.16.0.0/30
Secondary Peering Subnet: 172.16.0.4/30
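The design above can be checked before anything is created in the portal. The following script is an added example, not part of the original guide: it derives the CPE and MSEE addresses from each /30 (Microsoft always takes the second usable address, you take the first), confirms the GatewaySubnet is correctly named, inside the VNet and at least a /27, confirms that the VNet, on-premises and peering ranges do not overlap, and rejects a peer ASN that Azure reserves. The reserved-ASN set is the Azure list as the author recalls it and should be confirmed against current Microsoft documentation; the design values are the ones used in this guide.

```python
"""Validate the ExpressRoute IP and BGP design before creating any resources.

Added example; not part of the original guide. It checks the design above
(10.10.0.0/16 VNet, GatewaySubnet 10.10.255.0/27, on-premises 192.168.0.0/16,
peering /30s 172.16.0.0/30 and 172.16.0.4/30, peer ASN 65010). The reserved
ASN set is the Azure-reserved list as the author recalls it (assumption:
confirm against current Microsoft documentation before relying on it).
"""
import ipaddress
from typing import Dict, List

MICROSOFT_ASN = 12076
# ASNs Azure rejects as the customer peer ASN (assumption, see docstring).
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}
PRIVATE_ASN_RANGE = range(64512, 65535)  # 16-bit private ASNs


def peering_addresses(subnet: str) -> Dict[str, str]:
    """Map a /30 peering subnet to the address each side configures.

    Microsoft puts the MSEE on the second usable address; the customer edge
    router (CPE) takes the first. Anything but an IPv4 /30 is rejected.
    """
    net = ipaddress.ip_network(subnet)  # strict: host bits must be zero
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{subnet}: private peering needs an IPv4 /30")
    first, second = list(net.hosts())
    return {"cpe": str(first), "msee": str(second)}


def validate_design(vnet: str, gateway_subnet: str, gateway_name: str,
                    onprem: str, primary: str, secondary: str,
                    peer_asn: int) -> List[str]:
    """Return findings for a design; an empty list means it is consistent."""
    findings: List[str] = []
    vnet_net = ipaddress.ip_network(vnet)
    gw_net = ipaddress.ip_network(gateway_subnet)
    onprem_net = ipaddress.ip_network(onprem)

    # GatewaySubnet: exact name, carved from the VNet, /27 or larger.
    if gateway_name != "GatewaySubnet":
        findings.append(f"gateway subnet is named {gateway_name!r}; it must be exactly 'GatewaySubnet'")
    if not gw_net.subnet_of(vnet_net):
        findings.append(f"GatewaySubnet {gateway_subnet} is not inside VNet {vnet}")
    if gw_net.prefixlen > 27:
        findings.append(f"GatewaySubnet {gateway_subnet} is smaller than /27")

    # The two sides of the circuit must not overlap, or the BGP routes collide.
    if vnet_net.overlaps(onprem_net):
        findings.append(f"VNet {vnet} overlaps on-premises {onprem}")

    # Peering subnets: two distinct /30s, disjoint from both address spaces.
    if primary == secondary:
        findings.append("primary and secondary peering subnets must differ")
    for label, sub in (("primary", primary), ("secondary", secondary)):
        try:
            peering_addresses(sub)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        sub_net = ipaddress.ip_network(sub)
        for name, space in (("VNet", vnet_net), ("on-premises", onprem_net)):
            if sub_net.overlaps(space):
                findings.append(f"{label} peering subnet {sub} overlaps {name} space {space}")

    # Peer ASN: never one Azure reserves; flag anything outside the private range.
    if peer_asn in AZURE_RESERVED_ASNS:
        findings.append(f"peer ASN {peer_asn} is reserved by Azure")
    elif peer_asn not in PRIVATE_ASN_RANGE:
        findings.append(f"peer ASN {peer_asn} is not a 16-bit private ASN; use a public ASN only if you own it")
    return findings


if __name__ == "__main__":
    for sub in ("172.16.0.0/30", "172.16.0.4/30"):
        print(sub, peering_addresses(sub))
    print(validate_design("10.10.0.0/16", "10.10.255.0/27", "GatewaySubnet",
                          "192.168.0.0/16", "172.16.0.0/30", "172.16.0.4/30", 65010))
```

For the guide's design the validator returns no findings and reports that the CPE configures 172.16.0.1 and 172.16.0.5 while the MSEEs answer on 172.16.0.2 and 172.16.0.6; those four addresses are what the router step later needs.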
3. Create Resource Group
Sign in to the Azure portal.
Search for Resource Groups.
Select Create.
Enter the following information:
Resource group name: RG-Network-Hybrid
Region: (select the Azure region where the VNet will exist)
Select Review and Create.
4. Create the Azure Virtual Network
Navigate to Virtual Networks.
Select Create.
Configure the following:
Name: vNet-Hybrid
Address space: 10.10.0.0/16
Create subnets:
Application Subnet: 10.10.1.0/24
Database Subnet: 10.10.2.0/24
GatewaySubnet: 10.10.255.0/27
The subnet used by the ExpressRoute gateway must be named GatewaySubnet exactly; the portal's Add gateway subnet option sets this name for you.
The minimum size for the GatewaySubnet in ExpressRoute deployments is /27; use /27 or larger.
5. Create ExpressRoute Circuit
Navigate to ExpressRoute Circuits.
Select Create.
Configure the circuit options:
Name: ER-Circuit-Primary
Provider: (select your connectivity provider)
Peering Location: (choose the location provided by your connectivity partner)
Bandwidth: (select the required bandwidth, such as 1 Gbps)
SKU Tier: (Local, Standard or Premium)
Billing Model: MeteredData or UnlimitedData
Select Review and Create.
After the circuit is created, Azure generates a service key (a GUID shown on the circuit overview).
Provide the service key to your connectivity provider so they can provision the circuit. It identifies your circuit to the provider, so treat it as sensitive and share it only with the provider.
6. Provider Provisioning
The provider uses the service key to activate the circuit on their side.
During provisioning the circuit's provider provisioning state moves through several states:
NotProvisioned, Provisioning, Provisioned
Peering configuration can start only after the provider marks the circuit as Provisioned. With a layer 2 provider you configure the peering yourself, as described next; a layer 3 provider configures the peering on your behalf.
7. Configure Azure Private Peering
Azure private peering allows on-premises networks to reach Azure virtual networks.
Navigate to the ExpressRoute circuit.
Open Peerings.
Select Azure private.
Configure Azure private peering:
Primary Subnet: 172.16.0.0/30
Secondary Subnet: 172.16.0.4/30
VLAN ID: defined by the provider
Peer ASN: 65010
Shared Key: (optional but recommended; this is the BGP MD5 key and must match the key configured on the on-premises router)
Enable IPv6 (if required)
This configuration defines two BGP sessions between the MSEEs and the on-premises router. Azure uses the second address of each /30 (172.16.0.2 and 172.16.0.6); your router uses the first (172.16.0.1 and 172.16.0.5).
8. Configure On-Premises Router
Configure BGP and IP addressing on the on-premises router (CPE):
Router ASN: 65010
Azure ASN: 12076
Interface addresses: 172.16.0.1/30 (primary) and 172.16.0.5/30 (secondary), on the provider-assigned VLAN
BGP neighbors: 172.16.0.2 (primary MSEE) and 172.16.0.6 (secondary MSEE), using the same MD5 key as the peering
Advertise internal networks: 192.168.0.0/16
Ensure the router advertises only the intended on-premises prefixes toward Azure (apply an outbound prefix filter) and accepts the Azure VNet prefixes learned from both MSEEs.
9. Create ExpressRoute Virtual Network Gateway
Navigate to Virtual Network Gateways.
Select Create.
Configure the gateway:
Name: ER-Gateway-Hub
Gateway type: ExpressRoute
SKU: ErGw1AZ or ErGw2AZ depending on scale
Virtual network: vNet-Hybrid
Subnet: GatewaySubnet
Deployment of the ExpressRoute gateway typically takes between 30 and 45 minutes.
10. Create ExpressRoute Connection
Navigate to the virtual network gateway.
Open Connections.
Select Add.
Connection type: ExpressRoute
Select the ExpressRoute circuit (if the circuit lives in another subscription, you connect with an authorization key issued by the circuit owner instead)
Enable Maximum Resiliency (if required)
Select Create.
This step connects the Azure virtual network to the ExpressRoute circuit.
11. Validate BGP Status
Open the ExpressRoute circuit and check the following:
Circuit provisioning state: Provisioned
Private peering state: Enabled
BGP session state: Connected on both the primary and secondary peer (Connected is the portal's label for an Established BGP session)
These states confirm routing is operational. Also open the peering's route table: Azure should list 192.168.0.0/16 learned from ASN 65010, and your router should receive 10.10.0.0/16 from both MSEEs.
12. Deploy Azure Test Virtual Machine
Deploy a virtual machine into the Application Subnet.
Example:
VM Name: VM-Hybrid-Test
Subnet: 10.10.1.0/24
Operating System: Windows Server
13. Test Hybrid Connectivity
Test communication between Azure and on-premises systems.
Recommended tests:
RDP from the on-premises network to the Azure virtual machine
Ping (ICMP must be allowed by the VM's host firewall and by the NSG)
Drive mapping over SMB
Database connectivity tests
Successful communication confirms that ExpressRoute routing is functioning correctly. Run the tests from both directions, since a return-path routing problem only shows up when Azure initiates the connection.
14. ExpressRoute Security Best Practices
Use private peering only for Azure workloads; enable Microsoft peering only when it is needed, and then with route filters.
Restrict route advertisements to the necessary network prefixes, in both directions.
Use network security groups to control traffic inside Azure virtual networks (on workload subnets, not on the GatewaySubnet).
Implement Azure Firewall or network virtual appliances for inspection and segmentation of traffic arriving from on-premises.
Enable monitoring through Azure Network Watcher and Azure Monitor.
Log routing events and gateway metrics, and alert on BGP session and circuit availability changes.
Remember that private peering does not encrypt traffic; add MACsec (ExpressRoute Direct) or IPsec over the circuit where the data requires it.
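The router step above asks for an outbound prefix filter, and the practice of restricting route advertisements is what that filter implements. The following script is an added example, not part of the original guide: it models the policy a CPE should apply toward the MSEEs (only the agreed on-premises summaries, no default route, nothing more specific than a chosen maximum length) and refuses a policy that would exceed the circuit's private-peering route limit, since exceeding the limit causes the MSEE to drop the BGP session. The route limits are the published figures for Local/Standard (4,000) and Premium (10,000). The rendered prefix-list uses IOS-style syntax as an illustration; that syntax is an assumption about the router platform and the routing-table entries are constructed.

```python
"""Outbound BGP policy check for the on-premises router (CPE).

Added example; not part of the original guide. Models the prefix filter the
CPE applies toward the MSEEs and checks it against the circuit's route limit
(4,000 prefixes for Local and Standard, 10,000 for Premium on private peering).
The prefix-list text is IOS-style and an assumption about the platform in use.
"""
import ipaddress
from typing import Dict, List, Tuple

ROUTE_LIMIT = {"Local": 4000, "Standard": 4000, "Premium": 10000}


def exceeds_route_limit(advertised_count: int, sku: str) -> bool:
    """True when the prefix count would trip the circuit's route limit."""
    return advertised_count > ROUTE_LIMIT[sku]


def build_outbound_policy(candidates: List[str], allowed_summaries: List[str],
                          sku: str = "Standard", max_prefixlen: int = 24
                          ) -> Tuple[List[str], Dict[str, str]]:
    """Split candidate prefixes into what may be advertised and what must be dropped.

    candidates: prefixes present in the CPE routing table (constructed input).
    allowed_summaries: the on-premises blocks Azure is meant to reach.
    max_prefixlen: longest prefix permitted toward Azure.
    Returns (advertised, rejected); rejected maps prefix -> reason.
    """
    allowed = [ipaddress.ip_network(s) for s in allowed_summaries]
    advertised: List[str] = []
    rejected: Dict[str, str] = {}
    for p in candidates:
        net = ipaddress.ip_network(p)
        if net.prefixlen == 0:
            # A default route over private peering pulls all VNet egress on-premises.
            rejected[p] = "default route is not part of this policy"
        elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            rejected[p] = "outside the agreed on-premises summaries"
        elif net.prefixlen > max_prefixlen:
            rejected[p] = f"longer than /{max_prefixlen}; summarize before advertising"
        else:
            advertised.append(p)
    if exceeds_route_limit(len(advertised), sku):
        raise ValueError(
            f"{len(advertised)} prefixes exceed the {sku} limit of {ROUTE_LIMIT[sku]}; "
            "the MSEE would drop the BGP session")
    return advertised, rejected


def render_prefix_list(name: str, advertised: List[str]) -> List[str]:
    """Render permit entries plus an explicit deny-any, IOS-style (assumption)."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} permit {p}"
             for i, p in enumerate(advertised)]
    lines.append(f"ip prefix-list {name} seq {10 * (len(advertised) + 1)} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    # Constructed CPE routing table: the real summary plus things that must not leak.
    table = ["192.168.0.0/16", "192.168.10.0/24", "192.168.20.64/26",
             "10.50.0.0/16", "0.0.0.0/0"]
    adv, rej = build_outbound_policy(table, ["192.168.0.0/16"])
    print("\n".join(render_prefix_list("ER-OUT", adv)))
    for prefix, reason in rej.items():
        print(f"drop {prefix}: {reason}")
```

Applied to the constructed table, only 192.168.0.0/16 and 192.168.10.0/24 are permitted; the /26, the unrelated 10.50.0.0/16 and the default route are dropped with a reason each. The same shape of check, with the allowed set being the VNet address space, belongs on the inbound side so that a misconfigured Azure peering cannot inject unexpected prefixes into the on-premises routing table.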
15. High Availability Best Practices
Enterprise deployments typically implement redundancy:
Deploy dual ExpressRoute circuits in separate peering locations.
Use active/active routing through BGP across both circuits.
Deploy zone-redundant ExpressRoute gateways (ErGw1AZ, ErGw2AZ or ErGw3AZ).
Use multiple on-premises routers so that the primary and secondary BGP sessions do not share a single CPE.
This architecture prevents connectivity loss during circuit failures or maintenance.
16. ExpressRoute vs VPN Considerations
ExpressRoute advantages include:
Private connectivity
Higher bandwidth options
Predictable latency
Enterprise reliability
Site-to-site VPN advantages include:
Lower cost
Faster deployment
No provider dependency
Encryption in transit by default (IPsec)
Many enterprises deploy both technologies simultaneously for redundancy.
ExpressRoute serves as the primary hybrid connection while the VPN provides backup connectivity.
17. Troubleshooting Checklist
If connectivity fails, verify the following:
Circuit provisioning state is Provisioned.
BGP session state is Connected (Established) on both peers; if not, compare the VLAN ID, the /30 addresses and the shared key on both sides.
GatewaySubnet size is /27 or larger.
Gateway type is ExpressRoute and the gateway has a connection to the circuit.
The on-premises router is advertising the internal networks (check the peering's route table in Azure).
Azure route tables are correct (check the effective routes on the VM's network interface; the on-premises prefix should appear with next hop type VirtualNetworkGateway).
Network security groups and the VM's host firewall are not blocking traffic.
Once these items are confirmed, hybrid connectivity should operate normally.
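The validation and troubleshooting steps above are a fixed sequence of state checks, so they can be run against a status snapshot rather than read off several portal blades. The following script is an added example, not part of the original guide. The dictionaries mimic the shape of `az network express-route show`, `az network express-route list-route-tables-summary` and `az network nic show-effective-route-table` output as the author recalls it; the exact field names are an assumption to re-check against your CLI version, and every value is constructed to match this guide's design. The route-table-summary rows follow the Cisco-style convention in which the state column shows a received-prefix count when the session is Established and the FSM state name otherwise.

```python
"""Run the troubleshooting checklist against a constructed status snapshot.

Added example; not part of the original guide. Field names mimic the Azure CLI
output for the circuit, the private peering route-table summary and a NIC's
effective routes (assumption: confirm against your CLI version). All values
are constructed to match the design in this guide.
"""
from typing import List, Optional, Tuple

# Values the checklist expects on a working circuit.
HEALTHY_CIRCUIT = {
    "provisioningState": "Succeeded",                   # Azure-side resource state
    "serviceProviderProvisioningState": "Provisioned",  # set by the provider
    "circuitProvisioningState": "Enabled",
}

# Constructed sample snapshot.
CIRCUIT_OK = dict(HEALTHY_CIRCUIT, name="ER-Circuit-Primary", sku={"tier": "Standard"})
PEERING_OK = {"peeringType": "AzurePrivatePeering", "state": "Enabled",
              "peerASN": 65010, "azureASN": 12076, "vlanId": 100}
NEIGHBORS_OK = [  # one row per MSEE session; neighbor is the CPE address
    {"neighbor": "172.16.0.1", "as": 65010, "upDown": "02:10:33", "statePfxRcd": "1"},
    {"neighbor": "172.16.0.5", "as": 65010, "upDown": "02:10:31", "statePfxRcd": "1"},
]
GATEWAY_OK = {"gatewayType": "ExpressRoute", "sku": "ErGw2AZ",
              "subnet": "10.10.255.0/27", "connections": ["ER-Connection-Primary"]}
ROUTES_OK = [  # effective routes on the test VM's NIC
    {"addressPrefix": ["10.10.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
    {"addressPrefix": ["192.168.0.0/16"], "nextHopType": "VirtualNetworkGateway", "state": "Active"},
]


def bgp_session_status(neighbor: dict) -> Tuple[bool, int]:
    """Interpret a route-table-summary row as (established, prefixes_received).

    Like 'show bgp summary', statePfxRcd is a count when the session is
    Established and an FSM state name (Idle, Active, Connect) otherwise.
    """
    raw = str(neighbor.get("statePfxRcd", "")).strip()
    return (True, int(raw)) if raw.isdigit() else (False, 0)


def onprem_route_active(effective_routes: List[dict], onprem_prefix: str) -> bool:
    """True when the on-premises prefix is an Active route via the ER gateway."""
    return any(onprem_prefix in r.get("addressPrefix", [])
               and r.get("nextHopType") == "VirtualNetworkGateway"
               and r.get("state") == "Active"
               for r in effective_routes)


def first_blocking_issue(circuit: dict, peering: dict, neighbors: List[dict],
                         gateway: dict, effective_routes: List[dict],
                         onprem_prefix: str = "192.168.0.0/16") -> Optional[str]:
    """Return the first failing checklist item in the guide's order, or None."""
    for key, want in HEALTHY_CIRCUIT.items():
        if circuit.get(key) != want:
            return f"circuit {key} is {circuit.get(key)!r}, expected {want!r}"
    if peering.get("state") != "Enabled":
        return "Azure private peering is not Enabled"
    if len(neighbors) < 2:
        return "fewer than two BGP neighbors; both MSEE sessions should be configured"
    for n in neighbors:
        established, received = bgp_session_status(n)
        if not established:
            return (f"BGP session to {n['neighbor']} is {n['statePfxRcd']!r}, expected "
                    "Connected (Established); compare VLAN ID, /30 addresses and shared key")
        if received == 0:
            return f"BGP session to {n['neighbor']} is up but receives no prefixes; check the CPE outbound policy"
    if gateway.get("gatewayType") != "ExpressRoute":
        return f"gateway type is {gateway.get('gatewayType')!r}, expected 'ExpressRoute'"
    if int(gateway["subnet"].split("/")[1]) > 27:
        return f"GatewaySubnet {gateway['subnet']} is smaller than /27"
    if not gateway.get("connections"):
        return "gateway has no connection to the circuit"
    if not onprem_route_active(effective_routes, onprem_prefix):
        return f"{onprem_prefix} is not an Active route via the gateway on the VM NIC; check UDRs and advertisements"
    return None


if __name__ == "__main__":
    print(first_blocking_issue(CIRCUIT_OK, PEERING_OK, NEIGHBORS_OK, GATEWAY_OK, ROUTES_OK))
```

On the healthy snapshot the function returns None; flip the provider state to Provisioning or set one neighbor's statePfxRcd to Idle and it names that item first, in the order the checklist lists them. The last checklist item, NSGs and the host firewall, is deliberately left out: it depends on the flow being tested and is better checked with Network Watcher's IP flow verify than from a static snapshot.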
ExpressRoute Enterprise Deployment Flow
Create resource group
Create virtual network
Create GatewaySubnet
Create ExpressRoute circuit
Provide service key to provider
Configure private peering
Configure on-premises router
Deploy ExpressRoute gateway
Create VNet connection
Validate routing
Test application connectivity
This process establishes private, high performance hybrid connectivity between on-premises infrastructure and Microsoft Azure.