Skip to main content
Configuring Microsoft Peering This article explains how Microsoft Peering works and what you need to configure to enable it on an ExpressRoute circuit. Microsoft Peering provides a private, secure path from your on-premises network to Microsoft’s public services (for example, Microsoft 365 and Dynamics 365) and Azure public services (for example, Azure SQL Database and Cosmos DB) over an ExpressRoute circuit. Connectivity is established using BGP to exchange routes between your ASN and Microsoft’s ASN, so Microsoft can route traffic to the public prefixes you advertise without traversing the public internet.

Required configuration items — quick reference

ItemPurposeNotes
Two public IP subnetsBGP session endpoints for primary and secondary linksMust be publicly routable and owned by your org
VLAN IDSeparates traffic on the ExpressRoute linkProvided when configuring the peering on the ExpressRoute circuit
Autonomous System Number (ASN)Identifies your network in BGPUse your public ASN
Public IP prefixes to advertiseRoutes Microsoft should learn for return trafficMust be registered in a routing registry (IRR)
Routing registry nameWhere your prefixes are registeredExamples: ARIN, RIPE, APNIC
Detailed requirements
  • Two public IP subnets that you own and that are registered in an Internet Routing Registry (IRR). These subnets must be publicly routable (no RFC 1918 private ranges) and registered under your organization in an IRR.
    • One subnet is used for the primary link and the other for the secondary link (redundancy).
  • A VLAN ID for the ExpressRoute peering to separate traffic on the link.
  • Your Autonomous System Number (ASN) for BGP.
  • All public IP prefixes you plan to advertise to Microsoft (the prefixes you want Microsoft to route to you).
  • The routing registry where your prefixes are registered (for example, ARIN, RIPE, APNIC).
These settings are entered in the Azure portal as part of the ExpressRoute circuit configuration for Microsoft Peering. Microsoft validates ownership of the advertised prefixes against the specified routing registry; after validation succeeds, the peering can be established and BGP session negotiation will commence.
A split graphic: the left side shows stacked turquoise boxes listing “Owned and Registered Subnets,” “VLAN ID,” “Autonomous System Number (ASN),” “Advertised Prefixes,” and “Routing Registry Name.” The right side displays an Azure “Microsoft peering” configuration panel populated with ASN, IPv4 primary/secondary subnets, advertised prefixes, VLAN ID, customer ASN, and routing registry name.

How Microsoft Peering differs from Private Peering

  • Microsoft Peering
    • Provides access to Microsoft public services and Azure public endpoints over ExpressRoute.
    • Requires publicly routable prefixes that you advertise to Microsoft and IRR registration to verify ownership.
    • Uses public IP addressing for the BGP session endpoints.
  • Private Peering
    • Connects to Azure Virtual Networks (VNets) and private Azure services using private IP addressing.
    • Does not require public IP prefixes or IRR registration; it uses private address space.
    • Typically used for direct access to VNets, services hosted in those VNets, or private endpoints.
For quick comparison:
FeatureMicrosoft PeeringPrivate Peering
Target servicesMicrosoft public services, Azure public endpointsAzure VNets and private Azure services
IP addressing for BGPPublic IPsPrivate IPs
Prefix registration requiredYes — IRR registrationNo
Typical use caseAccess Microsoft 365, Dynamics 365, public Azure PaaSConnect to VNets, private workloads
Ensure the prefixes you plan to advertise are already registered in an Internet Routing Registry (IRR) under your organization and that you own the address space; Microsoft will verify ownership against the specified registry before completing the peering.
Do not use private (RFC 1918) address ranges for Microsoft Peering. Microsoft Peering requires publicly routable, registered prefixes and public IP subnets for the BGP session.

Next steps — configuration checklist

  1. Prepare and register the public prefixes in the appropriate routing registry (ARIN, RIPE, APNIC, etc.).
  2. Reserve two public subnets for the primary and secondary ExpressRoute links; confirm they are reachable and registered under your ASN.
  3. Gather your ASN, VLAN ID, and the routing registry name.
  4. In the Azure portal, configure the ExpressRoute circuit’s Microsoft Peering section:
    • Enter your ASN, VLAN ID, primary and secondary IPv4 subnets, and the advertised prefixes.
    • Specify the routing registry where the prefixes are registered.
  5. Wait for Microsoft to verify prefix ownership. After verification, Microsoft will provision the peering.
  6. Validate BGP session establishment and that routes are being exchanged correctly.
So let’s see how we can choose between private peering and Microsoft peering for different use cases and design requirements.

Watch Video