- How to configure private peering to connect on-premises networks to Azure VNets (the common configuration for private connectivity).
- When and how Microsoft peering is used to reach Microsoft SaaS (Microsoft 365, Dynamics 365) and Azure PaaS endpoints (Storage, SQL), and how that differs from private peering.
- How BGP route filtering works for Microsoft peering so you can control the Microsoft prefixes accepted into your environment.
ExpressRoute peering types control how routes and services are exchanged between your network and Azure/Microsoft — they are not the mechanism for connecting VNets to each other. For intra-Azure connectivity use VNet Peering, Virtual WAN, or VPN Gateway depending on the architecture.
Quick comparison
| Peering Type | Primary Purpose | Addressing | BGP Required | Typical Use |
|---|---|---|---|---|
| Private peering | Connect on-premises networks to Azure VNets and private endpoints | Private IP space (RFC1918 or other non-public ranges) | Yes — BGP establishes route exchange | IaaS VMs, private access to Azure services via private endpoints |
| Microsoft peering | Reach Microsoft public endpoints and certain SaaS/PaaS services over ExpressRoute | Public IP prefixes (customer-owned or Microsoft-provided, depending on service) | Yes — BGP for Microsoft public prefixes; supports route filtering | Microsoft 365, Dynamics 365, Azure public PaaS (Storage, SQL) when required over ExpressRoute |
Private peering (detailed)
Purpose- Private peering connects your on-premises network directly to Azure VNets and private endpoints over the ExpressRoute fabric, keeping traffic off the internet.
- Peering uses private IP addressing for the VLAN/subnet between your router and Microsoft’s router(s). These are point-to-point subnets and must not overlap other networks.
- BGP is mandatory. You and Microsoft will exchange ASNs and advertise prefixes so Azure can route to your on-premises networks and your on-premises routers can reach Azure prefixes.
- ASN: your ASN and Microsoft’s ASN (Microsoft publishes the ASN per region/seller).
- VLAN/subnet: point-to-point /30, /31 or /29 depending on architecture — plan to avoid overlaps.
- Advertised prefixes: only advertise the prefixes you intend to reach from Azure.
Microsoft peering (detailed)
Purpose- Microsoft peering provides access to Microsoft public endpoints (like Microsoft 365) and some Azure PaaS services over ExpressRoute without traversing the public internet.
- Microsoft peering requires public IP prefixes. You can either:
- Advertise public prefixes you own (recommended for many scenarios), or
- Use Microsoft-provided public prefixes where supported (check service-specific docs).
- BGP is used to advertise and receive Microsoft public prefixes. You must accept the prefixes you need and can filter out the rest.
- Apply route filters to control which Microsoft prefixes are accepted over Microsoft peering. This reduces route table size and limits exposure to only the services you require.
- Filtering helps in multi-region deployments and when you want to avoid accepting global prefixes that are not relevant to your traffic pattern.
- Microsoft peering replaced the older “public peering” terminology. Confirm which services require Microsoft peering and whether private peering / private endpoints may meet your needs instead.
BGP route filtering for Microsoft peering
Why filter- Microsoft publishes a large number of public prefixes. Accepting all of them can increase route churn and route table size.
- Filtering restricts accepted Microsoft prefixes to only those services and regions you need, improving stability and security.
- Use Azure route filters on the ExpressRoute circuit for Microsoft peering. Filters can be applied by service tag or individual prefixes as appropriate.
- Coordinate filter changes with Microsoft and your network team during maintenance windows to avoid disruption.
Operational considerations
- BGP is mandatory for ExpressRoute peerings — ensure you configure stable session parameters (hold timers, multihop if needed, MD5 where supported).
- Redundancy: ExpressRoute provides redundant Microsoft routers and typically two physical connections. Peer to both sides and plan for failover.
- IP planning: peering VLANs are point-to-point — avoid overlapping assignments with on-premises or Azure address spaces.
- Security: advertise only intended prefixes and use route filters for Microsoft peering to limit accepted prefixes.
- Monitoring: use Azure Monitor, Network Watcher, and your router monitoring tools to detect BGP flaps and traffic anomalies.
If you only require private IP access to Azure (IaaS VMs or private endpoints) and do not need Microsoft public services via ExpressRoute, configure only private peering. Advertise only the prefixes you intend to use and keep Microsoft peering filtered or disabled to reduce exposure.
Summary — what you’ll be able to do after this lesson
- Distinguish private peering vs Microsoft peering and choose the right peering type for your use case.
- Design IP addressing and BGP sessions for ExpressRoute peerings.
- Configure and apply route filters for Microsoft peering to limit accepted prefixes.
- Implement operational best practices for redundancy, BGP stability, and security.