Skip to main content
Route filters act as a whitelist for the BGP community values that Microsoft advertises over Microsoft Peering on an ExpressRoute circuit. They control which Microsoft public services (for example, Microsoft 365 services like SharePoint Online or Exchange Online, Dynamics 365, or specific Azure regions) will advertise their public IP prefixes to your on-premises network. Without a route filter attached to your circuit, you will not receive these public service routes — route filters are required for Microsoft Peering to expose SaaS or public Azure service prefixes.

How route filters work

  • Each route filter contains one or more rules. Each rule corresponds to a Microsoft-managed BGP community that represents a set of public IP prefixes for a particular service (for example, SharePoint Online) or Azure region.
  • When a route filter is attached to an ExpressRoute circuit’s Microsoft Peering, only the communities listed in the attached filter are advertised to your on-premises routers.
  • Route filters apply only to Microsoft Peering (public/SaaS services). They do not affect private peering, which carries your private Azure Virtual Network prefixes.

Configure a route filter (step-by-step)

  1. Create the route filter resource:
    • In the Azure portal create a new resource: choose the subscription, resource group, and a name for the route filter.
    • Important: the route filter’s region must match the region of your ExpressRoute circuit.
  2. Add route filter rules:
    • For each service or region you want to receive routes for, add a rule that selects the corresponding Microsoft BGP community.
    • Each rule represents a set of Microsoft-managed public IP prefixes identified by community values.
  3. Attach the route filter to your ExpressRoute circuit:
    • Attach the completed route filter to the ExpressRoute circuit that is using Microsoft Peering.
    • After attaching, only the whitelisted services will advertise their BGP routes to your on-premises network.
A screenshot of the Azure portal's "Create route filter" page for ExpressRoute, showing subscription, resource group, name and region fields with a "Review + create" button. A "Manage rule" sidebar is open on the right listing selectable allowed service communities.
Route filters only apply to Microsoft Peering (public/SaaS services). They are not used for private peering, which carries your private Azure Virtual Network prefixes.

Why use route filters

Route filters provide granular control and help maintain predictable routing by preventing unnecessary service prefixes from being advertised to your on-premises routers.
BenefitWhat it doesExample
Restrict advertised servicesOnly receives prefixes for services you explicitly allowReceive SharePoint Online prefixes but not Dynamics 365
Reduce routing table sizeKeeps on-premises routing tables smaller and simplerAvoid thousands of unused prefixes from regions or services you don’t use
Improve security & manageabilityLimits exposure to only required public service prefixesEasier troubleshooting and policy enforcement

Best practices

  • Start with the minimum set of services you require, then expand the filter as needs change.
  • Keep a documented list of which communities you’ve allowed and why.
  • Ensure the route filter region matches the ExpressRoute circuit region before attaching.
  • Periodically review route filters to remove unnecessary rules and reduce routing complexity.

Additional information and references

Always review and update your route filters as your service usage evolves to maintain an efficient and secure connectivity posture.

Watch Video