Note: This lesson does not include a live ExpressRoute deployment. Many ExpressRoute tasks (physical provisioning, circuit handoffs, and carrier coordination) cannot be demonstrated inside a sandbox environment.
- Understand ExpressRoute fundamentals: private connectivity over Microsoft’s backbone, predictable performance, and SLA-backed availability.
- Identify when ExpressRoute is preferred over internet-based VPNs — typically for workloads requiring higher security, reliability, and regulatory compliance.
- Learn primary connection models (Private Peering and Microsoft Peering), what each delivers, and how they affect routing and design.
- Plan deployment details: bandwidth sizing, redundancy patterns, high availability, and coordination with a network service provider.
- BFD (Bidirectional Forwarding Detection) — reduces detection time for link or path failures to speed up routing failover (for example, when used with BGP).
- Encryption on the access circuit — technologies such as MACsec can provide hop-by-hop confidentiality for the physical access link even though the ExpressRoute circuit is private.
| Connection model | Primary purpose | Typical use cases | Routes advertised |
|---|---|---|---|
| Private Peering | Connect your on-premises network to Azure Virtual Networks | Lift-and-shift VMs, private services in VNets, cross-prem VNet connectivity | Customer routes (VCN subnets) and Azure VNet prefixes |
| Microsoft Peering | Access Microsoft public services over private network paths | Office 365, Azure PaaS endpoints, SaaS that uses Microsoft public prefixes | Microsoft public prefixes (e.g., Azure PaaS, O365) |
| ExpressRoute Direct | High-capacity, dedicated physical ports (single tenant) | Very high bandwidth needs, direct Microsoft peering at scale | As above, at higher capacity (10Gbps–100Gbps ports) |
| ExpressRoute Global Reach | Connect multiple on-prem sites via Microsoft backbone | Cross-site private interconnectivity across regions | Your private site-to-site routes propagated across ExpressRoute |
- Bandwidth and sizing: Align circuit capacity to application throughput and growth. Consider headroom for bursts and failover scenarios.
- Redundancy and HA: Deploy redundant circuits in different Microsoft peering locations or with multiple service providers when possible. Use BGP path attributes and diverse routing to avoid single points of failure.
- Provider coordination: Provisioning requires the service provider to hand off circuits at an ExpressRoute location (co-location/edge). Lead time and operational support are key planning factors.
- Security and compliance: While circuits are private, consider additional safeguards (MACsec for physical link encryption, IPsec on top of BGP where appropriate, and strict routing/ACL policies).
- Private peering typically connects on-premises routers to Azure VNets for private application traffic.
- Microsoft peering enables private access to Microsoft public services (reducing traversal over the public internet).
- ExpressRoute Direct and Global Reach are options for high-throughput and cross-site connectivity over Microsoft’s global network, useful for multi-region enterprises and data replication scenarios.
- Azure ExpressRoute overview
- ExpressRoute routing and peering
- ExpressRoute Direct and Global Reach
- BFD (Bidirectional Forwarding Detection) theory and deployment