Azure ExpressRoute: connecting to Azure effortlessly
In the rapidly evolving digital landscape, seamless and secure cloud connectivity is a cornerstone for enterprises aiming to leverage the full spectrum of cloud services. Azure ExpressRoute stands out as a pivotal service offered by Microsoft Azure, enabling private connections between Azure data centers and infrastructure on-premises or in a colocation environment.
What is Azure ExpressRoute?
Azure ExpressRoute is a service that bypasses the public internet, providing a private, dedicated network connection between your on-premises infrastructure and Microsoft Azure. This direct connection aims to enhance reliability, speed, and security for your cloud-based applications and data.

What are the Main Benefits of ExpressRoute?
ExpressRoute offers a plethora of advantages, crucial for any organization looking to boost their cloud capabilities:
Global Connectivity: It enables organizations to connect to Microsoft cloud services from anywhere in the world.
Layer 3 Connectivity: Utilizing BGP, it establishes dynamic routing between your local network, Azure, and Microsoft public addresses.
Enhanced Reliability and Security: Avoiding the public internet significantly increases the reliability of connections and enhances security and privacy.
What are the Characteristics of Azure ExpressRoute?
Layer 3 Connectivity: Leveraging BGP for routing, ensuring robust and dynamic network communication.
Built-in Redundancy: Each connection is backed by dual connections to Microsoft Enterprise edge routers, enhancing reliability.
Diverse Microsoft Cloud Services Access: Users gain access to a wide range of Microsoft services, including Azure, Microsoft 365, and Dynamics 365.
Global and Local Connectivity Options: Supports connectivity across geopolitical regions and offers localized connections for optimized performance.
ExpressRoute connectivity models
Users can connect their on-premises network to the Microsoft Cloud through a point-to-point Ethernet link, a cloud exchange co-location, or an any-to-any (IPVPN) connection. Connectivity providers may offer one or more of these connectivity models.

Point-to-point Ethernet connections
Point-to-point Ethernet providers supply a dedicated Ethernet link between your on-premises site and Azure. The connection can be either a Layer 2 link or a managed Layer 3 connection.
Any-to-any networks (IPVPN)
IPVPN providers can integrate your WAN with the Microsoft Cloud. These are the same providers that connect your data centers and branch offices, and they can attach the Microsoft Cloud to your WAN so that it appears as just another branch. IPVPN providers typically offer managed Layer 3 connectivity.
In every model, the connectivity provider delivers an ExpressRoute circuit that links your local infrastructure to Microsoft. ExpressRoute's capabilities and features are the same regardless of the connectivity model.
ExpressRoute Circuits
An ExpressRoute circuit is the logical connection between your local infrastructure and Microsoft cloud services through a connectivity provider. You can order multiple circuits, in the same or in different regions. Your data centers are connected to the ExpressRoute circuit by the connectivity provider.
Notably, an ExpressRoute circuit does not map to any physical entity. Instead, it is identified by a standard GUID known as the service key (S-key). The S-key is the only piece of information exchanged between you, the connectivity provider, and Microsoft; it is an identifier, not a security secret. There is a one-to-one mapping between an ExpressRoute circuit and its service key.
ExpressRoute peering
An ExpressRoute circuit has three associated routing domains (peerings): Azure private, Azure public, and Microsoft. For high availability, each peering is configured identically on a pair of routers (in an active-active or load-sharing configuration). Azure services are categorized as Azure public or Azure private according to their IP addressing scheme.

Azure private peering
The private peering domain connects Azure compute services, i.e., virtual machines (IaaS) and cloud services (PaaS) deployed within a virtual network. This connection is treated as a trusted extension of your core network into Microsoft Azure. You can set up bidirectional connectivity between your core network and Azure virtual networks, which lets you reach virtual machines and cloud services directly on their private IP addresses.
Microsoft ExpressRoute Scenarios
Because Office 365 was designed to be accessed securely and reliably over the Internet, ExpressRoute is recommended for it only in specific scenarios.
Microsoft peering provides connectivity to Microsoft online services, i.e., Office 365, Dynamics 365, and Azure PaaS services. The Microsoft peering routing domain enables bidirectional connectivity between your WAN and Microsoft cloud services. The connection must use public IP addresses owned by you or by your connectivity provider, and all of the defined routing rules must be followed.
Azure public peering (deprecated for new circuits)
Some services, e.g., Azure Storage, SQL databases, and Websites, are offered on public IP addresses. Through the public peering routing domain you can connect privately to services hosted on public IP addresses, including the virtual IP addresses of your cloud services. You can connect the public peering domain to your DMZ and reach all Azure services on their public IP addresses from your WAN without traversing the Internet.
Connectivity is typically initiated from your WAN to Microsoft Azure services; this routing domain does not allow connections to be initiated into your network. Once public peering is enabled, you can connect to all Azure services; you cannot choose the services for which routes are advertised.
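To make the circuit and peering rules above concrete, here is a small Python validator, added for this article and not Aviatrix's or Microsoft's code, that checks a proposed peering: the circuit is referenced only by its S-key GUID, each peering gets a distinct link for each of the paired Microsoft edge routers, and Microsoft peering advertises only public prefixes. The `Peering` class and the sample values are constructed; the /30 link size, Microsoft's ASN 12076 and the reserved ASN range 65515-65520 are taken from Microsoft's ExpressRoute routing requirements rather than from this article.

```python
import ipaddress
import uuid
from dataclasses import dataclass, field

# Constructed example. ASN values are from Microsoft's ExpressRoute routing
# requirements, not from the article: Microsoft's ASN and its reserved range.
MICROSOFT_ASN = 12076
RESERVED_ASNS = range(65515, 65521)

@dataclass
class Peering:
    service_key: str                 # S-key GUID identifying the circuit
    peering_type: str                # "AzurePrivatePeering" or "MicrosoftPeering"
    peer_asn: int                    # your BGP ASN
    primary_peer_subnet: str         # /30 link to the primary Microsoft edge router
    secondary_peer_subnet: str       # /30 link to the secondary Microsoft edge router
    advertised_public_prefixes: list[str] = field(default_factory=list)

def validate_peering(p: Peering) -> list[str]:
    """Return the problems found; an empty list means the peering passes."""
    problems = []
    # A circuit has no physical identity: the S-key GUID is its only handle.
    try:
        uuid.UUID(p.service_key)
    except ValueError:
        problems.append("service key is not a valid GUID")
    if p.peer_asn == MICROSOFT_ASN or p.peer_asn in RESERVED_ASNS:
        problems.append(f"peer ASN {p.peer_asn} is reserved by Microsoft")
    # Each peering runs on a pair of routers: two /30 links that must differ.
    links = []
    for name in ("primary_peer_subnet", "secondary_peer_subnet"):
        try:
            net = ipaddress.ip_network(getattr(p, name), strict=True)
        except ValueError:
            problems.append(f"{name} is not a valid network prefix")
            continue
        if net.prefixlen != 30:
            problems.append(f"{name} must be a /30")
        links.append(net)
    if len(links) == 2 and links[0] == links[1]:
        problems.append("primary and secondary subnets must differ for redundancy")
    # Microsoft peering exchanges routes over public IP space you or your provider own.
    if p.peering_type == "MicrosoftPeering":
        if not p.advertised_public_prefixes:
            problems.append("Microsoft peering needs at least one advertised public prefix")
        for prefix in p.advertised_public_prefixes:
            if not ipaddress.ip_network(prefix, strict=False).is_global:
                problems.append(f"{prefix} is not a public (globally routable) prefix")
    return problems
```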
Aviatrix Enhances ExpressRoute Deployments
Aviatrix, with its advanced cloud network platform, complements Azure ExpressRoute by offering enhanced visibility, control, and security features. It addresses common challenges associated with cloud connectivity, such as complex configurations and management of cloud networking components. Aviatrix’s solutions ensure that organizations can fully leverage ExpressRoute’s benefits while maintaining a robust, secure, and efficient cloud network infrastructure.
FAQs about Azure ExpressRoute
What is Azure ExpressRoute?
Azure ExpressRoute is a private, dedicated connection that links your on-premises network (or colocation environment) directly to Microsoft’s cloud without sending traffic over the public internet.
Why use ExpressRoute instead of a VPN over the internet?
ExpressRoute is designed for more consistent performance and reliability, and it reduces exposure to public-internet variability by keeping traffic on a private path. VPNs are often faster to stand up, but they typically ride the public internet.
What are the main benefits of ExpressRoute?
Common benefits include global connectivity to Microsoft cloud services, dynamic Layer 3 routing using BGP, and improved privacy/reliability by avoiding the public internet.
How does routing work with ExpressRoute?
ExpressRoute uses BGP (Border Gateway Protocol) to exchange routes between your network, Azure, and Microsoft services, supporting dynamic routing rather than static, manually maintained paths.
What “connectivity models” are available for ExpressRoute?
ExpressRoute can be delivered through provider options such as point-to-point Ethernet, cloud exchange/colocation, or “any-to-any” style WAN integration (often described as IPVPN/universal connectivity). Availability varies by connectivity provider.
What is an ExpressRoute circuit?
An ExpressRoute circuit is the logical connection you order through a connectivity provider to link your on-prem environment to Microsoft’s cloud. Think of it as the service construct that your provider and Microsoft use to deliver the private connection.
What is the ExpressRoute “service key” (S-key) and why does it matter?
Each circuit is identified by a GUID called a service key (S-key). It’s the common identifier shared between you, the connectivity provider, and Microsoft to provision and manage the circuit.
How does ExpressRoute achieve high availability?
ExpressRoute is built with redundancy in mind: connections are backed by dual links to Microsoft edge routers, and each peering is typically configured across a pair of routers for resilience.
What are the peering (routing) domains in ExpressRoute?
ExpressRoute commonly involves routing domains for Azure private connectivity (for VNets/workloads) and Microsoft connectivity (for services like Microsoft 365/Dynamics 365), with specifics depending on what you’re connecting and how your circuit is configured.
What is Azure private peering used for?
Azure private connectivity is used to reach workloads inside Azure virtual networks (like VMs and many PaaS services reachable privately), effectively extending your internal network into Azure.
Is Azure public peering still a thing?
Azure public peering is noted as deprecated for new circuits, so for new deployments, plan with the current Microsoft guidance and supported options for reaching public Azure services.
When does ExpressRoute make sense for Microsoft 365 (Office 365)?
Microsoft generally expects Microsoft 365 to be reliably reachable over the internet, so ExpressRoute is typically reserved for specific scenarios where private connectivity is justified and aligned with Microsoft’s requirements.
How does Aviatrix complement ExpressRoute?
Aviatrix can enhance ExpressRoute deployments by adding more centralized visibility, operational control, and security-focused networking capabilities, helping teams manage complexity as environments scale.