Design and implement Azure ExpressRoute Flashcards

1
Q

Azure ExpressRoute

A

ExpressRoute extends your on-premises network into the Microsoft cloud over a private connection, with the help of a connectivity provider. Because ExpressRoute connections don't traverse the public Internet, they offer more reliability, faster speeds, consistent latencies, and higher security than typical Internet connections. "Private" here means the path avoids the public Internet; it does not mean the traffic is encrypted, so confidentiality on the wire still requires IPsec over the circuit (or MACsec, which is available only with ExpressRoute Direct).

Some key benefits of ExpressRoute are:
* Layer 3 connectivity between an on-premises network and the Microsoft Cloud through a connectivity provider
* Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange
* Connectivity to Microsoft cloud services across all regions in the geopolitical region
* Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on
* Built-in redundancy in every peering location for higher reliability

2
Q

Use Cases for Azure ExpressRoute

A

Faster and more reliable connections to Azure services - Organizations using Azure services look for reliable connections to Azure services and data centers. ExpressRoute can also give significant cost benefits.

Storage, backup, and Recovery - ExpressRoute is excellent for scenarios such as periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies.

Extends Data center capabilities - ExpressRoute can be used to connect and add compute and storage capacity to your existing data centers.

Predictable, reliable, and high-throughput connections - With predictable, reliable, and high-throughput connections offered by ExpressRoute, enterprises can build applications that span on-premises infrastructure and Azure without compromising privacy or performance.

3
Q

ExpressRoute - Connectivity Models

A

CloudExchange Colocation - In a facility with a cloud exchange, virtual cross-connections to the Microsoft cloud are provided through the colocation provider’s Ethernet exchange. Colocation providers can offer either Layer 2 cross-connections, or managed Layer 3 cross-connections between your infrastructure in the colocation facility and the Microsoft cloud.

Point-to-point Ethernet connections - Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.

Any-to-any (IPVPN) networks - IPVPN providers offer any-to-any connectivity between your branch offices and datacenters. The Microsoft cloud can be interconnected to your WAN to make it look just like any other branch office. WAN providers typically offer managed Layer 3 connectivity.

Direct from ExpressRoute sites - ExpressRoute Direct provides dual 100 Gbps or 10-Gbps connectivity, which supports Active/Active connectivity at scale.

4
Q

Design considerations for ExpressRoute deployments

A
  1. ExpressRoute Direct - ExpressRoute Direct connects directly into Microsoft’s global network at peering locations strategically distributed around the world. ExpressRoute Direct provides dual 100 Gbps or 10-Gbps connectivity, which supports Active/Active connectivity at scale.
    * Massive Data Ingestion into services like Storage and Cosmos DB
    * Physical isolation for regulated industries that require dedicated and isolated connectivity, such as banking, government, and retail
    * Granular control of circuit distribution based on business unit
5
Q

Design redundancy for an ExpressRoute deployment

A

Redundancy for an ExpressRoute deployment can be planned in two ways.

1. Configure ExpressRoute and Site-to-Site VPN coexisting connections
Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:
* A Site-to-Site VPN over the Internet is a secure failover path for ExpressRoute.
* Site-to-Site VPNs can connect sites that aren't connected through ExpressRoute.
* No downtime occurs when adding a new gateway or gateway connection.

Network Limits and limitations
* Only route-based VPN gateways are supported.
* The ASN of Azure VPN Gateway must be set to 65515.
* The gateway subnet must be /27 or a shorter prefix.
* Coexistence in a dual stack VNet isn’t supported.

2. Create a zone redundant virtual network gateway in Azure availability zones
You can deploy VPN and ExpressRoute gateways in Azure Availability Zones. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

  • Zone-redundant gateways - To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant virtual network gateways.
  • Zonal gateways - When you deploy a zonal gateway, all instances of the gateway are deployed in the same Availability Zone.
  • Gateway SKUs - Zone-redundant and zonal gateways are available as gateway SKUs. These SKUs are like the corresponding existing SKUs for ExpressRoute and VPN Gateway, except that they’re specific to zone-redundant and zonal gateways. You can identify these SKUs by the “AZ” in the SKU name.
  • Public IP SKUs - Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The configuration of the Azure public IP resource determines whether the gateway that you deploy is zone-redundant, or zonal.
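The two redundancy patterns above, put together in Az PowerShell. This is an added example, not code from the original deck: it deploys a zone-redundant ExpressRoute gateway (Standard public IP pinned to zones 1-3, an "AZ" gateway SKU) and then a route-based VPN gateway into the same GatewaySubnet as the failover path, checking the coexistence constraints (/27 or shorter gateway subnet, RouteBased VPN type, VPN gateway ASN 65515) as it goes. The resource group, VNet, region and resource names are assumptions.

```powershell
# Added example (not from the original deck): zone-redundant ExpressRoute gateway plus a
# coexisting route-based VPN gateway as the failover path. Names and region are assumptions.
$rg       = "rg-hybrid-prod"
$location = "westeurope"

# Coexistence requires a GatewaySubnet of /27 or shorter; refuse to continue otherwise.
$vnet     = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$prefix   = @($gwSubnet.AddressPrefix)[0]
$prefixLen = [int]$prefix.Split('/')[1]
if ($prefixLen -gt 27) { throw "GatewaySubnet is $prefix; coexistence needs /27 or a shorter prefix" }

# A Standard public IP spanning zones 1,2,3 makes the gateway zone-redundant;
# a single -Zone value would make it zonal instead.
$erPip = New-AzPublicIpAddress -Name "pip-ergw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static -Zone @("1","2","3")
$erIpConf = New-AzVirtualNetworkGatewayIpConfig -Name "ergw-ipconf" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $erPip.Id
# "AZ" in the SKU name marks the zone-aware ExpressRoute gateway SKUs (ErGw1AZ/2AZ/3AZ).
$erGw = New-AzVirtualNetworkGateway -Name "ergw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $erIpConf -GatewayType ExpressRoute -GatewaySku ErGw1AZ

# Coexisting VPN gateway in the same GatewaySubnet: must be RouteBased.
# Azure VPN Gateway uses ASN 65515 by default, which is what coexistence requires.
$vpnPip = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static -Zone @("1","2","3")
$vpnIpConf = New-AzVirtualNetworkGatewayIpConfig -Name "vpngw-ipconf" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $vpnPip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $vpnIpConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ

# Post-deployment check of the coexistence constraints on the VPN gateway.
$vpnGw = Get-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg
if ($vpnGw.VpnType -ne "RouteBased") { throw "VPN gateway must be RouteBased for coexistence" }
if ($vpnGw.BgpSettings -and $vpnGw.BgpSettings.Asn -ne 65515) { throw "VPN gateway ASN must be 65515" }

# Both gateways report their SKU and provisioning state.
Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
    Select-Object Name, GatewayType, @{n="Sku";e={$_.Sku.Name}}, ProvisioningState
```

Order the ExpressRoute gateway first: a VPN gateway created in a GatewaySubnet that already holds an ExpressRoute gateway is the supported coexistence path, and the subnet-size check protects against the common failure of a /28 GatewaySubnet sized for a single gateway.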
6
Q

Design an ExpressRoute deployment

A

1. ExpressRoute circuit SKUs
Azure ExpressRoute has three different circuit SKUs:
* Local SKU - The Local SKU is billed only with an Unlimited data plan.
* Standard and Premium SKU - You can select between a Metered or an Unlimited data plan. All ingress data is free of charge except when using the Global Reach add-on.

2. Choose a peering location
* Azure regions - The resource location determines which Azure datacenter (or availability zone) the resource is created in.
* ExpressRoute locations (Peering locations) - ExpressRoute locations are colocation facilities where Microsoft Enterprise Edge (MSEE) devices are located. ExpressRoute locations are the entry point to Microsoft’s network – and are globally distributed, providing customers the opportunity to connect to Microsoft’s network around the world.

  • Azure regions to ExpressRoute locations within a geopolitical region.
  • ExpressRoute connectivity providers
  • Connectivity through Exchange providers
  • Connectivity through satellite operators
7
Q

Choose the right ExpressRoute circuit and billing model

A

When you deploy ExpressRoute, you must choose between the Local, Standard, and Premium SKUs. The Standard and Premium SKUs are available in a metered version, where you pay per GB of outbound data, and in an unlimited version.

The other option is ExpressRoute Direct, which connects your network to the closest Microsoft edge node; from there the Microsoft global network reaches your other offices or factories and any Azure region. Use of the Microsoft global network is charged on top of the ExpressRoute Direct port.

Choose a billing model

  • Unlimited data. Billing is based on a monthly fee; all inbound and outbound data transfer is included free of charge.
  • Metered data. Billing is based on a monthly fee; all inbound data transfer is free of charge. Outbound data transfer is charged per GB of data transfer. Data transfer rates vary by region.
  • ExpressRoute premium add-on. ExpressRoute premium is an add-on to the ExpressRoute circuit. The ExpressRoute premium add-on provides the following capabilities:
    –Increased route limits for Azure public and Azure private peering from 4,000 routes to 10,000 routes.
    –Global connectivity for services. An ExpressRoute circuit created in any region (excluding national clouds) has access to resources across every other region in the world.
    –Increased number of virtual network links per ExpressRoute circuit from 10 to a larger limit
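The SKU, peering-location and billing choices from the two cards above, as an added Az PowerShell example that is not part of the original deck: it lists which connectivity providers serve a given peering location, orders a Standard metered circuit, shows the in-place change to Premium/unlimited, and reads back the service key and provisioning states. The provider name, peering location, bandwidth and resource names are assumptions.

```powershell
# Added example (not from the original deck): pick a provider/peering location, then
# order a circuit with an explicit SKU tier and billing family. Names are assumptions.
$rg = "rg-hybrid-prod"

# Which providers serve the peering location you want, and at what bandwidths.
Get-AzExpressRouteServiceProvider |
    Where-Object { $_.PeeringLocations -contains "Amsterdam" } |
    Select-Object Name, @{n="Bandwidths";e={ $_.BandwidthsOffered.OfferName -join ", " }}

# Standard tier, metered billing: monthly port fee, egress charged per GB, ingress free.
$ckt = New-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg -Location "westeurope" `
    -SkuTier Standard -SkuFamily MeteredData `
    -ServiceProviderName "Equinix" -PeeringLocation "Amsterdam" -BandwidthInMbps 200

# Premium add-on (cross-geopolitical reach, higher route and VNet-link limits) and a
# switch to unlimited billing are in-place SKU changes on the same circuit object.
$ckt.Sku.Tier   = "Premium"
$ckt.Sku.Family = "UnlimitedData"
$ckt.Sku.Name   = "Premium_UnlimitedData"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt | Out-Null

# The service key is what you hand to the provider. The circuit is usable only once
# ServiceProviderProvisioningState is "Provisioned" and CircuitProvisioningState is "Enabled".
$ckt = Get-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg
[pscustomobject]@{
    ServiceKey    = $ckt.ServiceKey
    Sku           = $ckt.Sku.Name
    ProviderState = $ckt.ServiceProviderProvisioningState
    CircuitState  = $ckt.CircuitProvisioningState
}
```

Treat the service key like a credential: it is all the provider needs to attach their side to your circuit, so it should go to them through a ticket or other authenticated channel, not a chat message.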
8
Q

Configure peering for an ExpressRoute deployment

A

An ExpressRoute circuit has two peering options associated with it: Azure private peering and Microsoft peering. Each peering is configured identically on a pair of Microsoft edge routers (in an active-active or load-sharing configuration) for high availability. Azure services are categorized as Azure public and Azure private to represent their IP addressing schemes; the former Azure public peering is deprecated, and the services it carried are reached through Microsoft peering.

Create Peering configuration
* You can configure private peering and Microsoft peering for an ExpressRoute circuit. Peering can be configured in any order you choose. However, you must make sure that you complete the configuration of each peering one at a time.
* You must have an active ExpressRoute circuit. To configure peerings, the ExpressRoute circuit must be in a provisioned and enabled state.
* If you plan to use BGP MD5 authentication (a shared key), configure the same key on both ends of the BGP session, on the primary and the secondary link. The key is limited to a maximum of 25 alphanumeric characters; special characters aren't supported.

Configure private peering - Azure compute services, namely virtual machines, and cloud services, that are deployed within a virtual network can be connected through the private peering domain. The private peering domain is a trusted extension of your core network into Microsoft Azure. You can set up bi-directional connectivity between your core network and Azure virtual networks (VNets). This peering lets you connect to virtual machines and cloud services directly on their private IP addresses.

Configure Microsoft peering - Connectivity to Microsoft online services (Microsoft 365 and Azure PaaS services) occurs through Microsoft peering. You can enable bidirectional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain. You must connect to Microsoft cloud services only over public IP addresses owned by you or your connectivity provider, and you must adhere to all the defined rules.

  • Configure route filters for Microsoft peering - Route filters are a way to consume a subset of supported services through Microsoft peering. Microsoft 365 services such as Exchange Online, SharePoint Online, and Skype for Business are accessible through Microsoft peering. When Microsoft peering is configured on an ExpressRoute circuit, all prefixes related to these services are advertised through the BGP sessions that are established.

The large number of prefixes significantly increases the size of the route tables maintained by routers within your network. If you plan to consume only a subset of the services offered through Microsoft peering, you can reduce the size of your route tables.

  • Define route filters and apply them to your ExpressRoute circuit. A route filter is a resource that lets you select the list of services (as BGP community values) you plan to consume through Microsoft peering.
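Both peerings configured on a provisioned circuit, as an added Az PowerShell example that is not from the original deck. It enforces the prerequisites the card lists (circuit Provisioned/Enabled, MD5 key of at most 25 alphanumeric characters, same key on both links), builds a route filter that admits only the Exchange Online and SharePoint Online BGP communities, and attaches it to Microsoft peering. The ASNs, VLAN IDs, /30 link prefixes, advertised public prefix and routing registry are assumptions; the shared key is a placeholder.

```powershell
# Added example (not from the original deck): configure private and Microsoft peering.
# ASNs, VLANs, link prefixes, the public prefix and the registry are assumptions.
$rg  = "rg-hybrid-prod"
$ckt = Get-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg
if ($ckt.ServiceProviderProvisioningState -ne "Provisioned" -or $ckt.CircuitProvisioningState -ne "Enabled") {
    throw "Circuit must be Provisioned/Enabled before peerings can be configured"
}

# BGP MD5 key: at most 25 alphanumeric characters, no special characters, identical on
# both ends of each BGP session (primary and secondary links). Placeholder value below.
$bgpKey = "ReplaceWithAlnumSecret001"
if ($bgpKey -notmatch '^[A-Za-z0-9]{1,25}$') { throw "Shared key must be 1-25 alphanumeric characters" }

# Private peering: one /30 per link, customer ASN 65001, VLAN 100.
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt `
    -PeeringType AzurePrivatePeering -PeerASN 65001 `
    -PrimaryPeerAddressPrefix "10.250.0.0/30" -SecondaryPeerAddressPrefix "10.250.0.4/30" `
    -VlanId 100 -SharedKey $bgpKey
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt | Out-Null

# Route filter: only the Exchange Online (12076:5010) and SharePoint Online (12076:5020)
# communities, so on-prem routers do not absorb every Microsoft prefix.
# Current community values: Get-AzBgpServiceCommunity.
$rule = New-AzRouteFilterRuleConfig -Name "Allow-M365-subset" -Access Allow `
    -RouteFilterRuleType Community -CommunityList "12076:5010","12076:5020"
$rf = New-AzRouteFilter -Name "rf-m365" -ResourceGroupName $rg -Location "westeurope" -Rule $rule

# Microsoft peering: public ASN, public prefixes you (or your provider) own, VLAN 200.
$ckt = Get-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg
Add-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" -ExpressRouteCircuit $ckt `
    -PeeringType MicrosoftPeering -PeerASN 64500 `
    -PrimaryPeerAddressPrefix "198.51.100.0/30" -SecondaryPeerAddressPrefix "198.51.100.4/30" `
    -VlanId 200 -SharedKey $bgpKey `
    -MicrosoftConfigAdvertisedPublicPrefixes @("203.0.113.0/24") `
    -MicrosoftConfigCustomerAsn 64500 -MicrosoftConfigRoutingRegistryName "RIPENCC" `
    -RouteFilter $rf
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt | Out-Null

# Each peering's state. Microsoft peering stays in a validation state until the advertised
# public prefixes are verified against the routing registry you named.
Get-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg |
    Select-Object -ExpandProperty Peerings |
    Select-Object Name, State, VlanId,
        @{n="PrefixValidation";e={ $_.MicrosoftPeeringConfig.AdvertisedPublicPrefixesState }}
```

The route filter is also a blast-radius control: with only the communities you actually use allowed, an on-prem router misconfiguration cannot redirect traffic for the rest of Microsoft's public address space through the circuit.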
9
Q

Connect an ExpressRoute circuit to a virtual network

A

An ExpressRoute circuit represents a logical connection between your on-premises infrastructure and Microsoft cloud services through a connectivity provider. You can order multiple ExpressRoute circuits. Each circuit can be in the same or different regions and can be connected to your premises through different connectivity providers.

Connect a virtual network to an ExpressRoute circuit
* You must have an active ExpressRoute circuit.
* Ensure that you have Azure private peering configured for your circuit.
* Ensure that Azure private peering gets configured and establishes BGP peering between your network and Microsoft for end-to-end connectivity.
* Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. A virtual network gateway for ExpressRoute uses the GatewayType ‘ExpressRoute’, not VPN.
* You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.
* A single virtual network can be linked to up to 16 ExpressRoute circuits.
* If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit.
* To create the connection from the ExpressRoute circuit to the target ExpressRoute virtual network gateway, the number of address spaces advertised from the local or peered virtual networks needs to be equal to or less than 200.

10
Q

Add a VPN to an ExpressRoute deployment

A

This card covers configuring encrypted connectivity between your on-premises network and your Azure virtual networks (VNets) over an ExpressRoute connection. ExpressRoute private peering carries traffic in the clear, so you use Microsoft peering to establish a site-to-site IPsec/IKE VPN tunnel between your selected on-premises networks and Azure VNets; the tunnel's outer packets traverse the circuit rather than the public Internet.

  • When you set up site-to-site VPN over Microsoft peering, you are charged for the VPN gateway and VPN egress.
  • For the on-premises side, typically Microsoft peering is terminated on the DMZ and private peering is terminated on the core network zone. The two zones would be segregated using firewalls. If you are configuring Microsoft peering exclusively for enabling secure tunneling over ExpressRoute, remember to filter through only the public IPs of interest that are getting advertised via Microsoft peering.

Steps
* Configure Microsoft peering for your ExpressRoute circuit.
* Advertise selected Azure regional public prefixes to your on-premises network via Microsoft peering.
* Configure a VPN gateway and establish IPsec tunnels.
* Configure the on-premises VPN device.
* Create the site-to-site IPsec/IKE connection.
* (Optional) Configure firewalls/filtering on the on-premises VPN device.
* Test and validate the IPsec communication over the ExpressRoute circuit.
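The Azure side of the procedure above, as an added Az PowerShell example that is not from the original deck. It assumes a route-based VPN gateway named "vpngw-hub" already exists (for instance from a coexistence setup) and that the on-premises VPN device's public address 203.0.113.10 sits inside a prefix you advertise to Microsoft over Microsoft peering, so the IKE/ESP packets are routed over the circuit. It pins the IKE/IPsec proposal, generates the pre-shared key from a CSPRNG, and reads back the tunnel state. Names, addresses and cipher choices are assumptions.

```powershell
# Added example (not from the original deck): IPsec/IKE site-to-site tunnel whose outer
# packets ride the circuit's Microsoft peering. Assumes "vpngw-hub" already exists and that
# 203.0.113.10 is advertised to Microsoft over Microsoft peering. Names/IPs are assumptions.
$rg       = "rg-hybrid-prod"
$location = "westeurope"
$vpnGw    = Get-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg
if ($vpnGw.VpnType -ne "RouteBased") { throw "IPsec over ExpressRoute needs a route-based VPN gateway" }

# On-prem side: the VPN device's public IP and the private ranges carried inside the tunnel.
$lng = New-AzLocalNetworkGateway -Name "lng-dc1" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("10.10.0.0/16", "10.20.0.0/16")

# Pin IKE/IPsec parameters instead of accepting the default proposal set; this is the
# control that provides confidentiality, since ExpressRoute itself does not encrypt.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# Pre-shared key from a CSPRNG; the same value is configured on the on-prem device
# (hand it over via a vault, never commit it to source control).
$keyBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

$conn = New-AzVirtualNetworkGatewayConnection -Name "conn-s2s-dc1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsec

# Validate: the tunnel is Connected and counters move. On-prem, confirm the route to the
# gateway's public IP is learned from the Microsoft peering BGP session, not the Internet.
Get-AzVirtualNetworkGatewayConnection -Name "conn-s2s-dc1" -ResourceGroupName $rg |
    Select-Object ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The last on-prem check matters: if the VPN gateway's public IP is not among the Azure regional public prefixes received over Microsoft peering, the tunnel will still come up, but over the Internet, silently defeating the purpose of the design.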

11
Q

Connect geographically dispersed networks with ExpressRoute Global Reach

A

ExpressRoute connections enable access to the following services:
* Microsoft Azure services
* Microsoft 365 services

Connectivity to all regions within a geopolitical region - You can connect to Microsoft in one of the peering locations and access regions within the geopolitical region. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you have access to all Microsoft cloud services hosted in the North Europe and West Europe regions.

Global connectivity with ExpressRoute Premium - You can enable ExpressRoute Premium to extend connectivity across geopolitical boundaries. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you have access to all Microsoft cloud services hosted in all regions across the world.

Local connectivity with ExpressRoute Local - You can transfer data cost-effectively by enabling the Local SKU. With Local SKU, you can bring your data to an ExpressRoute location near the Azure region you want. With Local, Data transfer is included in the ExpressRoute port charge.

Across on-premises connectivity with ExpressRoute Global Reach - You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits.

ExpressRoute Direct - Provides customers the opportunity to connect directly into Microsoft’s global network at peering locations strategically distributed across the world.

ExpressRoute Global Reach is designed to complement your service provider’s WAN implementation and connect your branch offices across the world.

How can a network engineer for a company with offices in London and Tokyo configure communications between the two offices?
-Use a local service provider in London and a different local service provider in Tokyo. Global Reach connects the two branches through their ExpressRoute circuits and the Microsoft global network.
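The London/Tokyo answer above in Az PowerShell, as an added example that is not from the original deck. It checks the prerequisites (both circuits Premium, since they are in different geopolitical regions, and both with an enabled private peering), links the two circuits with a Global Reach connection, and verifies that Tokyo's prefixes appear in London's route table. Circuit names, resource group, the /29 link range and the Tokyo address space are assumptions.

```powershell
# Added example (not from the original deck): Global Reach between a London circuit and a
# Tokyo circuit. Circuit names, resource group, /29 and the 10.20.0.0/16 Tokyo range are assumptions.
$rg   = "rg-hybrid-prod"
$ckt1 = Get-AzExpressRouteCircuit -Name "er-lon-01" -ResourceGroupName $rg
$ckt2 = Get-AzExpressRouteCircuit -Name "er-tyo-01" -ResourceGroupName $rg

foreach ($c in @($ckt1, $ckt2)) {
    # Different geopolitical regions (UK vs Japan) require the Premium add-on on both circuits.
    if ($c.Sku.Tier -ne "Premium") { throw "$($c.Name) must be Premium for Global Reach across geopolitical regions" }
    $p = $c.Peerings | Where-Object Name -eq "AzurePrivatePeering"
    if (-not $p -or $p.State -ne "Enabled") { throw "$($c.Name) needs an enabled private peering" }
}

# The /29 is an unused link range for the inter-circuit hop inside Microsoft's network;
# it must not overlap any on-prem or VNet address space on either side.
$privPeering2 = Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt2
Add-AzExpressRouteCircuitConnectionConfig -Name "gr-lon-tyo" -ExpressRouteCircuit $ckt1 `
    -PeerExpressRouteCircuitPeering $privPeering2.Id -AddressPrefix "192.168.100.0/29"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt1 | Out-Null

# Verify the link status, then confirm Tokyo's routes are now visible on the London MSEEs.
Get-AzExpressRouteCircuitConnectionConfig -Name "gr-lon-tyo" -ExpressRouteCircuit $ckt1 |
    Select-Object Name, CircuitConnectionStatus
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName "er-lon-01" `
    -PeeringType AzurePrivatePeering -DevicePath Primary |
    Where-Object Network -like "10.20.*"
```

Global Reach stitches the two private peerings together, so every prefix each site advertises becomes reachable from the other; keep the on-premises BGP advertisements as narrow as each site actually needs, because the link otherwise turns one site's routing mistake into the other site's exposure.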

12
Q

Improve data path performance between networks with ExpressRoute FastPath

A

FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

  • FastPath is available on all ExpressRoute circuits.
  • FastPath still requires a virtual network gateway to be created to exchange routes between virtual network and on-premises network.

Gateway requirements for ExpressRoute FastPath
To configure FastPath, the virtual network gateway must be either:
* Ultra-Performance
* ErGw3AZ

While FastPath supports most configurations, it doesn’t support the following features:
* UDR on the gateway subnet: This UDR has no impact on the network traffic that FastPath sends directly from your on-premises network to the virtual machines in Azure virtual network.
* Private Link: If you connect to a private endpoint in your virtual network from your on-premises network, the connection goes through the virtual network gateway.

Configure ExpressRoute FastPath
* You must have an active ExpressRoute circuit.
* Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
* Ensure that you have Azure private peering configured for your circuit.
* Ensure that Azure private peering gets configured and establishes BGP peering between your network and Microsoft for end-to-end connectivity.
* Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. A virtual network gateway for ExpressRoute uses the GatewayType ‘ExpressRoute’.
* You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.
* A single virtual network can be linked to up to 16 ExpressRoute circuits.
* If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit.
* To create the connection from the ExpressRoute circuit to the target ExpressRoute virtual network gateway, the number of address spaces advertised from the local or peered virtual networks needs to be equal to or less than 200.

A network has multiple virtual networks peered with a virtual network that is connected to ExpressRoute. How should the ExpressRoute FastPath deployment be modified?
-Connect each of the VNets to the FastPath-enabled ExpressRoute circuit directly, rather than reaching them through peering with the hub VNet, so on-premises traffic to them is not routed through the hub's virtual network gateway.
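Linking a circuit to a virtual network (the card "Connect an ExpressRoute circuit to a virtual network") and enabling FastPath on that link, as one added Az PowerShell example that is not from the original deck. It verifies the prerequisites both cards share (circuit Enabled, private peering present, gateway of type ExpressRoute), requests FastPath only when the gateway SKU is UltraPerformance or ErGw3AZ, and then confirms the connection state, the FastPath flag and that BGP routes arrived from on-premises. Names are assumptions.

```powershell
# Added example (not from the original deck): link a circuit to a VNet gateway, with FastPath
# when the gateway SKU supports it. Resource names are assumptions.
$rg  = "rg-hybrid-prod"
$ckt = Get-AzExpressRouteCircuit -Name "er-ams-01" -ResourceGroupName $rg

# Prerequisites: circuit enabled and private peering configured (BGP established).
$priv = $ckt.Peerings | Where-Object Name -eq "AzurePrivatePeering"
if (-not $priv -or $ckt.CircuitProvisioningState -ne "Enabled") { throw "Circuit is not ready for a VNet link" }

# The gateway must be GatewayType ExpressRoute, not Vpn.
$gw = Get-AzVirtualNetworkGateway -Name "ergw-hub" -ResourceGroupName $rg
if ($gw.GatewayType -ne "ExpressRoute") { throw "$($gw.Name) is a $($gw.GatewayType) gateway" }

# FastPath needs UltraPerformance or ErGw3AZ; do not request it on other SKUs.
$fastPathSkus = @("UltraPerformance", "ErGw3AZ")
$useFastPath  = $fastPathSkus -contains $gw.Sku.Name

$connParams = @{
    Name                   = "conn-er-ams-01-hub"
    ResourceGroupName      = $rg
    Location               = $gw.Location
    VirtualNetworkGateway1 = $gw
    PeerId                 = $ckt.Id
    ConnectionType         = "ExpressRoute"
}
# -ExpressRouteGatewayBypass is the FastPath switch: data plane bypasses the gateway while
# the gateway still exchanges routes with the MSEEs. It does not apply to Private Link
# endpoints or to UDRs on the GatewaySubnet, as the card notes.
if ($useFastPath) { $connParams["ExpressRouteGatewayBypass"] = $true }
New-AzVirtualNetworkGatewayConnection @connParams | Out-Null

# Confirm: connection up, FastPath flag as requested, and on-prem prefixes learned via eBGP.
$conn = Get-AzVirtualNetworkGatewayConnection -Name "conn-er-ams-01-hub" -ResourceGroupName $rg
$learned = Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg
[pscustomobject]@{
    ConnectionStatus = $conn.ConnectionStatus
    FastPath         = $conn.ExpressRouteGatewayBypass
    GatewaySku       = $gw.Sku.Name
    RoutesFromOnPrem = @($learned | Where-Object Origin -eq "EBgp").Count
}
```

Because FastPath bypasses the gateway, any inspection you relied on at the gateway hop (for example a UDR on the GatewaySubnet pointing at a firewall) no longer sees on-premises-to-VM traffic; put that control on the workload subnets instead.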

13
Q

Troubleshoot ExpressRoute connection issues

A

ExpressRoute connectivity traditionally involves three distinct network zones, as follows:
* Customer Network
* Provider Network
* Microsoft Datacenter

Verify circuit provisioning and state through the Azure portal
In the ExpressRoute Essentials, Circuit status indicates the status of the circuit on the Microsoft side. Provider status indicates if the circuit is Provisioned/Not provisioned on the service-provider side.

Validate peering configuration
Each ExpressRoute circuit can have: Azure private peering (traffic to private virtual networks in Azure), and/or Microsoft peering (traffic to public endpoints of PaaS and SaaS). Status of an ExpressRoute circuit peering can be checked under the ExpressRoute circuit blade.

Validate Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a layer 2 protocol defined in RFC 826. ARP maps an IP address to an Ethernet (MAC) address. ARP tables help validate layer 2 configuration and troubleshoot basic layer 2 connectivity issues.

The ARP table for an ExpressRoute circuit peering provides the following information for each interface (primary and secondary):
* Mapping of on-premises router interface ip address to the MAC address
* Mapping of ExpressRoute router interface ip address to the MAC address
* Age of the mapping

ExpressRoute Monitoring Tools
ExpressRoute uses Network insights to provide a detailed topology mapping of all ExpressRoute components (peerings, connections, gateways) in relation with one another. Network insights for ExpressRoute also have preloaded metrics dashboard for availability, throughput, packet drops, and gateway metrics.

  • You can analyze metrics for Azure ExpressRoute with metrics from other Azure services using metrics explorer by opening Metrics from the Azure Monitor menu.

What property of an ExpressRoute circuit is useful when opening a support ticket with the service provider?
-The service key, which uniquely identifies an ExpressRoute circuit.

An engineer wants to know if their service provider has made any changes that affect their circuit. What is the quickest way to check?
-Check the Last modified by property of the relevant peering.
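The troubleshooting sequence above as a single Az PowerShell function, added here as an example that is not from the original deck. It walks the three zones in order: Microsoft-side and provider-side provisioning state (with the service key for the ticket), each peering's state and Last modified by, the layer 2 ARP table and layer 3 route table on both MSEE paths, and finally the gateway's BGP sessions. The circuit and gateway names passed at the end are assumptions.

```powershell
# Added example (not from the original deck): first-pass health check of an ExpressRoute
# circuit. Circuit and gateway names in the call at the bottom are assumptions.
function Test-ErCircuitHealth {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$CircuitName,
        [string]$GatewayName
    )

    $ckt = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $ResourceGroupName
    # Service key: the identifier the provider needs on a support ticket.
    Write-Host "Service key: $($ckt.ServiceKey)"
    Write-Host "Microsoft side: $($ckt.CircuitProvisioningState)   Provider side: $($ckt.ServiceProviderProvisioningState)"
    if ($ckt.ServiceProviderProvisioningState -ne "Provisioned") {
        Write-Warning "Provider has not provisioned the circuit; nothing further can come up."
    }

    foreach ($p in $ckt.Peerings) {
        # LastModifiedBy shows whether you, Microsoft or the provider last touched the peering.
        Write-Host "Peering $($p.Name): state=$($p.State) vlan=$($p.VlanId) lastModifiedBy=$($p.LastModifiedBy)"
        foreach ($path in @("Primary", "Secondary")) {
            # Layer 2: an ARP entry for the on-prem router interface means VLAN and /30
            # addressing match on the provider/CE side.
            $arp = Get-AzExpressRouteCircuitARPTable -ResourceGroupName $ResourceGroupName `
                -ExpressRouteCircuitName $CircuitName -PeeringType $p.PeeringType -DevicePath $path
            $onPrem = @($arp | Where-Object Interface -eq "On-Prem")
            if ($onPrem.Count -eq 0) {
                Write-Warning "$($p.Name)/$path : no ARP entry for the on-prem router (check VLAN/IP on the CE or provider side)"
            }
            # Layer 3: prefixes received over BGP from on-prem on this path.
            $routes = @(Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $ResourceGroupName `
                -ExpressRouteCircuitName $CircuitName -PeeringType $p.PeeringType -DevicePath $path)
            Write-Host "  $path : ARP entries=$(@($arp).Count)  routes=$($routes.Count)"
            if ($routes.Count -eq 0) { Write-Warning "$($p.Name)/$path : no BGP routes received; check MD5 key/ASN" }
        }
    }

    if ($GatewayName) {
        # Gateway view: both BGP sessions to the MSEEs should be Connected.
        Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName |
            Select-Object Neighbor, Asn, State, RoutesReceived, ConnectedDuration
    }
}

Test-ErCircuitHealth -ResourceGroupName "rg-hybrid-prod" -CircuitName "er-ams-01" -GatewayName "ergw-hub"
```

Reading the output bottom-up mirrors the zones: a missing ARP entry is a provider or CE layer 2 problem, ARP present but zero routes points at BGP (key, ASN, prefix filters), and routes present with a gateway session not Connected isolates the fault to the Azure side.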
