Design & implement azure ExpressRoute Flashcards
What is ExpressRoute and what does it offer?
ExpressRoute extends on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. ExpressRoute establishes connections to various Microsoft cloud services, such as Microsoft Azure and Microsoft 365.
It offers more reliability, faster speeds, consistent latencies, and higher security.
What type of connections can form ER?
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility.
Name and briefly explain 4 use cases for ER in azure.
- Faster and Reliable connection to Azure services - Organizations using Azure services look for reliable connections to Azure services and data centers. Public internet is dependent upon many factors and may not be suitable for a business. Using ExpressRoute connections to transfer data between on-premises systems and Azure can also give significant cost benefits.
- Storage, backup, and Recovery - Backup and Recovery are important for an organization for business continuity and recovering from outages. ExpressRoute gives you a fast and reliable connection to Azure with bandwidths up to 100 Gbps. ExpressRoute is excellent for scenarios such as periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies.
- Extends Data center capabilities - ExpressRoute can be used to connect and add compute and storage capacity to your existing data centers. With high throughput and fast latencies, Azure feels like a natural extension to or between your data centers, so you enjoy the scale and economics of the public cloud without having to compromise on network performance.
- Predictable, reliable, and high-throughput connections - With predictable, reliable, and high-throughput connections offered by ExpressRoute, enterprises can build applications that span on-premises infrastructure and Azure without compromising privacy or performance.
What are the 4 connectivity models for ER?
- Co-located at a cloud exchange
In a facility with a cloud exchange, virtual cross-connections to the Microsoft cloud are provided through the colocation provider’s Ethernet exchange. Colocation providers can offer either Layer 2 cross-connections, or managed Layer 3 cross-connections between your infrastructure in the colocation facility and the Microsoft cloud.
- Point-to-point Ethernet connections
Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.
- Any-to-any (IPVPN) networks
IPVPN providers offer any-to-any connectivity between your branch offices and datacenters. The Microsoft cloud can be interconnected to your WAN to make it look just like any other branch office. WAN providers typically offer managed Layer 3 connectivity.
- Direct from ExpressRoute sites
ExpressRoute Direct provides dual 100 Gbps or 10-Gbps connectivity, which supports Active/Active connectivity at scale.
Name the differences between ER service provider & ER Direct.
Name and describe the 2 ways in which redundancy can be deployed for ER.
- Configure ExpressRoute and site to site coexisting connections
Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:
A Site-to-Site VPN is a secure failover path for ExpressRoute.
Site-to-Site VPNs to connect to sites that aren’t connected through ExpressRoute.
No downtime occurs when adding a new gateway or gateway connection.
- Create a zone redundant virtual network gateway in Azure availability zones
You can deploy VPN and ExpressRoute gateways in Azure Availability Zones. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.
2 types are Zone-redundant gateways & Zonal gateways
How are Zone-Redundant & Zonal gateway SKUs identified?
You can identify these SKUs by the “AZ” in the SKU name.
What PIP SKU do both ZR & Zonal GWs rely on?
Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The configuration of the Azure public IP resource determines whether the gateway that you deploy is zone-redundant, or zonal.
What are the 3 ER circuit SKUs?
- Local SKU - With Local SKU, you’re automatically charged with an Unlimited data plan.
- Standard and Premium SKU - You can select between a Metered or an Unlimited data plan. All ingress data are free of charge except when using the Global Reach add-on.
What is the difference between an Azure region & an ER peering location?
Azure regions are global datacenters where Azure compute, networking, and storage resources are located. The resource location determines which Azure datacenter (or availability zone) the resource is created in.
ExpressRoute locations (sometimes referred to as peering locations or meet-me-locations) are colocation facilities where Microsoft Enterprise Edge (MSEE) devices are located. ExpressRoute locations are the entry point to Microsoft’s network – and are globally distributed, providing customers the opportunity to connect to Microsoft’s network around the world.
What other options are available for customers without fibre-connectivity as an option?
- Other service providers
- Datacenter providers
- National Research and Education networks (NERN)
- System integrators
How would you go about choosing the right ER circuit & billing model?
- evaluate the current usage and determine how much data is used monthly to start with.
- The next step is to figure out which of the available ExpressRoute is the best choice depending upon the requirements of the Enterprise keeping in mind the budget and SLA requirements.
- Decide between the Local, Standard, and Premium SKUs.
What peering options are available for ER circuits?
An ExpressRoute circuit has two peering options associated with it: Azure private, and Microsoft. Each peering is configured identically on a pair of routers (in active-active or load sharing configuration) for high availability.
Name a few pre-requisites that are needed when configuring peering?
- Peering can be configured in any order you choose. However, you must make sure that you complete the configuration of each peering one at a time.
- You must have an active ExpressRoute circuit. To configure peerings, the ExpressRoute circuit must be in a provisioned and enabled state.
- If you plan to use a shared key/MD5 hash, be sure to use the key on both sides of the tunnel. The limit is a maximum of 25 alphanumeric characters. Special characters aren’t supported.
Name some differences between Private & Microsoft peering.
- Private Peering:
- Supports 4000 prefixes by default, 10,000 with ExpressRoute Premium.
- Supports Any valid IP address range within your WAN.
- Private and public AS numbers supported. You must own the public AS number if you choose to use one.
- Supports IPv4, IPv6 (preview)
- RFC1918 and public IP addresses can be used on the routing interface.
- Supports MD5 - Microsoft Peering:
- Supports 200 prefixes by default.
- Supports Public IP addresses owned by you or your connectivity provider.
- Private and public AS numbers supported. However, you must prove ownership of public IP addresses.
- Supports IPv4, IPv6
- public IP addresses can be used on the routing interface, but they must be registered to you in routing registries.
- Supports MD5
What is the recommended config for both peerings?
The recommended configuration is that private peering is connected directly to the core network, and the public and Microsoft peering links are connected to your DMZ.
What is the pre-requisite should you want to connect a VNet to an IPv6 based ER circuit?
make sure that your virtual network is dual stack
How are both peering options configured?
- Private Peering:
- Azure compute services, namely virtual machines, and cloud services, that are deployed within a virtual network can be connected through the private peering domain.
- You can set up bi-directional connectivity between your core network and Azure virtual networks which lets you connect to virtual machines and cloud services directly on their private IP addresses. - Microsoft peering:
- Connectivity to Microsoft online services (Microsoft 365 and Azure PaaS services) occurs through Microsoft peering.
- You can enable bidirectional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain.
- You must connect to Microsoft cloud services only over public IP addresses owned by you or your connectivity provider and you must adhere to all the defined rules.
What is the purpose of Route Filters when configuring an ER peering?
A route filter lets you identify services you want to consume through your ExpressRoute circuit’s Microsoft peering. It’s essentially an allowed list of all the BGP community values. Once a route filter resource gets defined and attached to an ExpressRoute circuit, all prefixes that map to the BGP community values gets advertised to your network.
To attach route filters with Microsoft 365 services, you must have authorization to consume Microsoft 365 services through ExpressRoute.
What steps must be performed when connecting your VNet to your ER Circuit?
- You must have an active ExpressRoute circuit.
- Ensure that you have Azure private peering configured for your circuit.
- Ensure that Azure private peering gets configured and establishes BGP peering between your network and Microsoft for end-to-end connectivity.
- Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. A virtual network gateway for ExpressRoute uses the GatewayType ‘ExpressRoute’, not VPN.
- You can link up to 10 virtual networks to a standard
ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit. - A single virtual network can be linked to up to 16 ExpressRoute circuits. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.
- If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit. The premium add-on allows you to connect more than 10 virtual networks to your ExpressRoute circuit depending on the bandwidth chosen.
- To create the connection from the ExpressRoute circuit to the target ExpressRoute virtual network gateway, the number of address spaces advertised from the local or peered virtual networks needs to be equal to or less than 200. Once the connection is successfully created, you can add other address spaces, up to 1,000, to the local or peered virtual networks.
How are VPNs established over ER private connections?
You can use Microsoft peering to establish a site-to-site IPsec/IKE VPN tunnel between your selected on-premises networks and Azure VNets.
Note!:
When you set up site-to-site VPN over Microsoft peering, you are charged for the VPN gateway and VPN egress.
What are some of the steps for configuring a S2S-VPN over ER connection?
- Configure Microsoft peering for your ExpressRoute circuit.
- Advertise selected Azure regional public prefixes to your on-premises network via Microsoft peering.
- Configure a VPN gateway and establish IPsec tunnels
- Configure the on-premises VPN device.
- Create the site-to-site IPsec/IKE connection.
- (Optional) Configure firewalls/filtering on the on-premises VPN device.
- Test and validate the IPsec communication over the ExpressRoute circuit.
Name 4 different ways ER can be implemented.
- You can connect to Microsoft in one of the peering locations and access regions within the geopolitical region.
- You can enable ExpressRoute Premium to extend connectivity across geopolitical boundaries. For example, if you connect to Microsoft in Amsterdam through ExpressRoute, you have access to all Microsoft cloud services hosted in all regions across the world.
- You can transfer data cost-effectively by enabling the Local SKU. With Local SKU, you can bring your data to an ExpressRoute location near the Azure region you want.
- You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits. With ExpressRoute Global Reach, you can connect your private data centers together through these two ExpressRoute circuits. Your cross-data-center traffic traverses through Microsoft’s network.
What is ER FastPath?
FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.
