Azure ExpressRoute Gateway: A Comprehensive Guide

Azure ExpressRoute Gateway is a secure and reliable way to connect your on-premises network to Azure, with dedicated network connections.

ExpressRoute connections are private, so your data stays secure and isn't exposed to the public internet.

ExpressRoute Gateway supports multiple network protocols, including BGP, static routing, and IPsec.

To set up an ExpressRoute Gateway, you'll need to create a new gateway and then connect it to your virtual network.

The ExpressRoute Gateway can be configured to use a single IP address or multiple IP addresses for load balancing.

Azure ExpressRoute Gateway is a great way to connect your on-premises network to Microsoft Azure.

You'll need to have an ExpressRoute circuit and a subscription to Azure to get started.

ExpressRoute is a dedicated network connection that provides a secure and reliable way to connect to Azure.

This connection is typically established by a telecommunications provider.

To set up an ExpressRoute Gateway, you'll need to create a new virtual network gateway.

A virtual network gateway is a network device that enables communication between your on-premises network and Azure.

This is a crucial step in setting up Azure ExpressRoute Gateway.

The virtual network gateway will be used to manage your ExpressRoute connection.

Make sure to choose the correct gateway SKU for your needs.

The gateway SKU determines the performance and capacity of your virtual network gateway.

You can choose from several gateway SKUs, including UltraPerformance and HighPerformance.

Each SKU has its own set of features and pricing.

Be sure to review the pricing and features of each SKU before making a decision.

Once you've created your virtual network gateway, you can configure your ExpressRoute Gateway.

This involves setting up the gateway's routing configuration and security settings.

The routing configuration determines how traffic is routed between your on-premises network and Azure.

The security settings ensure that your data is protected during transmission.

With your ExpressRoute Gateway set up, you can start connecting your on-premises network to Azure.

This will give you a fast and secure way to access Azure services and resources.

To create a gateway, you'll need to run the Connect-AzAccount cmdlet. This will establish a connection with Azure.

You'll then need to declare your variables, such as the resource group, location, and gateway name. Make sure to edit the sample to reflect the settings you want to use.

You can create a gateway in an Azure Extended Zone by adding the $ExtendedLocation variable to your variables. For example, if you want to create the gateway in the Los Angeles Extended Zone, you would set $ExtendedLocation to "losangeles".

To add a gateway subnet to your virtual network, use the Add-AzVirtualNetworkSubnetConfig cmdlet. The gateway subnet must be named "GatewaySubnet" and must be /27 or larger.

If you're using a dual stack virtual network and plan to use IPv6-based private peering over ExpressRoute, create a dual stack gateway subnet instead. This will allow you to use IPv6 addresses in addition to IPv4 addresses.

You can request a public IP address using the New-AzPublicIpAddress cmdlet. The IP address is requested before creating the gateway, and it's dynamically assigned. You'll use this IP address in the next configuration section.

Here are the available gateway SKUs:

To create the configuration for your gateway, use the New-AzVirtualNetworkGatewayIpConfig cmdlet. This will define the subnet and public IP address to use.

To enable transit routing between ExpressRoute and Azure VPN, you need to set up Azure Route Server. This allows connectivity between local networks connected to ExpressRoute and those connected to a site-to-site VPN connection.

To establish routing between site-to-site VPN connections and ExpressRoute, you must also set up Azure Route Server. This enables routing between branches connected to ExpressRoute and those connected to a site-to-site VPN connection.

Azure Route Server can handle up to 11,000 routes that span virtual network address spaces, on-premises networks, and virtual network peering connections. To ensure stability, refrain from advertising more than 11,000 routes to ExpressRoute.

To configure a Site-to-Site VPN as a failover path for ExpressRoute, you need to understand that this connection applies only to virtual networks linked to the Azure private peering path.

ExpressRoute is always the primary link, and data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local network configuration should prefer the ExpressRoute circuit over the Site-to-Site VPN.

You can prefer the ExpressRoute path by setting a higher local preference for the routes received from ExpressRoute. This means that even if the routes are the same, Azure will use the longest prefix match to choose the route towards the packet's destination.

To set up your site-to-site VPN connection as a backup, you must configure your on-premises network so that the VPN connection is routed to the Internet. This is because if ExpressRoute Microsoft Peering is enabled, you can receive the public IP address of your Azure VPN gateway on the ExpressRoute connection.

VPN Transit Routing is a crucial aspect of network architecture, and it's essential to understand how to configure it correctly. To enable transit routing between ExpressRoute and Azure VPN, you need to set up Azure Route Server.

If you want to enable connectivity between one of your local networks connected to ExpressRoute and another local network connected to a site-to-site VPN connection, Azure Route Server is the way to go. This setup allows you to establish a secure and reliable connection between your on-premises networks and Azure.

To establish routing between site-to-site VPN connections and ExpressRoute, you can use Azure Route Server. This will enable you to connect your branches connected to ExpressRoute with branches connected to a site-to-site VPN connection.

Here's a step-by-step guide to setting up Azure Route Server for VPN transit routing:

1. Delete the existing ExpressRoute or Site-to-site VPN gateway.

2. Delete and recreate the GatewaySubnet to have a prefix of /27 or shorter.

3. Configure a VNet with a Site-to-Site connection and then configure the ExpressRoute gateway.

4. Once the ExpressRoute gateway is deployed, you can link the virtual network to the ExpressRoute circuit.

By following these steps, you can establish a secure and reliable VPN transit routing configuration between your on-premises networks and Azure.

Route advertising limits are a crucial aspect of ExpressRoute configurations. You can advertise up to 4000 prefixes for private peering and 200 prefixes for Microsoft peering.

To increase the limit for private peering, you'll need to upgrade to ExpressRoute premium, which allows for up to 10,000 routes. This is a significant increase, especially for large networks.

The limits vary depending on the type of peering and the ExpressRoute SKU you're using. Here's a breakdown of the maximum number of routes you can advertise:

If you exceed these limits, your ExpressRoute connection may disconnect, including peered virtual networks using gateway transit. To avoid this, make sure to update your prefixes to be within the allowed range.

The BGP hold timer is 180 seconds.

In some cases, you can configure different timers, and the BGP session parameters will be negotiated accordingly.

The BGP hold timer can't be changed on the Microsoft side, so you won't be able to adjust it there.

Keep-alive messages are sent every 60 seconds, which is a fixed setting.

You can configure route filters for Microsoft peering to start prefix advertisements. For more information, see Configure route filters for Microsoft peering.

Route filters allow you to select the services you need advertised over Microsoft peering. This is useful if you want to add Azure public prefixes advertisements over the same Microsoft peering.

To attach a route filter to your circuit, you need to select the services you need advertised. You can then create a route filter, select the services you need advertised, and attach the filter to your Microsoft peering.

You don't see any routes until you attach a route filter to your circuit to start prefix advertisements. For more information, see Configure route filters for Microsoft peering.

If you're using route filters, anyone can turn on Microsoft peering. However, for consuming Microsoft 365 services, you still need to get authorized by Microsoft 365.

Here's a list of services that can be advertised over Microsoft peering:

Note that some services may not be supported, so it's always a good idea to check the documentation for the service to see if it's supported over Microsoft peering.