Create an Azure ExpressRoute Connection

Contents

Create an ExpressRoute circuit in the Azure portal
Create a PacketFabric Hosted Connection
Create the secondary connection
Configure peering
Create and link a virtual network gateway

Prerequisites

  • Before you begin, you should already have a PacketFabric port and cross connect in place. For more information, see Create a Port.

  • Review the steps outlined in the process overview.

Create an ExpressRoute circuit in the Azure portal

  1. From the Microsoft Azure home page, click Create a Resource.

    screenshot of the create a resource action in the azure portal

  2. Select Networking > ExpressRoute.

    screenshot of the expressroute selection in the azure portal

  3. Under Basics, complete the following fields:

    • Subscription: Your subscription is created at the account level and determines how you are billed.

    • Resource group: The resource group is like a directory folder. You can use resource groups to perform bulk operations on resources. For example, you can cascade permissions, create copies, delete groups, and so on.

      Each resource can only belong to one group, and the group can only belong to one subscription.

    • Region: Select the Azure region that works best for you. This region represents the availability zone or data center in which a resource is located.

      The region does not need to be the same as the PacketFabric on-ramp. For example, you might want to keep resources within a group within the same region or spread them among various regions for redundancy.

      If you would like to select a region close to your on-ramp, PacketFabric is present in the following regions:

      • US West (Silicon Valley)
      • North Central US (Chicago)
      • East US, East US2 (Washington D.C.)
      • Las Vegas

    • Name: Provide a meaningful name for the circuit.

  4. Under Configuration, complete the following fields:

    • Port type: Select Provider.

    • Create new or import from classic: Create new.

    • Provider: Select PacketFabric.

    • Peering location: Select from the available locations. This is the PacketFabric on-ramp.

    • Bandwidth: Select your capacity.

    • SKU: Select your service tier.

      The Premium add-on allows connectivity between geopolitical regions, more prefixes, and more virtual network connections. For more information, see Microsoft - What is ExpressRoute premium?

    • Billing model: Select the appropriate billing model.

      This only applies to Microsoft’s billing model. All PacketFabric hosted cloud connections are billed separately and at a flat monthly rate.

      • Metered: Billed according to usage.
      • Unlimited: Pay a flat monthly rate.

    • Allow classic operations: Select Yes if you are planning to connect to resources that were deployed under Azure’s classic model.

      This would include any resources created before 2014 that have not been migrated and/or post-2014 resources that you created through the classic portal.

  5. Under Tags, you can optionally add name/value pairs. Tags allow you to organize resources across resource groups. They can be applied to subscriptions, resource groups, and resources.

    For example, you could use tags to note location (e.g. city: richmond or building: d) and environments (e.g. environment: test or state: beta).

  6. Review your selections and click Create.

  7. It might take a few moments for your circuit to deploy. When complete, click Go to resource.

    screenshot of the deployed circuit and the go to resource action

    NOTE: If you do not see the Go to resource action, click Refresh or go to the resources page and re-select the ExpressRoute circuit.

  8. From the ExpressRoute circuit overview page, locate the service key and copy it to your clipboard.

    screenshot of the expressroute overview page

IMPORTANT:

Each service key is unique to a specific circuit. Embedded within the service key is the following information:

Who: PacketFabric
Where: Peering location/on-ramp
How much: Bandwidth

You can use the service key twice: once for the primary connection, and again for the secondary connection.

But because they are so specific, you cannot reuse a service key across multiple regions or recycle them between circuits. For example, you can’t create two hosted connections to two different on-ramp locations using the same service key.

Microsoft begins charging you as soon as the service key is created, regardless of whether you have provisioned your PacketFabric connection.

Create a PacketFabric Hosted Connection

  1. Log in to the PacketFabric portal. From the Home page, click Cloud Connectivity:

    screenshot of cloud option under create services

  2. Select Hosted Cloud Connectivity.

  3. Select Azure.

Complete the following fields:

Azure Service Key

Enter the Azure service key that you copied from the ExpressRoute circuit overview page.

Select From

Select the source interface. The source interface is the PacketFabric interface directly connected to your network.

Select Destination Region & Speed

  • Select Destination Region: This is the physical on-ramp location you are using. Select the same one you selected for your Peering location when creating the ExpressRoute.

    This cannot be changed after it is provisioned.

  • Select Speed: This is the speed/capacity you are setting for your ExpressRoute circuit. Again, you should select the same speed you selected when creating the ExpressRoute.

Product Confirmation

  • Product Description: Enter a description for the connection.

Billing

Select the appropriate billing account to associate with this service.

Configuration

  • Private Peering VLAN: The VLAN ID you are using for private peering. You will use this when you configure peering in the Azure portal.

    The VLAN ID must be unique within the circuit (not used for any other peerings).

    You can manually enter the ID or click Next Available. If you click Next Available, we will find the highest in-use VLAN ID and increment by one. For example, if the highest in-use ID is 15, this field autopopulates with 16.

  • Microsoft Peering VLAN: The VLAN ID you are using for Microsoft peering. This is optional and is used to connect to Office 365.

    Like private peering, the VLAN ID must be unique within the circuit (not used for any other peerings).

The VLAN IDs you select now do not need to be permanent. You can go back and modify them at any time.

Review your information. When everything is correct, click Place Order.

Create the secondary connection

Each Microsoft service key allows for a primary and secondary circuit connection. See the diagram in Microsoft ExpressRoute Overview.

The first time you use your Microsoft service key to set up a connection, PacketFabric automatically provisions your primary circuit connection.

If you set up another connection using the same service key, PacketFabric provisions the secondary circuit connection.

Use the same VLAN IDs you used for the primary connection.

Configure peering

When the cloud connection has completed provisioning, return to the Azure portal and refresh the ExpressRoute overview page.

The provider status should update to Provisioned:

screenshot of the expressroute circuit provider status

When you configure peering, you are asked to provide VLAN IDs. Use the IDs you provided when you created your PacketFabric circuit above.

To confirm which IDs you are using, navigate to the port details page for the source port and view the Active VCs table.

Private peering

Click Azure private to configure a private connection to your Azure VNet.

screenshot of azure peering

NOTE: The Azure public peering option has been deprecated.

  • ASN: Enter your public or private ASN.

    If you are using a private ASN, you cannot use numbers from 65515 to 65520. These are reserved for Microsoft’s internal use.

  • Primary subnet: This is a /30 subnet for your primary link. It can be a public or private IP address range, but it cannot be a range that is already being used in your Azure VNet.

    Assign the first usable IP address to your router. Microsoft uses the second.

    If you are using public IP addresses, they should not be advertised to the public internet.

  • Secondary subnet: This is another /30 subnet. It follows the same rules as the primary subnet, but is used with your secondary link.

  • VLAN ID: This is the Private Peering VLAN ID you entered when creating the PacketFabric hosted connection. Use the same VLAN ID for both the primary and secondary links.

  • Shared key: An optional MD5 hash. This must be present on both sides of the tunnel and is limited to 25 characters. Special characters are not supported.

For more information, see the following Microsoft articles:

Microsoft peering

You only need to set up Microsoft peering if you are using Microsoft 365 or Office 365 and would like to provide on-premises users with a dedicated connection. Microsoft 365 apps still require public internet endpoints.

screenshot of microsoft peering

  • ASN: Enter your public ASN.

    You can use a private ASN, but Microsoft will need to manually validate it before use. Microsoft will also remove private ASNs from the AS PATH for received prefixes. This means you cannot optimize routing for Microsoft peering.

    As mentioned above, you cannot use private AS numbers from 65515 to 65520. These are reserved for Microsoft’s internal use.

  • Primary subnet: This is a /30 subnet for your primary link. This must be a valid public IPv4 prefix owned by you and registered in an RIR/IRR.

    Assign the first usable IP address to your router. Microsoft uses the second.

    While you must use a public IPv4 address range, it should not be advertised to the public internet.

  • Secondary subnet: This is another /30 subnet. It follows the same rules as the primary subnet, but is used with your secondary link.

  • VLAN ID: This is the Microsoft Peering VLAN ID you entered when creating the PacketFabric hosted connection. Use the same VLAN ID for both the primary and secondary links.

  • Advertised public prefixes: A list of IPv4 or IPv6 prefixes to advertise over the BGP session. These prefixes must be public and registered to you.

    You can provide up to 200 prefixes in a comma-separated list.

  • Customer ASN: If you are advertising prefixes that are not registered to the peering ASN, you can use this field to specify the ASN to which they are registered. (Optional)

  • Routing registry name: The RIR/IRR in which your public IP prefixes and ASN are registered. (Optional)

  • Shared key: An MD5 hash. This must be present on both sides of the tunnel and is limited to 25 characters. Special characters are not supported. (Optional)
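
The rules in the private and Microsoft peering field lists above can be checked before you type the values into the Azure portal. The following is an added example, not code from PacketFabric or Microsoft; the function names and sample values are hypothetical. It assumes "special characters" means anything other than ASCII letters and digits, and it approximates "public" with Python's `is_private` test, which cannot confirm that a prefix is registered to you.

```python
import ipaddress

RESERVED_ASNS = range(65515, 65521)  # 65515-65520: reserved for Microsoft (from the page)

def link_addresses(subnet):
    """Split a /30 into (your router's IP, Microsoft's IP): first and second usable."""
    net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits, e.g. 10.0.0.1/30
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{subnet} is not an IPv4 /30")
    ours, microsoft = net.hosts()
    return str(ours), str(microsoft)

def check_peering(kind, asn, primary, secondary, vlan, other_vlans=(),
                  vnet_ranges=(), shared_key=None, advertised=()):
    """Return a list of rule violations for 'private' or 'microsoft' peering."""
    problems = []
    if asn in RESERVED_ASNS:
        problems.append(f"ASN {asn} is reserved (65515-65520)")
    if vlan in other_vlans:
        problems.append(f"VLAN {vlan} is already used by another peering")
    nets = []
    for label, subnet in (("primary", primary), ("secondary", secondary)):
        try:
            link_addresses(subnet)
        except ValueError as exc:
            problems.append(f"{label} subnet: {exc}")
            continue
        net = ipaddress.ip_network(subnet)
        nets.append(net)
        if kind == "microsoft" and net.is_private:
            problems.append(f"{label} subnet {net} is not public")
        vnets = [ipaddress.ip_network(v) for v in vnet_ranges]
        if kind == "private" and any(net.overlaps(v) for v in vnets):
            problems.append(f"{label} subnet {net} overlaps a VNet range")
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        problems.append("primary and secondary subnets overlap")
    if shared_key is not None and not (
            len(shared_key) <= 25 and shared_key.isascii() and shared_key.isalnum()):
        problems.append("shared key must be at most 25 letters/digits")
    if kind == "microsoft":
        if len(advertised) > 200:
            problems.append("more than 200 advertised prefixes")
        problems += [f"advertised prefix {p} is not public"
                     for p in advertised if ipaddress.ip_network(p).is_private]
    return problems

if __name__ == "__main__":  # constructed sample values, not from the page
    print(link_addresses("10.255.0.0/30"))
    print(check_peering("private", 65515, "10.255.0.0/30", "10.255.0.4/30", 16))
```

An empty list from `check_peering` means the values satisfy the constraints listed on this page; it does not replace the validation Azure performs when you save the peering.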

For more information, see the following Microsoft articles:

Create and link a virtual network gateway

Create a virtual network gateway for ExpressRoute

Before you continue, consider whether you want to use Azure’s zone-redundant gateways. For more information, see High Availability and Redundancy in ExpressRoute Connections.

  1. Use the search bar at the top of the Azure portal to find and select Virtual network gateways.

    screenshot of azure portal search

  2. Click Add.

    screenshot of azure portal add action

  3. Under Basics, complete the following fields:

    • Subscription: Select the subscription associated with your virtual network.

    • Resource group: The resource group is autopopulated based on the virtual network you select.

    • Name: Provide a meaningful name for the gateway.

    • Region: Select the region associated with your virtual network.

    • Gateway type: Select ExpressRoute.

    • SKU: Select one of the following:

      • Standard/ErGw1AZ: 1,000 Megabits/second
      • High Performance/ErGw2AZ: 1,000 Megabits/second
      • Ultra Performance/ErGw3AZ: 1,000 Megabits/second

      The SKUs that begin with ErGw indicate that the gateway is in a zone-redundant region.

      If you are planning to implement FastPath, you must select the Ultra Performance gateway.

      For more information about the differences between SKUs, see Estimated performances by gateway SKU.

    • Virtual network: Select the virtual network to which you are connecting.

  4. Click Next to add tags (optional).

  5. Click Next and then Create.

NOTE: Ensure you have already set up peering before linking your virtual network gateway. Otherwise, you will get an error when you provision the connection.

  1. In the Azure portal, go to the overview page for your ExpressRoute circuit.

  2. From the menu on the left, select Connections.

    screenshot of expressroute menu

  3. Click Add.

  4. Provide a meaningful name and then click Next.

  5. Under Settings, complete the following fields:

    • Virtual network gateway: Select the gateway leading to the appropriate virtual network.

    • Routing weight: The routing weight is relevant when both of the following conditions are met:

      • A virtual network is connected to multiple circuits,

        AND

      • Those circuits are advertising the same network prefixes.

      In that situation, traffic is sent to the ExpressRoute circuit with the highest routing weight. You can enter a value between 0 and 32000.

  6. Click Next to add tags (optional).

  7. Click Next and then Create.

Next steps

If you are using Microsoft 365 peering, you also need to set up route filters. For more information, see Configure route filters for Microsoft peering.