{"id":66341,"date":"2022-12-16T14:00:00","date_gmt":"2022-12-16T13:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/?p=66341"},"modified":"2023-07-25T17:43:43","modified_gmt":"2023-07-25T16:43:43","slug":"azure-expressroute-explained","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-gb\/industry\/blog\/technetuk\/2022\/12\/16\/azure-expressroute-explained\/","title":{"rendered":"Azure ExpressRoute Explained"},"content":{"rendered":"\n

In this article, we will explain Azure ExpressRoute<\/a>. First, we will take a look at how ExpressRoute enables a private connection to the Microsoft backbone network, before moving on to the available SKUs and different types of ExpressRoute offerings, as well as how to enable resiliency. It’s everything you wanted to know but were afraid to ask!<\/p>\n\n\n\n

Azure Network & Backbone<\/h3>\n\n\n\n

Microsoft has a huge global, low-latency backbone network that connects to the multiple express route gateways available for consumption by the Azure regions. Those Azure regions each consist of multiple datacenters (or zones), which connect to the express route gateways. As multiple gateways onto the backbone network are connected to each Azure datacenter, this forms a highly resilient connection to each Azure region. The diagrams below explain this more clearly:<\/p>\n\n\n\n


Within an Azure region, multiple services exist which attach to the Microsoft backbone: for example, IaaS services like virtual machines and PaaS services like Azure App Services. SaaS offerings like Office 365 live in the Microsoft cloud rather than in a specific Azure region, but still connect to the Microsoft backbone network.<\/p>\n\n\n\n

The backbone network also extends to \u2018edge nodes\u2019. Services on the \u2018edge\u2019 include global services like Azure Front Door and Azure CDN. Edge nodes live in a carrier-neutral facility that different carriers can also connect to (think AT&T, Verizon, Vodafone, BT, etc.), and these carriers effectively connect to and form the internet. This is how the Azure regions connect to the internet.<\/p>\n\n\n\n

Also on the backbone network are peering points (or \u2018meet me\u2019 locations) that facilitate private connectivity to customer networks. These are secure carrier-neutral locations that include lots of routers, forming the \u2018Microsoft Enterprise Edge\u2019 (or MSEE). Partners and service providers also have routers that interconnect to the MSEE to form a connection between the two. Any new Azure region will have a peering point located close by, but this will not be part of the Azure region.<\/p>\n\n\n\n

Finally, on the customer network, in the example of a physical location, fiber would be laid to the office by a service provider and connected to the customer network using a router. MPLS networks (any-to-any) can also be connected to the service provider's peering point.<\/p>\n\n\n\n

When a connection is created, two connections are actually created for resilience, and two BGP sessions are created to exchange routes. The two customer routers connect to the two service provider routers, which connect to the MSEE routers, which then connect to Azure. Any 802.1Q tags used for VLANs on premises are stripped out, as VLANs cannot be extended to Azure.<\/p>\n\n\n\n

SKUs<\/h3>\n\n\n\n

Connecting to the backbone does not connect you to a particular Azure region. It connects you to the global backbone network. Which regions you can access is controlled by the SKU (or type of circuit) of the ExpressRoute connection you choose.<\/p>\n\n\n\n

Local SKU<\/strong><\/h4>\n\n\n\n

This allows you to talk only to the region local to the peering point (i.e. the closest Azure region). For example, if I connected an on-premises network through the London peering point to the UK South Azure region, this would be fine, but I could not connect to the UK West or US East Azure regions.<\/p>\n\n\n\n

Some peering points do not have the Local SKU available, for example Dallas and Atlanta, to name a couple. To find out which peering points have the Local SKU available and which Azure region they line up with, you can check the Microsoft Learn page on ExpressRoute partners and peering locations<\/a>.<\/a><\/p>\n\n\n\n

Standard SKU<\/strong><\/h4>\n\n\n\n

This allows you to connect to any Azure region within the geopolitical region of the peering point. For example, if I connected an on-premises network through the London peering point to the UK South or UK West Azure regions, this would be fine, but I could not connect to the US East region.<\/p>\n\n\n\n

Premium SKU<\/strong><\/h4>\n\n\n\n

This allows you to connect to other regions outside of the peering point region. For example, if I connected an on-premises network to the London peering point, it could be connected to the US East Azure region.<\/p>\n\n\n\n

With ExpressRoute, Ingress is free. Egress is metered. There is also an unmetered SKU that costs a lot more.<\/p>\n\n\n\n

VNet Gateway SKUs<\/h4>\n\n\n\n

There are different SKUs for the VNet Gateway based on performance, using metrics such as speed, number of packets, and connections per second.<\/p>\n\n\n\n


ExpressRoute Direct<\/h3>\n\n\n\n

ExpressRoute Direct is an option for customers that want higher bandwidth connections. It provides dual 100-Gbps or 10-Gbps connectivity that supports Active\/Active connectivity at scale. It achieves this by connecting the on-premises router to the MSEE router directly (not through a service provider), using 2 ports on the router. At the peering location, this means there is a physical (layer 1) connection directly to the MSEE router's ports.<\/p>\n\n\n\n

One advantage of ExpressRoute Direct is the ability to use Media Access Control security (MACsec). This allows you to encrypt the traffic between the routers if desired, so the traffic is encrypted on any physical cable the data travels over within the peering location to the MSEE router.<\/p>\n\n\n\n