Azure ExpressRoute: connecting to Azure effortlessly

In the rapidly evolving digital landscape, seamless and secure cloud connectivity is a cornerstone for enterprises aiming to leverage the full spectrum of cloud services. Azure ExpressRoute stands out as a pivotal service offered by Microsoft Azure, enabling private connections between Azure data centers and infrastructure on-premises or in a colocation environment.

What is Azure ExpressRoute?

Azure ExpressRoute is a service that bypasses the public internet, providing a private, dedicated network connection between your on-premises infrastructure and Microsoft Azure. This direct connection aims to enhance reliability, speed, and security for your cloud-based applications and data.

Main benefits of ExpressRoute

ExpressRoute offers a plethora of advantages, crucial for any organization looking to boost their cloud capabilities:

  • Global Connectivity: It enables organizations to connect to Microsoft cloud services from anywhere in the world.
  • Layer 3 Connectivity: Utilizing BGP, it establishes dynamic routing between your local network, Azure, and Microsoft public addresses.
  • Enhanced Reliability and Security: Keeping traffic off the public internet improves the reliability of the connection and its privacy. Note that ExpressRoute itself does not encrypt traffic on the circuit; where confidentiality on the link is required, use MACsec on ExpressRoute Direct ports or run an IPsec VPN over the circuit.

Characteristics of Azure ExpressRoute

  • Layer 3 Connectivity: Leveraging BGP for routing, ensuring robust and dynamic network communication.
  • Built-in Redundancy: Each connection is backed by dual connections to Microsoft Enterprise edge routers, enhancing reliability.
  • Diverse Microsoft Cloud Services Access: Users gain access to a wide range of Microsoft services, including Azure, Microsoft 365, and Dynamics 365.
  • Global and Local Connectivity Options: Supports connectivity across geopolitical regions and offers localized connections for optimized performance.

ExpressRoute connectivity models

You can connect your on-premises network to the Microsoft cloud through three connectivity models: a cloud exchange co-location, a point-to-point Ethernet connection, or an any-to-any (IPVPN) connection. Connectivity providers may offer one or more of these models.

Point-to-point Ethernet connections

Point-to-point Ethernet providers link your on-premises site to Microsoft over dedicated Ethernet links. The connection can be either a Layer 2 link or a managed Layer 3 connection.

Any-to-any networks (IPVPN)

If you already use an IPVPN provider (typically an MPLS VPN) to connect your data centers and branch offices, the Microsoft cloud can be integrated into that WAN so that it appears as just another branch office. WAN providers typically offer managed Layer 3 connectivity.

Connectivity providers use ExpressRoute circuits that allow a connection between local infrastructure and Microsoft. For all connectivity models, ExpressRoute capabilities and features are the same.

ExpressRoute Circuits

An ExpressRoute circuit is the logical connection between your on-premises infrastructure and Microsoft cloud services through a connectivity provider. You can order multiple circuits; each circuit can be in the same or a different region and can be connected to your premises through a different connectivity provider. The connection between the circuit and your data center is provided by the connectivity provider.

An ExpressRoute circuit does not map to any physical entity. A circuit is uniquely identified by a standard GUID called the service key (s-key), which is the only piece of information exchanged between you, the connectivity provider, and Microsoft. The s-key is an identifier, not a secret kept for security purposes, so do not treat it as an authorization token; access to a circuit from other subscriptions is granted through separate circuit authorizations. There is a one-to-one mapping between an ExpressRoute circuit and its service key.

ExpressRoute peering

An ExpressRoute circuit has up to three routing domains (peerings): Azure private, Azure public (deprecated for new circuits), and Microsoft. For high availability, each peering is configured identically on a pair of routers in an active-active (load-sharing) configuration. Azure services are categorized as Azure public and Azure private to reflect their IP addressing schemes.

Azure private peering

The private peering domain connects Azure compute services, i.e., virtual machines (IaaS) and cloud services (PaaS), deployed within a virtual network. Microsoft treats this routing domain as a trusted extension of your core network. You can set up bidirectional connectivity between your core network and Azure virtual networks; this peering lets you reach virtual machines and cloud services directly on their private IP addresses.

Microsoft peering

Office 365 was built to be accessed securely and reliably over the Internet, so ExpressRoute is recommended for Office 365 only in specific scenarios.

Microsoft peering provides connectivity to Microsoft online services such as Office 365, Dynamics 365, and Azure PaaS services. The Microsoft peering routing domain supports bidirectional connectivity between your WAN and Microsoft cloud services, but the peering must use public IP addresses owned by you or your connectivity provider, and all the defined rules must be adhered to.
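The following is an added example, not code from the original article and not Microsoft's or Aviatrix's own tooling. It encodes the constraints the private and Microsoft peering descriptions above impose on a peering request (two /30 links to the pair of Microsoft edge routers, a VLAN ID, your peer ASN, and public addresses for Microsoft peering), derives the BGP neighbour addresses on each link, and renders the Azure CLI call that would create the peering. The resource names, address ranges and ASN are constructed; the VLAN range check and the list of non-public ranges are local approximations (ownership of a public prefix is validated by Microsoft, not locally); the `az` command is only printed, never executed.

```python
"""Pre-flight checks for an ExpressRoute peering request (added example)."""
from __future__ import annotations

import ipaddress
from typing import Iterable

MICROSOFT_ASN = 12076                        # Microsoft's ASN on every ExpressRoute peering
AZURE_RESERVED_ASNS = range(65515, 65521)    # 65515-65520 are reserved by Azure
PEERING_TYPES = ("AzurePrivatePeering", "MicrosoftPeering")

# ASSUMED local approximation of "not a public address": RFC 1918, CGNAT,
# loopback, link-local, "this" network, multicast and reserved space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/3")]


def link_addresses(subnet: str) -> tuple[str, str]:
    """Return (customer_ip, msee_ip) for one /30 peering link.

    Each peering runs on two links (primary and secondary) to a pair of
    Microsoft Enterprise Edge (MSEE) routers. On each /30 your router takes
    the first usable address and the MSEE takes the second; these are the
    BGP neighbour addresses you configure on-premises.
    """
    net = ipaddress.ip_network(subnet)           # strict: rejects host bits set
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{subnet}: peering links must be IPv4 /30 subnets")
    customer, msee = net.hosts()
    return str(customer), str(msee)


def looks_public(net: ipaddress.IPv4Network) -> bool:
    return not any(net.overlaps(r) for r in NON_PUBLIC)


def validate_peering(peering_type: str, primary: str, secondary: str,
                     vlan_id: int, peer_asn: int,
                     reserved: Iterable[str] = ()) -> list[str]:
    """Return the problems found; an empty list means the request is sane.

    `reserved` holds ranges the links must not overlap, e.g. the address
    space of the virtual networks you will link to the circuit.
    """
    problems: list[str] = []
    if peering_type not in PEERING_TYPES:
        problems.append(f"unsupported peering type {peering_type!r}")

    nets: dict[str, ipaddress.IPv4Network] = {}
    for label, subnet in (("primary", primary), ("secondary", secondary)):
        try:
            link_addresses(subnet)
            nets[label] = ipaddress.ip_network(subnet)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if len(nets) == 2 and nets["primary"] == nets["secondary"]:
        problems.append("primary and secondary links must use different /30 subnets")
    for label, net in nets.items():
        for rng in reserved:
            if net.overlaps(ipaddress.ip_network(rng)):
                problems.append(f"{label} {net} overlaps reserved range {rng}")
        if peering_type == "MicrosoftPeering" and not looks_public(net):
            problems.append(f"{label} {net}: Microsoft peering requires public "
                            "addresses owned by you or your connectivity provider")

    if not 1 <= vlan_id <= 4094:                 # ASSUMED: plain 802.1Q range check
        problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
    if not 1 <= peer_asn <= 4294967295:
        problems.append(f"peer ASN {peer_asn} is not a valid 16- or 32-bit ASN")
    elif peer_asn == MICROSOFT_ASN:
        problems.append(f"ASN {MICROSOFT_ASN} belongs to Microsoft and cannot be your peer ASN")
    elif peer_asn in AZURE_RESERVED_ASNS:
        problems.append(f"ASN {peer_asn} is in the Azure-reserved range 65515-65520")
    return problems


def az_peering_command(resource_group: str, circuit_name: str, peering_type: str,
                       primary: str, secondary: str, vlan_id: int, peer_asn: int,
                       shared_key: str | None = None,
                       advertised_prefixes: Iterable[str] = ()) -> str:
    """Render the Azure CLI call that would create the peering (printed, not run)."""
    parts = [
        "az network express-route peering create",
        f"--resource-group {resource_group}",
        f"--circuit-name {circuit_name}",
        f"--peering-type {peering_type}",
        f"--peer-asn {peer_asn}",
        f"--primary-peer-subnet {primary}",
        f"--secondary-peer-subnet {secondary}",
        f"--vlan-id {vlan_id}",
    ]
    if shared_key:
        parts.append(f"--shared-key {shared_key}")    # BGP MD5 authentication on both links
    if peering_type == "MicrosoftPeering":
        prefixes = list(advertised_prefixes)
        if not prefixes:
            raise ValueError("Microsoft peering must advertise at least one public prefix")
        parts.append("--advertised-public-prefixes " + " ".join(prefixes))
    return " \\\n  ".join(parts)


if __name__ == "__main__":
    # Constructed sample request; names, ranges and ASN are illustrative.
    req = dict(peering_type="AzurePrivatePeering", primary="10.255.0.0/30",
               secondary="10.255.0.4/30", vlan_id=100, peer_asn=65010)
    issues = validate_peering(reserved=["10.1.0.0/16"], **req)
    print("issues:", issues or "none")
    for label in ("primary", "secondary"):
        cust, msee = link_addresses(req[label])
        print(f"{label}: BGP neighbour {msee} (MSEE, AS{MICROSOFT_ASN}) from {cust}")
    print(az_peering_command("rg-hub", "er-circuit-01", shared_key="example-md5-key", **req))
```

Run it as a script to see the derived neighbour addresses and the rendered command; the `--shared-key` flag is the one knob that authenticates the BGP sessions, which is worth setting since the circuit itself provides no encryption.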

Azure public peering (deprecated for new circuits)

Some services, e.g., Azure Storage, SQL databases, and Websites, are offered on public IP addresses. Through the public peering routing domain you can connect privately to services hosted on public IP addresses, including the virtual IP addresses of cloud services: connect the public peering domain to your DMZ and reach all Azure services on public IP addresses from your WAN without traversing the Internet.

Connectivity is always initiated from your WAN to Microsoft Azure services; Azure services cannot initiate connections into your network through this routing domain. Once public peering is enabled, you can connect to all Azure services, but you cannot select the services for which routes are advertised. On Microsoft peering, which replaces public peering for new circuits, that selectivity is provided by route filters.

Aviatrix Enhances ExpressRoute Deployments

Aviatrix, with its advanced cloud network platform, complements Azure ExpressRoute by offering enhanced visibility, control, and security features. It addresses common challenges associated with cloud connectivity, such as complex configurations and management of cloud networking components. Aviatrix's solutions ensure that organizations can fully leverage ExpressRoute's benefits while maintaining a robust, secure, and efficient cloud network infrastructure.

Become the cloud networking hero of your business.

See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.