This chapter covers ExpressRoute Global Reach and FastPath, two advanced features that extend the capabilities of Azure ExpressRoute. On the AZ-104 exam, these topics appear in the 'Configure and manage virtual networking' section (objective 4.4) and typically account for 5-10% of networking questions. Understanding these features is critical because they enable direct, low-latency connectivity between on-premises networks across different Azure regions and optimize data path performance within a virtual network. This chapter provides the depth you need to answer scenario-based questions correctly, including configuration steps, limitations, and cost implications.
Jump to a section
Imagine two separate shipping ports, Port A and Port B, each owned by the same company, connected by a private submarine cable. Normally, if a ship in Port A needs to send cargo to a ship in Port B, it must first go out to the open ocean (the public internet), travel to a common hub, then enter Port B. This is slow, expensive, and insecure. ExpressRoute is like a private submarine cable directly connecting Port A to Port B, bypassing the open ocean. Now, ExpressRoute Global Reach is like laying an additional private cable directly between Port A and Port B, allowing ships from Port A to travel directly to Port B without even going through the local docking area (Microsoft Edge) of the other port. FastPath is like a high-speed express lane within Port A's harbor: when a ship arrives from Port B via the private cable, FastPath bypasses the main port inspection and routing office (the gateway) and goes directly to the dock, reducing latency. Without FastPath, every packet from Port B must first be inspected and routed by the port office (the ExpressRoute gateway), which adds delay. With FastPath, the packet goes directly from the submarine cable to the dock (the virtual network) without stopping at the office. This analogy maps exactly: ExpressRoute is the private connection, Global Reach connects two different ExpressRoute circuits across regions, and FastPath bypasses the gateway for faster data flow within a region.
What is ExpressRoute Global Reach?
ExpressRoute Global Reach is an add-on feature for Azure ExpressRoute that allows you to connect two or more on-premises networks together through Microsoft's global network, using ExpressRoute circuits. Without Global Reach, each on-premises site can connect to Azure via its own ExpressRoute circuit, but traffic between those on-premises sites must traverse the public internet or a private WAN. With Global Reach, you can enable direct connectivity between your on-premises sites across different Azure regions, bypassing the internet entirely. This is achieved by peering the ExpressRoute circuits at the Microsoft Enterprise Edge (MSEE) routers.
How Global Reach Works Internally
When you enable Global Reach on two ExpressRoute circuits (each connecting a different on-premises network to Azure), Microsoft configures BGP peering between the MSEE routers of those circuits. Specifically, the two circuits exchange routes for the on-premises prefixes via the Microsoft backbone. The traffic flow is: On-premises Site A -> ExpressRoute Circuit A -> MSEE Router A -> Microsoft backbone -> MSEE Router B -> ExpressRoute Circuit B -> On-premises Site B. This path is private and does not traverse the public internet. The BGP sessions are established over the Microsoft backbone, and the routes are advertised with a specific community string (12076:5010 for Global Reach).
Key Components and Defaults
ExpressRoute Circuits: Must be in different peering locations (e.g., one in Amsterdam, one in Dublin) or same location but different circuits. They can be in the same or different Azure regions.
BGP Peering: Global Reach uses BGP to exchange routes. The circuits must have private peering configured. The ASN for Microsoft is 12076.
Route Limits: Each ExpressRoute circuit can advertise up to 4000 prefixes via private peering (or 10,000 with premium add-on). Global Reach does not increase this limit; the combined prefixes from both circuits must still fit within the limit.
Bandwidth: The bandwidth between sites is limited by the smaller of the two ExpressRoute circuits. For example, if Circuit A is 1 Gbps and Circuit B is 10 Gbps, the Global Reach connection is limited to 1 Gbps.
Latency: Adds approximately 5-10 ms compared to a direct connection, due to the extra hop through the MSEE routers and backbone.
Configuration and Verification
To enable Global Reach, you use PowerShell or Azure CLI. Here is an example using Azure CLI:
# First, create the ExpressRoute circuits and configure private peering on each.
# Then, enable Global Reach on the two circuits:
az network express-route gateway connection create \
--resource-group RG1 \
--name connection-to-circuit2 \
--gateway-name ERGateway1 \
--peer-circuit /subscriptions/{sub-id}/resourceGroups/RG2/providers/Microsoft.Network/expressRouteCircuits/Circuit2 \
--routing-weight 10To verify, you can check the BGP status on your on-premises routers. You should see routes from the remote site with the Microsoft ASN 12076. You can also use az network express-route list-route-tables to view the routes.
What is ExpressRoute FastPath?
ExpressRoute FastPath is a feature that improves the data path performance between your on-premises network and Azure virtual networks by bypassing the ExpressRoute virtual network gateway. Normally, traffic from an ExpressRoute circuit to a virtual network goes through the gateway, which performs routing, network address translation, and other functions, adding latency (typically 5-10 ms per packet). FastPath sends traffic directly from the MSEE router to the virtual network's resources (e.g., VMs) without passing through the gateway. This reduces latency and improves throughput.
How FastPath Works Internally
FastPath uses a direct data plane connection between the MSEE router and the virtual network's subnet. The control plane still uses the gateway for route exchange (BGP), but the data plane bypasses it. When a packet arrives at the MSEE router, it looks up the destination IP in the virtual network's routing table (learned via BGP from the gateway). If the destination is in a subnet that is directly connected (i.e., in the same virtual network as the gateway), the MSEE router encapsulates the packet and sends it directly to the virtual network's host (the Hyper-V host where the VM resides). This is done using VXLAN encapsulation with a specific VNI that identifies the virtual network. The gateway is only used for control plane functions like route propagation and network policies (e.g., NSGs applied at the subnet level are still enforced by the host, not the gateway).
Key Components and Defaults
ExpressRoute Gateway: Must be UltraPerformance or ErGw3AZ (for AZ-104, know that FastPath requires a high-performance gateway SKU: UltraPerformance or ErGw3AZ). Standard and HighPerformance SKUs do not support FastPath.
Virtual Network: Must be directly connected to the ExpressRoute circuit via a connection. FastPath cannot be used with virtual network peering or VPN gateways.
Supported Regions: FastPath is available in all Azure regions, but some regions may have limitations. Check the documentation for the latest list.
Limitations: FastPath does not support private endpoints, UDRs on the gateway subnet, or network virtual appliances (NVAs) in the path. If you have an NVA, traffic must go through the gateway.
Performance: Reduces latency by up to 50% compared to gateway path. Throughput can increase by up to 10 Gbps depending on the gateway SKU.
Configuration and Verification
FastPath is enabled on the ExpressRoute connection object. Here is an example using PowerShell:
$connection = Get-AzExpressRouteConnection -ResourceGroupName RG1 -ExpressRouteGatewayName ERGateway1 -Name Connection1
$connection.FastPathEnabled = $true
Set-AzExpressRouteConnection -InputObject $connectionTo verify, you can check the connection properties:
Get-AzExpressRouteConnection -ResourceGroupName RG1 -ExpressRouteGatewayName ERGateway1 -Name Connection1 | Select-Object FastPathEnabledIf FastPath is enabled, FastPathEnabled will be True.
Interaction with Related Technologies
Global Reach and FastPath: These can be used together. Global Reach connects two on-premises sites via ExpressRoute, and FastPath can be enabled on each circuit to optimize traffic to their respective virtual networks. However, traffic between the two on-premises sites (via Global Reach) does not use FastPath because it does not enter a virtual network.
ExpressRoute Gateway: FastPath bypasses the gateway for data plane, but the gateway still handles control plane. If you disable the gateway, FastPath stops working.
Virtual Network Peering: FastPath only works for the virtual network directly connected to the ExpressRoute circuit. If you peer a spoke virtual network to the hub, traffic from ExpressRoute to the spoke will still go through the gateway (unless you use a gateway transit setup, but FastPath does not extend to peered networks).
Private Endpoints: FastPath does not support private endpoints. If you have a private endpoint in the virtual network, traffic to that endpoint will go through the gateway.
Exam-Relevant Details
Cost: ExpressRoute Global Reach has additional charges per GB of data processed. FastPath is free but requires a higher gateway SKU.
SLA: Both features are covered under the ExpressRoute SLA (99.95% availability) when properly configured.
Limitations: Global Reach cannot be used to connect circuits in the same peering location if they are in the same Azure region (e.g., two circuits in Amsterdam connecting to West Europe). This is a common exam trap. Also, Global Reach requires that both circuits have private peering configured.
Routing: With Global Reach, you must ensure that your on-premises routers do not advertise the same routes from both sites to avoid routing loops. Microsoft uses AS path prepending to prefer one path over another.
Summary of Commands
Enable Global Reach: Use az network express-route gateway connection create with --peer-circuit.
Enable FastPath: Use PowerShell Set-AzExpressRouteConnection with -FastPathEnabled $true.
Verify FastPath: Check FastPathEnabled property.
Check BGP routes: Use az network express-route list-route-tables or show ip bgp on-premises.
Identify ExpressRoute Circuits
You must have two ExpressRoute circuits in different peering locations (or same location but different Azure regions). Each circuit must have private peering configured and be connected to a virtual network gateway. For Global Reach, the circuits can be in the same or different subscriptions. For FastPath, you need a single circuit connected to a virtual network with an UltraPerformance or ErGw3AZ gateway.
Configure Private Peering
On each ExpressRoute circuit, configure private peering with a /30 subnet for the BGP session. Use a VLAN ID and a shared key (MD5 hash) for authentication. The BGP session is established between your on-premises router and the MSEE router. Verify the session is up using BGP commands (e.g., 'show ip bgp summary'). The ASN for Microsoft is 12076.
Create Virtual Network Gateways
For each circuit, create a virtual network gateway in the desired Azure region. The gateway SKU must be UltraPerformance or ErGw3AZ for FastPath. For Global Reach, any gateway SKU works. Connect the gateway to the ExpressRoute circuit using a connection object. Ensure the gateway subnet is created with a /27 or larger subnet.
Enable Global Reach
Use Azure CLI or PowerShell to create a connection between the two ExpressRoute circuits. Specify the peer circuit ID. This configures BGP peering between the MSEE routers. After enabling, routes from one on-premises network will appear in the route table of the other. Verify by checking BGP routes on your on-premises routers.
Enable FastPath
On the ExpressRoute connection object, set the FastPathEnabled property to true. This can only be done if the gateway SKU is UltraPerformance or ErGw3AZ. FastPath will then bypass the gateway for data traffic. Verify by checking the connection properties. Note that FastPath does not work with private endpoints or NVAs.
Enterprise Scenario 1: Global Retail Chain
A global retailer has data centers in London and Singapore, each connected to Azure via ExpressRoute (London to UK South, Singapore to Southeast Asia). They need real-time inventory synchronization between the two data centers, but the existing internet-based VPN is too slow and unreliable. By enabling ExpressRoute Global Reach, they achieve a private, low-latency connection between London and Singapore through the Microsoft backbone. The configuration involved creating ExpressRoute circuits (1 Gbps each) with private peering, then using the Azure CLI to enable Global Reach. The result: latency dropped from 200 ms (internet) to 120 ms (Microsoft backbone), and throughput is consistent at 1 Gbps (limited by the smaller circuit). A common mistake was forgetting to configure private peering on both circuits, which caused the Global Reach connection to fail. Also, they had to ensure that on-premises routers did not advertise overlapping routes to avoid routing loops.
Enterprise Scenario 2: Financial Services with High-Performance Requirements
A financial services firm uses ExpressRoute to connect their headquarters to Azure West US for trading applications. They need ultra-low latency for market data feeds. By enabling FastPath on their ExpressRoute connection (using an ErGw3AZ gateway), they reduced latency from 8 ms (gateway path) to 3 ms (FastPath). The configuration was straightforward: they upgraded the gateway to ErGw3AZ and enabled FastPath via PowerShell. However, they ran into an issue: they had a network virtual appliance (NVA) for firewall inspection in the path. FastPath cannot bypass the gateway if an NVA is present; traffic must go through the gateway. They had to redesign the network to remove the NVA from the data path or use Azure Firewall instead. Another limitation: they used private endpoints for some Azure services (e.g., Azure SQL), and FastPath does not support private endpoints, so those connections still went through the gateway.
Scenario 3: Multi-Region Disaster Recovery
A company has two Azure regions (East US and West US) each with its own ExpressRoute circuit connecting to separate on-premises sites. They use Global Reach to enable direct connectivity between the on-premises sites for database replication. They also enable FastPath on each circuit to optimize traffic between on-premises and their virtual networks. The challenge was managing the BGP routing: they had to ensure that the on-premises routers did not advertise the same prefixes from both sites. They used AS path prepending to make one path preferred. Additionally, they had to monitor bandwidth usage because Global Reach incurs data transfer costs. A misconfiguration led to a routing loop that caused a temporary outage; the fix was to add a route filter to block certain prefixes from being advertised via Global Reach.
What AZ-104 Tests
The exam objective 4.4 includes 'Configure ExpressRoute FastPath and Global Reach'. You should expect scenario-based questions where you must choose the correct feature to solve a connectivity problem. The exam tests:
When to use Global Reach vs. other connectivity options (e.g., VPN, VNet peering).
Prerequisites for FastPath (gateway SKU, no NVAs).
Limitations of both features.
Cost implications (Global Reach has per-GB charges, FastPath is free but requires higher gateway SKU).
Common Wrong Answers
'FastPath can be used with any ExpressRoute gateway SKU' – Wrong. FastPath requires UltraPerformance or ErGw3AZ. Candidates often assume it works with Standard or HighPerformance because they think 'faster' is always available.
'Global Reach can connect two ExpressRoute circuits in the same peering location and same Azure region' – Wrong. Microsoft does not allow this because it would create a redundant path that could cause routing loops. The circuits must be in different peering locations or different regions.
'FastPath works with private endpoints' – Wrong. FastPath does not support private endpoints. Candidates confuse FastPath with other performance features.
'Global Reach requires both circuits to be in the same subscription' – Wrong. They can be in different subscriptions. The exam tests cross-subscription scenarios.
Key Numbers and Terms
Gateway SKUs for FastPath: UltraPerformance (ErGw3AZ).
Microsoft ASN: 12076.
Global Reach community: 12076:5010.
Maximum prefixes per circuit: 4000 (standard) or 10,000 (premium).
Bandwidth between sites: limited by the smaller circuit.
FastPath latency reduction: up to 50%.
Edge Cases
FastPath with UDRs: If you have a UDR on the gateway subnet that forces traffic to an NVA, FastPath will not work. The exam may present a scenario where traffic is routed to an NVA and ask if FastPath can be used.
Global Reach with overlapping IP spaces: If both on-premises networks use the same IP range (e.g., 10.0.0.0/16), Global Reach will not work because routes conflict. You must use NAT or redesign IP addressing.
FastPath and VNet peering: If a spoke VNet is peered to the hub VNet that has the ExpressRoute gateway, FastPath does not extend to the spoke. Traffic from ExpressRoute to the spoke still goes through the gateway.
How to Eliminate Wrong Answers
If the question mentions 'reduce latency to VMs' and the gateway SKU is Standard, FastPath is not possible – eliminate any answer that says enable FastPath.
If the question asks to connect two on-premises sites and the circuits are in the same peering location and region, Global Reach is not possible – look for an alternative like VPN or third-party connectivity.
If the question mentions 'private endpoints' or 'NVAs', FastPath cannot be used – choose the option that keeps the gateway path.
ExpressRoute Global Reach connects two on-premises networks via Microsoft backbone using separate ExpressRoute circuits.
Global Reach requires circuits in different peering locations or different Azure regions; same location and region is not allowed.
FastPath bypasses the ExpressRoute gateway for data traffic, reducing latency by up to 50%.
FastPath requires UltraPerformance (ErGw3AZ) gateway SKU; Standard and HighPerformance do not support it.
FastPath does not work with private endpoints, NVAs, or VNet peering transit.
Global Reach incurs data transfer costs; FastPath is free.
Both features require private peering configured on the ExpressRoute circuits.
Microsoft ASN is 12076; Global Reach uses community 12076:5010.
These come up on the exam all the time. Here's how to tell them apart.
ExpressRoute Global Reach
Private connectivity through Microsoft backbone
Higher throughput (up to 10 Gbps per circuit)
More consistent latency (no internet variability)
Requires ExpressRoute circuit (dedicated fiber or partner)
Additional cost for data transfer
VPN Gateway (Site-to-Site)
Uses public internet with encryption (IPsec)
Throughput up to 1.25 Gbps per tunnel
Latency varies with internet conditions
Lower cost, no dedicated infrastructure needed
Easy to set up, no partner required
ExpressRoute FastPath
Bypasses virtual network gateway for data plane
Reduces latency by up to 50%
Requires UltraPerformance or ErGw3AZ gateway
Does not support private endpoints or NVAs
Free feature (no additional cost)
Standard Gateway Path
Traffic always passes through the gateway
Adds 5-10 ms latency per packet
Works with any gateway SKU
Supports all features including private endpoints and NVAs
No special requirements
Mistake
FastPath works with any ExpressRoute gateway SKU.
Correct
FastPath requires the UltraPerformance gateway SKU (ErGw3AZ). Standard and HighPerformance SKUs do not support FastPath.
Mistake
Global Reach can connect two ExpressRoute circuits in the same peering location and same Azure region.
Correct
Global Reach requires circuits to be in different peering locations or different Azure regions. Connecting two circuits in the same location and region is not allowed to prevent routing loops.
Mistake
FastPath bypasses all gateway functions, including route propagation.
Correct
FastPath only bypasses the data plane. The control plane (BGP route propagation) still goes through the gateway. Routes are still learned via the gateway.
Mistake
Global Reach is free of charge.
Correct
Global Reach has additional data transfer costs per GB processed. FastPath is free but requires a higher gateway SKU.
Mistake
FastPath works with virtual network peering and transit routing.
Correct
FastPath only works for traffic to the virtual network directly connected to the ExpressRoute circuit. It does not extend to peered virtual networks.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, but only if the ExpressRoute circuits are in different peering locations. For example, two circuits in Amsterdam and Dublin both connecting to West Europe can be connected via Global Reach. However, two circuits both in Amsterdam connecting to West Europe cannot. The exam tests this specific limitation.
No. FastPath bypasses the gateway, but if you have a UDR on the gateway subnet that forces traffic to an NVA, FastPath cannot be used because the NVA requires traffic to go through the gateway. You must remove the NVA or use Azure Firewall instead.
The maximum number of prefixes advertised via private peering is 4000 (standard) or 10,000 (with premium add-on). This limit applies to the total prefixes from both on-premises networks when using Global Reach. If you exceed this, you must use route filters or reduce prefixes.
Yes, you can enable FastPath on an existing connection, but you must first ensure the gateway SKU is UltraPerformance or ErGw3AZ. If it is not, you need to upgrade the gateway (which causes downtime). Use PowerShell or CLI to set the FastPathEnabled property.
No, Global Reach only supports IPv4. IPv6 traffic is not supported over Global Reach. This is a common exam detail.
FastPath will not work for traffic to that private endpoint. Traffic to the private endpoint will still go through the gateway. Other traffic (to VMs) can still use FastPath. However, it is recommended to avoid mixing FastPath and private endpoints in the same virtual network for simplicity.
Yes, Global Reach supports up to 10 circuits per connection. You can create a mesh topology by connecting multiple circuits together. However, each connection is a separate configuration. The exam may mention this as a scalability option.
You've just covered ExpressRoute Global Reach and FastPath — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?