This chapter covers the design and routing of Azure ExpressRoute circuits, a critical component for hybrid networking in enterprise architectures. For the AZ-305 exam, understanding ExpressRoute circuit design, including redundancy, routing domains, and BGP peering, is essential as it directly impacts high availability and connectivity requirements. Approximately 10-15% of exam questions touch on networking topics, with ExpressRoute being a key focus area. Mastering this content will help you design robust, secure, and compliant hybrid network solutions.
Think of ExpressRoute as a dedicated, private rail line from your corporate campus to a major logistics hub (Azure). Unlike the public internet—a shared highway with traffic jams, potholes, and potential hijackers—your private rail line provides a guaranteed, fast, and secure connection. You lease the tracks from a carrier (the connectivity provider) who builds the physical rail from your building to the hub. At your building, you have a loading dock (your router) that connects to the rail line. At the hub, there's a secure gate (the Microsoft Enterprise Edge, or MSEE) that only your trains can use. The rail line is physically separate from the public roads, so no one else can interfere. You can have two separate rail lines for redundancy (active/active or active/passive). The hub uses a system called BGP to know which buildings belong to you and how to route your cargo. If you want to connect multiple campuses, you can use the hub to interconnect them via the same private rail network, avoiding the public internet entirely. This is exactly how ExpressRoute works: it provides a private, dedicated connection between your on-premises network and Azure, bypassing the internet, with BGP for routing and multiple circuit options for redundancy.
What is ExpressRoute and Why Use It?
Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. This connection is more reliable, more secure, offers lower latencies, and provides higher bandwidth than typical internet-based connections. ExpressRoute connections do not go over the public internet, so they are not subject to internet latency, packet loss, or security risks. This makes ExpressRoute ideal for scenarios like disaster recovery, large-scale data migration, hybrid applications, and regulatory compliance where data cannot traverse the public internet.
How ExpressRoute Works: The Mechanism
An ExpressRoute circuit is a logical connection between your on-premises infrastructure and Microsoft's cloud. It is established through a connectivity provider (e.g., AT&T, Verizon, Equinix) that provisions a physical or virtual connection from your location to a Microsoft Enterprise Edge (MSEE) router at a peering location. The circuit is identified by a service key (a GUID) that you use to link the circuit to your Azure subscription.
Once the circuit is provisioned, you create two BGP sessions between your router and the MSEE routers: one for private peering (to access Azure VNets) and one for Microsoft peering (to access Microsoft SaaS services like Office 365, Dynamics 365, and Azure PaaS services). Each peering uses a /30 subnet for BGP peering IP addresses. Private peering uses VLAN ID 0 (default) or a custom VLAN ID, and Microsoft peering uses a public VLAN ID. BGP communities are used to control route advertisement and redistribution.
Redundancy and High Availability
Every ExpressRoute circuit consists of two redundant connections from the MSEE devices at the peering location to your provider's edge routers. These two connections are active/active by default, meaning both carry traffic simultaneously. For higher availability, you can create two ExpressRoute circuits (one primary, one secondary) connected to different MSEE devices at different peering locations. This is known as ExpressRoute Resiliency. The exam expects you to know that a single circuit provides redundancy within the same location, but for full resiliency, you need two circuits from different providers or locations.
BGP Routing and Route Advertisement
BGP (Border Gateway Protocol) is used to exchange routes between your on-premises network and Azure. For private peering, you advertise your on-premises prefixes to Azure, and Azure advertises the VNet address spaces back to you. For Microsoft peering, you advertise public IP prefixes that you own (or that are assigned to you), and Azure advertises Microsoft public IP prefixes. BGP timers: Keepalive interval is 60 seconds, hold timer is 180 seconds by default. You can configure custom BGP timers but the exam focuses on default values.
Route limits: For private peering, you can advertise up to 1000 routes from on-premises (200 with a standard circuit). For Microsoft peering, the limit is 200 routes. Azure will not accept more than the limit; excess routes are ignored. You can request a route limit increase by opening a support ticket.
ExpressRoute Gateways and Virtual Networks
To connect a VNet to an ExpressRoute circuit, you need an ExpressRoute gateway (a virtual network gateway) in the VNet. The gateway is deployed in a dedicated subnet called GatewaySubnet. The gateway SKU determines throughput and performance: Standard (1 Gbps), High Performance (2 Gbps), Ultra Performance (10 Gbps). For cross-region connectivity, you use ExpressRoute Global Reach, which allows you to connect two ExpressRoute circuits from different on-premises locations to each other through Azure's backbone, enabling private connectivity between your sites.
ExpressRoute Direct
ExpressRoute Direct gives you the ability to connect directly to Microsoft's global network at a peering location with two 10 Gbps or 100 Gbps ports. This bypasses the connectivity provider, giving you more control and potentially lower costs for high-bandwidth scenarios. It supports both active/active and active/passive configurations. The exam may ask about ExpressRoute Direct as a solution for large-scale data ingestion or when a provider is not an option.
Configuration and Verification Commands
To create an ExpressRoute circuit using Azure CLI:
az network express-route create --resource-group myRG --name myCircuit --bandwidth 1000 --provider "Equinix" --peering-location "Silicon Valley" --sku-family MeteredData --sku-tier Standard
To configure private peering:
az network express-route peering create --resource-group myRG --circuit-name myCircuit --peering-type AzurePrivatePeering --peer-asn 65001 --primary-peer-subnet 10.0.0.0/30 --secondary-peer-subnet 10.0.1.0/30 --vlan-id 100
To verify the circuit status:
az network express-route list --resource-group myRG -o table
az network express-route show --resource-group myRG --name myCircuit
Interaction with Related Technologies
ExpressRoute integrates with Azure VPN Gateway for site-to-site VPN as a backup (ExpressRoute + VPN failover). It also works with Azure Virtual WAN, where you can connect ExpressRoute circuits to a Virtual WAN hub for centralized networking. ExpressRoute Global Reach allows interconnection of circuits across regions. For monitoring, you can use Azure Monitor and Network Performance Monitor to track circuit health and performance.
Key Exam Values
Bandwidth options: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps.
SKU families: MeteredData (pay per GB) and UnlimitedData (fixed monthly fee).
SKU tiers: Standard (all regions) and Premium (global connectivity, increased route limits).
Route limits: 1000 routes for private peering (Standard), 4000 for Premium. Microsoft peering: 200 routes.
BGP ASN: Private peering uses a private ASN (e.g., 65001-65535). Microsoft peering requires a public ASN or a private ASN with a public IP.
VLAN ID: 0-4095 (VLAN 0 is reserved for QinQ circuits; Dot1Q circuits use a specific VLAN ID).
Provision ExpressRoute Circuit
Work with a connectivity provider to order an ExpressRoute circuit. The provider provisions the physical or virtual connection from your on-premises location to an MSEE router at a peering location. You receive a service key (GUID) from Azure after creating the circuit resource. The circuit status changes from 'Provisioning' to 'Provisioned' when the provider completes their part.
Configure BGP Peering
Configure private peering and/or Microsoft peering on the circuit. For private peering, specify a /30 subnet for primary and secondary BGP IP addresses, a VLAN ID, and an ASN (private). BGP sessions are established between your router and the MSEE routers. The hold timer is 180 seconds; keepalive is 60 seconds. Routes are exchanged once the session is up.
Link Circuit to Azure Subscription
Use the service key to link the ExpressRoute circuit to your Azure subscription via the Azure portal, CLI, or PowerShell. You can authorize multiple subscriptions (up to 10 for Standard, more with Premium). This step associates the circuit with your tenant and allows you to create connections to VNets.
Create ExpressRoute Gateway
Deploy an ExpressRoute virtual network gateway in the GatewaySubnet of your VNet. Choose the appropriate SKU (Standard, High Performance, Ultra Performance) based on bandwidth needs. The gateway will be the termination point for the BGP session from the MSEE router into your VNet. This step may take up to 45 minutes.
Connect Gateway to Circuit
Create a connection resource linking the ExpressRoute gateway to the circuit. This triggers the establishment of BGP peering between the gateway and the MSEE routers. The gateway learns on-premises routes via BGP and injects them into the VNet routing table. Traffic flows after the connection is established.
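The "Configure BGP Peering" step above, the `az network express-route peering create` command earlier in the chapter, and the route limits in the Key Exam Values list all depend on a handful of parameters that are easy to get wrong (a non-/30 peer subnet, VLAN 0 on a Dot1Q circuit, a public ASN on private peering, RFC 1918 space on Microsoft peering, too many routes for the SKU). The following pre-flight validator is an added example, not Azure's own tooling or code from this chapter: it checks those values offline before anything is submitted, and renders the matching CLI call as a dry run. It assumes the IANA 16-bit private ASN range (64512-65534) as the acceptable range for private peering, treats only RFC 1918 prefixes as unacceptable on Microsoft peering (a deliberately conservative check, since the chapter's own 203.0.113.0/24 example is documentation space), and uses the route limits exactly as this chapter states them.

```python
"""Pre-flight validator for ExpressRoute peering parameters (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumption: IANA 16-bit private ASN range, 64512-65534 inclusive. Azure also
# reserves some ASNs for its own use; this check does not enumerate them.
PRIVATE_ASN_RANGE = range(64512, 65535)

# RFC 1918 space can never be advertised on Microsoft peering.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Route limits as stated in this chapter: private peering 1000 (Standard) /
# 4000 (Premium), Microsoft peering 200.
ROUTE_LIMITS = {
    ("AzurePrivatePeering", "Standard"): 1000,
    ("AzurePrivatePeering", "Premium"): 4000,
    ("MicrosoftPeering", "Standard"): 200,
    ("MicrosoftPeering", "Premium"): 200,
}


@dataclass
class PeeringRequest:
    peering_type: str            # "AzurePrivatePeering" or "MicrosoftPeering"
    sku_tier: str                # "Standard" or "Premium"
    peer_asn: int
    primary_peer_subnet: str     # must be an IPv4 /30
    secondary_peer_subnet: str   # must be an IPv4 /30, disjoint from primary
    vlan_id: int
    advertised_prefixes: tuple = ()   # prefixes you intend to advertise over this peering


def _check_p2p_subnet(label, cidr):
    """Return a problem string, or None if cidr is a usable /30 for BGP peer IPs."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"{label} peer subnet {cidr!r} is not a valid network: {exc}"
    if net.version != 4 or net.prefixlen != 30:
        return f"{label} peer subnet {cidr} must be an IPv4 /30"
    return None


def validate_peering(req):
    """Return a list of problems; an empty list means the request looks sane."""
    problems = []

    # 1. Peer subnets: each a /30, and the two must not overlap.
    nets = {}
    for label, cidr in (("primary", req.primary_peer_subnet), ("secondary", req.secondary_peer_subnet)):
        problem = _check_p2p_subnet(label, cidr)
        if problem:
            problems.append(problem)
        else:
            nets[label] = ipaddress.ip_network(cidr)
    if len(nets) == 2 and nets["primary"].overlaps(nets["secondary"]):
        problems.append("primary and secondary peer subnets overlap")

    # 2. VLAN ID: 0-4095 is the valid range; 0 is reserved for QinQ circuits.
    if not 0 <= req.vlan_id <= 4095:
        problems.append(f"VLAN ID {req.vlan_id} is outside 0-4095")
    elif req.vlan_id == 0:
        problems.append("VLAN ID 0 is reserved for QinQ circuits; a Dot1Q circuit needs a specific VLAN ID")

    # 3. ASN and prefix rules differ per peering type.
    private_asn = req.peer_asn in PRIVATE_ASN_RANGE
    if req.peering_type == "AzurePrivatePeering":
        if not private_asn:
            problems.append(f"private peering expects a private ASN, got {req.peer_asn}")
    elif req.peering_type == "MicrosoftPeering":
        if private_asn and not req.advertised_prefixes:
            problems.append("Microsoft peering with a private ASN requires public IP prefixes you own")
        for prefix in req.advertised_prefixes:
            try:
                net = ipaddress.ip_network(prefix, strict=True)
            except ValueError as exc:
                problems.append(f"advertised prefix {prefix!r} is invalid: {exc}")
                continue
            if any(net.overlaps(r) for r in RFC1918):
                problems.append(f"{prefix} is RFC 1918 space and cannot be advertised on Microsoft peering")
    else:
        problems.append(f"unknown peering type {req.peering_type!r}")

    # 4. Route count against the chapter's stated limit for this peering/SKU.
    limit = ROUTE_LIMITS.get((req.peering_type, req.sku_tier))
    if limit is not None and len(req.advertised_prefixes) > limit:
        problems.append(f"{len(req.advertised_prefixes)} routes exceed the {limit}-route limit "
                        f"for {req.peering_type} on the {req.sku_tier} SKU")
    return problems


def az_peering_command(req, resource_group, circuit_name):
    """Render the equivalent `az network express-route peering create` call (dry run, never executed)."""
    return ("az network express-route peering create "
            f"--resource-group {resource_group} --circuit-name {circuit_name} "
            f"--peering-type {req.peering_type} --peer-asn {req.peer_asn} "
            f"--primary-peer-subnet {req.primary_peer_subnet} "
            f"--secondary-peer-subnet {req.secondary_peer_subnet} --vlan-id {req.vlan_id}")


if __name__ == "__main__":
    # Constructed request mirroring the chapter's CLI example.
    req = PeeringRequest("AzurePrivatePeering", "Standard", 65001, "10.0.0.0/30", "10.0.1.0/30", 100)
    print(validate_peering(req) or "no problems found")
    print(az_peering_command(req, "myRG", "myCircuit"))
```

Run the validator against the request you are about to submit; an empty list means the CLI call it prints is worth running, and each problem string names the parameter to fix, which is cheaper than waiting for a BGP session that never comes up.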
Enterprise Scenario 1: Hybrid Data Center Extension
A large financial services company has a primary data center in New York and a secondary in Chicago. They need to extend their on-premises network to Azure for disaster recovery and burst capacity. They order two ExpressRoute circuits: one from Equinix NY to Azure East US, and another from Equinix Chicago to Azure Central US. Both circuits are configured with private peering. They use BGP ASN 65001 on-premises. They advertise their on-premises /16 supernet to Azure. The circuits are active/active, with traffic load-balanced. They also enable ExpressRoute Global Reach to connect the two on-premises sites via Azure's backbone, eliminating the need for MPLS. Misconfiguration: If they forget to enable Global Reach on both circuits, the on-premises sites cannot communicate through Azure, and they must rely on their own WAN.
Enterprise Scenario 2: SaaS Access with Microsoft Peering
A global retail chain uses Office 365 and Dynamics 365. They want to ensure reliable, low-latency access for their employees. They deploy ExpressRoute circuits in each major region with Microsoft peering. They advertise their public IP prefixes (e.g., 203.0.113.0/24) to Azure. They configure route filters to control which Microsoft services are accessible over the ExpressRoute. They also set up a VPN gateway as a backup in case the ExpressRoute circuit fails. Performance: Each circuit provides 1 Gbps, and they use BGP communities to prioritize traffic. Common issue: If they advertise a prefix that overlaps with a Microsoft public prefix, BGP may reject the route, causing connectivity loss.
Enterprise Scenario 3: Large-Scale Data Ingestion
A media company needs to upload petabytes of video content to Azure Blob Storage daily. They use ExpressRoute Direct with 10 Gbps ports at a peering location. They connect their on-premises storage arrays directly to the Microsoft edge without a provider. They configure private peering to access VNets hosting the storage accounts. They use multiple circuits for load balancing and failover. Monitoring: They use Azure Monitor to track circuit utilization and set alerts for >80% utilization. Misconfiguration: If they use the wrong VLAN ID or BGP ASN, the peering will not establish, delaying the data transfer.
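Scenario 3 relies on an alert at more than 80% circuit utilization, and the monitoring paragraph earlier relies on Azure Monitor to surface BGP session health. The following detection logic is an added example, not Azure Monitor's alert engine or code from this chapter: it runs offline over constructed metric samples and shows two checks a practitioner would want on every circuit, sustained utilization above a threshold (measured against the provisioned bandwidth, taking the busier direction) and a BGP availability drop, which on a circuit with two MSEE connections means a session to at least one of them is down. The sample field names follow the circuit metrics Azure Monitor exposes (BitsInPerSecond, BitsOutPerSecond, BgpAvailability); the values, timestamps and the 1000 Mbps circuit size are constructed to match the chapter's CLI example.

```python
"""Threshold checks over ExpressRoute circuit metrics (added example, offline)."""
from collections import defaultdict

# Constructed samples: one-minute readings for a single circuit. Field names
# mirror Azure Monitor circuit metrics; the numbers are invented.
SAMPLES = [
    {"t": "2024-05-01T10:00:00Z", "circuit": "myCircuit", "BitsInPerSecond": 6.0e8, "BitsOutPerSecond": 2.0e8, "BgpAvailability": 100.0},
    {"t": "2024-05-01T10:01:00Z", "circuit": "myCircuit", "BitsInPerSecond": 8.5e8, "BitsOutPerSecond": 3.0e8, "BgpAvailability": 100.0},
    {"t": "2024-05-01T10:02:00Z", "circuit": "myCircuit", "BitsInPerSecond": 9.0e8, "BitsOutPerSecond": 1.0e8, "BgpAvailability": 100.0},
    {"t": "2024-05-01T10:03:00Z", "circuit": "myCircuit", "BitsInPerSecond": 1.0e8, "BitsOutPerSecond": 0.5e8, "BgpAvailability": 50.0},
    {"t": "2024-05-01T10:04:00Z", "circuit": "myCircuit", "BitsInPerSecond": 0.0, "BitsOutPerSecond": 0.0, "BgpAvailability": 0.0},
]

# Provisioned bandwidth per circuit, matching `--bandwidth 1000` in the chapter's CLI example.
CIRCUIT_BANDWIDTH_MBPS = {"myCircuit": 1000}


def utilization(sample, bandwidth_mbps):
    """Fraction of provisioned bandwidth in use, taking the busier direction."""
    peak_bps = max(sample["BitsInPerSecond"], sample["BitsOutPerSecond"])
    return peak_bps / (bandwidth_mbps * 1_000_000)


def evaluate(samples, bandwidths, util_threshold=0.80, sustained_samples=2):
    """Return (timestamp, circuit, message) alerts.

    A utilization alert fires once a circuit has been above util_threshold for
    sustained_samples consecutive samples (so a single spike does not page anyone).
    A BGP alert fires on every sample where BgpAvailability is below 100%.
    """
    alerts = []
    streak = defaultdict(int)
    for s in samples:
        name = s["circuit"]
        bw = bandwidths.get(name)
        if bw is None:
            alerts.append((s["t"], name, "unknown circuit bandwidth, cannot compute utilization"))
            continue
        u = utilization(s, bw)
        if u > util_threshold:
            streak[name] += 1
            if streak[name] == sustained_samples:
                alerts.append((s["t"], name,
                               f"utilization {u:.0%} above {util_threshold:.0%} for {sustained_samples} samples"))
        else:
            streak[name] = 0
        if s["BgpAvailability"] < 100.0:
            alerts.append((s["t"], name,
                           f"BGP availability {s['BgpAvailability']:.0f}% (session to at least one MSEE router down)"))
    return alerts


if __name__ == "__main__":
    for t, circuit, msg in evaluate(SAMPLES, CIRCUIT_BANDWIDTH_MBPS):
        print(f"{t} {circuit}: {msg}")
```

On the constructed samples the utilization alert fires on the third reading (the second consecutive sample above 80%), and the two BGP alerts that follow show the pattern worth recognising: a drop to 50% while traffic still flows means one of the circuit's two connections has lost its session, and 0% with no traffic means the circuit itself is down.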
What AZ-305 Tests on ExpressRoute
The AZ-305 exam tests your ability to design ExpressRoute solutions for high availability, performance, and security. Key objective codes: 4.2 (Design a site-to-site connectivity solution), 4.3 (Design for high availability), and 4.4 (Design for security). You must understand the differences between Standard and Premium SKUs, route limits, and redundancy options.
Common Wrong Answers and Why Candidates Choose Them
"A single ExpressRoute circuit provides full redundancy." This is false because a single circuit uses two connections within the same peering location. If the entire peering location fails, connectivity is lost. The correct answer is to use two circuits from different peering locations.
"ExpressRoute uses IPsec encryption." ExpressRoute does not encrypt traffic by default. Traffic is private but not encrypted. Candidates confuse it with VPN. Encryption is optional via additional technologies like MACsec (ExpressRoute Direct) or application-level encryption.
"Microsoft peering requires a private ASN." Actually, Microsoft peering requires a public ASN (or a private ASN if you own a public IP prefix). Private peering uses a private ASN. Candidates mix up the two.
"Premium SKU is needed for global connectivity." Standard SKU also provides global connectivity but with route limits. Premium adds increased route limits and connectivity to all geopolitical regions. The exam may ask about Premium for specific features like enhanced route limits.
Specific Numbers and Terms
Route limits: 1000 routes (Standard private peering), 4000 (Premium).
BGP hold timer: 180 seconds.
VLAN ID range: 0-4095 (0 reserved for QinQ).
Bandwidth options: 50 Mbps to 10 Gbps.
ExpressRoute gateway SKUs: Standard (1 Gbps), High Performance (2 Gbps), Ultra Performance (10 Gbps).
Edge Cases and Exceptions
ExpressRoute Direct supports MACsec encryption at Layer 2.
ExpressRoute FastPath bypasses the gateway for improved performance but requires certain configurations.
You can use ExpressRoute with Azure Virtual WAN to simplify network management.
Route filters are required for Microsoft peering to select which services are accessible.
How to Eliminate Wrong Answers
Use the underlying mechanism: If a question asks about redundancy, think about failure domains. A single circuit has a single point of failure at the peering location. For encryption, remember ExpressRoute is private, not encrypted. For peering, remember that Microsoft peering uses public IPs and public ASNs. For SKU, consider route limits and geopolitical regions. Always look for keywords like "encryption", "redundancy", "global", and "route limits" to guide your answer.
ExpressRoute provides a private, dedicated connection from on-premises to Azure, bypassing the internet.
Each ExpressRoute circuit has two redundant connections (active/active) within the same peering location.
For full high availability, use two circuits from different peering locations.
BGP is used for routing; private peering uses private ASNs, Microsoft peering uses public ASNs.
Route limits: 1000 routes for Standard, 4000 for Premium on private peering.
ExpressRoute Direct provides direct 10 Gbps or 100 Gbps connections without a provider.
Global Reach enables on-premises sites to communicate via Azure backbone.
ExpressRoute does not encrypt traffic by default; use MACsec or IPsec if needed.
These come up on the exam all the time. Here's how to tell them apart.
ExpressRoute Standard SKU
Route limit: 1000 routes for private peering
VNet connections: up to 10 per circuit
Geographic coverage: all Azure regions within a geopolitical region
Cost: lower monthly fee
Suitable for: most enterprise workloads within a single geopolitical region
ExpressRoute Premium SKU
Route limit: 4000 routes for private peering
VNet connections: up to 100 per circuit
Geographic coverage: all Azure regions globally
Cost: higher monthly fee
Suitable for: global enterprises requiring extensive connectivity and route tables
Mistake
ExpressRoute provides encrypted traffic by default.
Correct
ExpressRoute traffic is private but not encrypted. It traverses a dedicated connection that does not go over the internet, but the data is not automatically encrypted. For encryption, you must use additional measures like IPsec or MACsec.
Mistake
A single ExpressRoute circuit with two connections is fully redundant.
Correct
The two connections within a single circuit are redundant only within the same peering location. If the entire location fails, the circuit goes down. For full redundancy, you need two circuits from different peering locations.
Mistake
Microsoft peering uses the same BGP ASN as private peering.
Correct
Microsoft peering requires a public ASN (or a private ASN if you own a public IP prefix), while private peering uses a private ASN. They are configured separately and have different requirements.
Mistake
ExpressRoute Premium SKU is required for global connectivity.
Correct
Standard SKU supports global connectivity to all Azure regions. Premium SKU provides additional benefits like increased route limits and connectivity to all geopolitical regions, but it is not required for basic global connectivity.
Mistake
You can connect multiple VNets to a single ExpressRoute circuit without any limits.
Correct
A single ExpressRoute circuit can be connected to multiple VNets, but there are limits on the number of VNet connections and the total number of routes. Standard circuit supports up to 10 VNet connections (with authorization) and 1000 routes. Premium increases these limits.
The Standard SKU supports up to 1000 routes and 10 VNet connections per circuit, covering all Azure regions within a geopolitical region. The Premium SKU increases route limits to 4000 and VNet connections to 100, and provides global connectivity across all geopolitical regions. Premium is more expensive and is used for large-scale global deployments.
Each ExpressRoute circuit includes two connections (primary and secondary) from the MSEE routers to your provider's edge. These are active/active by default. For full redundancy across locations, you should provision two circuits at different peering locations. This protects against a single peering location failure.
Yes, through ExpressRoute Direct. This allows you to connect directly to Microsoft's edge routers at a peering location using 10 Gbps or 100 Gbps ports, bypassing a provider. It is ideal for high-bandwidth scenarios or when a provider is not available.
BGP is used to exchange routing information between your on-premises network and Azure. For private peering, you advertise your on-premises prefixes to Azure, and Azure advertises VNet prefixes back. For Microsoft peering, you advertise public IP prefixes. BGP ensures dynamic route propagation and failover.
You can use Azure Monitor to track circuit metrics like bandwidth utilization, packet drops, and BGP session status. Network Performance Monitor (NPM) provides end-to-end network performance monitoring. Alerts can be configured for threshold breaches.
FastPath is a feature that improves network performance by bypassing the ExpressRoute gateway for traffic between on-premises and Azure. It reduces latency and increases throughput. It is available for select gateway SKUs and requires specific configurations.
Yes, you can connect up to 10 VNets per circuit with Standard SKU, and up to 100 with Premium. Each VNet connection requires an authorization from the circuit owner. The VNet must have an ExpressRoute gateway in the same region as the circuit.