In the previous chapter, we introduced the virtual private network (VPN) gateway service as a way to connect on-premises networks to Azure. While this method provides a secure connection, it may not always be the best option for scenarios that require high predictability and performance. In this chapter, we will explore the implementation of ExpressRoute, another gateway service offered by Azure, as an alternative solution for remote network connectivity.

You will cover the following topics in this chapter:

• Understanding what ExpressRoute is and its main use cases
• Understanding ExpressRoute components
• Deciding on an ExpressRoute connectivity model
• Selecting the right ExpressRoute circuit stock-keeping unit (SKU)
• Selecting the right ExpressRoute gateway SKU
• Improving data path performance with ExpressRoute FastPath
• Designing and implementing cross-network connectivity...

To follow along with the instructions in this chapter, you will need the following:

• A PC with an internet connection
• An Azure subscription

In the previous chapter, we covered one of the services that we can use to establish hybrid network connectivity in Azure—the VPN gateway. We explained that it can be used to create an encrypted tunnel between remote networks or users and the Azure virtual network (VNet) over the public internet.

The VPN gateway establishes a secure connection, but network throughput is not guaranteed as traffic is sent over the public internet. Once network traffic leaves any of the connected networks, the throughput is unpredictable as we have very little control over how the traffic is routed or processed (Figure 6.1). This makes this option non-ideal in situations where guaranteed low latency is required. For example, we may have a business requirement to ensure predictable performance for mission-critical services. To achieve this, we can implement ExpressRoute connectivity:

Figure 6.1 – Throughput...

The purpose of ExpressRoute is to connect a remote customer network to a customer’s Azure VNet or a customer’s Microsoft cloud service tenant. But to understand how ExpressRoute works, we need to understand the components that an ExpressRoute connection is made of. Take a look at the following diagram:

Figure 6.3 – ExpressRoute key network components

Figure 6.3 illustrates the logical connection of a customer network to the Microsoft network using ExpressRoute. The numbers in the diagram represent important network points, listed as follows:

1. On-premises devices: Devices located physically within an organization’s premises.
2. Customer edge (CE) routers: Routers used by customers to connect to their ExpressRoute partner network.
3. Provider edge devices facing CE routers: These are routers/switches used by ExpressRoute service providers (SPs) to connect to CE routers.
4. Partner...

When architecting an ExpressRoute connection, there are different connectivity models that we can implement for a circuit—a provider model and an ExpressRoute direct model. We need to specify the option that we’re using when we create our ExpressRoute gateway (Figure 6.4). Let’s have a look at the different models:

Figure 6.4 – Selecting an ExpressRoute connectivity model

Understanding the provider model

The provider model connects a remote network to the Azure network through a third-party provider connection network. To establish this connection, we need to work with a partner that specializes in ExpressRoute connectivity (as shown in Figure 6.3).

Figure 6.3, which we saw earlier, actually illustrates the logical connection of a customer network to the Microsoft network using the provider model.

Depending on the service offerings of the ExpressRoute partner that we choose...

After deciding which ExpressRoute model we want to implement, we need to decide on an ExpressRoute circuit SKU to implement. Provisioning an ExpressRoute circuit establishes a redundant Layer 2 connection between CE/partner edge routers and the Microsoft edge routers. To do this, we need to decide on the ExpressRoute circuit SKU to implement. We have three SKU options to select from depending on our organization’s requirements—Local, Standard, and Premium (Figure 6.9):

Figure 6.9 – Selecting an ExpressRoute SKU

To be able to select the right option, we need to understand the available options and how they fit within the design of an ExpressRoute implementation. Let’s look at them in more detail.

The first option, Local, can provide connectivity to VNets in one or two Azure regions in the same metro/geographical area. For example, if we implemented an ExpressRoute Local circuit...

After deciding which ExpressRoute circuit SKU we want to implement, we need to decide on an ExpressRoute gateway SKU to implement. An ExpressRoute gateway is a service that connects an ExpressRoute circuit with an Azure VNet (Figure 6.15):

Figure 6.15 – Sample ExpressRoute implementation

When we create an ExpressRoute gateway service, we need to specify the SKU that we want to use (Figure 6.16) based on our organization’s requirements. We have the following SKU options to choose from:

• Standard/ErGw1AZ
• High performance/ErGw2AZ
• Ultra performance/ErGw3AZ:

Figure 6.16 – ExpressRoute gateway SKU options

The Standard and ErGw1AZ options support a maximum of four ExpressRoute circuit connections and up to 1 Gbps bandwidth.

The High performance and ErGw2AZ options support a maximum of eight ExpressRoute circuit connections. The gateway instances...

The FastPath feature of ExpressRoute is designed to improve data path performance between connected remote networks and Azure VNets. To understand how the FastPath feature works, we need to understand the default behavior without it.

By default, the ExpressRoute gateway performs two main tasks—exchanging network routes with our remote networks AND routing network traffic to Azure VNet resources (Figure 6.22). Routing the network traffic adds a little processing overhead, which impacts performance metrics such as packets per second (PPS) and connections per second (CPS):

Figure 6.22 – Traffic routing without FastPath

When enabled, FastPath sends network traffic directly to VNet resources, bypassing the gateway (Figure 6.23). This results in higher throughput and overall better performance!

FastPath is available for all ExpressRoute circuits, but the ExpressRoute gateway must...

By default, ExpressRoute connections route network traffic only between connected remote networks and Azure VNets. For example, an organization has two branch offices connected to Azure networks (as shown in Figure 6.26), as follows:

• A remote network in London that connects to an Azure network in “UK South” via an ExpressRoute circuit in London
• A remote network in New York that connects to an Azure network in “East US” via an ExpressRoute circuit in New York

The result of this connectivity is that the 10.30.0.0/16 network can communicate with the 10.10.0.0/16 network, and the 10.40.0.0/16 network can communicate with the 10.20.0.0/16 network. However, no other cross-network communication will be possible:

Figure 6.26 – Single-region ExpressRoute connection scenario

Enhancing cross-network connectivity using VNet peering

To enhance...

Securing data in transit is important to mitigate security threats such as eavesdropping attacks and data theft. By default, ExpressRoute provides private connectivity but not secure (or encrypted) connectivity. For highly regulated organizations in areas such as banking and government, this may not be sufficient to meet their data security requirements, which is why Microsoft offers two optional solutions for encrypting data in transit on an ExpressRoute circuit—point-to-point encryption with MACsec and end-to-end encryption with IPsec.

Let’s start with MACsec, which is only supported for the ExpressRoute Direct implementation. MACsec stands for Media Access Control Security. It is a Layer 2 encryption implementation that can be used to encrypt physical links. Once we configure it, the BGP data traffic and customer data traffic is encrypted in hardware on the routers between our network devices and Microsoft...

No network is completely fault-proof! Hardware issues or incorrect configurations can happen. To mitigate the effects of these failures, it is essential to have a well-designed network that includes mechanisms to minimize their impact.

Every ExpressRoute circuit is established with a primary and secondary connection between a redundant pair of CE/partner edge routers and Microsoft edge routers (as shown in Figure 6.32). The routing between these two sides is managed by BGP, which also detects any downlinks and automatically switches to the other available link:

Figure 6.32 – ExpressRoute redundancy

BGP uses two key parameters to detect link failures and initiate failover—the keep-alive time and the holdtime. Keep-alive messages are sent between the routers to confirm that the connection is still active. The frequency of these messages is determined by the configured keep-alive time. On Microsoft...

Here are the tasks that we will complete in this exercise:

• Task 1 – create a VNet and gateway subnet
• Task 2 – deploy the ExpressRoute VNet gateway service
• Task 3 – create and provision an ExpressRoute circuit
• Task 4 – retrieve your service key (you need to send this to your SP)
• Task 5 – check serviceProviderProvisioningState status
• Task 6 – connect the ExpressRoute gateway to the ExpressRoute circuit
• Task 7 – deprovision an ExpressRoute circuit
• Task 8 – clean up resources

Let’s get into this!

Task 1 – create a VNet and gateway subnet

To implement an ExpressRoute gateway, the first thing to do is to create a VNet with a gateway subnet called GatewaySubnet (the subnet cannot be named anything else). Also, this must be a dedicated subnet, which means no other resource should be deployed into it apart from...

In this chapter, we delved into the topic of ExpressRoute and its various use cases. We began by discussing the components of an ExpressRoute connection, including the connectivity model, circuit SKU, and gateway SKU. We then explored ways to improve data path performance with ExpressRoute FastPath, as well as how to design and implement cross-network connectivity over ExpressRoute. We concluded by providing guidance on the implementation of encryption, BFD, and a hands-on exercise for implementing an ExpressRoute gateway.f

This chapter equips you with the knowledge and skills necessary to excel on the ExpressRoute objectives of the certification exam and effectively work with ExpressRoute in real-world scenarios.

In the next chapter, we will learn about designing and implementing the Azure virtual WAN service. See you there!