Adopting and getting used to a new technology is not always easy. When a traditional Network Engineer starts facing newer and less traditional technologies such as Public Clouds, it is very likely that the first, or one of the first, problems he or she will face is linking on-prem infrastructure with the public cloud. In Azure, this task is done by an Express Route.
As a traditional Network Engineer for so many years, it was simple for me to grasp how a Cisco router would exchange routes with an Express Route object using BGP. On the other hand, as someone not so savvy in Azure, I had a somewhat hard time understanding which building blocks need to be implemented so that an Azure Virtual Network can use an Express Route.
After some time spent browsing through the Microsoft Azure documentation I was able to put together the following very simple schematic of an Express Route to Virtual Network connection:
Assuming that a router has already been configured for BGP peering with the Express Route, along with a subinterface or q-in-q (for more on this look at this link), and that the Virtual Network on the Azure side has also been configured, here are the steps to build the three middle objects in the topology above:
1.- Create an Express Route object
1.1 First we need to create an Express Route Resource.
1.2 After this, we need to set the Express Route parameters. Among these parameters, there are some that we need to look at in more detail. The Provider setting lets us select from a very extensive list of ISPs for the Express Route connection, such as Equinix, Megaport, Zayo and others. At this point, and as a prerequisite for this, we should have already contracted this connection with the provider; here we are just activating it. After selecting the provider, we will be able to select a location from a list that depends on where that provider offers peering with Microsoft. Depending on the provider there will also be different Bandwidth options. The SKU will determine the level of support we are going to get for the Express Route. A Premium SKU will provide, for instance, support for more Virtual Networks than basic, as well as some other higher limits. The Billing Model can be Metered or Unlimited; both of them apply to outbound traffic only (there are no limits for inbound traffic).
1.3 After defining these parameters, we need to go to the Overview page of the Express Route circuit and copy the service key.
1.4 This service key needs to be sent to the Express Route connection provider for provisioning. For some providers, this key can be entered directly in a control panel for the circuit. After this, the circuit status needs to show the following:
Provider Status: Provisioned
Circuit Status: Enabled
1.5 Now it is time to configure the Peering. In the use case discussed here, we are going to configure an Azure Private peering with the on premises router.
1.6 The peer ASN is the Autonomous System of our on-premises router. Then we configure a Primary and a Secondary subnet, both of them with a /30 mask. These two subnets can be peered with a single router that has two redundant links (normally connected to different ISPs), or with two different routers in a dual-homed fashion. In both cases, the first usable address should be assigned to the router side of the link, and the second usable address will be used by the Express Route side of the peering. The VLAN ID should be the same as the VLAN configured on the router side. If q-in-q has been configured on the router, the VLAN configured here corresponds to the outer dot1q VLAN and not the second VLAN. For example, if the router side is configured with encapsulation dot1Q 154 second-dot1q 310, we need to configure VLAN 154 on the Express Route side.
2.- Create a Virtual Network Gateway Object
We need to create a Virtual Network Gateway of type Express Route to create a site-to-site VPN connection between the Azure virtual network and the on-prem network.
It is important to select ExpressRoute as the Gateway Type. Here we link this Virtual Network Gateway with the Virtual Network (TestVNet in this example). We can create a new Public IP Address here on the fly, or have created it previously and select it here.
3.- Create a Connection Object
To link an Express Route Circuit to a Virtual Network Gateway, and consequently to a Virtual Network, we need to configure a Connection Object.
Verify that the connection is working, for example by checking the route table learned over the private peering.
Now we have an Express Route circuit connected to our Virtual Network and to our on-premises routers.
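The same three steps (circuit and private peering, ExpressRoute gateway, connection object) can be scripted with the Azure CLI. The script below is an added example and is not part of the original post; every resource name, subnet, ASN, VLAN and the resource group are hypothetical sample values, and the `az` calls only run when `RUN_AZ=1` is set so that the two helper functions (the /30 address split from step 1.6 and the status check from step 1.4) can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: the three build steps scripted
# with the Azure CLI. All names, subnets, the ASN and the VLAN are hypothetical.
# The az commands are only executed when RUN_AZ=1 is set.
set -eu

RG="rg-expressroute-demo"            # hypothetical resource group
LOCATION="westus2"                    # Azure region of the circuit and VNet
CIRCUIT="er-circuit-demo"             # step 1: ExpressRoute circuit name
PROVIDER="Equinix"                    # one of the ISPs named in the post
PEERING_LOCATION="Silicon Valley"     # depends on the chosen provider
BANDWIDTH=200                         # Mbps
PEER_ASN=65010                        # on-premises router's AS (hypothetical)
PRIMARY_SUBNET="192.0.2.0/30"         # constructed sample /30 (documentation range)
SECONDARY_SUBNET="192.0.2.4/30"
VLAN_ID=154                           # outer (dot1q) VLAN, as in the post's example
VNET="TestVNet"                       # step 2: VNet name from the post
GATEWAY="TestVNet-ergw"
GW_PIP="TestVNet-ergw-pip"
CONNECTION="er-to-TestVNet"           # step 3: connection object name

# Given a /30, print "<router-side> <azure-side>": the first usable address
# goes to the on-premises router, the second to the ExpressRoute side.
peer_addresses() {
    net=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "30" ] || { echo "expected a /30, got /$prefix" >&2; return 1; }
    a=${net%%.*}; rest=${net#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    [ $((d % 4)) -eq 0 ] || { echo "$1 is not aligned to a /30" >&2; return 1; }
    echo "$a.$b.$c.$((d + 1)) $a.$b.$c.$((d + 2))"
}

# Step 1.4: the circuit is ready for peering only when the provider has
# provisioned it and Azure reports it as enabled.
circuit_ready() {
    [ "$1" = "Provisioned" ] && [ "$2" = "Enabled" ]
}

build_expressroute() {
    # 1.1/1.2 create the circuit: provider, peering location, bandwidth, SKU, billing model
    az network express-route create -g "$RG" -n "$CIRCUIT" -l "$LOCATION" \
        --provider "$PROVIDER" --peering-location "$PEERING_LOCATION" \
        --bandwidth "$BANDWIDTH" --sku-tier Standard --sku-family MeteredData

    # 1.3 read the service key; it is handed to the provider out of band
    az network express-route show -g "$RG" -n "$CIRCUIT" --query serviceKey -o tsv

    # 1.4 stop here until the provider has provisioned the circuit
    prov=$(az network express-route show -g "$RG" -n "$CIRCUIT" \
        --query serviceProviderProvisioningState -o tsv)
    circ=$(az network express-route show -g "$RG" -n "$CIRCUIT" \
        --query circuitProvisioningState -o tsv)
    circuit_ready "$prov" "$circ" || { echo "circuit not ready: $prov/$circ" >&2; return 1; }

    # 1.5/1.6 Azure private peering: peer ASN, primary and secondary /30, outer VLAN
    az network express-route peering create -g "$RG" --circuit-name "$CIRCUIT" \
        --peering-type AzurePrivatePeering --peer-asn "$PEER_ASN" \
        --primary-peer-subnet "$PRIMARY_SUBNET" \
        --secondary-peer-subnet "$SECONDARY_SUBNET" --vlan-id "$VLAN_ID"

    # 2 ExpressRoute-type Virtual Network Gateway with its own public IP
    az network public-ip create -g "$RG" -n "$GW_PIP" -l "$LOCATION" \
        --sku Standard --allocation-method Static
    az network vnet-gateway create -g "$RG" -n "$GATEWAY" -l "$LOCATION" \
        --vnet "$VNET" --gateway-type ExpressRoute --sku Standard \
        --public-ip-address "$GW_PIP"

    # 3 Connection object linking the gateway to the circuit
    circuit_id=$(az network express-route show -g "$RG" -n "$CIRCUIT" --query id -o tsv)
    az network vpn-connection create -g "$RG" -n "$CONNECTION" -l "$LOCATION" \
        --vnet-gateway1 "$GATEWAY" --express-route-circuit2 "$circuit_id"

    # verification: routes learned over the primary link of the private peering
    az network express-route list-route-tables -g "$RG" -n "$CIRCUIT" \
        --peering-name AzurePrivatePeering --path primary -o table
}

# Offline part: print the addressing the router and Azure sides must use.
for s in "$PRIMARY_SUBNET" "$SECONDARY_SUBNET"; do
    set -- $(peer_addresses "$s")
    echo "$s: router side $1, ExpressRoute side $2"
done

if [ "${RUN_AZ:-0}" = "1" ]; then
    build_expressroute
fi
```

Run it without `RUN_AZ` to see the router-side and ExpressRoute-side addresses for both /30s; run it with `RUN_AZ=1` after `az login` to create the resources. The provisioning check in step 1.4 is deliberately a hard stop: the peering and connection calls fail until the provider has provisioned the circuit, so there is no point continuing before both status fields read as the post describes.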
References
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-circuit-portal-resource-manager
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-routing-portal-resource-manager
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-locations#partners
https://www.cisco.com/c/en/us/solutions/collateral/cloud/guide-c07-740698.html
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager