1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Implementing Azure ExpressRoute

Choosing Between Private Peering, Microsoft Peering, or Both

Start course

As dependency on cloud services grows, so does the need for a reliable, low-latency network connection to the cloud. Also, some organizations and government agencies require a dedicated connection that does not pass network traffic over the public internet. Azure ExpressRoute provides a dedicated, redundant connection to Azure cloud services.  

In this course, we examine Azure ExpressRoute. Azure ExpressRoute creates a reliable, dedicated connection between an organization's on-premises environment and Microsoft Azure. We cover design considerations when planning for ExpressRoute, requirements for installing ExpressRoute, and management and troubleshooting tasks. The learning objectives for this course map to the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam.

Learning Objectives

  • Choose between provider and direct model (ExpressRoute Direct)
  • Design and implement Azure cross-region connectivity between multiple ExpressRoute locations
  • Select an appropriate ExpressRoute SKU and tier
  • Design and implement ExpressRoute Global Reach and ExpressRoute FastPath 
  • Choose between private peering only, Microsoft peering only, or both
  • Configure private peering and Microsoft peering
  • Create and configure an ExpressRoute gateway
  • Connect a virtual network to an ExpressRoute circuit
  • Recommend a route advertisement configuration
  • Configure encryption over ExpressRoute
  • Implement Bidirectional Forwarding Detection
  • Diagnose and resolve ExpressRoute connection issues

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking, routing, and VPN concepts

In this lecture we are going to review peering, what it is and how it's used with ExpressRoute. We'll start out with a simple question, what is peering? Network peering is when two autonomous networks directly connect to exchange traffic. Most organizations have a private network and that network is typically isolated from other networks with Firewalls and other security services. Commonly, these networks are isolated from others with the exception of restricted access to the internet. We can refer to these as Routing Domains.

A routing domain is also known as an autonomous system, or simply AS. An Autonomous system is a collection of networks administered as a single entity. An Autonomous System Number, or ASN, is a number from one to 64511 available from the Internet Assigned Numbers Authority, or IANA, a governing body that manages ASN number assignments as well as other internet numbers. Autonomous System Numbers 64512 to 65535 are reserved from private use.

An AS Number is used to identify an Autonomous system, or routing domain. Peering takes place when two of these Autonomous systems connect and exchange BGP routing information. Peering connects autonomous systems. We have two options available when peering with ExpressRoute. Well three kind of, we'll cover that in a minute.

There's the option for Azure Private Peering. Azure Private Peering connects an on-premises network to Azure Compute service, such as Infrastructure as a service or IaaS VM and cloud Platform as a service, or PaaS services. Microsoft peering connection on-premises networks to Microsoft 365 and Azure PaaS services, Office products for example. The last option is Public Peering. It's not really an option because public peering is depreciated for all new ExpressRoute circuits. We won't go into details on public peering because it's depreciated, but it's worth mentioning if you ever run into it on older ExpressRoute circuits.

Let's take a closer look at Azure Private Peering. One goal of implementing ExpressRoute is to connect on-premises networks with remote Azure networks. Private peering connects an on-premises network with Azure Cloud services such as virtual networks and resources connected to those virtual networks. Azure private peering makes the Azure networks a trusted extension of the core, on-premises network. What about Microsoft Peering? We mentioned already that Microsoft Peering connection on-premises networks with Microsoft 365 and Azure Pass Services.

With Microsoft Peering, on-premises networks can access the Public IP address ranges of the Microsoft services over the ExpressRoute connection. Note that Microsoft peering appears with the public IP address, that's an important distinction. Some of the services include with Microsoft Peering are Microsoft 365 products like Office, PowerBI, Azure Active Directory, Azure DevOps, and Azure Public IP address for IaaS service such as Virtual Machines, virtual Network gateways and load balancers. There are others as well. Microsoft peering supports connectivity to publicly available services over ExpressRoute.

We need to review Microsoft 365 and ExpressRoute before moving on. Although it is possible to connect with Microsoft 365 services over ExpressRoute, Microsoft 365 was designed for secure and reliable connectivity over the internet. Microsoft does not recommend connecting to Microsoft 365 over ExpressRoute in most circumstances because it may not provide the best connectivity. It may be necessary to peer with Microsoft 365 for government agencies or other secure environments with laws the prevent access to data over a public network. Microsoft must authorize connecting to Microsoft 365 over ExpressRoute. Also, connecting to Microsoft 365 requires the ExpressRoute Premium add on.

Let's go back to the previous diagram. Azure Private Peering takes place between a private network and private endpoints in Azure, such as a VNet. The configuration creates a direct connection between the two networks. Microsoft peering uses the public IP addresses for connectivity. Because of that, the recommended configuration for Microsoft Peering is to connect to the organizations DMZ. This forces sessions to public IP's out the DMZ from the internal network, for both peered resources or public Internet access. Also, with this configuration, security rules are still in affect from the DMZ to the internal network.

Now that we have an understanding of the differences between Private Peering and Microsoft Peering, let's compare some of the settings and limitations for each. Private peering supports 4000 IP Prefixes for peering, 10,000 if using Premium. Microsoft peering supports 200. Private peering supports any IP address valid on the internal WAN. For Microsoft Peering, Public IP address must be owned by the organization or the company providing connectivity. A private AS number or a public AS number that the organization owns is required for public peering.

Microsoft Peering supports private and public AS numbers, The organization must own public IP addresses used. Both support IPv4 and IPv6 and MD5 Hash. Deciding what peering option to choose depends on the type of services that require access. If an organization requires access to services available on the Azure Network, such as IaaS VM's or services with a private endpoint, Azure Private peering will provide that connectivity. If secure, private access is required for services like Power BI, Microsoft 365 and Azure AD, Microsoft Peering is an option. Express route can also peer with both if that's required.

About the Author
Travis Roberts
Cloud Infrastructure Architect

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.