
Configuring Microsoft and Private Peering


As dependency on cloud services grows, so does the need for a reliable, low-latency network connection to the cloud. Also, some organizations and government agencies require a dedicated connection that does not pass network traffic over the public internet. Azure ExpressRoute provides a dedicated, redundant connection to Azure cloud services.  

In this course, we examine Azure ExpressRoute. Azure ExpressRoute creates a reliable, dedicated connection between an organization's on-premises environment and Microsoft Azure. We cover design considerations when planning for ExpressRoute, requirements for installing ExpressRoute, and management and troubleshooting tasks. The learning objectives for this course map to the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam.

Learning Objectives

  • Choose between provider and direct model (ExpressRoute Direct)
  • Design and implement Azure cross-region connectivity between multiple ExpressRoute locations
  • Select an appropriate ExpressRoute SKU and tier
  • Design and implement ExpressRoute Global Reach and ExpressRoute FastPath 
  • Choose between private peering only, Microsoft peering only, or both
  • Configure private peering and Microsoft peering
  • Create and configure an ExpressRoute gateway
  • Connect a virtual network to an ExpressRoute circuit
  • Recommend a route advertisement configuration
  • Configure encryption over ExpressRoute
  • Implement Bidirectional Forwarding Detection
  • Diagnose and resolve ExpressRoute connection issues

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


Prerequisites

  • A basic understanding of networking, routing, and VPN concepts

Welcome to the lecture where we review the steps to set up Microsoft and Azure Private Peering. We'll get started with configuring Microsoft Peering. Before we get started with peering, go to the ExpressRoute Circuit and verify the Provider status shows provisioned. We can't move forward until the ExpressRoute Circuit is fully provisioned. Under peering types, select Microsoft. We'll start by supplying an AS number for Peering. 

Next is the IP address; we can specify IPv4, IPv6, or both. We add a pair of subnets for the primary and secondary link. From these subnets, the first usable IP is assigned to the local router and the second usable IP is used by Microsoft. Also add an advertised public prefix. This is a list of all prefixes advertised over the BGP session. If using multiple prefixes, use a comma-separated list. These prefixes must be registered to the organization at an Internet Routing Registry or regional internet registry.

Notice on the screen it indicates validation is needed. Add the VLAN ID. No other peering in the circuit can use this VLAN ID. The same VLAN ID is used on both the primary and secondary links. Adding a customer ASN is optional. Select the routing registry name. This is the registry the AS number and address prefixes are registered to. The last option is a shared key. Add the shared key to use MD5 hash on the circuit.

Microsoft will not peer with customers' public IP addresses unless they are owned by the customer. In this example, validation is needed. This requires a support ticket to Microsoft to show proof of ownership. Once proof is provided, the status will show Configured. Click save once finished. Now if we go back to the ExpressRoute Overview, the Microsoft Peering shows provisioned. We can also see the subnets configured and who modified the configuration last. We can also access the configuration to make changes from here if needed.

The process for configuring Azure Private Peering is similar to Microsoft Peering. Start by selecting Azure private once the ExpressRoute Circuit shows provisioned. Next, add a peering AS number; this number can be a private AS number. The AS number can be any private number except for 65515 to 65520. These are reserved and cannot be used. Select whether IPv4, IPv6, or both will be used. Supply two subnets for peering. One is for the primary link and the other is for the secondary link. The first usable IP address in each of these blocks is for the local router, and the second is for Microsoft to use. Add a VLAN ID for peering. We can also add a shared key for MD5 hash; that is optional.

Notice on this page we can also configure Global Reach, if we had additional ExpressRoute Circuits in this environment. Click save once finished. Once finished, the ExpressRoute Overview page will show the Azure private peering status as provisioned, along with the primary and secondary subnet configuration and who last modified the circuit. That is how to configure Microsoft Peering and Azure Private Peering on an ExpressRoute Circuit.
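The rules stated in both walkthroughs can be checked before anything is entered in the portal. The following is an added example, not part of the course material: a pre-flight check that applies the reserved AS range from the private peering step, the VLAN ID uniqueness rule, and the first/second usable IP assignment for each link subnet. The function names, the sample `/30` subnets and the non-overlap check are assumptions made for illustration.

```python
import ipaddress

# Reserved range named in the lecture: 65515 to 65520 cannot be the peering AS number.
RESERVED_ASNS = range(65515, 65521)


def link_addresses(subnet):
    """Return (local_router_ip, microsoft_ip): the first and second usable
    addresses of one link subnet, as the lecture describes."""
    # strict=True rejects a prefix written with host bits set (e.g. 10.0.0.1/30)
    hosts = iter(ipaddress.ip_network(subnet, strict=True).hosts())
    try:
        return str(next(hosts)), str(next(hosts))
    except StopIteration:
        raise ValueError(f"{subnet} has fewer than two usable addresses")


def check_peering(peer_asn, primary, secondary, vlan_id, vlans_in_use=()):
    """Collect problems with a planned peering; an empty list means it passes."""
    problems = []
    if peer_asn in RESERVED_ASNS:
        problems.append(f"AS {peer_asn} is in the reserved range 65515-65520")
    # The lecture: no other peering in the circuit can use this VLAN ID.
    if vlan_id in vlans_in_use:
        problems.append(f"VLAN {vlan_id} is already used by another peering")
    nets = []
    for label, subnet in (("primary", primary), ("secondary", secondary)):
        try:
            link_addresses(subnet)
            nets.append(ipaddress.ip_network(subnet))
        except ValueError as err:
            problems.append(f"{label} subnet: {err}")
    # Assumption: the lecture only says "two subnets"; overlap is treated as an error here.
    if (len(nets) == 2 and nets[0].version == nets[1].version
            and nets[0].overlaps(nets[1])):
        problems.append("primary and secondary subnets overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not values from the course.
    plan = dict(peer_asn=65010, primary="192.168.15.16/30",
                secondary="192.168.15.20/30", vlan_id=100)
    print("problems:", check_peering(**plan, vlans_in_use=[200]))
    for link in ("primary", "secondary"):
        router, microsoft = link_addresses(plan[link])
        print(f"{link}: local router {router}, Microsoft {microsoft}")
```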

About the Author
Travis Roberts
Cloud Infrastructure Architect

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.