1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Implementing Azure ExpressRoute

ExpressRoute Overview

ExpressRoute Overview

As dependency on cloud services grows, so does the need for a reliable, low-latency network connection to the cloud. Also, some organizations and government agencies require a dedicated connection that does not pass network traffic over the public internet. Azure ExpressRoute provides a dedicated, redundant connection to Azure cloud services.  

In this course, we examine Azure ExpressRoute. Azure ExpressRoute creates a reliable, dedicated connection between an organization's on-premises environment and Microsoft Azure. We cover design considerations when planning for ExpressRoute, requirements for installing ExpressRoute, and management and troubleshooting tasks. The learning objectives for this course map to the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam.

Learning Objectives

  • Choose between provider and direct model (ExpressRoute Direct)
  • Design and implement Azure cross-region connectivity between multiple ExpressRoute locations
  • Select an appropriate ExpressRoute SKU and tier
  • Design and implement ExpressRoute Global Reach and ExpressRoute FastPath 
  • Choose between private peering only, Microsoft peering only, or both
  • Configure private peering and Microsoft peering
  • Create and configure an ExpressRoute gateway
  • Connect a virtual network to an ExpressRoute circuit
  • Recommend a route advertisement configuration
  • Configure encryption over ExpressRoute
  • Implement Bidirectional Forwarding Detection
  • Diagnose and resolve ExpressRoute connection issues

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking, routing, and VPN concepts

Hello and welcome to an overview of ExpressRoute. Before we get into details, it makes sense to review what ExpressRoute is and why you may wanna use it. Let's talk about cloud services, Microsoft's cloud services more specifically. These are services hosted in Microsoft datacenters, they offer Software as a Service offerings, such as Office 365 and Dynamics 365 for example. These are born in the cloud and designed for reliable and secure access over the internet.

We also have Azure. Azure is a collection of Platform as a Service or Infrastructure as a Service offerings. Some are designed to be accessed over the internet, and most have the ability to be accessed from the internet, but not all. Matter of fact, in order for Microsoft to host reliable and secure services in Azure, some of those services cannot be accessed from the internet, they need to be isolated in their own environment. 

So how can an organization leverage services in Azure without accessing those services from the internet? Well, there are a couple options. One is to establish a virtual private network or VPN between the users and Azure. A VPN creates an encrypted tunnel between two locations over a public internet, it provides connectivity, and although it's secure, internet traffic is best effort, meaning once the network packet leaves the private network, we have no say over how or even if those packets are routed to the endpoint.

Some network traffic is more important than others, for example, Voice over IP traffic should have priority over web traffic. We can assign priorities to specific types of traffic with Quality of Service or QoS tags. Those QoS tags, however, are not honored on the internet. Also, all network traffic on the internet shares resources. Shared bandwidth can experience higher latency than network traffic on the private network. VPNs work well for test and dev environments, but we need something more resilient for medium and large enterprises running mission critical environments in Azure.

Also, some organizations or government agencies can't use shared resources, VPNs will not work for those environments. ExpressRoute provides a direct connection from an on-premises location to Azure or Microsoft 365 services. All traffic stays on a private network, so the network traffic is more reliable, can reach guaranteed faster speeds with lower or more consistent latency compared to VPN. We can connect to two different types of services with ExpressRoute from an on-premises site.

We can connect a private VNets in Azure, as well as Microsoft services, such as Azure AD, App Services, and Office 365. To do this, a connection is established between the partner edge device, the provider of the on-premises equipment, and the Microsoft Edge. They're actually two circuits, for redundancy, there's a primary and a secondary path connecting to redundant hardware between the partner and the Microsoft Edge. 

Once connected, private peering is established between the customer and the Azure Private Networks, and between the customer and the Microsoft online services, such as Microsoft 365 and Azure Platform as a Service or PaaS offerings. There are a few different options for connecting to Microsoft and Azure services with ExpressRoute, but they all follow a similar configuration. Let's talk about the peering options next.

Azure Private Peering allows us to connect to resources deployed to an Azure Virtual Network. This could include Infrastructure as a Service or IaaS services, such as virtual machines or other Platform as a Service or PaaS services, such as App Services or Azure SQL. Azure Private Peering is a trusted extension of your on-premises network, allowing you to connect to resources in Azure with your private IP address.

Microsoft Peering on the other hand allows us to connect to publicly accessible Microsoft and Azure resources over the ExpressRoute connection, taking advantage of the private low-latency connection for public services. There is one catch, by default, Microsoft 365 service, such as Exchange Online, Skype for Business, and SharePoint require approval before they can be accessed over ExpressRoute.

The Microsoft 365 services are built for high availability and secure access over the public internet. There's a justification process required to peer those services with ExpressRoute. That brings us to the end of this overview lecture. I look forward to seeing you in the next to learn more about ExpressRoute.

About the Author
Travis Roberts
Cloud Infrastructure Architect

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.