ExpressRoute Fundamentals
Understand ExpressRoute connectivity models, SKU tiers (Local/Standard/Premium), peering types, and gateway SKUs for dedicated private connectivity to Azure.
ExpressRoute provides a private, dedicated connection between your on-premises infrastructure and Azure. Unlike VPN, traffic never touches the public internet — it goes through a connectivity provider’s private network.
ExpressRoute is a private highway between your network and Azure — while VPN uses the public internet, ExpressRoute gives you a dedicated lane. A connectivity provider physically connects your network to Azure’s edge. Traffic never touches the public internet, so you get predictable performance and higher bandwidth.
Connectivity Models
You don’t plug a cable directly into a Microsoft data centre. You work through a connectivity provider using one of four models:
| Model | How It Works | Typical Provider |
|---|---|---|
| Co-location exchange | Your equipment is in the same facility as Azure’s. Layer 2 or Layer 3 cross-connect. | Equinix, Megaport, NTT |
| Point-to-point Ethernet | Dedicated Layer 2 link from your DC to the exchange. | Carrier (e.g., Verizon, BT) |
| Any-to-any (IPVPN) | Your WAN provider (MPLS) connects all your sites and Azure as another branch. | Telstra, AT&T, Vodafone |
| ExpressRoute Direct | Dedicated physical ports (10G or 100G) directly into Microsoft’s edge. You own the port. | Direct from Microsoft |
🏢 Ravi’s scenario: Pinnacle Financial’s Auckland DC is co-located at an Equinix facility. He orders a 1 Gbps ExpressRoute circuit through Equinix as the provider. Setup takes 2-4 weeks for the provider to provision.
ExpressRoute SKU Tiers
| Feature | Local | Standard | Premium |
|---|---|---|---|
| Reach | Same metro area as peering location | All regions within a geopolitical region | All regions globally |
| Data egress | Unlimited (included) | Metered (pay per GB out) | Metered (pay per GB out) |
| VNet connections | 10 per circuit | 10 per circuit | 100 per circuit |
| Route prefixes (Microsoft peering) | Same as Standard | 4,000 IPv4 / 100 IPv6 | 10,000 IPv4 / 100 IPv6 |
| Cost | Lowest (no egress charges) | Medium | Highest |
Exam Tip — Local vs Standard vs Premium:
- Local: Cheapest option. Only reaches Azure regions near your peering location. Unlimited data egress is the key benefit — no per-GB charges. Perfect for latency-sensitive workloads near your peering location.
- Standard: Reaches all regions in the same geopolitical region (e.g., all of Asia-Pacific, all of North America). Data egress is metered.
- Premium: Global reach — connect from Australia to US regions and everywhere else. Required for cross-geo connectivity. 10x more VNet links.
🏢 Ravi’s choice: His Azure resources are in Australia East (Sydney) and he peers at the Sydney Equinix location. Local SKU gives him the lowest cost with unlimited egress. If he later expands to Southeast Asia, he’d upgrade to Premium.
Peering Types
ExpressRoute has two peering types (Azure public peering was retired):
| Feature | Private Peering | Microsoft Peering |
|---|---|---|
| What it reaches | Azure VNets (VMs, internal LBs, private endpoints) | Microsoft 365, Dynamics 365, Azure PaaS public endpoints |
| Address space | Your private IPs (RFC 1918) | Public IPs (you provide or NAT) |
| Routing | BGP between your router and Azure | BGP between your router and Azure |
| NAT required | No | Yes — you must NAT to public IPs |
| Common use case | Extend your DC to Azure | Private path to M365 and Azure PaaS |
| Required for | VM workloads, private connectivity | Organizations requiring M365 traffic off the internet |
Private peering is the most common — it’s how you access your VNets privately. Azure advertises your VNet ranges via BGP, and your router advertises your on-prem ranges back.
Microsoft peering routes traffic to Microsoft public services over the private connection instead of the internet. It requires NAT because Microsoft’s services use public IPs. This is used when compliance requires M365 traffic to never traverse the public internet.
Setting up peering:
- Private peering: Configure a /30 subnet for the BGP session (one IP for your router, one for Azure’s). Configure ASN and VLAN ID. Azure starts advertising VNet routes.
- Microsoft peering: Same BGP session setup, plus you provide public IP prefixes for NAT and configure route filters to select which Microsoft services you want to receive routes for.
ExpressRoute Gateway SKUs
Just like VPN Gateways, ExpressRoute requires a gateway in your VNet. But the SKUs are different:
| Gateway SKU | Max Connections | Throughput | FastPath | Zone-Redundant Variant |
|---|---|---|---|---|
| Standard (ErGw1Az) | 4 circuits | 1 Gbps | No | ErGw1Az |
| High Performance (ErGw2Az) | 8 circuits | 2 Gbps | No | ErGw2Az |
| Ultra Performance (ErGw3Az) | 16 circuits | 10 Gbps | Yes | ErGw3Az |
| ErGwScale | 16 circuits | Up to 40 Gbps (scalable) | Yes | Built-in |
Exam Tip: FastPath (covered in the next module) requires an Ultra Performance (ErGw3Az) or ErGwScale gateway. Standard and High Performance gateways don’t support it.
Route Advertisement and Limits
What Azure advertises to on-premises (Private Peering):
- All VNet address prefixes connected to the ExpressRoute gateway
- System routes for connected VNets
What you advertise to Azure:
- Your on-premises network ranges
- Azure learns these via BGP and adds them as routes in connected VNets
Route limits:
- Private peering: 4,000 routes (Standard), 10,000 routes (Premium) from on-prem to Azure
- If you exceed the limit, the BGP session drops until routes are reduced
- Use route summarisation (aggregation) to stay within limits
Important: Azure does NOT advertise a default route (0.0.0.0/0) over ExpressRoute by default. If you want forced tunneling, you must advertise 0.0.0.0/0 from on-premises. This routes all internet-bound traffic from Azure through your DC.
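A pre-change check for the route limits and default-route behaviour described above, as an added example that is not part of the original page: it counts a planned IPv4 advertisement against the private-peering limits quoted here, summarises it, and flags a 0.0.0.0/0 that would turn on forced tunneling. The function names and the sample prefixes are constructed for illustration.

```python
import ipaddress

# Private-peering route limits as stated on this page (on-prem to Azure).
ROUTE_LIMITS = {"Standard": 4000, "Premium": 10000}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def audit_advertisement(prefixes, sku):
    """Check a planned on-prem BGP advertisement (IPv4 only) against the limit."""
    nets = {ipaddress.ip_network(p) for p in prefixes}
    # Pull 0.0.0.0/0 out first: collapse_addresses() would otherwise fold
    # every other prefix into it and hide the real route count.
    forced_tunneling = DEFAULT_ROUTE in nets
    nets.discard(DEFAULT_ROUTE)
    # collapse_addresses() only merges adjacent or nested prefixes, so the
    # summary never covers address space that was not in the input.
    summarised = list(ipaddress.collapse_addresses(nets))
    extra = 1 if forced_tunneling else 0
    limit = ROUTE_LIMITS[sku]
    return {
        "raw_count": len(nets) + extra,
        "summarised_count": len(summarised) + extra,
        "raw_within_limit": len(nets) + extra <= limit,
        "summarised_within_limit": len(summarised) + extra <= limit,
        "forced_tunneling": forced_tunneling,
        "summarised": summarised,
    }


def sample_prefixes():
    """Constructed input: 4,096 contiguous /24s, one stray /24, a default route."""
    block = ipaddress.ip_network("10.0.0.0/12")
    prefixes = [str(n) for n in block.subnets(new_prefix=24)]
    return prefixes + ["192.168.10.0/24", "0.0.0.0/0"]


if __name__ == "__main__":
    report = audit_advertisement(sample_prefixes(), "Standard")
    print("raw routes:", report["raw_count"],
          "within limit:", report["raw_within_limit"])
    print("summarised routes:", report["summarised_count"],
          "within limit:", report["summarised_within_limit"])
    print("advertises 0.0.0.0/0 (forced tunneling):", report["forced_tunneling"])
    for net in report["summarised"]:
        print("  advertise", net)
```

Run it against the prefix list exported from the on-premises edge router before changing BGP policy; an unexpected `forced_tunneling` result means Azure internet traffic would start flowing through the DC.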
Key Takeaways
- ExpressRoute is a private, dedicated connection — no public internet
- Local SKU: cheapest, unlimited egress, limited to nearby regions
- Premium SKU: global reach, 100 VNet connections, highest cost
- Private peering: access VNets. Microsoft peering: access M365 and Azure PaaS public endpoints
- Gateway SKU determines throughput and FastPath eligibility
Test Your Knowledge
Ravi's resources are in Australia East and he peers at Sydney. He wants the lowest cost with predictable billing. Which ExpressRoute SKU should he choose?
Elena needs to access Azure VMs in her VNets over ExpressRoute. Which peering type does she configure?
Which ExpressRoute connectivity model lets you use your existing MPLS WAN provider to connect to Azure as another site?
Next up: ExpressRoute: Advanced Features — Global Reach, FastPath, Direct ports, encryption, and redundancy patterns.