ExpressRoute: Advanced Features

This module covers the advanced ExpressRoute features that the exam loves to test — Global Reach for connecting your DCs through Microsoft’s backbone, FastPath for performance, and encryption for security.

🎬 Video coming soon

ExpressRoute Advanced Features

~13:00

Simple explanation

ExpressRoute fundamentals get you connected. Advanced features make it enterprise-grade. Global Reach connects two on-premises sites through Azure’s backbone. FastPath skips the gateway for faster VM access. Direct gives you raw physical ports at 100 Gbps. And encryption adds security even on private connections.

Global Reach

Global Reach connects your on-premises locations to each other through Microsoft’s backbone — your DC-to-DC traffic bypasses the public internet entirely.

🏢 Ravi’s scenario: Pinnacle Financial has data centres in Auckland (NZ) and Singapore. Both have ExpressRoute circuits. Without Global Reach, DC-to-DC traffic goes over the internet or a separate WAN link. With Global Reach, traffic flows: Auckland DC → ER circuit → Microsoft backbone → ER circuit → Singapore DC.

Auckland DC ──→ ER Circuit (NZ) ──→ Microsoft Backbone ──→ ER Circuit (SG) ──→ Singapore DC

Key facts:

Requires two ExpressRoute circuits in different peering locations
Both circuits must be Standard or Premium SKU (not Local)
Not available in all countries — check regional availability
Data transfer is metered (egress charges apply)
Configuration: create a Global Reach connection linking the two circuits

Global Reach vs Site-to-Site VPN Between DCs

If you don’t have ExpressRoute at both sites, you can’t use Global Reach. Alternatives:

Feature	Global Reach	S2S VPN over ER	Internet S2S VPN
Path	Microsoft backbone	ER + Azure VPN Gateway	Public internet
Latency	Lowest	Low (but adds gateway hop)	Variable
Throughput	Circuit bandwidth	Gateway SKU limited	Connection dependent
Encryption	MACsec or IPsec optional	IPsec built-in	IPsec built-in
Cost	ER circuit costs + data transfer	ER + gateway costs	Gateway costs only
Requirement	ER at both sites	ER + VPN GW coexistence	VPN devices at both sites

FastPath

FastPath bypasses the ExpressRoute gateway for data traffic, sending packets directly from the ExpressRoute circuit to VMs in the VNet. This reduces latency and increases throughput.

☁️ Elena’s scenario: Skyline Logistics runs a high-frequency trading application that needs the lowest possible latency between on-premises and Azure VMs. FastPath eliminates the gateway hop.

How it works:

Without FastPath: On-prem → ER circuit → ER gateway → VM
With FastPath: On-prem → ER circuit → VM (directly)

The gateway is still needed for control plane (BGP route exchange, connection management) but data plane bypasses it.

Requirements:

Ultra Performance (ErGw3Az) or ErGwScale gateway — Standard and High Performance don’t support it
ExpressRoute circuit must be active and connected

Limitations of FastPath (exam favourites):

Private endpoints — FastPath cannot bypass the gateway for traffic to private endpoints. Traffic to PEs still goes through the gateway.
Peered VNets — FastPath only works for the directly connected VNet, not peered VNets. Peered VNet traffic still routes through the gateway.
Load Balancer — Internal Load Balancer with HA ports in the directly connected VNet works, but not in peered VNets.

ExpressRoute Direct

ExpressRoute Direct provides dedicated physical ports (10 Gbps or 100 Gbps) directly into Microsoft’s edge routers. You own the ports; you create circuits on top of them.

ExpressRoute Direct vs Standard ExpressRoute
Feature	Standard ExpressRoute	ExpressRoute Direct
Physical ports	Shared (managed by connectivity provider)	Dedicated 10G or 100G port pairs you own
Maximum bandwidth	Up to 10 Gbps per circuit	10 Gbps or 100 Gbps per port pair
Multiple circuits	One circuit per provider order	Create multiple circuits on your port pair
MACsec encryption	Not available	Available — Layer 2 encryption on physical link
Provider required	Yes — order through a connectivity provider	No — connect directly to Microsoft edge routers
Cost model	Provider charges plus circuit metering	Port pair charges plus circuit metering (higher base cost)
Use case	Most enterprise deployments	Massive bandwidth, MACsec, or regulatory isolation needs

Encryption Options

MACsec (ExpressRoute Direct only):

Layer 2 encryption between your edge router and Microsoft’s
Encrypts all traffic on the physical link
Requires ExpressRoute Direct ports and compatible hardware
Protects against eavesdropping on the physical connection

IPsec over ExpressRoute (any circuit):

Creates a Site-to-Site VPN tunnel over the ExpressRoute private peering
Layer 3 encryption — works with any ExpressRoute circuit (not just Direct)
Requires a VPN Gateway in addition to the ER Gateway (coexistence)
Lower throughput than MACsec (limited by VPN Gateway SKU)

🔒 Aisha’s scenario: Sentinel Banking needs encryption on their ExpressRoute link. They don’t have ExpressRoute Direct, so they configure IPsec over ER: a VPN tunnel rides on top of the ExpressRoute private peering, encrypting all traffic between on-prem and Azure.

Bidirectional Forwarding Detection (BFD)

BFD provides sub-second link failure detection over ExpressRoute private peering.

Without BFD: BGP detects a link failure based on hold timers — typically 180 seconds (3 missed keepalives at 60-second intervals). That’s 3 minutes of potential blackholing.

With BFD: Failure detection happens in under 1 second. BGP is notified immediately and reconverges to the backup path.

Enabled on the Microsoft side by default for new circuits
Must be configured on your on-premises router as well
Requires both sides to negotiate BFD parameters
Works over private peering only (not Microsoft peering)

Redundancy Patterns

ExpressRoute is designed with built-in redundancy, but understanding the levels helps for exam scenarios:

Level 1 — Built-in dual connections: Every ExpressRoute circuit includes two physical connections (primary and secondary) to two Microsoft edge routers. This is automatic — you always get dual paths.

Level 2 — Circuit redundancy: Deploy two ER circuits in different peering locations. If one location fails completely (provider outage, natural disaster), the other takes over. Connect both circuits to the same VNet via the same or different ER gateways.

Level 3 — ER + VPN backup: Use a Site-to-Site VPN as a backup for ExpressRoute. If the ER circuit fails, traffic fails over to the VPN tunnel. The VPN provides lower bandwidth but works over the internet — independent of the ER provider.

VPN and ER gateways coexist in the same GatewaySubnet
BGP route preferences determine active path (ER routes preferred by default)
Failover is automatic when ER routes are withdrawn

Troubleshooting ExpressRoute

Common ExpressRoute issues and diagnostics:

Symptom	Check	Tool
Circuit status “Not Provisioned”	Provider hasn’t completed provisioning	Azure Portal — circuit status
BGP not established	Peering configuration mismatch (ASN, VLAN, IPs)	Get-AzExpressRouteCircuitRouteTable
Low throughput	Gateway SKU too small or circuit bandwidth saturated	Azure Monitor — ER Gateway metrics
Asymmetric routing	Multiple ER circuits with different AS-path lengths	Check BGP route advertisements
Intermittent drops	Physical layer issues on provider link	BFD status, provider NOC

Always check: Circuit status → Provider status → BGP session → Route table → Gateway metrics.

Key Takeaways

Global Reach connects DCs through Microsoft’s backbone — requires ER at both sites
FastPath bypasses the gateway for data traffic but not for private endpoints or peered VNets
ExpressRoute Direct provides dedicated ports with MACsec encryption
IPsec over ER gives encryption on any circuit (not just Direct)
BFD provides sub-second failover vs 180 seconds without it

Test Your Knowledge

Question

What are the two key limitations of FastPath?

Click or press Enter to reveal answer

Answer

1. Cannot bypass the gateway for traffic to private endpoints. 2. Does not work for peered VNets — only the directly connected VNet benefits from FastPath.

Click to flip back

Question

What is ExpressRoute Global Reach?

Click or press Enter to reveal answer

Answer

Connects two on-premises locations through Microsoft's backbone using their respective ExpressRoute circuits. DC-to-DC traffic bypasses the public internet entirely. Requires circuits at different peering locations.

Click to flip back

Question

What encryption options are available for ExpressRoute?

Click or press Enter to reveal answer

Answer

MACsec (Layer 2) — only for ExpressRoute Direct, encrypts the physical link. IPsec over ER (Layer 3) — works with any circuit, creates a VPN tunnel over private peering.

Click to flip back

Question

How fast does BFD detect link failure vs standard BGP?

Click or press Enter to reveal answer

Answer

BFD: sub-second detection. Standard BGP: approximately 180 seconds (3 missed keepalives at 60-second intervals). BFD notifies BGP immediately for fast reconvergence.

Click to flip back

Knowledge Check

Ravi has ExpressRoute circuits in Auckland and Singapore. He wants DC-to-DC traffic to use Microsoft's backbone instead of the internet. What feature does he need?

Knowledge Check

Elena enables FastPath on her ExpressRoute connection. She notices traffic to a private endpoint in the VNet still goes through the gateway. Why?

Knowledge Check

Aisha needs to encrypt traffic over her existing ExpressRoute circuit but doesn't have ExpressRoute Direct. What should she use?

Next up: Azure Virtual WAN — Simplify global connectivity with Microsoft’s managed hub-and-spoke at scale.