ExpressRoute Routing Introduction
ExpressRoute Routing
To connect to Microsoft cloud services over ExpressRoute, customers need to set up and manage routing themselves. Some service providers offer a managed service that handles the routing setup for the customer.
Microsoft does not support any router redundancy protocol, such as HSRP or VRRP, for high-availability configuration. Redundancy comes from the pair of BGP sessions (primary and secondary link) that every peering uses, which is why both sessions must be configured.
IP address for Peering
Customers need to reserve a few blocks of IP addresses to configure routing between the customer network and the Microsoft Enterprise Edge (MSEE) routers.
IP Address used for Azure Private Peering:
IPv4:
- You must reserve a /29 subnet or two /30 subnets for routing interfaces.
- The subnets used for routing can be either private IP addresses or public IP addresses.
- The subnets must not conflict with the range reserved by the customer for use in the Microsoft cloud.
- If a /29 subnet is used, it is split into two /30 subnets.
- The first /30 subnet is used for the primary link and the second /30 subnet is used for the secondary link.
- For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
- You must set up both BGP sessions for the availability SLA to apply.
Example :
Consider a case where you select 192.168.100.128/29 to set up private peering. 192.168.100.128/29 includes addresses from 192.168.100.128 to 192.168.100.135, among which:
- 192.168.100.128/30 will be assigned to link1, with the provider using 192.168.100.129 and Microsoft using 192.168.100.130.
- 192.168.100.132/30 will be assigned to link2, with the provider using 192.168.100.133 and Microsoft using 192.168.100.134.
IP addresses used for Microsoft Peering:
The enterprise must use public IP addresses it owns to set up the BGP sessions. Microsoft must be able to verify ownership of the IP addresses through the Regional Internet Registries (RIRs) and Internet Routing Registries (IRRs).
- The IPs listed in the portal under Advertised Public Prefixes for Microsoft peering are used to build ACLs on the Microsoft core routers that allow inbound traffic from those IPs.
- Enterprise must use a unique /29 (IPv4) or /125 (IPv6) subnet or two /30 (IPv4) or /126 (IPv6) subnets to set up the BGP peering for each peering per ExpressRoute circuit (if you have more than one).
- If a /29 subnet is used, it is split into two /30 subnets.
- The first /30 subnet is used for the primary link and the second /30 subnet will be used for the secondary link.
- For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
- The enterprise must set up both BGP sessions for the availability SLA to apply.
IP addresses used for Azure Public Peering
Azure public peering is not available on new circuits; the requirements below apply to existing circuits that still use it. Customers must use public IP addresses they own to set up the BGP sessions. Microsoft must be able to verify ownership of the IP addresses through the Regional Internet Registries (RIRs) and Internet Routing Registries (IRRs).
- Enterprise must use a unique /29 subnet or two /30 subnets to set up the BGP peering for each peering per ExpressRoute circuit (if Enterprise have more than one).
- If a /29 subnet is used, it is split into two /30 subnets.
- The first /30 subnet is used for the primary link and the second /30 subnet is used for the secondary link.
- For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
- The enterprise must set up both BGP sessions for the availability SLA to apply.
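As an added example (not part of the original page and not Microsoft's tooling), the following Python function applies the addressing rules above to a reserved block: it splits a /29 into its two /30 links, assigns the first address of each link to the customer router and the second to the MSEE, accepts two explicit /30s instead, and rejects a block that overlaps address space the customer already uses in the Microsoft cloud. It also handles the IPv6 /125 and /126 sizes mentioned for Microsoft peering. The names plan_peering_links and customer_cloud_ranges are this example's own; the input blocks are the page's 192.168.100.128/29 plus constructed samples.

```python
import ipaddress

LINK_NAMES = ("primary", "secondary")


def plan_peering_links(subnets, customer_cloud_ranges=()):
    """Split the reserved peering block into the two BGP links and assign addresses.

    subnets: one /29 (IPv4) or /125 (IPv6), or two /30 (IPv4) or /126 (IPv6).
    customer_cloud_ranges: address space the customer already uses in the
    Microsoft cloud (for example virtual networks); the links must not overlap it.
    Returns {"primary": {...}, "secondary": {...}} with the link subnet, the address
    the customer router must use (first address) and the address Microsoft uses
    for its BGP endpoint (second address).
    """
    # strict=True rejects a block whose host bits are set (e.g. 192.168.100.130/29).
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets or len({n.version for n in nets}) != 1:
        raise ValueError("supply one or two subnets of the same IP version")
    version = nets[0].version
    block_len, link_len = (29, 30) if version == 4 else (125, 126)

    if len(nets) == 1:
        if nets[0].prefixlen != block_len:
            raise ValueError(f"a single block must be a /{block_len}, got /{nets[0].prefixlen}")
        # A /29 (or /125) splits into two /30 (or /126): first half is the primary link.
        links = list(nets[0].subnets(new_prefix=link_len))
    elif len(nets) == 2:
        if any(n.prefixlen != link_len for n in nets):
            raise ValueError(f"two blocks must both be /{link_len}")
        links = nets
    else:
        raise ValueError("expected one /29 (/125) or two /30 (/126) subnets")

    cloud = [ipaddress.ip_network(r) for r in customer_cloud_ranges]
    for link in links:
        for r in cloud:
            if r.version == link.version and link.overlaps(r):
                raise ValueError(f"{link} overlaps {r}, which is reserved for use in the Microsoft cloud")

    plan = {}
    for name, link in zip(LINK_NAMES, links):
        plan[name] = {
            "link": str(link),
            "customer_router": str(link.network_address + 1),  # first address: customer side
            "microsoft_msee": str(link.network_address + 2),   # second address: MSEE BGP endpoint
        }
    return plan


if __name__ == "__main__":
    # The page's own example block.
    for name, addrs in plan_peering_links(["192.168.100.128/29"]).items():
        print(name, addrs)
```

Run it with the address space of your virtual networks in customer_cloud_ranges; a ValueError there means the reserved block would collide with the ranges you route into Azure and must be re-planned before the circuit is provisioned.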
Public IP Address Requirements
Private Peering:
For private peering the enterprise can choose either public or private IPv4 addresses. Azure provides end-to-end isolation of your traffic, so overlapping addresses are not a concern when configuring private peering. These addresses are not advertised to the internet.
Microsoft Peering:
Through Microsoft peering, the enterprise can connect to Microsoft cloud services such as the Microsoft 365 services: Exchange Online, SharePoint Online, Skype for Business and Microsoft Teams.
Microsoft supports bi-directional connectivity on Microsoft peering. Traffic destined for Microsoft cloud services must use valid public IPv4 addresses before it enters the Microsoft network.
Make sure the enterprise's IP addresses and AS number are registered to you in one of the following registries:
- ARIN
- APNIC
- AFRINIC
- LACNIC
- RIPE NCC
- RADB
- ALTDB
Microsoft allows private AS numbers for Microsoft peering, but removes private AS numbers from the AS_PATH of received prefixes. As a result, the enterprise cannot prepend private AS numbers to the AS_PATH to influence routing for Microsoft peering.
AS numbers 64496-64511 are reserved by IANA for documentation purposes (RFC 5398) and are not allowed in the path.
The enterprise must not advertise the same public IP route both to the public internet and over ExpressRoute. To avoid asymmetric routing caused by a misconfiguration, Microsoft recommends that the NAT IP addresses advertised to Microsoft over ExpressRoute come from a range that is not advertised to the internet at all.
Dynamic Route Exchange
Routes are exchanged over eBGP. eBGP sessions are established between the MSEEs and the enterprise routers. If the BGP session needs to be authenticated, the enterprise can use an MD5 hash (the TCP MD5 signature option, RFC 2385); the shared secret must match on both sides, and note that it protects the TCP session against spoofed segments but does not encrypt the routes exchanged.
Autonomous System Numbers (ASN)
Microsoft uses AS 12076 for Azure public, Azure private and Microsoft peering. Microsoft has reserved ASNs 65515-65520 for its own internal use, so the enterprise must not use them. Both 16-bit and 32-bit AS numbers are supported.
Data transfer symmetry is not guaranteed: the forward and return paths may traverse different router pairs. Identical routes must be advertised from either side across the multiple circuit pairs belonging to the enterprise.
Route Aggregation & Prefix Limits
Microsoft accepts up to 4000 IPv4 prefixes and 100 IPv6 prefixes advertised to Microsoft over Azure private peering. The IPv4 limit rises to 10,000 prefixes if the ExpressRoute Premium add-on is enabled. Microsoft accepts up to 200 prefixes per BGP session for Azure public and Microsoft peering.
The BGP session is dropped if the number of prefixes exceeds the limit. Microsoft accepts a default route on the private peering link only. Providers must filter out the default route and private IP addresses (RFC 1918) from the Azure public and Microsoft peering paths.
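The following Python pre-flight check is an added example, not code from the original page or from Microsoft. It models how the MSEE treats what a customer router sends, covering the AS path rules above (private ASNs stripped on receipt, the documentation range 64496-64511 rejected, 65515-65520 reserved by Microsoft) and the prefix rules in this section (4000 IPv4 / 100 IPv6 on private peering, 10,000 IPv4 with Premium, 200 per session on Microsoft and Azure public peering, and a default route or RFC 1918 space only tolerated on private peering). It also flags a prefix that is advertised over ExpressRoute and to the internet at the same time, the asymmetric-routing case the NAT recommendation addresses. The RFC 6996 private ASN ranges and all function names are this example's own assumptions; the AS paths and prefixes in the test are constructed samples.

```python
import ipaddress

MICROSOFT_ASN = 12076
# Microsoft keeps 65515-65520 for its own internal use; a customer must not use them.
MICROSOFT_RESERVED_ASNS = range(65515, 65521)
# RFC 5398 documentation ASNs are not allowed in the AS_PATH.
DOCUMENTATION_ASNS = range(64496, 64512)
# RFC 6996 private ASN ranges (assumption: the page says "private AS numbers" without listing them).
PRIVATE_ASNS = (range(64512, 65535), range(4200000000, 4294967295))
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_private_asn(asn):
    return any(asn in r for r in PRIVATE_ASNS)


def as_path_as_seen_by_microsoft(as_path):
    """Return (path_after_microsoft_filtering, findings) for an AS_PATH the customer would send.

    Microsoft strips private ASNs from received paths, so prepending them cannot
    steer traffic on Microsoft peering; documentation ASNs are not allowed at all.
    """
    findings = []
    for asn in as_path:
        if asn in DOCUMENTATION_ASNS:
            findings.append(f"AS{asn} is an IANA documentation ASN (64496-64511) and is not allowed in the path")
        if asn in MICROSOFT_RESERVED_ASNS:
            findings.append(f"AS{asn} is reserved by Microsoft for internal use")
    kept = [asn for asn in as_path if not is_private_asn(asn)]
    if len(kept) != len(as_path):
        findings.append("private ASNs are removed on receipt; prepending them does not influence routing")
    return kept, findings


def check_advertisement(peering, prefixes, premium=False, internet_prefixes=()):
    """Pre-flight the prefixes one customer BGP session would advertise to the MSEE.

    peering: "private" (Azure private peering) or "microsoft" (Microsoft peering;
    the page applies the same 200-prefix limit and filters to legacy Azure public peering).
    internet_prefixes: what the same enterprise announces to the public internet.
    Returns a list of findings; an empty list means the advertisement is acceptable.
    """
    findings = []
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]

    if peering == "private":
        # Per-address-family limits; Premium raises the IPv4 limit to 10,000.
        limits = {4: 10000 if premium else 4000, 6: 100}
        for version, limit in limits.items():
            count = sum(1 for n in nets if n.version == version)
            if count > limit:
                findings.append(f"{count} IPv{version} prefixes exceed the limit of {limit}; the BGP session would be dropped")
        return findings  # a default route and RFC 1918 space are accepted on private peering

    # Microsoft (and Azure public) peering: 200 prefixes per session, public address space only.
    if len(nets) > 200:
        findings.append(f"{len(nets)} prefixes exceed the limit of 200 per session; the BGP session would be dropped")
    internet = [ipaddress.ip_network(p, strict=False) for p in internet_prefixes]
    for n in nets:
        if n.prefixlen == 0:
            findings.append(f"{n}: a default route is only accepted on private peering")
        elif n.version == 4 and any(n.overlaps(r) for r in RFC1918):
            findings.append(f"{n}: RFC 1918 space is filtered from Microsoft peering")
        elif any(n.version == r.version and n.overlaps(r) for r in internet):
            findings.append(f"{n}: also advertised to the internet; asymmetric routing risk, use a dedicated NAT range")
    return findings


if __name__ == "__main__":
    # Constructed sample: 65000 is a private ASN, 12345 stands in for the customer's registered ASN.
    print(as_path_as_seen_by_microsoft([65000, 65000, 12345]))
    print(check_advertisement("microsoft", ["0.0.0.0/0", "10.1.0.0/16", "203.0.113.0/24"],
                              internet_prefixes=["203.0.113.0/24"]))
```

Feed check_advertisement the exact prefix list from your outbound prefix-list or route-map before bringing the session up: a finding about the prefix count means the MSEE will tear the session down rather than accept part of the list, and a finding about the internet overlap is the misconfiguration that produces asymmetric return paths.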