What is Azure ExpressRoute?

• 
  

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365.

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet, because they don’t go over the public Internet. For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.

 Note

In the context of ExpressRoute, the Microsoft Edge describes the edge routers on the Microsoft side of the ExpressRoute circuit. This is the ExpressRoute circuit's point of entry into Microsoft's network.

Key benefits

• Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
• Connectivity to Microsoft cloud services across all regions in the geopolitical region.
• Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
• Dynamic routing between your network and Microsoft via BGP.
• Built-in redundancy in every peering location for higher reliability.
• Connection uptime SLA.
• QoS support for Skype for Business.

For more information, see the ExpressRoute FAQ.

ExpressRoute cheat sheet

Quickly access the most important ExpressRoute resources and information with this cheat sheet.

Features

Layer 3 connectivity

Microsoft uses BGP, an industry standard dynamic routing protocol, to exchange routes between your on-premises network, your instances in Azure, and Microsoft public addresses. We establish multiple BGP sessions with your network for different traffic profiles. More details can be found in the ExpressRoute circuit and routing domains article.

Redundancy

Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs) at an ExpressRoute Location from the connectivity provider or your network edge. Microsoft requires dual BGP connections from the connectivity provider or your network edge – one to each MSEE. You might choose not to deploy redundant devices/Ethernet circuits at your end. However, connectivity providers use redundant devices to ensure that your connections are handed off to Microsoft in a redundant manner.

Resiliency

Microsoft offers multiple ExpressRoute peering locations in many geopolitical regions. For maximum resiliency, Microsoft recommends that you establish connection to two ExpressRoute circuits in two peering locations. If ExpressRoute Metro is available with your service provider and in your preferred peering location, you can achieve a higher level of resiliency compared to a standard ExpressRoute circuit. For non-production and non-critical workloads, you can achieve standard resiliency by connecting to a single ExpressRoute circuit that offers redundant connections within a single peering location. The Azure portal provides a guided experience to help you create a resilient ExpressRoute configuration. For Azure PowerShell, CLI, ARM template, Terraform, and Bicep, maximum resiliency can be achieved by creating a second ExpressRoute circuit in a different ExpressRoute location and establishing a connection to it. For more information, see Create maximum resiliency with ExpressRoute.

Connectivity to Microsoft cloud services

ExpressRoute connections enable access to the following services:

• Microsoft Azure services
• Microsoft 365 services

 Note

Microsoft 365 was created to be accessed securely and reliably via the Internet. Because of this, we recommend ExpressRoute for specific scenarios. For information about using ExpressRoute to access Microsoft 365, visit

For a detailed list of services supported over ExpressRoute, visit the ExpressRoute FAQ page.

Connectivity to all regions within a geopolitical region

You can connect to Microsoft from one of our peering locations and access regions within the same geopolitical region.

For example, if you connect to Microsoft in Amsterdam through ExpressRoute. You have access to all of Microsoft cloud services hosted in North and West Europe. For an overview of the geopolitical regions, the associated Microsoft cloud regions, and corresponding ExpressRoute peering locations, see the ExpressRoute partners and peering locations article.

Global connectivity with ExpressRoute Premium

You can enable ExpressRoute Premium to extend connectivity across geopolitical boundaries. If you connect to Microsoft in Amsterdam through ExpressRoute, you have access to all of Microsoft cloud services hosted in every region across the globe. For example, you have access to services deployed in West US or Australian East the same way you access North and West Europe regions. National clouds are excluded.

Local connectivity with ExpressRoute Local

You can transfer data cost-effectively by enabling the Local SKU. With Local SKU, you can bring your data to an ExpressRoute location near the Azure region you want. With Local, Data transfer is included in the ExpressRoute port charge.

For peering location and supported Azure local region, see providers by locations.

Across on-premises connectivity with ExpressRoute Global Reach

By enabling ExpressRoute Global Reach, you can exchange data across your on-premises sites through your ExpressRoute circuits. For instance, suppose you have two private data centers, one in California and one in Texas, each connected to an ExpressRoute circuit in their respective regions. You can use ExpressRoute Global Reach to link your data centers with these circuits, and your cross data-center traffic uses the Microsoft network.

For more information, see ExpressRoute Global Reach.

Rich connectivity partner ecosystem

ExpressRoute has a constantly growing ecosystem of connectivity providers and systems integrator partners. For the latest information, see ExpressRoute partners and peering locations.

Connectivity to national clouds

Microsoft operates isolated cloud environments for special geopolitical regions and customer segments. For a list of national clouds and providers, see ExpressRoute partners and peering locations.

ExpressRoute Direct

ExpressRoute Direct provides customers the opportunity to connect directly into Microsoft’s global network at peering locations strategically distributed across the world. ExpressRoute Direct provides dual 100-Gbps connectivity, which supports Active/Active connectivity at scale.

Key features that ExpressRoute Direct provides include, but aren't limited to:

• Massive data ingestion into services like Azure Storage and Azure Cosmos DB.
• Physical isolation for industries that are regulated and require dedicated and isolated connectivity. For example: banks, governments, and retails.
• Granular control of circuit distribution based on business unit.

For more information, see About ExpressRoute Direct.

Bandwidth options

You can purchase ExpressRoute circuits for a wide range of bandwidths. The supported bandwidths are listed as follows. Be sure to check with your connectivity provider to determine the bandwidths they support.

• 50 Mbps
• 100 Mbps
• 200 Mbps
• 500 Mbps
• 1 Gbps
• 2 Gbps
• 5 Gbps
• 10 Gbps

The built-in redundancy of your circuit is configured using primary and secondary connections, each of the procured bandwidth, to two Microsoft Enterprise Edge routers (MSEEs). The bandwidth available through your secondary connection can be used for more traffic if necessary. Since the secondary connection is meant for redundancy, it isn't guaranteed and shouldn't be used for extra traffic for a sustained period of time. If you plan to use only your primary connection to transmit traffic, the bandwidth for the connection is fixed, and attempting to oversubscribe it results in increased packet drops.

 

Create Azure network connection

Azure network connections (ANC) let you provision Cloud PCs that are attached to a virtual network that you manage.

You can have up to 10 ANCs per tenant.

As part of the connection process, the Windows 365 service is granted the following permissions:

• Reader permission on the Azure subscription.
• Windows 365 Network Interface Contributor role on the specified resource group.
• Windows 365 Network User role on the virtual network.

Requirements

To create an ANC, you must meet these requirements:

• Have the Intune Administrator or Windows 365 Administrator role.
• Have an Active Directory user account with sufficient permissions to join the AD domain into this Organizational Unit (hybrid Microsoft Entra join ANCs only).
• Have the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC was located.
• If you want to create an ANC with a network or resource group that was never used in any pervious ANC creation, then you must have the Subscription owner or user administrator role.
• For Disaster Recovery (DR) purposes, make sure that there are at least 50% of the IP addresses available in your subnet. If reprovisioning for DR is required, sufficient new IP addresses are required for each Cloud PC provisioned on the subnet.
• For Windows 365 Government - GCC only and not GCC-H - make sure to complete the script options listed in Set up tenants for Windows 365 Government.
  • If you aren't using Azure CloudShell, make sure that your PowerShell execution policy is configured to allow Unrestricted scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the ANC is configured to allow Unrestricted scripts. For more information, see Set-ExecutionPolicy.

When planning your ANC VNets with ExpressRoute as the on-premises connectivity model, refer to Azure’s documentation on VM limits. For the ExpressRoute Gateway SKU, make sure that you have the correct sized Gateway for the number of Cloud PCs planned within the VNet. Exceeding this limit could cause instability in your connectivity.

---

Create an ANC

1. Sign in to the Microsoft Intune admin center, select Devices > Windows 365 (under Provisioning) > Azure network connection > Create.

2. Depending on the type of ANC you want to create, choose Microsoft Entra Join or Hybrid Microsoft Entra Join.

   

3. On the Network details page, enter a Name for the new connection. The connection name must be unique within the customer tenant.

   

4. Select a Subscription and Resource group for the new connection. Create a new resource group to contain your Cloud PC resources. Optionally, you can instead select an existing resource group in the list (which grant Windows 365 permissions to the existing resource group). If you don’t have a healthy ANC, you won't be able to proceed.

5. Select a Virtual network and Subnet.

6. Select Next.

7. For hybrid Microsoft Entra join ANCs, on the AD domain page, provide the following information:

 

What's new in Azure Communications Gateway?

VNet injection for Azure Communications Gateway (preview)

From April 2024, you can set up private networking between your on-premises environment and Azure Communications Gateway. VNet injection for Azure Communications Gateway (preview) allows the network interfaces on your Azure Communications Gateway which connect to your network to be deployed into virtual networks in your subscription. This allows you to control the traffic flowing between your network and your Azure Communications Gateway instance using private subnets, and lets you use private connectivity to your premises such as ExpressRoute Private Peering and Virtual Private Networks (VPNs).

For more information about private networking, see Connecting to Azure Communications Gateway. For deployment instructions, see Prepare to connect Azure Communications Gateway to your own virtual network.

Support for Azure Operator Call Protection Preview

From April 2024, you can use Azure Communications Gateway to provide Azure Operator Call Protection Preview. Azure Operator Call Protection uses AI to perform real-time analysis of consumer phone calls to detect potential phone scams and alert subscribers when they are at risk of being scammed. It's built on Azure Communications Gateway.

For more information about Azure Operator Call Protection, see What is Azure Operator Call Protection Preview?. For deployment instructions, see Set up Azure Operator Call Protection Preview.

Lab deployments

From March 2024, you can set up a dedicated lab deployment of Azure Communications Gateway. Lab deployments allow you to make changes and test them without affecting your production deployment. For example, you can:

• Test configuration changes to Azure Communications Gateway.
• Test new Azure Communications Gateway features and services (for example, configuring Microsoft Teams Direct Routing or Zoom Phone Cloud Peering).
• Test changes in your preproduction network, before rolling them out to your production networks.

You plan for, order, and deploy lab deployments in the same way as production deployments. You must have deployed a standard deployment or be about to deploy one. You can't use a lab deployment as a standalone Azure Communications Gateway deployment.

For more information, see Lab Azure Communications Gateway overview.

Flow-through provisioning for Operator Connect and Teams Phone Mobile

From February 2024, Azure Communications Gateway supports flow-through provisioning for Operator Connect and Teams Phone Mobile customers and numbers with the Azure Communications Gateway's Provisioning API (preview). Flow-through provisioning on Azure Communications Gateway allows you to provision the Operator Connect environments and Azure Communications Gateway (for custom header configuration) using the same method. It meets the Operator Connect and Teams Phone Mobile requirement to use APIs to manage your customers and numbers after you launch your service.

Provisioning Azure Communications Gateway and the Operator Connect and Teams Phone Mobile environment includes:

• Managing the status of your enterprise customers in the Operator Connect and Teams Phone Mobile environment.
• Provisioning numbers in the Operator Connect and Teams Phone Mobile environment.
• Configuring Azure Communications Gateway to add custom headers.

Before you launch your Operator Connect or Teams Phone Mobile service, you can also use the Number Management Portal (preview).

Connectivity metrics

From February 2024, you can monitor the health of the connection between your network and Azure Communications Gateway with new metrics for responses to SIP INVITE and OPTIONS exchanges. You can view statistics for all INVITE and OPTIONS requests, or narrow your view down to individual regions, request types, or response codes. For more information on the available metrics, see Connectivity metrics. For an overview of working with metrics, see Analyzing, filtering and splitting metrics in Azure Monitor.

Support for Zoom Phone Cloud Peering

From November 2023, Azure Communications Gateway supports providing PSTN connectivity to Zoom with Zoom Phone Cloud Peering. You can provide Zoom Phone calling services to many customers, each with many users, with minimal disruption to your existing network.

For more information about Zoom Phone Cloud Peering with Azure Communications Gateway, see Overview of interoperability of Azure Communications Gateway with Zoom Phone Cloud Peering. For an overview of deploying and configuring Azure Communications Gateway for Zoom, see Get started with Azure Communications Gateway.

Custom header on messages to operator networks

Azure Communications Gateway can add a custom header to messages sent to your core network. You can use this feature to add custom information that your network might need, for example to assist with billing.

You must choose the name of the custom header when you deploy Azure Communications Gateway. This header name is used for all numbers with custom header configuration.

You must then use the Provisioning API to configure each number with the contents of the custom header.

In November 2023, custom header configuration is available for Microsoft Teams Direct Routing, Operator Connect, and Zoom Phone Cloud Peering.

Support for multitenant Microsoft Teams Direct Routing

From October 2023, Azure Communications Gateway supports providing PSTN connectivity to Microsoft Teams through Direct Routing. You can provide Microsoft Teams calling services to many customers, each with many users, with minimal disruption to your existing network. Azure Communications Gateway automatically updates the SIP signaling to indicate the correct tenant, without needing changes to your core network to map between numbers and customer tenants.

Azure Communications Gateway can screen Direct Routing calls originating from Microsoft Teams to ensure that the number is enabled for Direct Routing. This screening reduces the risk of caller ID spoofing, because it prevents customer administrators assigning numbers that you haven't allocated to the customer.

For more information about Direct Routing with Azure Communications Gateway, see Overview of interoperability of Azure Communications Gateway with Microsoft Teams Direct Routing. For an overview of deploying and configuring Azure Communications Gateway for Direct Routing, see Get started with Azure Communications Gateway.

ExpressRoute Microsoft Peering between Azure and operator networks

From September 2023, you can use ExpressRoute Microsoft Peering to connect operator networks to Azure Communications Gateway as an alternative to Microsoft Azure Peering Services Voice (also known as MAPS Voice). We recommend that most deployments use MAPS for voice unless there's a specific reason that ExpressRoute Microsoft Peering is preferable. For example, you might have existing ExpressRoute connectivity to your network that you can reuse. For details and examples of when ExpressRoute might be preferable to MAPS, see Using ExpressRoute for Microsoft PSTN services.

Integrated Mobile Control Point for Teams Phone Mobile integration

From May 2023, you can deploy Mobile Control Point (MCP) as part of Azure Communications Gateway. MCP is an IMS Application Server that simplifies interworking with Microsoft Phone System for mobile calls. It ensures calls are only routed to the Microsoft Phone System when a user is eligible for Teams Phone Mobile services. This process minimizes the changes you need in your mobile network to route calls into Microsoft Teams. For more information, see Mobile Control Point in Azure Communications Gateway for Teams Phone Mobile.

You can add MCP when you deploy Azure Communications Gateway or by requesting changes to an existing deployment. For more information, see Deploy Azure Communications Gateway or Get support or request changes to your Azure Communications Gateway.