Create and modify peering for an ExpressRoute circuit using the Azure portal

• 
  

This article shows you how to create and manage routing configuration for an Azure Resource Manager ExpressRoute circuit using the Azure portal. You can also check the status, update, or delete and deprovision peerings for an ExpressRoute circuit. If you want to use a different method to work with your circuit, select an article from the following list:

You can configure private peering and Microsoft peering for an ExpressRoute circuit. Peerings can be configured in any order you choose. However, you must make sure that you complete the configuration of each peering one at a time. For more information about routing domains and peerings, see ExpressRoute routing domains.

Prerequisites

• Make sure that you've reviewed the following pages before you begin configuration:
  • Prerequisites
  • Routing requirements
  • Workflows
• You must have an active ExpressRoute circuit. Follow the instructions to Create an ExpressRoute circuit and have the circuit enabled by your connectivity provider before you continue. To configure peering(s), the ExpressRoute circuit must be in a provisioned and enabled state.
• If you plan to use a shared key/MD5 hash, be sure to use the key on both sides of the tunnel. The limit is a maximum of 25 alphanumeric characters. Special characters aren't supported.

These instructions only apply to circuits created with service providers offering Layer 2 connectivity services. If you're using a service provider that offers managed Layer 3 services (typically an IPVPN, like MPLS), your connectivity provider configures and manages the routing for you.

Microsoft peering

This section helps you create, get, update, and delete the Microsoft peering configuration for an ExpressRoute circuit.

To create Microsoft peering

1. Configure the ExpressRoute circuit. Check the Provider status to ensure that the circuit is fully provisioned by the connectivity provider before continuing further.

   If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Microsoft peering for you. You won't need to follow the instructions listed in the next sections. However, if your connectivity provider doesn't manage routing for you, after creating your circuit, continue with these steps.

   Circuit - Provider status: Not provisioned

   

   Circuit - Provider status: Provisioned

   

2. Configure Microsoft peering for the circuit. Make sure that you have the following information before you continue.

   • A pair of subnets owned by you and registered in an RIR/IRR. One subnet is used for the primary link, while the other will be used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
     • IPv4: Two /30 subnets. These must be valid public IPv4 prefixes.
     • IPv6: Two /126 subnets. These must be valid public IPv6 prefixes.
     • Both: Two /30 subnets and two /126 subnets.
   • Microsoft peering enables you to communicate with the public IP addresses on Microsoft network. So, your traffic endpoints on your on-premises network should be public too. This is often done using SNAT.

   e as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).

   • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. For both Primary and Secondary links you must use the same VLAN ID.
   • AS number for peering. You can use both 2-byte and 4-byte AS numbers.
   • Advertised prefixes: You provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
   • Optional - Customer ASN: If you're advertising prefixes not registered to the peering AS number, you can specify the AS number to which they're registered with.
   • Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.
   • Optional - An MD5 hash if you choose to use one.

3. You can select the peering you wish to configure, as shown in the following example. Select the Microsoft peering row.

   

4. Configure Microsoft peering. Save the configuration once you've specified all parameters. The following image shows an example configuration:

   

    Important

   Microsoft verifies if the specified 'Advertised public prefixes' and 'Peer ASN' (or 'Customer ASN') are assigned to you in the Internet Routing Registry. If you are getting the public prefixes from another entity and if the assignment is not recorded with the routing registry, the automatic validation will not complete and will require manual validation. If the automatic validation fails, you will see the message 'Validation needed'.

   If you see the message 'Validation needed', collect the document(s) that show the public prefixes are assigned to your organization by the entity that is listed as the owner of the prefixes in the routing registry and submit these documents for manual validation by opening a support ticket.

   If your circuit gets to a Validation needed state, you must open a support ticket to show proof of ownership of the prefixes to our support team. You can open a support ticket directly from the portal, as shown in the following example:

   

To view Microsoft peering details

You can view the properties of Microsoft peering by selecting the row for the peering.

To update Microsoft peering configuration

You can select the row for the peering that you want to modify, then modify the peering properties and save your modifications.

Azure private peering

This section helps you create, get, update, and delete the Azure private peering configuration for an ExpressRoute circuit.

To create Azure private peering

1. Configure the ExpressRoute circuit. Ensure that the circuit is fully provisioned by the connectivity provider before continuing.

   If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Azure private peering for you. You won't need to follow the instructions listed in the next sections. However, if your connectivity provider doesn't manage routing for you, after creating your circuit, continue with the next steps.

   Circuit - Provider status: Not provisioned

   

   Circuit - Provider status: Provisioned

   

2. Configure Azure private peering for the circuit. Make sure that you have the following items before you continue with the next steps:

   • A pair of subnets that aren't part of any address space reserved for virtual networks. One subnet is used for the primary link, while the other will be used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
     • IPv4: Two /30 subnets.
     • IPv6: Two /126 subnets.
     • Both: Two /30 subnets and two /126 subnets.
   • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. For both Primary and Secondary links you must use the same VLAN ID.
   • AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering except for the number from 65515 to 65520, inclusively.
   • You must advertise the routes from your on-premises Edge router to Azure via BGP when you configure the private peering.
   • Optional - An MD5 hash if you choose to use one.

3. Select the Azure private peering row, as shown in the following example:

   

4. Configure private peering. Save the configuration once you've specified all parameters.

   

To view Azure private peering details

You can view the properties of Azure private peering by selecting the peering.

To update Azure private peering configuration

You can select the row for peering and modify the peering properties. After updating, save your changes.

Clean up resources

To delete Microsoft peering

You can remove your Microsoft peering configuration by right-clicking the peering and selecting Delete as shown in the following image:

To delete Azure private peering

You can remove your private peering configuration by right-clicking the peering and selecting Delete as shown in the following image:

 Warning

You must ensure that all virtual network connections and ExpressRoute Global Reach connections are removed before running this operation.

 

Create and modify ExpressRoute Circuits

This quickstart shows you how to create an ExpressRoute circuit using the Azure portal and the Azure Resource Manager deployment model. You can also check the status, update, delete, or deprovision a circuit.

There are currently two create experience for ExpressRoute circuits in the portal. The new preview create experience is available through this Preview link. The current create experience is available through the Azure portal. For guidance on how to create an ExpressRoute circuit with the preview create experience select the Preview tab at the top of the page.

Prerequisites

Create and provision an ExpressRoute circuit

Sign in to the Azure portal

Create a new ExpressRoute circuit

 Important

Your ExpressRoute circuit is billed from the moment a service key is issued. Ensure that you perform this operation when the connectivity provider is ready to provision the circuit.

1. On the Azure portal menu, select + Create a resource. Search for ExpressRoute and then select Create.

   

2. On the Create ExpressRoute page. Provide the Resource Group, Region, and Name for the circuit. Then select Next: Configuration >.

   Setting	Value
   Resource group	Select Create new. Enter ExpressRouteResourceGroup Select OK.
   Region	West US 2
   Name	TestERCircuit

   

3. When you enter in the values on this page, make sure that you specify the correct SKU tier (Local, Standard, or Premium) and data metering billing model (Unlimited or Metered).

   

   Setting	Description
   Port type	Select if you're connecting to a service provider or directly into Microsoft's global network at a peering location.
   Create new or import from classic	Select if you're creating a new circuit or if you're migrating a classic circuit to Azure Resource Manager.
   Provider	Select the internet service provider who you are requesting your service from.
   Peering Location	Select the physical location where you're peering with Microsoft.
   SKU	Select the SKU for the ExpressRoute circuit. You can specify Local to get the local SKU, Standard to get the standard SKU or Premium for the premium add-on. You can change between Local, Standard, and Premium.
   Billing model	Select the billing type for egress data charge. You can specify Metered for a metered data plan and Unlimited for an unlimited data plan. You can change the billing type from Metered to Unlimited.
   Allow classic operations	Enable this option to allow classic virtual networks to link to the circuit.

   
   

4. Select Review + create and then select Create to deploy the ExpressRoute circuit.

View the circuits and properties

View all the circuits

You can view all the circuits that you created by searching for ExpressRoute circuits in the search box at the top of the portal.

All Expressroute circuits created in the subscription appear here.

View the properties

You can view the properties of the circuit by selecting it. On the Overview page for your circuit, you find the Service Key. Provide the service key to the service provider to complete the provisioning process. The service key is unique to your circuit.

Send the service key to your connectivity provider for provisioning

On this page, Provider status gives you the current state of provisioning on the service-provider side. Circuit status provides you with the state on the Microsoft side. For more information about circuit provisioning states, see the Workflows article.

When you create a new ExpressRoute circuit, the circuit is in the following state:

Provider status: Not provisioned
Circuit status: Enabled

The circuit changes to the following state when the connectivity provider is currently enabling it for you:

Provider status: Provisioning
Circuit status: Enabled

To use the ExpressRoute circuit, it must be in the following state:

Provider status: Provisioned
Circuit status: Enabled

Periodically check the status and the state of the circuit key

You can view the properties of the circuit that you're interested in by selecting it. Check the Provider status and ensure that it has moved to Provisioned before you continue.

Create your routing configuration

For step-by-step instructions, refer to the ExpressRoute circuit routing configuration article to create and modify circuit peerings.

Link a virtual network to an ExpressRoute circuit

Next, link a virtual network to your ExpressRoute circuit. Use the Linking virtual networks to ExpressRoute circuits article when you work with the Resource Manager deployment model.

Getting the status of an ExpressRoute circuit

You can view the status of a circuit by selecting it and viewing the Overview page.

Modifying an ExpressRoute circuit

You can modify certain properties of an ExpressRoute circuit without impacting connectivity. You can modify the bandwidth, SKU, billing model and allow classic operations on the Configuration page. For information on limits and limitations, see the ExpressRoute FAQ.

You can do the following tasks with no downtime:

• Enable or disable an ExpressRoute Premium add-on for your ExpressRoute circuit.

   Important

  Changing the SKU from Standard/Premium to Local is not supported in Azure portal. To downgrade the SKU to Local, you can use Azure PowerShell or Azure CLI.

• Increase the bandwidth of your ExpressRoute circuit, provided there's capacity available on the port.

   Important

  • Downgrading the bandwidth of a circuit is not supported.
  • To determine if there is available capacity for a bandwidth upgrade, submit a support request.

• Change the metering plan from Metered Data to Unlimited Data.

   Important

  Changing the metering plan from Unlimited Data to Metered Data is not supported.

• You can enable and disable Allow Classic Operations.

   Important

  You may have to recreate the ExpressRoute circuit if there is inadequate capacity on the existing port. You cannot upgrade the circuit if there is no additional capacity available at that location.

  Although you can seamlessly upgrade the bandwidth, you cannot reduce the bandwidth of an ExpressRoute circuit without disruption. Downgrading bandwidth requires you to deprovision the ExpressRoute circuit and then reprovision a new ExpressRoute circuit.

  Disabling the Premium add-on operation can fail if you're using resources that are greater than what is permitted for the standard circuit.

To modify an ExpressRoute circuit, select Configuration.

Deprovisioning and deleting an ExpressRoute circuit

1. On the Azure portal menu, navigate to the ExpressRoute circuit you wish to deprovision.

2. In the Overview page, select Delete. If there are any associated resources attached to the circuit, you're asked to view the resources. Select Yes to see the associations that need to be removed before starting the deprovisioning process. If there are no associated resources, you can proceed with step 4.

   

3. In the View Associated Resources of Circuit pane, you can see the resources associated with the circuit. Ensure you delete the resources before proceeding with the deprovisioning of the circuit.

   

4. After deleting all associated resources, work with your circuit service provider to deprovision the circuit on their end. The circuit is required to be deprovisioned before it can be deleted.

   

5. After your circuit service provider has confirmed that they've deprovisioned the circuit, confirm that the Provider status changes to Not provisioned in the Azure portal. Once the Provider status is Not provisioned, you'll be able to delete the circuit.