Create and manage ExpressRoute public peering
This article helps you create and manage public peering routing configuration for an ExpressRoute circuit. You can also check the status, update, or delete and deprovision peerings. This article applies to Resource Manager circuits that were created before public peering was deprecated. If you have a previously existing circuit (created prior to public peering being deprecated), you can manage/configure public peering using Azure PowerShell, Azure CLI, and the Azure portal.
Note
Public peering is deprecated. You cannot create public peering on new ExpressRoute circuits. If you have a new ExpressRoute circuit, instead, use Microsoft peering for your Azure services.
Connectivity
Connectivity is always initiated from your WAN to Azure services. Azure services can't initiate connections into your network through this routing domain. If your ExpressRoute circuit is enabled for Azure public peering, you can access the public IP ranges used in Azure over the circuit.
Once public peering is enabled, you can connect to most Azure services. We don't allow you to selectively pick services for which we advertise routes to.
- Services such as Azure Storage, SQL Databases, and Websites are offered on public IP addresses.
- Through the public peering routing domain, you can privately connect to services hosted on public IP addresses, including VIPs of your cloud services.
- You can connect the public peering domain to your DMZ and connect to all Azure services on their public IP addresses from your WAN without having to connect through the internet.
Services
This section shows the services available over public peering. Because public peering is deprecated, there's no plan to add new or more services to public peering. If you use public peering and the service you want to use is support only over Microsoft peering, you must switch to Microsoft peering. See Microsoft peering for a list of supported services.
Supported:
- Most of the Azure services are supported. Check directly with the service that you want to use to verify support.
Not supported:
- Azure Active Directory
- Azure Front Door
- CDN
- Logic Apps
- Multi-factor Authentication Server (legacy)
- Office 365
- Power BI
- Traffic Manager
To validate availability for a specific service, you can check the documentation for that service to see if there's a reserved range published for that service. Then you may look up the IP ranges of the target service and compare with the ranges listed in the Azure IP Ranges and Service Tags - China Cloud XML file. Alternatively, you can open a support ticket for the service in question for clarification.
Peering comparison
Private Peering | Microsoft Peering | Public Peering (deprecated for new circuits) | |
---|---|---|---|
Max. # IPv4 prefixes supported per peering | 4000 by default, 10,000 with ExpressRoute Premium | 200 | 200 |
Max. # IPv6 prefixes supported per peering | 100 | 200 | N/A |
IP address ranges supported | Any valid IP address within your WAN. | Public IP addresses owned by you or your connectivity provider. | Public IP addresses owned by you or your connectivity provider. |
AS Number requirements | Private and public AS numbers. You must own the public AS number if you choose to use one. | Private and public AS numbers. However, you must prove ownership of public IP addresses. | Private and public AS numbers. However, you must prove ownership of public IP addresses. |
IP protocols supported | IPv4, IPv6 | IPv4, IPv6 | IPv4 |
Routing Interface IP addresses | RFC1918 and public IP addresses | Public IP addresses registered to you in routing registries. | Public IP addresses registered to you in routing registries. |
MD5 Hash support | Yes | Yes | Yes |
Note
Azure public peering has 1 NAT IP address associated to each BGP session. For greater than 2 NAT IP addresses, move to Microsoft peering. Microsoft peering allows you to configure your own NAT allocations, as well as use route filters for selective prefix advertisements. For more information, see Move to Microsoft peering.
Custom route filters
You can define custom route filters within your network to consume only the routes you need. Refer to the Routing page for detailed information on routing configuration.
Azure PowerShell steps
Because public peering is deprecated, you can't configure public peering on a new ExpressRoute circuit.
Verify that you have an ExpressRoute circuit that is provisioned and also enabled. Use the following example:
Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
The response is similar to the following example:
Name : ExpressRouteARMCircuit ResourceGroupName : ExpressRouteResourceGroup Location : chinanorth Id : /subscriptions/***************************/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/ExpressRouteARMCircuit Etag : W/"################################" ProvisioningState : Succeeded Sku : { "Name": "Standard_MeteredData", "Tier": "Standard", "Family": "MeteredData" } CircuitProvisioningState : Enabled ServiceProviderProvisioningState : Provisioned ServiceProviderNotes : ServiceProviderProperties : { "ServiceProviderName": "Beijing Telecom Ethernet", "PeeringLocation": "Beijing", "BandwidthInMbps": 200 } ServiceKey : ************************************** Peerings : []
Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further.
- A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix.
- A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix.
- A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
- AS number for peering. You can use both 2-byte and 4-byte AS numbers.
- Optional:
- An MD5 hash if you choose to use one.
Run the following example to configure Azure public peering for your circuit
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "12.0.0.0/30" -SecondaryPeerAddressPrefix "12.0.0.4/30" -VlanId 100 Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
If you choose to use an MD5 hash, use the following example:
Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "12.0.0.0/30" -SecondaryPeerAddressPrefix "12.0.0.4/30" -VlanId 100 -SharedKey "A1B2C3D4" Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
Important
Ensure that you specify your AS number as peering ASN, not customer ASN.
To get Azure public peering details
You can get configuration details using the following cmdlet:
$ckt = Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -Circuit $ckt
To update Azure public peering configuration
You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 200 to 600.
Set-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "123.0.0.0/30" -SecondaryPeerAddressPrefix "123.0.0.4/30" -VlanId 600
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
To delete Azure public peering
You can remove your peering configuration by running the following example:
Remove-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
Azure CLI steps
Check the ExpressRoute circuit to ensure it's provisioned and also enabled. Use the following example:
az network express-route list
The response is similar to the following example:
"allowClassicOperations": false, "authorizations": [], "circuitProvisioningState": "Enabled", "etag": "W/\"1262c492-ffef-4a63-95a8-a6002736b8c4\"", "gatewayManagerEtag": null, "id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit", "location": "chinanorth", "name": "MyCircuit", "peerings": [], "provisioningState": "Succeeded", "resourceGroup": "ExpressRouteResourceGroup", "serviceKey": "1d05cf70-1db5-419f-ad86-1ca62c3c125b", "serviceProviderNotes": null, "serviceProviderProperties": { "bandwidthInMbps": 200, "peeringLocation": "Beijing Telecom Ethernet", "serviceProviderName": "Beijing" }, "serviceProviderProvisioningState": "Provisioned", "sku": { "family": "UnlimitedData", "name": "Standard_MeteredData", "tier": "Standard" }, "tags": null, "type": "Microsoft.Network/expressRouteCircuits]
Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further.
- A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix.
- A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix.
- A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
- AS number for peering. You can use both 2-byte and 4-byte AS numbers.
- Optional - An MD5 hash if you choose to use one.
Run the following example to configure Azure public peering for your circuit:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering
If you choose to use an MD5 hash, use the following example:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering --SharedKey "A1B2C3D4"
Important
Ensure that you specify your AS number as peering ASN, not customer ASN.
To view Azure public peering details
You can get configuration details using the following example:
az network express-route peering show -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
The output is similar to the following example:
{
"azureAsn": 12076,
"etag": "W/\"2e97be83-a684-4f29-bf3c-96191e270666\"",
"gatewayManagerEtag": "18",
"id": "/subscriptions/9a0c2943-e0c2-4608-876c-e0ddffd1211b/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/peerings/AzurePublicPeering",
"lastModifiedBy": "Customer",
"microsoftPeeringConfig": null,
"name": "AzurePublicPeering",
"peerAsn": 7671,
"peeringType": "AzurePublicPeering",
"primaryAzurePort": "",
"primaryPeerAddressPrefix": "",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"routeFilter": null,
"secondaryAzurePort": "",
"secondaryPeerAddressPrefix": "",
"sharedKey": null,
"state": "Enabled",
"stats": null,
"vlanId": 100
}
To update Azure public peering configuration
You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 200 to 600.
az network express-route peering update --vlan-id 600 -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
To delete Azure public peering
You can remove your peering configuration by running the following example:
az network express-route peering delete -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
Azure portal steps
To configure peering, use the PowerShell or CLI steps contained in this article. To manage a peering, you can use the following sections. For reference, these steps look similar to managing a Microsoft peering in the portal.
To view Azure public peering details
View the properties of Azure public peering by selecting the peering in the portal.
To update Azure public peering configuration
Select the row for peering, then modify the peering properties.
To delete Azure public peering
Remove your peering configuration by selecting the delete icon.
Next steps
Next step, Link a virtual network to an ExpressRoute circuit.
- For more information about ExpressRoute workflows, see ExpressRoute workflows.
- For more information about circuit peering, see ExpressRoute circuits and routing domains.
- For more information about working with virtual networks, see Virtual network overview.