Create and manage ExpressRoute public peering

This article helps you create and manage public peering routing configuration for an ExpressRoute circuit. You can also check the status, update, or delete and deprovision peerings. This article applies to Resource Manager circuits that were created before public peering was deprecated. If you have a previously existing circuit (created prior to public peering being deprecated), you can manage/configure public peering using Azure PowerShell, Azure CLI, and the Azure portal.

Note

Public peering is deprecated. You cannot create public peering on new ExpressRoute circuits. If you have a new ExpressRoute circuit, instead, use Microsoft peering for your Azure services.

Connectivity

Connectivity is always initiated from your WAN to Azure services. Azure services can't initiate connections into your network through this routing domain. If your ExpressRoute circuit is enabled for Azure public peering, you can access the public IP ranges used in Azure over the circuit.

Once public peering is enabled, you can connect to most Azure services. We don't allow you to selectively pick services for which we advertise routes to.

  • Services such as Azure Storage, SQL Databases, and Websites are offered on public IP addresses.
  • Through the public peering routing domain, you can privately connect to services hosted on public IP addresses, including VIPs of your cloud services.
  • You can connect the public peering domain to your DMZ and connect to all Azure services on their public IP addresses from your WAN without having to connect through the internet.

Services

This section shows the services available over public peering. Because public peering is deprecated, there's no plan to add new or more services to public peering. If you use public peering and the service you want to use is support only over Microsoft peering, you must switch to Microsoft peering. See Microsoft peering for a list of supported services.

Supported:

  • Most of the Azure services are supported. Check directly with the service that you want to use to verify support.

Not supported:

  • Azure Active Directory
  • Azure Front Door
  • CDN
  • Logic Apps
  • Multi-factor Authentication Server (legacy)
  • Office 365
  • Power BI
  • Traffic Manager

To validate availability for a specific service, you can check the documentation for that service to see if there's a reserved range published for that service. Then you may look up the IP ranges of the target service and compare with the ranges listed in the Azure IP Ranges and Service Tags - China Cloud XML file. Alternatively, you can open a support ticket for the service in question for clarification.

Peering comparison

Private Peering Microsoft Peering Public Peering (deprecated for new circuits)
Max. # IPv4 prefixes supported per peering 4000 by default, 10,000 with ExpressRoute Premium 200 200
Max. # IPv6 prefixes supported per peering 100 200 N/A
IP address ranges supported Any valid IP address within your WAN. Public IP addresses owned by you or your connectivity provider. Public IP addresses owned by you or your connectivity provider.
AS Number requirements Private and public AS numbers. You must own the public AS number if you choose to use one. Private and public AS numbers. However, you must prove ownership of public IP addresses. Private and public AS numbers. However, you must prove ownership of public IP addresses.
IP protocols supported IPv4, IPv6 IPv4, IPv6 IPv4
Routing Interface IP addresses RFC1918 and public IP addresses Public IP addresses registered to you in routing registries. Public IP addresses registered to you in routing registries.
MD5 Hash support Yes Yes Yes

Note

Azure public peering has 1 NAT IP address associated to each BGP session. For greater than 2 NAT IP addresses, move to Microsoft peering. Microsoft peering allows you to configure your own NAT allocations, as well as use route filters for selective prefix advertisements. For more information, see Move to Microsoft peering.

Custom route filters

You can define custom route filters within your network to consume only the routes you need. Refer to the Routing page for detailed information on routing configuration.

Azure PowerShell steps

Because public peering is deprecated, you can't configure public peering on a new ExpressRoute circuit.

  1. Verify that you have an ExpressRoute circuit that is provisioned and also enabled. Use the following example:

    Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
    

    The response is similar to the following example:

    Name                             : ExpressRouteARMCircuit
    ResourceGroupName                : ExpressRouteResourceGroup
    Location                         : chinanorth
    Id                               : /subscriptions/***************************/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/ExpressRouteARMCircuit
    Etag                             : W/"################################"
    ProvisioningState                : Succeeded
    Sku                              : {
                                       "Name": "Standard_MeteredData",
                                        "Tier": "Standard",
                                        "Family": "MeteredData"
                                      }
    CircuitProvisioningState         : Enabled
    ServiceProviderProvisioningState : Provisioned
    ServiceProviderNotes             : 
    ServiceProviderProperties        : {
                                        "ServiceProviderName": "Beijing Telecom Ethernet",
                                        "PeeringLocation": "Beijing",
                                        "BandwidthInMbps": 200
                                      }
    ServiceKey                       : **************************************
    Peerings                         : []
    
  2. Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further.

    • A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix.
    • A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix.
    • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
    • AS number for peering. You can use both 2-byte and 4-byte AS numbers.
    • Optional:
    • An MD5 hash if you choose to use one.

    Run the following example to configure Azure public peering for your circuit

    Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "12.0.0.0/30" -SecondaryPeerAddressPrefix "12.0.0.4/30" -VlanId 100
    
    Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
    

    If you choose to use an MD5 hash, use the following example:

    Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "12.0.0.0/30" -SecondaryPeerAddressPrefix "12.0.0.4/30" -VlanId 100  -SharedKey "A1B2C3D4"
    
    Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt
    

    Important

    Ensure that you specify your AS number as peering ASN, not customer ASN.

To get Azure public peering details

You can get configuration details using the following cmdlet:

  $ckt = Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"

  Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -Circuit $ckt

To update Azure public peering configuration

You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 200 to 600.

Set-AzExpressRouteCircuitPeeringConfig  -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix "123.0.0.0/30" -SecondaryPeerAddressPrefix "123.0.0.4/30" -VlanId 600

Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

To delete Azure public peering

You can remove your peering configuration by running the following example:

Remove-AzExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

Azure CLI steps

  1. Check the ExpressRoute circuit to ensure it's provisioned and also enabled. Use the following example:

    az network express-route list
    

    The response is similar to the following example:

    "allowClassicOperations": false,
    "authorizations": [],
    "circuitProvisioningState": "Enabled",
    "etag": "W/\"1262c492-ffef-4a63-95a8-a6002736b8c4\"",
    "gatewayManagerEtag": null,
    "id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit",
    "location": "chinanorth",
    "name": "MyCircuit",
    "peerings": [],
    "provisioningState": "Succeeded",
    "resourceGroup": "ExpressRouteResourceGroup",
    "serviceKey": "1d05cf70-1db5-419f-ad86-1ca62c3c125b",
    "serviceProviderNotes": null,
    "serviceProviderProperties": {
     "bandwidthInMbps": 200,
     "peeringLocation": "Beijing Telecom Ethernet",
     "serviceProviderName": "Beijing"
    },
    "serviceProviderProvisioningState": "Provisioned",
    "sku": {
     "family": "UnlimitedData",
     "name": "Standard_MeteredData",
     "tier": "Standard"
    },
    "tags": null,
    "type": "Microsoft.Network/expressRouteCircuits]
    
  2. Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further.

    • A /30 subnet for the primary link. This IP must be a valid public IPv4 prefix.
    • A /30 subnet for the secondary link. This IP must be a valid public IPv4 prefix.
    • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
    • AS number for peering. You can use both 2-byte and 4-byte AS numbers.
    • Optional - An MD5 hash if you choose to use one.

    Run the following example to configure Azure public peering for your circuit:

    az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering
    

    If you choose to use an MD5 hash, use the following example:

    az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering --SharedKey "A1B2C3D4"
    

    Important

    Ensure that you specify your AS number as peering ASN, not customer ASN.

To view Azure public peering details

You can get configuration details using the following example:

az network express-route peering show -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering

The output is similar to the following example:

{
  "azureAsn": 12076,
  "etag": "W/\"2e97be83-a684-4f29-bf3c-96191e270666\"",
  "gatewayManagerEtag": "18",
  "id": "/subscriptions/9a0c2943-e0c2-4608-876c-e0ddffd1211b/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/peerings/AzurePublicPeering",
  "lastModifiedBy": "Customer",
  "microsoftPeeringConfig": null,
  "name": "AzurePublicPeering",
  "peerAsn": 7671,
  "peeringType": "AzurePublicPeering",
  "primaryAzurePort": "",
  "primaryPeerAddressPrefix": "",
  "provisioningState": "Succeeded",
  "resourceGroup": "ExpressRouteResourceGroup",
  "routeFilter": null,
  "secondaryAzurePort": "",
  "secondaryPeerAddressPrefix": "",
  "sharedKey": null,
  "state": "Enabled",
  "stats": null,
  "vlanId": 100
}

To update Azure public peering configuration

You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 200 to 600.

az network express-route peering update --vlan-id 600 -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering

To delete Azure public peering

You can remove your peering configuration by running the following example:

az network express-route peering delete -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering

Azure portal steps

To configure peering, use the PowerShell or CLI steps contained in this article. To manage a peering, you can use the following sections. For reference, these steps look similar to managing a Microsoft peering in the portal.

To view Azure public peering details

View the properties of Azure public peering by selecting the peering in the portal.

To update Azure public peering configuration

Select the row for peering, then modify the peering properties.

To delete Azure public peering

Remove your peering configuration by selecting the delete icon.

Next steps

Next step, Link a virtual network to an ExpressRoute circuit.