Configure ExpressRoute: Accessing Office 365 & Connecting Azure VPN

(Last Updated On: October 2, 2018)

Who doesn’t love a faster, more reliable user experience? It’s a commonality among almost all things, and it’s exactly what you get when connecting to Microsoft services via Azure ExpressRoute.

ExpressRoute bypasses the internet for better speed and reliability, and there are two primary reasons why businesses choose to employ ExpressRoute connectivity: to access Office 365 services and/or to optimize their Azure VPNs.

We’ll walk you through the entire process step-by-step, from setting up and provisioning an ExpressRoute circuit to configuring Microsoft and/or private peering.

Side Note: This article will focus on using the Azure portal; however, it’s also possible to achieve the same outcome using either PowerShell or the Azure CLI.

Before You Start

So who’s ready to create your first ExpressRoute circuit?! Eaaasy, tiger. Before you dive in, make sure you’ve already done all the following:

  • Have a valid and active Microsoft Azure account
  • Have access to the Azure portal
  • Have selected an ExpressRoute connectivity partner (Shamrock Consulting Group will get you all the best options at the guaranteed best price)
  • Have set up adequate security on your networks
  • Have permission to set up new network resources

Important note: Options will vary by location, but Shamrock has your back by helping with the selection process to ensure you’re getting exactly what you need.

Goes without saying, but if you’re intending to connect to Office 365, you’ll also need an active Office 365 subscription. Make sure you also look into how to optimize Office 365 and its individual services for best performance. For example, configuring Skype for Business using QoS standards will ensure call quality is maintained as a priority.

Additionally, if you intend to connect your VPNs to Azure via ExpressRoute, you will need to create VPN gateways for each of your VPNs.

Checked off all the necessary boxes above? Good work. Now you’re officially ready to create your first ExpressRoute circuit.

Step 1: Creating an ExpressRoute Circuit

  1. Navigate to the Azure portal via your browser and log into your Azure account
  2. Select ‘Create a Resource’
  3. Choose ‘Networking’
  4. Click the ExpressRoute icon to bring up the ‘Create ExpressRoute Circuit’ form
  5. Give the circuit a name
  6. Select the service provider you’ve chosen
  7. Select the peering location where you want your circuit set up
  8. Choose the bandwidth you will need. The range is from 50Mbps to 10Gbps, and it’s good practice to start small and scale up since there’s no facility to decrease bandwidth
  9. Select the relevant SKU tier. Keep in mind that you’ll need to pay for the Premium add-on in order to access Office 365 services and/or connect more than 10 VPNs to your circuit
  10. Select the relevant billing model. You can change from metered to unlimited, but not vice versa
  11. Don’t worry about the ‘Allow Classic Operations’ checkbox – you can leave this empty
  12. Choose which Azure subscription your circuit belongs to
  13. Create and name a new resource group, or add your circuit to an existing resource group
  14. Under ‘location,’ select your Azure region
  15. After a few minutes, you should see your new circuit listed when you select ‘All Resources’ from the main menu
  16. Clicking the new circuit will bring up its properties. Under ‘Circuit Status’ you should see the word ‘Enabled,’ confirming that the circuit is provisioned on Microsoft’s end
  17. Under ‘Provider Status,’ you’ll see the words ‘Not Provisioned’
  18. You should also see a string of characters under the ‘Service Key’ label. To complete provisioning, you will need to send this ‘s-key’ to your ExpressRoute provider via email, phone, or – if you are using your provider’s own portal – by copying and pasting it into the relevant field
  19. Keep checking on the provider status, which will first show up as ‘Provisioning’ and will then change to ‘Provisioned’

Once your ExpressRoute circuit has been provisioned, you can configure your peering. For connecting your VPNs to your ExpressRoute circuit, see Step 2a below. For connecting into Office 365 resources using Microsoft peering, see Step 2b.

If you’re connecting both your VPNs and Office 365, it doesn’t matter whether you complete 2a before 2b or vice versa, but make sure you only configure one peering connection at a time.

Step 2a: Configuring Private Peering and Connecting Your VPNs

On the standard SKU, you can connect up to 10 VPNs to one or more ExpressRoute circuits.

The first step in this process is to configure private peering, so let’s run through some important numbers for this:

  • A /30 subnet for both your primary and secondary link
  • A 2 or 4 byte peer autonomous system number (ASN) for your BGP sessions (private or public). Don’t use 65515 as this is reserved for internal Microsoft use
  • A VLAN ID (one that isn’t used for another peering)
  • Optionally, you can specify an MD5 hash as a shared key for the BGP session. If you do provide this, it will have to be configured identically on both sides of the peering and contain no more than 25 characters

To configure your private peering, do the following:

  1. Click ‘All Resources’ and select the ExpressRoute circuit you want to configure
  2. Below the circuit properties, you’ll see a list of peerings
  3. Select the ‘Azure Private’ row to bring up the ‘Private Peering’ form
  4. Enter the above numbers into their relevant fields
  5. Click the save icon
  6. After a few minutes, the status of the Azure Private peering row should show ‘Enabled’

Next, you need to connect your VPNs to your ExpressRoute circuit(s). Here’s how:

  1. Click ‘All Resources’ and select the ExpressRoute circuit you want to connect your first VPN to
  2. Under the ‘Settings’ menu, select ‘Connections’ and then the ‘Add (+)’ icon
  3. Enter a name for your VPN connection
  4. Under ‘Virtual Network Gateway,’ select the gateway you want to use from the dropdown list
  5. Under ‘Resource Group,’ select the appropriate resource group
  6. Click ‘OK’
  7. Repeat for up to 10 VPNs in total (Remember that for up to 100 VPNs, you’ll need to pay for the Premium add-on SKU)

Step 2b: Configuring Microsoft Peering to Access Office 365

For direct access to Office 365 resources like Exchange Online, SharePoint Online and Skype for Business, you’ll need to configure Microsoft peering. The first step once again entails some important numbers (and acronyms) that you’ll need:

  • A /30 subnet for both your primary and secondary link (both are required to access Azure’s 99.95% availability SLA). These must be public IPv4 addresses registered to the RIR or IRR routing registries (you can use NAT to convert private IP addresses into public ones)
  • Your RIR/IRR name
  • A 2 or 4 byte peer autonomous system number (ASN) for your BGP sessions
  • A VLAN ID (one that isn’t already being used for another peering)
  • A list of prefixes that will be advertised over the BGP session. These will be used by Microsoft to set up an ACL for optimized security
  • Optionally, you can specify an MD5 hash as a shared key for the BGP session. If you do provide this, it will have to be configured identically on both sides of the peering and contain no more than 25 characters

To configure your Microsoft peering, do the following:

  1. Click ‘All Resources’ and select the ExpressRoute circuit you want to configure
  2. Below the circuit properties, you will see a list of peerings
  3. Select the Microsoft row to bring up the ‘Microsoft Peering’ form
  4. Enter the above numbers into their relevant fields
  5. If your IP addresses are not registered, select ‘none’ from the ‘Routing Registry Name’ dropdown. You will have to manually validate your ownership for this (see below)
  6. Click the save icon
  7. After a few minutes, the status on the Microsoft Peering form will either show ‘Configured’ or ‘Validation Needed’
  8. If manual validation is needed, go ahead and open a support ticket from the support tab on your Azure portal. Select ‘Technical’ in the ‘Issue Type’ dropdown and ‘ExpressRoute’ under the ‘Service’ dropdown. You’ll also need to choose the relevant subscription, resource and support plan
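
A pre-flight check for the values that Steps 2a and 2b ask you to enter, as an added example that is not part of the original article or of any Azure tooling. The function name, the "private"/"microsoft" labels, the RFC 1918 test used as a stand-in for "public IPv4" and the 1-4094 VLAN range are assumptions of this example.

```python
import ipaddress

RESERVED_ASN = 65515      # per the article: reserved for internal Microsoft use
MAX_KEY_LEN = 25          # per the article: limit for the optional MD5 shared key
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_peering(kind, primary, secondary, peer_asn, vlan_id,
                     shared_key=None, vlans_in_use=()):
    """Return a list of problems; an empty list means the inputs look usable.

    kind is "private" or "microsoft" (labels chosen for this example).
    """
    problems, nets = [], []
    for label, cidr in (("primary", primary), ("secondary", secondary)):
        try:
            # strict=True rejects host bits, e.g. 10.0.0.1/30
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label}: invalid subnet ({exc})")
            continue
        if net.version != 4 or net.prefixlen != 30:
            problems.append(f"{label}: must be an IPv4 /30, got {cidr}")
            continue
        if kind == "microsoft" and any(net.subnet_of(p) for p in RFC1918):
            problems.append(f"{label}: Microsoft peering needs public IPv4, "
                            f"{cidr} is RFC 1918 private space")
        nets.append(net)
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        problems.append("primary and secondary subnets overlap")
    if not 1 <= peer_asn <= 0xFFFFFFFF:
        problems.append("peer ASN must fit in 2 or 4 bytes")
    elif peer_asn == RESERVED_ASN:
        problems.append("peer ASN 65515 is reserved")
    # Assumption: 1-4094 is the usable 802.1Q range; the portal may narrow it.
    if not 1 <= vlan_id <= 4094:
        problems.append("VLAN ID is outside 1-4094")
    elif vlan_id in vlans_in_use:
        problems.append(f"VLAN ID {vlan_id} is already used by another peering")
    if shared_key is not None and len(shared_key) > MAX_KEY_LEN:
        problems.append("shared key is longer than 25 characters")
    return problems

# Constructed sample values; 203.0.113.0/24 is a documentation range standing in
# for registered public addresses.
if __name__ == "__main__":
    print(validate_peering("private", "10.0.0.0/30", "10.0.0.4/30", 65001, 100))
    print(validate_peering("microsoft", "192.168.1.0/30", "203.0.113.4/30",
                           65515, 100, "k" * 26, vlans_in_use={100}))
```

Pass the VLAN IDs of any peerings already configured on the circuit as `vlans_in_use` so a reused ID is caught before the form is saved.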

Optional: Adding Route Filters (Microsoft Peering)

By default, the prefixes for all available Office 365 services are allowed through your peering connection. This means managing a large routing table. If you prefer, it is possible to select a subset of services by applying route filters. This will require pre-authorization by your Microsoft Account provider.

Here’s the rundown:

  1. From the Azure portal, select ‘Create a Resource’
  2. Choose ‘Networking’
  3. Select ‘Route Filter’ to bring up the route filter form
  4. Create a name for the new routing rule you’re about to create
  5. Select the appropriate subscription and existing resource group
  6. Click the ‘Manage Rule’ tab at the top
  7. Under ‘Allowed Service Communities,’ you’ll see a pre-populated list of all Office 365 services and their prefixes. Simply check whichever ones you want to allow
  8. Hit save
  9. Click the ‘Add Circuit’ tab
  10. Select the appropriate circuit from the dropdown list
  11. You’re done!

How Shamrock Can Help

Shamrock is an industry leader when it comes to cloud direct connects, so you know you’re always in great hands regarding your ExpressRoute connection. We have the unique ability to connect you into Azure from any data center or office building, anywhere in the world, at any speed up to 100Gbps and we guarantee the best price in the marketplace.

If you’re looking for a fast, secure and reliable connection over a fully private connection, Shamrock can deliver it with Azure ExpressRoute.

We want your business to thrive, so all of our consultations (including Azure ExpressRoute) are completely free!

Contact us and let’s make some ExpressRoute magic together, shall we?

Ben Ferguson

Ben Ferguson is the Senior Network Architect and Vice President of Shamrock Consulting Group, the leader in technical procurement for telecommunications, data communications, data center and cloud services. Since his departure from Biochemical research in 2004, he has built core competencies around enterprise wide area network architecture, high density data center deployments, public and private cloud deployments, and Voice over IP telephony. Ben has designed hundreds of wide area networks for some of the largest companies in the world. When he takes the occasional break from designing networks, he enjoys surfing, golf, working out, trying new restaurants and spending time with his wife Linsey and his dog, Hamilton.