Connecting to Microsoft Azure ExpressRoute

Megaport makes it easy to provision fast, secure, and private connections between your data center and Microsoft Azure and provides dedicated access to Azure private and Microsoft public resources from hundreds of locations worldwide.

Azure ExpressRoute connection overview

Megaport offers two types of connection to ExpressRoute: you can order virtual cross-connections to the Microsoft Cloud through Megaport or you can connect directly to the Microsoft Cloud through point-to-point Ethernet links (ExpressRoute Direct).

This topic describes connecting to Azure through a VXC. For details about a direct connection, see Configuring a Microsoft Azure ExpressRoute Direct Connection.

To get started, watch these overview videos:

Play video   Watch a 13-minute overview video and learn about Megaport with Azure, steps for Port creation, Azure resource manager and ExpressRoute configuration, and VXC creation.

Play video   Watch a 15-minute video that discusses meeting SLAs, configuring redundant connections, and configuring ExpressRoute for end-to-end connectivity.

When connecting to the Microsoft Cloud (Azure) through an ExpressRoute with Megaport, the VXC forms the Layer 2 component of the connection and Layer 3 BGP connectivity is established directly between the customer and Azure.

There are two elements involved with an ExpressRoute connection. The first is your ExpressRoute plan and is billed directly from Microsoft. (Make sure to select the correct region and currency for accurate pricing). The second is the VXC with Megaport to connect to your ExpressRoute location.

Each ExpressRoute subscription includes two Virtual Ports on the Microsoft Cloud side. Microsoft offers an SLA on its ExpressRoute connectivity, but to comply you must deploy ExpressRoute VXCs to each Microsoft virtual port for redundancy.

Megaport supports ExpressRoute access to both peering interfaces: Azure Private and Microsoft (Public) peering. Azure Private does not require approval and is available instantly, but Microsoft (Public) peering requires manual validation of public IP space by Microsoft, and some public endpoints (such as Office 365) require additional validation. Both of these peering interfaces are delivered through a single VXC using 802.1ad configuration. When provisioning an ExpressRoute circuit, you can connect multiple VNETs to a single circuit (up to 10 by default, but more are possible depending on your plan).

The following figure shows a typical ExpressRoute deployment.

ExpressRoute deployment

Note

The VXC connecting to Microsoft contains two “inner” VLANs. These are referred to as the C-Tagged VLANs and are configured in the Azure console. The “outer” VLAN tag is called the S-Tag and is the VLAN assigned to the VXC in the Megaport Portal.

Creating an ExpressRoute connection

To deploy an ExpressRoute connection, you need to choose your ExpressRoute plan and deploy the ExpressRoute circuit in the Azure console. When deployed, you get a service key. Copy the service key and log in to the Megaport Portal.

To create a connection to ExpressRoute

  1. In the Megaport Portal, go to the Services page and select the Port you want to use.
    If you haven’t already created a Port, see Creating a Port.
  2. Add a VXC connection for the Port.
    Click +Connection, click Cloud, and click Azure ExpressRoute.
    Add a connection

  3. Add the ExpressRoute service key into the field in the Microsoft Azure Service Key panel.
    The Portal verifies the key and then displays the available port locations based on the Peering Location chosen when creating the ExpressRoute in the Azure Portal. For example, if your ExpressRoute service is deployed in Peering Location Sydney, you can only select the Sydney targets.

  4. Select the connection point for your first connection.

    Some helpful resource links appear on the configuration screen, including the Azure Resource Manager console and links to tutorial videos.

  5. Specify these connection details:

    • Connection Name – The name of your VXC to be shown in the Megaport Portal.

    • Service Level Reference (optional) – Specify a unique identifying number for the VXC to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.

    • Rate Limit – This is the speed of your connection in Mbps. It is autopopulated from the configuration in the Azure console.

    • Preferred A-End VLAN – By default Q-in-Q is enabled. Specify an unused VLAN ID for this connection (for ExpressRoute this is the S-Tag for your data center). This must be a unique VLAN ID for this connection and can range from 2 to 4093. Enabling Q-in-Q has the benefit of deploying both Microsoft and private peerings and both primary and secondary Azure ExpressRoute circuits but your routing and switching hardware must support Q-in-Q to be capable of terminating dual tags at the customer end.

  6. Click Next and proceed through the ordering process.

Connecting to ExpressRoute on equipment that does not support Q-in-Q

Q-in-Q is a technology that not all organizations use. If your equipment does not support Q-in-Q, you have these options:

  • You can configure the VXC with a single tag VLAN solution. You configure peering in Azure with the Port VLAN (A-End) and the peer VLAN set in Azure (B-End). Note, you can have only one peering type (Private or Microsoft) per VXC with this option. Two VXCs per ExpressRoute are available, Primary and Secondary.

Single Azure peering VLAN

  • You can remove the Q-in-Q requirement by dedicating a port to Microsoft Azure by untagging the connection (selecting Untag for the preferred A-End VLAN). Megaport will still correctly apply or strip the outer VLAN S-Tag depending on traffic direction. This means you can only deploy a single VXC on this Port, so it does not scale well and is typically a temporary measure, but can be a useful temporary solution.

Untagging a VLAN

Note

For details on Q-in-Q with Megaport VXCs, see Configuring Q-in-Q.

To enable the Azure peering VLAN

  1. Follow steps 1 through 5 in the procedure To create a connection to ExpressRoute.

  2. Under Azure peering VLAN, enable the Configure Single Azure Peering VLAN option.

    Azure peering VLAN

  3. Enter the Peering VLAN tag for the ExpressRoute peering required, from 2 to 4093. Megaport uses this to set a Peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing.

  4. Click Next. A summary page appears that includes the monthly cost. Click Back to make changes or click Add VXC.
  5. To deploy a second connection (and this is recommended), you can create a second VXC - enter the same service key, select the other connection target, and enter the same Peering VLAN ID for the ExpressRoute peering configured in step 3.
  6. Click Next and proceed through the ordering process.
  7. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the Azure peering VLAN tag entered in the Megaport Portal.

    This figure shows where the VLAN C-Tag is configured in the Azure Portal.
    Azure peering VLAN

  8. Configure your on-premises equipment.

Important

An ExpressRoute service key can only be used with two VXCs. Once you configure a primary and secondary VXC, you cannot reuse the key. The option to reuse the circuit is dimmed and unavailable in the Megaport Portal.

To change an existing Azure peering VLAN

  1. On the Services page, click the gear icon next to the connection in the Megaport Portal.
  2. Change the Azure peering VLAN ID.
  3. Click Save.
  4. Click Next.
  5. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the Azure peering VLAN tag entered in the Megaport Portal.

To verify the Azure peering VLAN

  • On the Services page, click the gear icon next to the connection in the Megaport Portal. The Connection Details page shows the Azure peering VLAN value.

Converting an untagged VXC to a tagged VXC

An existing Azure service on an untagged VXC can now be tagged, allowing you to instantly order additional services on the existing Port without adding any more physical Ports.

Important

Converting an untagged VXC to a tagged VXC will cause a service disruption.

To convert an existing untagged VXC to a tagged VXC

  1. On the Services page, click the gear icon next to the connection in the Megaport Portal.
  2. Disable the Untag selection.
  3. Enter the Preferred A-End VLAN tag for the customer Megaport-facing VLAN.
  4. Enable the Configure single Azure peering VLAN option.
  5. Enter the Peering VLAN ID for the ExpressRoute Peering, from 2 to 4093. Megaport uses this to set a Peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid Azure ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing.
  6. Click Save.
  7. Click Next.
  8. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the Azure peering VLAN tag entered in the Megaport Portal.

Helpful references


Last update: