Connecting to Microsoft Azure ExpressRoute

Megaport makes it easy to provision fast, secure, and private connections between your data center and Microsoft Azure and provides dedicated access to Azure private and Microsoft public resources from hundreds of locations worldwide.

Azure ExpressRoute connection overview

Megaport offers two types of connection to ExpressRoute: you can order virtual cross-connections to the Microsoft Cloud through Megaport or you can connect directly to the Microsoft Cloud through point-to-point Ethernet links (ExpressRoute Direct).

This topic describes connecting to Azure through a VXC. For more information about a direct connection, see Configuring a Microsoft Azure ExpressRoute Direct Connection.

When connecting to the Microsoft Cloud (Azure) through an ExpressRoute with Megaport, the VXC forms the Layer 2 component of the connection and Layer 3 BGP connectivity is established directly between the customer and Azure.

There are two elements involved with an ExpressRoute connection. The first is your ExpressRoute plan and is billed directly from Microsoft. (Make sure to select the correct region and currency for accurate pricing). The second is the VXC with Megaport to connect to your ExpressRoute location.

Each ExpressRoute subscription includes two Virtual Ports on the Microsoft Cloud side. Microsoft offers an SLA on its ExpressRoute connectivity, but to comply you must deploy ExpressRoute VXCs to each Microsoft virtual port for redundancy.

Megaport supports ExpressRoute access to both peering interfaces: Azure Private and Microsoft (Public) peering. Azure Private does not require approval and is available instantly, but Microsoft (Public) peering requires manual validation of public IP space by Microsoft, and some public endpoints (such as Office 365) require additional validation. Both of these peering interfaces are delivered through a single VXC using 802.1ad configuration. When provisioning an ExpressRoute circuit, you can connect multiple VNETs to a single circuit (up to 10 by default, but more are possible depending on your plan).

This image shows a typical ExpressRoute deployment.

ExpressRoute deployment

Note

The VXC connecting to Microsoft contains two “inner” VLANs. These are referred to as the C-Tagged VLANs and are configured in the Azure console. The “outer” VLAN tag is called the S-Tag and is the VLAN assigned to the VXC in the Megaport Portal.

Creating an ExpressRoute connection

To deploy an ExpressRoute connection, you need to choose your ExpressRoute plan and deploy the ExpressRoute circuit in the Azure Portal. When deployed, you get a service key. Copy the service key and log in to the Megaport Portal.

To create a connection to ExpressRoute

In the Megaport Portal, go to the Services page and select the Port you want to use.

If you haven’t already created a Port, see Creating a Port. 1. Add a VXC connection for the Port.
Click +Connection, click Cloud, and click Azure ExpressRoute.
Add the ExpressRoute service key into the field in the Microsoft Azure Service Key panel.

The Portal verifies the key and then displays the available port locations based on the Peering Location chosen when creating the ExpressRoute in the Azure Portal. For example, if your ExpressRoute service is deployed in Peering Location Sydney, you can only select the Sydney targets.
Select the connection point for your first connection.

Some helpful resource links appear on the configuration screen, including the Azure Resource Manager console and links to tutorial videos.
Specify the connection details:
- Connection Name – The name of your VXC to be shown in the Megaport Portal.
- Service Level Reference (optional) – Specify a unique identifying number for the VXC to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.
  
  Note
  
  Partner-managed accounts can apply a Partner Deal to a service. For more information, see Associating a Deal With a Service.
- Rate Limit – The speed of your connection in Mbps. It is autopopulated from the configuration in the Azure console.
- VXC State – Select Enabled or Shut Down to define the initial state of the connection. For more information, see Shutting Down a VXC for Failover Testing.
  
  Note
  
  If you select Shut Down, traffic will not flow through this service and it will behave as if it was down on the Megaport network. Billing for this service will remain active and you will still be charged for this connection.
- Preferred A-End VLAN – By default Q-in-Q is enabled. Specify an unused VLAN ID for this connection (for ExpressRoute this is the S-Tag for your data center). This must be a unique VLAN ID for this connection and can range from 2 to 4093. Enabling Q-in-Q has the benefit of deploying both Microsoft and private peering and both primary and secondary Azure ExpressRoute circuits but your routing and switching hardware must support Q-in-Q to be capable of terminating dual tags at the customer end.
  
  For clarity, your on-premises device is configured with the inner (C-Tag) and outer (S-Tag) tags. A corresponding outer tag is configured in the Megaport Portal as described above. The inner tag is provisioned in the Microsoft Azure Portal under the ExpressRoute peering VLAN ID.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default.
  Take note of the information on the screen to avoid early termination fees (ETF). See VXC Pricing and Contract Terms and VXC, Megaport Internet, and IX Billing for more information.
Click Next.
To deploy a second connection (and this is recommended), repeat these steps, reusing the service key. Adding a second connection ensures that you receive the Azure ExpressRoute SLA. Azure does not provide an SLA for a single connection.
Click Next and proceed through the ordering process.

Connecting to ExpressRoute on equipment that does not support Q-in-Q

Q-in-Q is a technology that not all organizations use. If your equipment does not support Q-in-Q, this section describes your options.

Configure single Azure peering VLAN

You can configure the VXC with a single tag VLAN solution. You configure peering in Azure with the Port VLAN (A-End) and the peer VLAN (B-End). Note that you can have only one peering type (private or Microsoft) per VXC with single Azure peering VLAN, so you need at least two VXCs to use both peering types.

Single Azure peering VLAN

Tip

We recommend using single Azure peering VLAN. This option provides full functionality and the simplest implementation. With single Azure peering VLAN, you can use both private and Microsoft peering with a single ExpressRoute circuit without the need for Q-in-Q capable equipment, an MCR, or an untagged port.

Note

You can reuse an Azure service key multiple times to provision the primary and secondary VXCs and both peerings.

For example, if your environment does not support Q-in-Q but you want to use both private and Microsoft peering, you can provision 4 VXCs with single Azure peering VLAN:

VXC 1 - The primary private peering with B-End VLAN 100.
VXC 2 - The secondary private peering with B-End VLAN 100.
VXC 3 - The primary Microsoft peering with B-End VLAN 200, reusing the primary option.
VXC 4 - The secondary Microsoft peering with B-End VLAN 200, reusing the secondary option.

Other options for connecting to ExpressRoute on equipment that does not support Q-in-Q

You can remove the Q-in-Q requirement by dedicating a Port to Microsoft Azure by untagging the connection (selecting Untag for the preferred A-End VLAN). Megaport will still correctly apply or strip the outer VLAN S-Tag depending on the traffic direction. This means you can only deploy a single VXC on this Port, so it does not scale well and you will not receive the Azure SLA. However, an untagged connection can be useful as a temporary solution.
Deploy a Megaport Cloud Router (MCR) to take care of Q-in-Q for you.

Note

For more information on Q-in-Q, see Configuring Q-in-Q.

Enabling the single Azure peering VLAN

By enabling Azure peering VLAN, you can specify a single Azure peering VLAN that will match with the value that you configure (in step 8) for the selected peering type configuration for the Azure ExpressRoute configuration (via the Microsoft Azure Portal).

To enable the single Azure peering VLAN

Follow steps 1 through 5 in the procedure To create a connection to ExpressRoute.
Under Azure peering VLAN, enable the Configure single Azure peering VLAN option.
Enter the peering VLAN tag for the ExpressRoute peering required, from 2 to 4093. Megaport uses this to set a peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing.
Click Next.
A summary page appears that includes the monthly cost.
Click Back to make changes or click Add VXC.
To deploy a second connection (and this is recommended), create a second VXC. Enter the same service key, select the other connection target, and enter the same Peering VLAN ID for the ExpressRoute peering configured in step 3.
Click Next and proceed through the ordering process.
Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport Portal.

This image shows where the VLAN C-Tag is configured in the Azure Portal.
Configure your on-premises equipment.

To change an existing single Azure peering VLAN

On the Services page, click the gear icon next to the connection in the Megaport Portal.
Change the single Azure peering VLAN ID.
Click Save.
Click Next.
Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport Portal.

To verify the single Azure peering VLAN

On the Services page, click the gear icon next to the connection in the Megaport Portal.
The Connection Details page shows the single Azure peering VLAN value.

Converting an untagged VXC to a tagged VXC

An existing Azure service on an untagged VXC can now be tagged, allowing you to instantly order additional services on the existing Port without adding any more physical Ports.

Important

Converting an untagged VXC to a tagged VXC will cause a service disruption.

To convert an existing untagged VXC to a tagged VXC

On the Services page, click the gear icon next to the connection in the Megaport Portal.
Disable the Untag selection.
Enter the Preferred A-End VLAN tag for the customer Megaport-facing VLAN.
Enable the Configure single Azure peering VLAN option.
Enter the Peering VLAN ID for the ExpressRoute Peering, from 2 to 4093.
Megaport uses this to set a Peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid Azure ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing.
Click Save.
Click Next.
Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport Portal.

Deleting an ExpressRoute connection

You might need to delete an ExpressRoute connection from time to time. ExpressRoute connections cannot be removed directly from the Megaport Portal if there is active BGP peering on the Azure side. Therefore, follow these steps to successfully delete an ExpressRoute connection.

To delete an ExpressRoute connection

Delete the peering on the ExpressRoute connection in the Azure Portal (Private or Microsoft).
Delete the VXC in the Megaport Portal.
For more information, see Terminating a VXC.
Delete the ExpressRoute connection in the Azure Portal.
This will release the network resources reserved between Megaport and Azure.

Helpful references

Last update: 2024-04-15