Pureport supports private connectivity to Microsoft Azure via the Microsoft Azure Partner program, both for Private Peering to a VNet and Microsoft Peering to connect privately to services normally accessed via the Internet.


In this article we explore connecting via Private Peering to an Azure VNet. 


To use Pureport to connect to Azure via ExpressRoute with Private Peering, perform the steps to set up an ExpressRoute circuit and then provision the Connection in your Pureport Network:

  1. Generate a Service Key in the Azure Portal
  2. Create a new Connection in the Pureport Console
  3. Confirm circuit is up/up on the Azure side
  4. Configure private peering for an ExpressRoute Circuit
  5. Link a VNet to an ExpressRoute circuit


Prerequisites

Before you begin:

  • Ensure that you have access to the Azure portal.
  • Ensure that you have permissions to create new networking resources. Contact your account administrator if you do not have the right permissions.
  • In order to use the ExpressRoute circuit you will need to have an Azure VNet and an Virtual Network Gateway provisioned in your Azure environment.


Creating your Azure ExpressRoute Circuit and Service Key

For complete information, refer to the Azure documentation site.

  1. Sign into the Azure Portal.

  2. To create a new ExpressRoute Circuit, select Create a resource > Networking > ExpressRoute. You can alternatively search for ExpressRoute in the search bar.
    Note: If ExpressRoute is not listed, use the Search field to find the ExpressRoute option.

  3. Complete the fields on the Create ExpressRoute Circuit page. 
  4. Complete each field on the Create ExpressRoute Circuit page. Be aware of the following special fields and values:
    • Circuit Name: give the circuit a descriptive name
    • Provider: Select Equinix
      Note: Although Pureport is the Connectivity Provider, Equinix is the Ethernet Exchange Provider. For complete information, see "ExpressRoute connectivity providers" in the Azure documentation.
    • Peering location: The Azure peering location must match the Pureport location you will choose in the next step via the Pureport console. For a list of supported locations see Pureport Locations and Cloud Regions.
    • Bandwidth: The speed of the circuit. This must match the speed you will select in the next step via the Pureport console.
    • SKU: Standard is adequate for most needs.
    • Billing Model: for most purposes, Metered is a better choice than unlimited. See the ExpressRoute pricing page for more information.
    • Resource Group:  select the appropriate Azure resource group
    • Location: The Azure Region for this connection. In general, this should match the region where the target VNet is deployed. For a list of supported regions, see Pureport Locations and Cloud Regions.

  5. Click Create.


To review the properties of the new circuit:

  1.  Select All Resources.
    Tip: Use the filters to easily find a specific resource.

  2. Select the circuit. The system displays its properties. NOTE: If the Azure portal displays an error message stating "Invalid ExpressRoute state" the circuit is still being provisioned and should be available shortly.


Note: Use the Copy icon to copy your Service Key number to your PC's clipboard. You will need to complete the provisioning process in the Pureport Console.
 



Create an Azure ExpressRoute Connection in the Pureport Console

Use this procedure to create a new connection:

  1. Login to the Pureport Console using an account with an appropriate Role. At a minimum you will need the Create and Update permissions for Networks. For more information on Roles, see the Accounts, Members and Roles article.

  2. In the left navigation bar, select Networks.


  3. Select the network you wish to add the connection to Azure.
    To create a new network for this connection, see Creating a Network.

  4. Select Add Connection... in the upper right of the console or click the location on the network map.


  5. In the New Connection page, select Azure ExpressRoute from the connection Type dropdown.



  6. Select the Pureport location, Cloud region (Select which Azure Cloud Region you specified in the Location field when you created the ExpressRoute circuit above), Peering type and Speed you wish to provision the connection.

    Note:  For connectivity to your Azure VNET, choose a peering type of Private. 



  7. Enter your Azure Service Key (that you copied earlier from the Azure portal) and click Next.

  8. Configure your BGP settings for your new connection.  Azure uses a default ASN of 12076 and can not be changed.  Leave the default settings and click Next.

    Note:  You may optionally modify advanced BGP settings by clicking on the associated "Advanced - <Setting>" at this step.  This is optional and should not be modified unless required.




  9. Optionally, add any CIDR networks you may be connecting. Note, these are only used when setting up a NAT configuration in the next step. Click Next when finished.

     
  10. You may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.


  11. Enter a meaningful Name and Description, then click Add Connection.


Confirm circuit is Enabled on the Azure portal

To review the properties of the circuit that you're interested, return to the Azure portal and check the Provider Status of the circuit.


Confirm that the Provider status is Provisioned.

Circuit and provider status




Configuring Azure Private Peering

Confirm that you have the following items from the Pureport Console Connection Information:

  • Peer ASN
  • Primary Subnet
  • Secondary Subnet
  • VLAN ID
  • Shared Key

All of these values are provided in the Pureport console in the Post-Configuration screen once the provisioning is requested. The values are presented in the same order required for the corresponding configuration screen in the Azure portal by simply expanding the "Via the Azure Portal".  Additionally, clicking on the "Setup ExpressRoute 'Azure Private' Peering" will open a new window and direct you to your ExpressRoute connections in Azure.



Complete the following steps to configure Azure private peering for the circuit. 

Note: Refer to the Azure documentation site for additional information.

  1. In the Azure Portal, select the Azure Private peering row. 
  2. Click the check box to "Enable Peering" and Complete the fields in the Private peering window with the information provided from the Pureport Console, plus the VLAN ID field:
    • Peer ASN - copy and paste from the Pureport console
    • Primary Subnet - copy and paste from the Pureport console
    • Secondary Subnet - copy and paste from the Pureport console
    • VLAN ID  - copy and paste from the Pureport console
    • Shared key - copy and paste from the Pureport console
  3. After entering the information from the Pureport Console, save the configuration.
    The Azure portal will show your new configuration:


To update or delete a peering configuration, please see the Azure documentation site.


Final step:

From here you will move on to Link an Azure virtual network to an Expressroute circuit

For complete information, see:  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager.