Pureport supports private connectivity to Microsoft Azure via the Microsoft Azure Partner program, both for Private Peering to a vNet and Microsoft Peering to connect privately to services normally accessed via the Internet.

In this article we explore connecting via Private Peering to an Azure vNet. 

To use Pureport to connect to Azure via ExpressRoute with Private Peering, perform the steps to set up an ExpressRoute circuit and then provision the Connection in your Pureport Network:

  1. Generate a Service Key in the Azure Portal
  2. Create a new Connection in the Pureport Console
  3. Confirm circuit is up/up on the Azure side
  4. Configure private peering for an ExpressRoute Circuit
  5. Link a VNet to an ExpressRoute circuit


Before you begin:

  • Ensure that you have access to the Azure portal.
  • Ensure that you have permissions to create new networking resources. Contact your account administrator if you do not have the right permissions.
  • In order to use the ExpressRoute circuit you will need to have an Azure vNet and an Virtual Network Gateway provisioned in your Azure environment.

Creating your Azure ExpressRoute Circuit and Service Key

For complete information, refer to the Azure documentation site.

  1. Sign into the Azure Portal.

  2. To create a new ExpressRoute Circuit, select Create a resource > Networking > ExpressRoute. You can alternatively search for ExpressRoute in the search bar.
    Note: If ExpressRoute is not listed, use the Search field to find the ExpressRoute option.

  3. Complete the fields on the Create ExpressRoute Circuit page. 
  4. Complete each field on the Create ExpressRoute Circuit page. Be aware of the following special fields and values:
    • Circuit Name: give the circuit a descriptive name
    • Provider: Select Equinix
      Note: Although Pureport is the Connectivity Provider, Equinix is the Ethernet Exchange Provider. For complete information, see "ExpressRoute connectivity providers" in the Azure documentation.
    • Peering location: The Azure peering location must match the Pureport location you will choose in the next step via the Pureport console. For a list of supported locations see Pureport Locations and Cloud Regions.
    • Bandwidth: The speed of the circuit. This must match the speed you will select in the next step via the Pureport console.
    • SKU: Standard is adequate for most needs.
    • Billing Model: for most purposes, Metered is a better choice than unlimited. See the ExpressRoute pricing page for more information.
    • Resource Group:  select the appropriate Azure resource group
    • Location: The Azure Region for this connection. In general, this should match the region where the target vNet is deployed. For a list of supported regions, see Pureport Locations and Cloud Regions.

  5. Click Create.

To review the properties of the new circuit:

  1.  Select All Resources.
    Tip: Use the filters to easily find a specific resource.

  2. Select the circuit. The system displays its properties. NOTE: If the Azure portal displays an error message stating "Invalid ExpressRoute state" the circuit is still being provisioned and should be available shortly.

Note: Use the Copy icon to copy your Service Key number to your PC's clipboard. You will need to complete the provisioning process in the Pureport Console.

Create an Azure ExpressRoute Connection in the Pureport Console

Use this procedure to create a new connection:

  1. Login to the Pureport Console using an account with an appropriate Role. At a minimum you will need the Create and Update permissions for Networks. For more information on Roles, see the Accounts, Members and Roles article.

  2. In the left navigation bar, select Networks.

  3. Select the network you wish to add the connection to Azure.
    To create a new network for this connection, see Creating a Network.

  4. Select Add Connection... in the upper right of the console or click the location on the network map.

  5. In the New Connection page, select Azure ExpressRoute as the connection Type, then click Next.

  6. Select which Azure Cloud Region you specified in the "Location" field when you created the ExpressRoute circuit above, and click Next.

  7. Select the Pureport location which matches the "Peering Location" you specified in the Azure portal above, and click Next.

  8. Select Peering Type - for connectivity to an Azure vNet, select Private. For connectivity to various Azure public-facing services (Office Dynamics, Azure Storage, etc) choose Microsoft Peering.
  9. Select the Speed of the connection. This must match the bandwidth you selected when creating the ExpressRoute Circuit.
    Microsoft Azure supports only redundant connections via ExpressRoute, so High Availability cannot be disabled for ExpressRoute connections.
  10. Enter your Azure Service Key (that you copied earlier from the Azure portal) and click Next.
  11. Optionally add any CIDR networks you may be connecting. Note, these are only used when subsequently connecting a policy-based VPN to your Pureport network and are completely optional. Click Next when finished. 
  12. You may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.

  13. Enter a meaningful Name and Description, then click Add Connection.

Confirm circuit is Enabled on the Azure portal

To review the properties of the circuit that you're interested, return to the Azure portal and check the Provider Status of the circuit.

Confirm that the Provider status is Provisioned.

Circuit and provider status

Configuring Azure Private Peering

Confirm that you have the following items from the Pureport Console Connection Information:

  • Peer ASN
  • Primary Subnet
  • Secondary Subnet
  • Shared Key

All of these values are provided in the Pureport console and are presented in the same order required for the corresponding configuration screen in the Azure portal:

Complete the following steps to configure Azure private peering for the circuit. 

Note: Refer to the Azure documentation site for additional information.

  1. In the Azure Portal, select the Azure Private peering row. 
  2. Complete the fields in the Private peering window with the information provided from the Pureport Console, plus the VLAN ID field:
    • Peer ASN - copy and paste from the Pureport console
    • Primary Subnet - copy and paste from the Pureport console
    • Secondary Subnet - copy and paste from the Pureport console
    • VLAN ID  - copy and paste from the Pureport console
    • Shared key - copy and paste from the Pureport console
  3. After entering the information from the Pureport Console, save the configuration.
    The Azure portal will show your new configuration:

To update or delete a peering configuration, please see the Azure documentation site.

Final step:

From here you will move on to Link an Azure virtual network to an Expressroute circuit

For complete information, see:  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager.