Pureport supports private connectivity to Microsoft Azure via the Microsoft Azure Partner program, both for Private Peering to a VNet and Microsoft Peering to connect privately to services normally accessed via the Internet.


In this article we explore connecting via Private Peering to an Azure Virtual WAN. 


To use Pureport to connect to Azure via ExpressRoute with Private Peering, perform the steps to set up an ExpressRoute circuit and then provision the Connection in your Pureport Network:

  1. Generate a Service Key in the Azure Portal
  2. Create a new Connection in the Pureport Console
  3. Confirm circuit is up/up on the Azure side
  4. Configure private peering for an ExpressRoute Circuit
  5. Link a Virtual WAN HUB to an ExpressRoute circuit.  


Prerequisites

Before you begin:

  • Ensure that you have access to the Azure portal.
  • Ensure that you have permissions to create new networking resources. Contact your account administrator if you do not have the right permissions.
  • A provisioned Virtual WAN using a Standard SKU. If you have not already created one, Microsoft provides documentation that walks through the steps to Create a Virtual WAN.
  • A provisioned Virtual WAN Hub with ExpressRoute enabled.


Creating your Azure ExpressRoute Circuit and Service Key

For complete information, refer to the Azure documentation site.

  1. Sign into the Azure Portal.

  2. To create a new ExpressRoute Circuit, select Create a resource > Networking > ExpressRoute. You can alternatively search for ExpressRoute in the search bar.
    Note: If ExpressRoute is not listed, use the Search field to find the ExpressRoute option.

  3. Complete the fields on the Create ExpressRoute Circuit page.
    Note: Azure requires that the Premium SKU be used on the ExpressRoute Circuit to support being added to the Virtual WAN Hub. Be sure to select this SKU when you create the circuit.
     
  4. Complete each field on the Create ExpressRoute Circuit page. Be aware of the following special fields and values:
    • Circuit Name: give the circuit a descriptive name
    • Provider: Select Equinix
      Note: Although Pureport is the Connectivity Provider, Equinix is the Ethernet Exchange Provider. For complete information, see "ExpressRoute connectivity providers" in the Azure documentation.
    • Peering location: The Azure peering location must match the Pureport location you will choose in the next step via the Pureport console. For a list of supported locations see Pureport Locations and Cloud Regions.
    • Bandwidth: The speed of the circuit. This must match the speed you will select in the next step via the Pureport console.
    • SKU: Premium is required for Virtual WAN Deployments.
    • Billing Model: for most purposes, Metered is a better choice than unlimited. See the ExpressRoute pricing page for more information.
    • Resource Group:  select the appropriate Azure resource group
    • Location: The Azure Region for this connection. In general, this should match the region where the target VNet is deployed. For a list of supported regions, see Pureport Locations and Cloud Regions.

  5. Click Create.


To review the properties of the new circuit:

  1. Select All Resources.
    Tip: Use the filters to easily find a specific resource.
  2. Select the circuit. The system displays its properties. Note: If the Azure portal displays an error message stating "Invalid ExpressRoute state", the circuit is still being provisioned and should be available shortly.


Note: Use the Copy icon to copy your Service Key number to your PC's clipboard. You will need it to complete the provisioning process in the Pureport Console.
 



Create an Azure ExpressRoute Connection in the Pureport Console

Use this procedure to create a new connection:

  1. Log in to the Pureport Console using an account with an appropriate Role. At a minimum you will need the Create and Update permissions for Networks. For more information on Roles, see the Accounts, Members and Roles article.

  2. In the left navigation bar, select Networks.


  3. Select the network to which you wish to add the Azure connection.
    To create a new network for this connection, see Creating a Network.

  4. Select Add Connection... in the upper right of the console or click the location on the network map.


  5. In the New Connection page, select Azure ExpressRoute from the connection Type dropdown.


  6. Select the Pureport location, Cloud region (the Azure Cloud Region you specified in the Location field when you created the ExpressRoute circuit above), Peering type and Speed for the connection you wish to provision.

    Note:  For connectivity to your Azure vWAN, choose a peering type of Private. 

  7. Enter your Azure Service Key (that you copied earlier from the Azure portal) and click Next.

  8. Configure the BGP settings for your new connection. Azure uses a default ASN of 12076, which cannot be changed. Leave the default settings and click Next.

    Note: You may modify advanced BGP settings at this step by clicking the associated "Advanced - <Setting>". These settings are optional and should not be modified unless required.


  9. Optionally, add any CIDR networks you may be connecting. Note, these are only used when setting up a NAT configuration in the next step. Click Next when finished.

     
  10. You may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.

  11. Enter a meaningful Name and Description, then click Add Connection.


Confirm circuit is Enabled on the Azure portal

To review the properties of the circuit that you're interested in, return to the Azure portal and check the Provider Status of the circuit.


Confirm that the Provider status is Provisioned.

Circuit and provider status




Configuring Azure Private Peering

Confirm that you have the following items from the Pureport Console Connection Information:

  • Peer ASN
  • Primary Subnet
  • Secondary Subnet
  • VLAN ID
  • Shared Key

All of these values are provided in the Pureport console in the Post-Configuration screen once the provisioning is requested. Expanding "Via the Azure Portal" presents the values in the same order as the corresponding configuration screen in the Azure portal. Additionally, clicking "Setup ExpressRoute 'Azure Private' Peering" will open a new window and direct you to your ExpressRoute connections in Azure.




Complete the following steps to configure Azure private peering for the circuit. 

Note: Refer to the Azure documentation site for additional information.

  1. In the Azure Portal, select the Azure Private peering row. 
  2. Select the "Enable Peering" check box and complete the fields in the Private peering window with the information provided from the Pureport Console, plus the VLAN ID field:
    • Peer ASN - copy and paste from the Pureport console
    • Primary Subnet - copy and paste from the Pureport console
    • Secondary Subnet - copy and paste from the Pureport console
    • VLAN ID  - copy and paste from the Pureport console
    • Shared key - copy and paste from the Pureport console
  3. After entering the information from the Pureport Console, save the configuration.
    The Azure portal will show your new configuration:


To update or delete a peering configuration, please see the Azure documentation site.
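
A pre-flight check for the five values copied from the Pureport Console into the Azure Private peering form, shown as an added example that is not part of the original article or of Pureport's tooling. The function names, the /30 prefix length expected for IPv4 peering subnets, and the sample values are assumptions of this example; 12076 is the Azure ASN stated earlier in this article.

```python
import ipaddress

AZURE_ASN = 12076            # Azure's side of the BGP session, per the article
VLAN_IDS = range(1, 4095)    # valid 802.1Q VLAN IDs: 1-4094


def _parse_subnet(label, cidr, problems):
    """Parse one peering subnet; record a problem and return None if unusable."""
    try:
        # strict=True rejects host bits, e.g. a pasted interface address
        net = ipaddress.IPv4Network(cidr.strip(), strict=True)
    except ValueError as exc:
        problems.append(f"{label}: not a valid IPv4 network ({exc})")
        return None
    if net.prefixlen != 30:  # assumption: IPv4 private peering uses /30 links
        problems.append(f"{label}: expected a /30, got /{net.prefixlen}")
    return net


def validate_private_peering(peer_asn, primary, secondary, vlan_id, shared_key):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    asn = int(peer_asn)
    if not 1 <= asn <= 4294967295:
        problems.append(f"Peer ASN: {asn} is outside the BGP ASN range")
    elif asn == AZURE_ASN:
        problems.append(f"Peer ASN: {asn} is Azure's own ASN, not the peer's")
    p = _parse_subnet("Primary Subnet", primary, problems)
    s = _parse_subnet("Secondary Subnet", secondary, problems)
    if p is not None and s is not None and p.overlaps(s):
        problems.append("Primary and Secondary Subnet overlap")
    if int(vlan_id) not in VLAN_IDS:
        problems.append(f"VLAN ID: {vlan_id} is outside 1-4094")
    # The shared key is a secret: report on its shape, never echo its value.
    if not shared_key or shared_key != shared_key.strip():
        problems.append("Shared Key: empty or has leading/trailing whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Pureport connection.
    for line in validate_private_peering(
        "65001", "192.168.100.0/30", "192.168.100.0/29", 4095, " example-key "
    ):
        print(line)
```
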


Attach the ExpressRoute circuit to the vWAN HUB

Next, we will need to attach the provisioned ExpressRoute circuit to the existing Virtual WAN Hub. If this is not already created, please reference the Microsoft documentation on how to Create a Virtual WAN.


  1. In the Azure portal, search for and browse to the Virtual WAN resources you have provisioned.
  2. Select the Virtual WAN you wish to link the ExpressRoute Circuit to.
  3. Select the Hub provisioned in the Virtual WAN that you wish to connect the ExpressRoute circuit to.
  4. Select ExpressRoute under the connectivity options of your HUB.
  5. You will be presented with a list of ExpressRoute circuits in your account. Select the desired ExpressRoute Circuit(s) and click the "Connect Circuits" option to connect them to your vWAN Hub.
  6. Select Confirm when prompted if you wish to proceed in connecting the circuit to the Hub.
  7. Once confirmed, Azure will connect your Circuit to the Hub. This can take several minutes to complete. Once completed, refreshing the ExpressRoute list on the Hub will show its connection status updated to "This hub".
  8. You have now successfully attached your ExpressRoute Circuit to your vWAN.


Attach VNET to Virtual WAN Hub

If you have already configured your VWAN and successfully attached your VNET to the VWAN, you can safely skip this section. If not, you will need to attach your VNET to your VWAN to enable end-to-end connectivity.


  1. In the Azure portal, search for and browse to the Virtual WAN resources you have provisioned.
  2. Select the Virtual Network Connections under the Connectivity section.
  3. A list of connections on your Virtual WAN will be shown. Select "Add Connection" to create a new connection to your VNET.
  4. Complete the Add Connection Wizard, choosing your VNET, Hub, and Routing information.
  5. Select Create. Azure will provision your connection, which can take several minutes to complete. Once complete, you will find your VNET information listed on your Virtual Network Connections.
  6. You have now successfully connected your VNET to your VWAN.  Connectivity will now be available over the ExpressRoute circuit and VWAN to your VNET.


Final step:

From here you will want to customize your VWAN configuration to meet the needs of your network.  As there are many options and configurations available, please reference https://docs.microsoft.com/en-us/azure/virtual-wan/ for guidance on these customizations.