Pureport supports private connectivity to Microsoft Azure via the Microsoft Azure Partner program, both for Private Peering to a vNet and Microsoft Peering to connect privately to services normally accessed via the Internet.

In this article we explore connecting via Private Peering to an Azure Virtual WAN. 

To use Pureport to connect to Azure via ExpressRoute with Private Peering, perform the steps to set up an ExpressRoute circuit and then provision the Connection in your Pureport Network:

  1. Generate a Service Key in the Azure Portal
  2. Create a new Connection in the Pureport Console
  3. Confirm circuit is up/up on the Azure side
  4. Configure private peering for an ExpressRoute Circuit
  5. Link a Virtual WAN HUB to an ExpressRoute circuit.  


Before you begin:

  • Ensure that you have access to the Azure portal.
  • Ensure that you have permissions to create new networking resources. Contact your account administrator if you do not have the right permissions.
  • Ensure that you have a provisioned Virtual WAN using a Standard SKU. If you have not created one yet, Microsoft provides documentation that walks through the steps to Create a Virtual WAN.
  • Ensure that you have a provisioned Virtual WAN Hub with ExpressRoute enabled.

Creating your Azure ExpressRoute Circuit and Service Key

For complete information, refer to the Azure documentation site.

  1. Sign into the Azure Portal.

  2. To create a new ExpressRoute Circuit, select Create a resource > Networking > ExpressRoute. You can alternatively search for ExpressRoute in the search bar.
    Note: If ExpressRoute is not listed, use the Search field to find the ExpressRoute option.

  3. Complete the fields on the Create ExpressRoute Circuit page.
    Note: Azure requires that the Premium SKU be used on the ExpressRoute Circuit before the circuit can be added to the Virtual WAN Hub. Be sure to select this SKU when you create the circuit.
  4. Complete each field on the Create ExpressRoute Circuit page. Be aware of the following special fields and values:
    • Circuit Name: Give the circuit a descriptive name.
    • Provider: Select Equinix
      Note: Although Pureport is the Connectivity Provider, Equinix is the Ethernet Exchange Provider. For complete information, see "ExpressRoute connectivity providers" in the Azure documentation.
    • Peering location: The Azure peering location must match the Pureport location you will choose in the next step via the Pureport console. For a list of supported locations see Pureport Locations and Cloud Regions.
    • Bandwidth: The speed of the circuit. This must match the speed you will select in the next step via the Pureport console.
    • SKU: Premium is required for Virtual WAN Deployments.
    • Billing Model: For most purposes, Metered is a better choice than Unlimited. See the ExpressRoute pricing page for more information.
    • Resource Group: Select the appropriate Azure resource group.
    • Location: The Azure Region for this connection. In general, this should match the region where the target vNet is deployed. For a list of supported regions, see Pureport Locations and Cloud Regions.

  5. Click Create.

To review the properties of the new circuit:

  1. Select All Resources.
    Tip: Use the filters to easily find a specific resource.
  2. Select the circuit. The system displays its properties. NOTE: If the Azure portal displays an error message stating "Invalid ExpressRoute state", the circuit is still being provisioned and should be available shortly.

Note: Use the Copy icon to copy your Service Key number to your PC's clipboard. You will need it to complete the provisioning process in the Pureport Console.

Create an Azure ExpressRoute Connection in the Pureport Console

Use this procedure to create a new connection:

  1. Log in to the Pureport Console using an account with an appropriate Role. At a minimum, you will need the Create and Update permissions for Networks. For more information on Roles, see the Accounts, Members and Roles article.

  2. In the left navigation bar, select Networks.

  3. Select the network to which you wish to add the Azure connection.
    To create a new network for this connection, see Creating a Network.

  4. Select Add Connection... in the upper right of the console or click the location on the network map.

  5. In the New Connection page, select Azure ExpressRoute as the connection Type, then click Next.
  6. Select which Azure Cloud Region you specified in the "Location" field when you created the ExpressRoute circuit above, and click Next.
  7. Select the Pureport location which matches the "Peering Location" you specified in the Azure portal above, and click Next.

  8. Select the Peering Type. For connectivity to an Azure vNet, select Private. For connectivity to various Azure public-facing services (Office Dynamics, Azure Storage, etc.), choose Microsoft Peering.
  9. Select the Speed of the connection. This must match the bandwidth you selected when creating the ExpressRoute Circuit.
    Microsoft Azure supports only redundant connections via ExpressRoute, so High Availability cannot be disabled for ExpressRoute connections.
  10. Enter your Azure Service Key (that you copied earlier from the Azure portal) and click Next.
  11. Optionally add any CIDR networks you may be connecting. Note that these are used only when subsequently connecting a policy-based VPN to your Pureport network and are completely optional. Click Next when finished.
  12. You may also enable and configure Cloud Grade NAT if desired, as detailed in the Cloud Grade NAT knowledge-base article. Then click Next.
  13. Enter a meaningful Name and Description, then click Add Connection.

Confirm circuit is Enabled on the Azure portal

To review the properties of the circuit that you're interested in, return to the Azure portal and check the Provider Status of the circuit.

Confirm that the Provider status is Provisioned.

Circuit and provider status
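
The matching rules from the steps above (Premium SKU, Equinix as provider, identical peering location and bandwidth on both sides, Provider status of Provisioned) can be checked before moving on to peering. The following is an added example, not code from Pureport or Microsoft. It assumes the circuit is available as JSON in the shape returned by `az network express-route show`; the Pureport record and its field names are hypothetical, and both samples are constructed.

```python
import json

# Constructed sample shaped like `az network express-route show` output.
SAMPLE_CIRCUIT = json.loads("""{
  "name": "example-circuit",
  "sku": {"tier": "Standard", "family": "MeteredData"},
  "serviceProviderProperties": {
    "serviceProviderName": "Equinix",
    "peeringLocation": "Washington DC",
    "bandwidthInMbps": 1000
  },
  "serviceProviderProvisioningState": "NotProvisioned"
}""")

# Hypothetical record of the values chosen in the Pureport Console.
SAMPLE_PUREPORT = {"location": "Washington DC", "speed_mbps": 500}


def preflight(circuit, pureport, connection_created=False):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    tier = circuit.get("sku", {}).get("tier")
    props = circuit.get("serviceProviderProperties", {})

    if tier != "Premium":
        problems.append(f"SKU tier is {tier!r}; Virtual WAN requires Premium")
    if props.get("serviceProviderName") != "Equinix":
        problems.append("Provider must be Equinix")
    azure_loc = str(props.get("peeringLocation", "")).strip().lower()
    if azure_loc != pureport["location"].strip().lower():
        problems.append("Peering location differs from the Pureport location")
    if props.get("bandwidthInMbps") != pureport["speed_mbps"]:
        problems.append("Bandwidth differs from the Pureport connection speed")
    # Provider status only changes after the Pureport connection exists.
    state = circuit.get("serviceProviderProvisioningState")
    if connection_created and state != "Provisioned":
        problems.append(f"Provider status is {state!r}, expected 'Provisioned'")
    return problems


if __name__ == "__main__":
    found = preflight(SAMPLE_CIRCUIT, SAMPLE_PUREPORT, connection_created=True)
    for problem in found:
        print("FAIL:", problem)
```

The report deliberately omits the circuit's service key, so it can be pasted into a ticket or chat without exposing that value.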

Configuring Azure Private Peering

Confirm that you have the following items from the Pureport Console Connection Information:

  • Peer ASN
  • Primary Subnet
  • Secondary Subnet
  • Shared Key

All of these values are provided in the Pureport console and are presented in the same order required for the corresponding configuration screen in the Azure portal:

Complete the following steps to configure Azure private peering for the circuit. 

Note: Refer to the Azure documentation site for additional information.

  1. In the Azure Portal, select the Azure Private peering row. 
  2. Complete the fields in the Private peering window with the information provided from the Pureport Console, plus the VLAN ID field:
    • Peer ASN - copy and paste from the Pureport console
    • Primary Subnet - copy and paste from the Pureport console
    • Secondary Subnet - copy and paste from the Pureport console
    • VLAN ID  - copy and paste from the Pureport console
    • Shared key - copy and paste from the Pureport console
  3. After entering the information from the Pureport Console, save the configuration.
    The Azure portal will show your new configuration:

To update or delete a peering configuration, please see the Azure documentation site.

Attach the ExpressRoute circuit to the vWAN HUB

Next, we will need to attach the provisioned ExpressRoute circuit to the existing Virtual WAN Hub. If this is not already created, please reference the Microsoft document on how to Create a Virtual WAN.

  1. In the Azure portal, search for and browse to the Virtual WAN resources you have provisioned.
  2. Select the Virtual WAN you wish to link the ExpressRoute Circuit to.
  3. Select the Hub provisioned in the Virtual WAN that you wish to connect the ExpressRoute circuit to.
  4. Select ExpressRoute under the connectivity options of your HUB.
  5. You will be presented with a list of ExpressRoute circuits in your account. Select the desired ExpressRoute Circuit(s) and click on the "Connect Circuits" option to connect them to your vWAN Hub.
  6. Select Confirm when prompted if you wish to proceed in connecting the circuit to the Hub.
  7. Once confirmed, Azure will connect your Circuit to the Hub. This can take several minutes to complete. Once completed, refreshing the ExpressRoute list on the Hub will show its connection status updated to "This hub".
  8. You have now successfully attached your ExpressRoute Circuit to your vWAN.

Attach vNET to Virtual WAN Hub

If you have already configured your vWAN and successfully attached your vNET to the vWAN, you can safely skip this section. If not, you will need to attach your vNET to your vWAN to enable end-to-end connectivity.

  1. In the Azure portal, search for and browse to the Virtual WAN resources you have provisioned.
  2. Select the Virtual Network Connections under the Connectivity section.
  3. A list of connections on your Virtual WAN will be shown. Select "Add Connection" to create a new connection to your vNET.
  4. Complete the Add Connection Wizard, choosing your vNET, Hub, and Routing information.
  5. Select Create. Azure will provision your connection, which can take several minutes to complete. Once complete, you will find your vNET information listed on your Virtual Network Connections.
  6. You have now successfully connected your vNET to your vWAN.  Connectivity will now be available over the ExpressRoute circuit and vWAN to your vNET.

Final step:

From here you will want to customize your vWAN configuration to meet the needs of your network.  As there are many options and configurations available, please reference https://docs.microsoft.com/en-us/azure/virtual-wan/ for guidance on these customizations.