Skip to content

Connecting to Microsoft Azure ExpressRoute

Megaport ONE makes it easy to provision fast, secure, and private connections between your data center and Microsoft Azure and provides dedicated access to Azure private and Microsoft public resources from hundreds of locations worldwide.

Azure ExpressRoute connection overview

Megaport ONE offers two types of connection to ExpressRoute: you can order virtual cross-connections to the Microsoft Cloud through Megaport ONE or you can connect directly to the Microsoft Cloud through point-to-point Ethernet links (ExpressRoute Direct).

This topic describes connecting to Azure through a VXC. For details about a direct connection, see Configuring a Microsoft Azure ExpressRoute Direct Connection.

When connecting to the Microsoft Cloud (Azure) through an ExpressRoute with Megaport ONE, the VXC forms the Layer 2 component of the connection and Layer 3 BGP connectivity is established directly between the customer and Azure.

There are two elements involved with an ExpressRoute connection. The first is your ExpressRoute plan and is billed directly from Microsoft. (Make sure to select the correct region and currency for accurate pricing). The second is the VXC with Megaport ONE to connect to your ExpressRoute location.

Each ExpressRoute subscription includes two Virtual ports on the Microsoft Cloud side. Microsoft offers an SLA on its ExpressRoute connectivity, but to comply you must deploy ExpressRoute VXCs to each Microsoft virtual port for redundancy.

Megaport ONE supports ExpressRoute access to both peering interfaces: Azure Private and Microsoft (Public) peering. Azure Private does not require approval and is available instantly, but Microsoft (Public) peering requires manual validation of public IP space by Microsoft, and some public endpoints (such as Office 365) require additional validation. Both of these peering interfaces are delivered through a single VXC using 802.1ad configuration. When provisioning an ExpressRoute circuit, you can connect multiple VNETs to a single circuit (up to 10 by default, but more are possible depending on your plan).

This figure shows a typical ExpressRoute deployment.

ExpressRoute deployment

Note

The VXC connecting to Microsoft contains two “inner” VLANs. These are referred to as the C-Tagged VLANs and are configured in the Azure console. The “outer” VLAN tag is called the S-Tag and is the VLAN assigned to the VXC in the Megaport ONE Portal.

Creating an ExpressRoute connection

To deploy an ExpressRoute connection, you need to choose your ExpressRoute plan and deploy the ExpressRoute circuit in the Azure Portal. When deployed, you get a service key. Copy the service key and log in to the Megaport ONE Portal.

To create a connection to ExpressRoute

  1. In the Megaport ONE Portal, choose Networking > Services.
  2. Select the Port you want to use.
    If you haven’t already created a Port, see Creating a Port.
  3. Click Actions and select Add Connection.
    Add Connection
  4. Specify the General connection details:

    • Connection Type – Choose Cloud Virtual Cross Connect.
    • Cloud Provider – Choose Microsoft Azure.
      Azure peering VLAN
  5. Specify the Azure Configuration details:

    • Azure ExpressRoute Service Key – Add the ExpressRoute service key. The Portal verifies the key and then displays the available port locations based on the Peering Location chosen when creating the ExpressRoute in the Azure Portal. For example, if your ExpressRoute service is deployed in Peering Location Sydney, you can only select the Sydney targets. Note that you can reuse an Azure service key multiple times to provision the primary and secondary VXCs and both peerings.
    • Available Azure Ports – Choose the Azure connection point for your first connection.
      Azure configuration details
  6. Specify the Connection Details:

    • VXC Name – The name of your VXC to be shown in the Megaport ONE Portal.

    • Rate Limit – This is the speed of your connection in Mbps. It is autopopulated from the configuration in the Azure console.

    • A-End VLAN – By default Q-in-Q is enabled. Specify an unused VLAN ID for this connection (for ExpressRoute this is the S-Tag for your data center). This must be a unique VLAN ID for this connection and can range from 2 to 4093. Enabling Q-in-Q has the benefit of deploying both Microsoft and private peering and both primary and secondary Azure ExpressRoute circuits but your routing and switching hardware must support Q-in-Q to be capable of terminating dual tags at the customer end.

      For clarity, your on-premises device is configured with the inner (C-Tag) and outer (S-Tag) tags. A corresponding outer tag is configured in the Megaport ONE Portal as described above. The inner tag is provisioned in the Microsoft Azure Portal under the ExpressRoute peering VLAN ID.

    • Single Azure peering VLAN (optional) – Click Enabled to configure the VXC with a single tag VLAN solution. For information on the benefits of single Azure peering, see Configure single Azure peering VLAN. To learn how to configure single Azure peering, see Enabling the single Azure peering VLAN. Azure peering VLAN

  7. Specify billing information for the connection:

    • Service Level Reference (optional) – Specify a unique identifying number for the VXC to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.

      Note

      Partner managed accounts can apply a Partner Deal to a service. - Promo Code – If you have a promo code, enter it and click Add Code.

  8. Click Create Connection.

  9. Review the connection details and click Confirm.

  10. To deploy a second VXC (and this is recommended), repeat these steps reusing the service key. Adding a second connection ensures that you receive the Azure ExpressRoute SLA. Azure does not provide an SLA for a single connection.

Connecting to ExpressRoute on equipment that does not support Q-in-Q

Q-in-Q is a technology that not all organizations use. If your equipment does not support Q-in-Q, this section describes your options.

Configure single Azure peering VLAN

You can configure the VXC with a single tag VLAN solution. You configure peering in Azure with the Port VLAN (A-End) and the peer VLAN (B-End). Note that you can have only one peering type (private or Microsoft) per VXC with single Azure peering VLAN, so you need at least two VXCs to use both peering types.

Single Azure peering VLAN

Tip

We recommend using single Azure peering VLAN. This option provides full functionality and the simplest implementation. With single Azure peering VLAN, you can use both private and Microsoft peering with a single ExpressRoute circuit without the need for Q-in-Q capable equipment, an MCR, or an untagged port.

Note

You can reuse an Azure service key multiple times to provision the primary and secondary VXCs and both peerings.

For example, if your environment does not support Q-in-Q but you want to use both private and Microsoft peering, you can provision 4 VXCs with single Azure peering VLAN:

  • VXC 1 - The primary private peering with B-End VLAN 100.
  • VXC 2 - The secondary private peering with B-End VLAN 100.
  • VXC 3 - The primary Microsoft peering with B-End VLAN 200, reusing the primary option.
  • VXC 4 - The secondary Microsoft peering with B-End VLAN 200, reusing the secondary option.

Other options for connecting to ExpressRoute on equipment that does not support Q-in-Q

  • You can remove the Q-in-Q requirement by dedicating a Port to Microsoft Azure by untagging the connection (click Untag for the preferred A-End VLAN). Megaport ONE will still correctly apply or strip the outer VLAN S-Tag depending on the traffic direction. This means you can only deploy a single VXC on this Port, so it does not scale well and you will not receive the Azure SLA. However, an untagged connection can be useful as a temporary solution.

    Untagging a VLAN

  • Deploy a Megaport Cloud Router (MCR) to take care of Q-in-Q for you.

Note

For details on Q-in-Q, see Configuring Q-in-Q.

Enabling the single Azure peering VLAN

By enabling Azure peering VLAN, you can specify a single Azure peering VLAN that will match with the value that you configure (in step 8) for the selected peering type configuration for the Azure ExpressRoute configuration (via the Microsoft Azure Portal).

To enable the single Azure peering VLAN

  1. Follow steps 1 through 6 in the procedure To create a connection to ExpressRoute.

  2. Specify the Azure Configuration details:

    • Azure ExpressRoute Service Key – Add the ExpressRoute service key. The Portal verifies the key and then displays the available port locations based on the Peering Location chosen when creating the ExpressRoute in the Azure Portal. For example, if your ExpressRoute service is deployed in Peering Location Sydney, you can only select the Sydney targets. Note that you can reuse an Azure service key multiple times to provision the primary and secondary VXCs and both peerings.
    • Azure Location / B-End – Select the connection point for your first connection.
    • Single Azure peering VLAN – Click Enabled, then enter the peering VLAN tag for the ExpressRoute peering required, from 2 to 4093. Megaport ONE uses this to set a peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing. Azure peering VLAN
  3. Specify the connection and billing details as described in step 8 in the procedure To create a connection to ExpressRoute.

  4. To deploy a second connection (and this is recommended), create a second VXC. Enter the same service key, select the other connection target, and enter the same Peering VLAN ID for the ExpressRoute peering configured in step 2.

  5. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport ONE Portal.

    This figure shows where the VLAN C-Tag is configured in the Azure Portal.
    Azure peering VLAN

  6. Configure your on-premises equipment.

To change an existing single Azure peering VLAN

  1. In the Megaport ONE Portal, choose Networking > Services.
  2. Click the Gear icon Gear icon next to the connection and select Edit.
  3. Select the VXC Configuration tab.
  4. Under Azure ExpressRoute Configuration, click Edit.
  5. Click the Gear icon Gear icon next to the peer to edit, and select Edit Peer.
  6. Under VLAN, change the single Azure peering VLAN ID.
    Azure peering VLAN
  7. Click Confirm.
  8. Click Save.
  9. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport ONE Portal.

To verify the single Azure peering VLAN

  1. In the Megaport ONE Portal, choose Networking > Services.
  2. Click the Gear icon Gear icon next to the connection and select Edit.
  3. Select the VXC Configuration tab.
    The Configuration tab shows the single Azure peering VLAN value.

Converting an untagged VXC to a tagged VXC

An existing Azure service on an untagged VXC can now be tagged, allowing you to instantly order additional services on the existing Port without adding any more physical Ports.

Important

Converting an untagged VXC to a tagged VXC will cause a service disruption.

To convert an existing untagged VXC to a tagged VXC

  1. In the Megaport ONE Portal, choose Networking > Services.
  2. Click the Gear icon Gear icon next to the Azure connection and select Edit.
  3. In the VXC Configuration tab, click Edit in the first section.
  4. Click Untag VLAN to enable tagging.
  5. Enter the A-End VLAN tag for the customer Megaport ONE-facing VLAN.
  6. Enable the Configure single Azure peering VLAN option.
  7. Enter the Peering VLAN ID for the ExpressRoute Peering, from 2 to 4093.
    Megaport ONE uses this to set a Peering VLAN tag that maps directly back to the ExpressRoute peering VLAN ID on the B-End. The tag must be a valid Azure ExpressRoute VLAN ID, and it must match the VLAN ID of the Azure B-End of the VXC to configure the correct pairing.
  8. Click Save.
  9. Click Next.
  10. Configure the peer in the Azure Portal, matching the C-Tag VLAN ID to the single Azure peering VLAN tag entered in the Megaport ONE Portal.

Helpful references


Last update: 2023-01-21