Technical Lab: Configure Microsoft Peering
Questionsβ
Question 1 β Multiple Choiceβ
A company uses an ExpressRoute circuit to connect its on-premises network to Azure. The network team needs to ensure that traffic destined for Microsoft Teams and SharePoint Online travels exclusively through the circuit, without passing through the public internet. Private peering is already configured for VNet access.
Which statement correctly describes what must be configured to meet this requirement?
A) Private peering must be extended with a static route pointing to Microsoft 365 public prefixes.
B) A second dedicated ExpressRoute circuit must be created, as private peering and Microsoft peering cannot coexist on the same circuit.
C) Microsoft peering must be configured on the same circuit, with an associated Route Filter containing the BGP communities of the desired services.
D) Microsoft peering must be configured, and the Route Filter is optional when the circuit already has active private peering.
Question 2 β Technical Scenarioβ
An engineer configures Microsoft peering on a new ExpressRoute circuit using the following configuration block:
Peering Type : MicrosoftPeering
PeerASN : 64512
PrimaryPeerAddress : 198.51.100.0/30
SecondaryPeerAddress: 198.51.100.4/30
VlanId : 150
MicrosoftPeeringConfig:
AdvertisedPublicPrefixes: 10.10.0.0/24
CustomerASN : 64512
RoutingRegistryName : ARIN
After applying the configuration, the peering enters the ValidationNeeded state and doesn't progress. What is the most likely cause?
A) ASN 64512 belongs to the private range and cannot be used in Microsoft peering, which requires registered public ASNs.
B) The prefix 10.10.0.0/24 is a private RFC 1918 address and cannot be advertised as a public prefix in Microsoft peering.
C) VLAN ID 150 is below the minimum value required by Microsoft peering, which requires IDs starting from 200.
D) The RoutingRegistryName field is filled with an invalid value; only RIPE and APNIC are accepted by Microsoft.
Question 3 β True or Falseβ
When Microsoft peering is in the Provisioned state and a Route Filter is associated with the peering, routes for services included in the Route Filter rules are immediately advertised by Microsoft, without requiring any circuit or BGP session restart.
True or False?
Question 4 β Multiple Choiceβ
When configuring Microsoft peering, the engineer needs to define the IP addresses of the primary and secondary links between the customer router and the Microsoft Edge. The table below describes four proposed configurations:
| Option | PrimaryPeerAddress | SecondaryPeerAddress |
|---|---|---|
| A | 192.168.1.0/30 | 192.168.1.4/30 |
| B | 203.0.113.0/29 | 203.0.113.8/29 |
| C | 203.0.113.0/30 | 203.0.113.4/30 |
| D | 203.0.113.0/30 | 203.0.113.0/30 |
Which option correctly meets the Microsoft peering configuration requirements?
A) Option A
B) Option B
C) Option C
D) Option D
Question 5 β Technical Scenarioβ
An organization has Microsoft peering provisioned and functional, with a Route Filter configured to receive routes from Azure Storage (12076:5030 for the desired region) and Exchange Online (12076:5010). After a security review, the team decides that Azure Storage traffic should return to using the public internet, but Exchange Online should continue through ExpressRoute.
The engineer removes the 12076:5030 rule from the existing Route Filter. What will be the resulting behavior?
A) Azure Storage will become inaccessible until a static route is manually added to the on-premises router.
B) The Microsoft peering BGP session will automatically restart, causing temporary interruption for Exchange Online as well.
C) Azure Storage routes will no longer be advertised by the circuit; Azure Storage traffic will use the default available path, such as the public internet.
D) Removing a Route Filter rule requires the peering to be deprovisioned and recreated, making the operation unavailable during the process.
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: C
Microsoft peering is the correct mechanism for routing traffic from Microsoft public services, such as Microsoft 365 and PaaS services, through the ExpressRoute circuit. It can coexist with private peering on the same circuit, as each peering type is an independent BGP session with distinct VLAN ID.
The Route Filter is not optional in Microsoft peering: without it associated with the peering, Microsoft doesn't advertise any service routes, making option D incorrect. Option A is technically unfeasible because private peering only operates with RFC 1918 addresses and has no visibility of public prefixes. Option B represents a common misconception about the coexistence capability of peering types on the same circuit.
Answer Key β Question 2β
Answer: B
The ValidationNeeded state indicates that Microsoft couldn't validate the advertised prefix. The prefix 10.10.0.0/24 belongs to the private address space defined by RFC 1918 and therefore cannot be advertised as a public prefix in Microsoft peering. The AdvertisedPublicPrefixes field requires public IP address blocks that the customer owns and has registered in an IRR.
Option A is incorrect because private ASNs can be used in the PeerASN field in certain scenarios; the most critical restriction falls on the advertised prefixes. Option C is incorrect because there is no specific minimum VLAN ID range for Microsoft peering. Option D is incorrect because Microsoft accepts multiple IRRs, including ARIN, RIPE, APNIC, RADB, and others.
Answer Key β Question 3β
Answer: True
Associating a Route Filter to an already provisioned peering is a control plane operation that updates Microsoft's BGP advertisement policy without requiring circuit or BGP session restart. Routes corresponding to communities included in the Route Filter rules begin to be propagated in the next BGP update, which occurs automatically and transparently.
This behavior is relevant in practice because it allows adding or removing services routed through ExpressRoute non-disruptively, which is a significant operational advantage compared to other configuration changes that require reprovisioning.
Answer Key β Question 4β
Answer: C
Microsoft peering requires /30 subnets for the primary and secondary link addresses, and the two blocks must be distinct from each other and belong to public address space.
Option A uses RFC 1918 addresses, which is invalid for Microsoft peering. Option B uses /29 blocks, which contain more addresses than necessary for a point-to-point link and don't meet the expected format. Option D uses the same block for both primary and secondary links, which would cause addressing conflicts and prevent proper establishment of redundant BGP sessions. Only option C combines public addresses, /30 prefix, and distinct blocks for each link.
Answer Key β Question 5β
Answer: C
Removing a BGP community rule from the Route Filter instructs Microsoft to stop advertising routes for that service to the circuit. With the Azure Storage route absent from the BGP table received by the on-premises router, traffic destined for Azure Storage will follow the default available path, which in this case is the public internet. This is exactly the behavior desired by the team.
Option A is incorrect because the loss of BGP advertisement doesn't make the service inaccessible; traffic simply uses another path. Option B is incorrect because modifying rules in a Route Filter doesn't restart the BGP session; it's an incremental policy update. Option D is incorrect because Route Filters are mutable and can have rules added or removed without needing to recreate the peering.