Technical Lab: Configure Azure private peering

Questions

Question 1 — Multiple Choice

A network team is configuring Azure private peering on an ExpressRoute circuit. The circuit has already been provisioned by the provider, and the team needs to define the BGP routing parameters. When configuring the peering, which combination of information is mandatory?

A) An IPv4 /30 block, a private ASN for the customer side, and the VLAN ID assigned by the provider.

B) An IPv4 /29 block, Microsoft's public ASN, and a mandatory MD5 secret.

C) An IPv6 /126 prefix, a 32-bit ASN, and the circuit service key.

D) An IPv4 /30 block, the Azure-reserved ASN 65515, and the VLAN ID assigned by the provider.


Question 2 — Technical Scenario

An engineer configured Azure private peering on an ExpressRoute circuit and associated an ExpressRoute Virtual Network Gateway to the VNet. However, VMs inside the VNet cannot reach on-premises servers via ExpressRoute. The engineer confirms that the circuit is in Provisioned state and the peering appears as Enabled in the portal.

Which step, often forgotten after peering configuration, is likely missing?

A) Private peering requires Azure private DNS to be configured before any connectivity can be established.

B) The connection between the Virtual Network Gateway and the ExpressRoute circuit has not been created yet.

C) BGP needs to be manually enabled on the gateway subnet before routing will work.

D) Private peering requires the VNet to be in the same region as the ExpressRoute circuit for the connection to be accepted.


Question 3 — True or False

In Azure private peering, it is possible to reuse the same /30 address block on two distinct ExpressRoute circuits belonging to the same subscription, as long as the circuits are in different regions.


Question 4 — Technical Scenario

A company has two ExpressRoute circuits configured with Azure private peering, both connected to the same VNet through an ExpressRoute Gateway with FastPath functionality enabled. The team observes that traffic from a specific branch office always prefers one of the circuits, even when the other would have lower latency. No routing policies have been explicitly configured on the Azure side.

What is the most likely explanation for this behavior?

A) FastPath ignores BGP metrics and always routes through the circuit with the lowest contracted bandwidth.

B) The gateway selects the circuit based on the order of connection creation, always prioritizing the oldest one.

C) The on-premises router is advertising the branch prefix with a shorter AS path through one of the circuits, influencing selection on the Azure side.

D) Azure private peering uses round-robin between redundant circuits when no policy is configured, and the observed behavior is temporary.


Question 5 — Multiple Choice

When configuring Azure private peering, an administrator wants to use a private ASN for the on-premises peer side. Which of the statements below correctly describes an actual restriction applicable to ASN selection?

A) Azure reserves the range 64512 to 65514 exclusively for internal use; the customer must use ASNs outside this range.

B) Certain private ASNs are reserved by Microsoft and cannot be used by the customer side, including 65515.

C) Azure private peering mandatorily requires an IANA-registered public ASN to ensure routing uniqueness.

D) 32-bit ASNs are not supported in Azure private peering; only 16-bit ASNs are accepted.


Answer Key and Explanations

Answer Key — Question 1

Answer: A

Azure private peering requires three core elements in configuration: an IPv4 /30 block (which provides exactly two usable addresses, one for each side of the BGP session), an ASN for the customer peer (which can be public or private, but does not belong to Microsoft), and the VLAN ID that the provider assigned to the circuit to separate traffic at the link layer.

The main conceptual error represented by the distractors lies in confusion about prefix size and ASN ownership. The /29 is excessive for a point-to-point BGP session. Microsoft's public ASN (AS 8075) and ASN 65515, reserved internally to Azure, are never configured by the customer. The MD5 secret is optional, not mandatory. IPv6 and 32-bit ASNs are supported, but do not replace IPv4 requirements in the standard configuration context described.


Answer Key — Question 2

Answer: B

The ExpressRoute architecture separates two distinct planes: peering configuration (which defines BGP routing on the circuit) and the connection (which links the circuit to a specific Virtual Network Gateway). The peering being Enabled means only that BGP is configured on the circuit side; without the connection, the VNet gateway has no way to exchange routes with the circuit, and traffic never crosses.

The other distractors represent common conceptual errors: private DNS is not a prerequisite for layer 3 connectivity; BGP on the gateway is automatically managed by Azure; and private peering supports VNets in different regions from the circuit via Global Reach or ExpressRoute Premium, with location not being an absolute blocker.


Answer Key — Question 3

Answer: False

The /30 blocks used in Azure private peering must be unique across all circuits in the same subscription, regardless of region. Azure validates this uniqueness during configuration and rejects the creation of a peering that reuses an already-in-use prefix. This restriction exists because BGP session addresses are propagated internally and conflicts would cause routing ambiguity. The fact that circuits are in different regions does not isolate the address spaces for this purpose.


Answer Key — Question 4

Answer: C

Azure private peering uses BGP for route selection. When two circuits advertise the same prefix, the AS path length attribute is one of the tiebreaker criteria: shorter paths are preferred. If the on-premises router advertises the branch prefix through a circuit with fewer AS hops, Azure selects that circuit consistently, without any explicit configuration on the Azure side.

FastPath changes the data plane (it reduces latency by letting traffic to the VNet bypass the gateway), but does not interfere with BGP route selection. The order of connection creation is not a route selection criterion. Azure does not use round-robin between redundant circuits; it follows normal BGP attributes (AS path, LOCAL_PREF, MED).


Answer Key — Question 5

Answer: B

Microsoft reserves a specific set of private ASNs that cannot be used by the customer side in Azure private peering. ASN 65515 is the most relevant example from this set, as it is used internally by Azure for the BGP session with the gateway. Using an ASN reserved by Microsoft would cause a routing conflict, and the configuration would be rejected.

Option A is wrong because the range 64512 to 65514 is precisely the private ASN space available for customer use, not reserved to Azure. Option C is wrong because private ASNs are explicitly allowed. Option D is wrong because 32-bit ASNs (4-byte ASN) are supported in Azure private peering.
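
The rules from the answers to Questions 1, 3 and 5 can be checked before a peering request is submitted. The following pre-flight validator is an added example, not part of the original lab or any Azure tooling; the function name, the sample prefixes and the 802.1Q VLAN range of 1 to 4094 are assumptions made for illustration.

```python
import ipaddress

# ASNs the answer key says the customer side never configures: Azure's
# internal 65515 and Microsoft's public AS 8075. The lab states the reserved
# set "includes" 65515 without listing the rest, so only these are checked.
MICROSOFT_ASNS = {65515, 8075}


def validate_private_peering(prefix, peer_asn, vlan_id, prefixes_in_use=()):
    """Return a list of problems; an empty list means the request passes.

    Hypothetical helper. prefixes_in_use holds the peering blocks already
    assigned to other circuits in the same subscription, in any region.
    """
    try:
        # strict=True rejects a host address such as 192.168.15.17/30
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return [f"invalid prefix {prefix!r}: {exc}"]

    problems = []
    if net.version != 4 or net.prefixlen != 30:
        problems.append(f"{net} is not an IPv4 /30 block")

    # Answer 3: the block must be unique across circuits, regardless of region
    for used in prefixes_in_use:
        other = ipaddress.ip_network(used)
        if other.version == net.version and net.overlaps(other):
            problems.append(f"{net} overlaps peering block {other} already in use")

    # Answer 5: 16-bit and 32-bit ASNs are accepted, Microsoft's are not
    if not 1 <= peer_asn <= 0xFFFFFFFF:
        problems.append(f"ASN {peer_asn} is outside the 32-bit ASN range")
    elif peer_asn in MICROSOFT_ASNS:
        problems.append(f"ASN {peer_asn} belongs to Microsoft, not the customer side")

    # Assumption: the provider-assigned VLAN ID is a standard 802.1Q tag
    if not 1 <= vlan_id <= 4094:
        problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
    return problems


if __name__ == "__main__":
    # Constructed sample request: reserved ASN plus a reused /30
    for line in validate_private_peering(
        "192.168.15.16/30", 65515, 100, prefixes_in_use=["192.168.15.16/30"]
    ):
        print(line)
```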