ExpressRoute and someone else's public IP

jwilk71 21 Reputation points
2020-12-02T15:30:18.243+00:00

This may be a silly question, but I'm fairly new to ExpressRoute. My question is regarding Microsoft Peering and public IP addresses, particularly this snippet from the FAQ:

If your ExpressRoute circuit is enabled for Azure Microsoft peering, you can access the public IP address ranges used in Azure over the circuit. Azure Microsoft peering will provide access to services currently hosted on Azure (with geo-restrictions depending on your circuit's SKU). To validate availability for a specific service, you can check the documentation for that service to see if there is a reserved range published for that service. Then, look up the IP ranges of the target service and compare with the ranges listed in the Azure IP Ranges and Service Tags – Public Cloud XML file. Alternatively, you can open a support ticket for the service in question for clarification.

I read this to mean that this situation would be true: If I have an ExpressRoute set up for my subscription, and if I want to access someone else's Azure service via its public IPs (e.g. a public web site behind a load balancer), I can do so without any of my traffic going through the public internet. Is this correct unless I have some geo-restriction that would prevent it? Is any Azure resource with a public IP address, no matter who owns it, directly accessible through my ExpressRoute?

Or maybe I'm completely misreading the FAQ, and it's only talking about public IPs for services provided by Microsoft (e.g. M365, SQL, etc.)?

Thanks!

Accepted answer
  1. SaiKishor-MSFT 17,181 Reputation points
    2020-12-03T22:34:23.51+00:00

    @jwilk71

    It is possible for anyone with Azure ExpressRoute connectivity and Microsoft peering to connect to Azure Public IP addresses for IaaS (Virtual Machines, Virtual Network Gateways, Load Balancers, etc.) directly over ExpressRoute, as given in the FAQ. The XML file may not have the jwilk.eastus website, but the site's public IP should be in the IP ranges given in that document. Therefore, whatever you are trying to achieve is possible using Microsoft peering and you do not have to use Public Peering. Please let me know if you have any more questions and we will be glad to answer. Thank you!

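The check that the FAQ quoted in the question and the accepted answer both describe (find the target's public IP, then confirm it falls inside a prefix published in the Azure IP Ranges and Service Tags download) is easy to get wrong by eye, so here is an added example of doing it programmatically. This is not code from the thread or from Microsoft. It assumes the shape of the Service Tags file, which is distributed as JSON today (the thread refers to the older XML download): a top-level "values" list whose entries carry "name" and "properties.addressPrefixes". The embedded document and its prefixes are constructed (RFC 5737 and RFC 3849 documentation ranges, not real Azure address space), the function names are the author's own, and the set of regions the circuit advertises is passed in by the caller as an assumption, since which regions actually reach you depends on your circuit SKU and route filter.

```python
import ipaddress
import json

# Constructed sample in the shape of the "Azure IP Ranges and Service Tags - Public Cloud"
# JSON download: a top-level "values" list, each entry with "name" and
# "properties.addressPrefixes". The prefixes are RFC 5737 / RFC 3849 documentation
# ranges, NOT real Azure address space, so nothing here can be mistaken for a real lookup.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
         "properties": {"region": "eastus", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "Sql.eastus", "id": "Sql.eastus",
         "properties": {"region": "eastus", "platform": "Azure", "systemService": "AzureSQL",
                        "addressPrefixes": ["203.0.113.64/27"]}},
        {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["198.51.100.0/25", "not-a-prefix"]}},
    ],
})


def load_prefixes(service_tags_json):
    """Return (tag name, region, network) tuples; a malformed prefix is skipped, not fatal."""
    doc = json.loads(service_tags_json)
    prefixes = []
    for tag in doc["values"]:
        props = tag["properties"]
        for raw in props.get("addressPrefixes", []):
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                continue  # one bad entry must not abort the whole lookup
            prefixes.append((tag["name"], props.get("region", ""), net))
    return prefixes


def matching_tags(ip, prefixes):
    """Names of every tag whose prefix covers ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(name, net) for name, _region, net in prefixes
            if addr.version == net.version and addr in net]
    hits.sort(key=lambda h: h[1].prefixlen, reverse=True)
    return [f"{name} {net}" for name, net in hits]


def reachable_over_microsoft_peering(ip, prefixes, advertised_regions):
    """Decide whether traffic to ip should take the circuit rather than the internet.

    Two conditions, mirroring the FAQ: (1) the address sits inside a published Azure
    prefix at all, and (2) that prefix belongs to a region whose routes the circuit
    advertises. Condition (2) is the SKU geo-restriction / route-filter question; the
    caller supplies the region set as an assumption, e.g. {"eastus"}.
    Returns (True/False, reason).
    """
    addr = ipaddress.ip_address(ip)
    covered = [(name, region, net) for name, region, net in prefixes
               if addr.version == net.version and addr in net]
    if not covered:
        return False, "not in any published Azure prefix; traffic takes the internet path"
    regions = {region for _name, region, _net in covered}
    allowed = regions & set(advertised_regions)
    if not allowed:
        return False, (f"published in {sorted(regions)} but circuit advertises only "
                       f"{sorted(advertised_regions)}")
    return True, f"covered by {matching_tags(ip, prefixes)[0]} in region {sorted(allowed)[0]}"


if __name__ == "__main__":
    table = load_prefixes(SAMPLE_SERVICE_TAGS)
    for candidate in ["203.0.113.70", "198.51.100.9", "192.0.2.1"]:
        print(candidate, matching_tags(candidate, table),
              reachable_over_microsoft_peering(candidate, table, {"eastus"}))
```

To use it against the real download, replace SAMPLE_SERVICE_TAGS with the contents of the current ServiceTags_Public file and feed in the address that the partner's DNS resolves for the target host (resolve it from the partner's side: a service behind Traffic Manager or Front Door can answer differently per resolver). The most specific match is reported first so that a service-specific tag such as Sql.eastus is visible alongside the regional AzureCloud tag that contains it.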


2 additional answers

  1. SaiKishor-MSFT 17,181 Reputation points
    2020-12-03T00:45:52.85+00:00

    @jwilk71 The Azure public peering path (which is deprecated) enables you to connect to all services hosted in Azure over their public IP addresses. These include services listed in the ExpressRoute FAQ and any services hosted by ISVs on Microsoft Azure. Connectivity to Microsoft Azure services on public peering is always initiated from your network into the Microsoft network. However, the Microsoft peering path lets you connect to Microsoft cloud services. The list of services includes Microsoft 365 services, such as Exchange Online, SharePoint Online, Skype for Business, and Microsoft Teams. Microsoft supports bi-directional connectivity on the Microsoft peering. As mentioned in the FAQ, to validate availability for a specific service, you can check the documentation for that service to see if there is a reserved range published for that service. Then, look up the IP ranges of the target service and compare with the ranges listed in the Azure IP Ranges and Service Tags – Public Cloud XML file.

    Please let me know if you have any further questions. Thank you!


  2. jwilk71 21 Reputation points
    2020-12-03T15:15:00.837+00:00

    @SaiKishor-MSFT Thanks for the reply. I might still be a little hazy, and let me try to give a better example of what I am pondering to see how it should work. Let's say:

    1. I have a web service with a static public IP at, say, jwilk.eastus.cloudapp.azure.com.
    2. I have multiple partners with their own Azure ExpressRoute connectivity.
    3. The partners would like to access jwilk.eastus without their traffic going out on the public internet.

    Based on your comments, are you indicating this scenario is no longer possible without using the deprecated public peering?

    jwilk.eastus obviously isn't listed in the Public Cloud XML file, but according to the FAQ Microsoft Peering also includes support for:

    • Azure Public IP addresses for IaaS (Virtual Machines, Virtual Network Gateways, Load Balancers, etc.)
    • Most of the other Azure services are also supported. Please check directly with the service that you want to use to verify support.

    What have I missed? And is there a better way to approach this?

    Thanks again!
    (I tried to post this as a comment to your answer, but it wouldn't take - even after I got it under 1000 characters)