Skip to content

Governance Policies Azure Networking Expressroute

Jump to bottom
Joshua Davis edited this page Apr 5, 2026 · 2 revisions

Expressroute

Governance policies for Expressroute

Domain: azure-networking

Patterns

Name Description
ExpressRoute circuit with private peering and gateway Premium ExpressRoute circuit with private peering and zone-redundant gateway

Anti-Patterns

Description Instead
Do not use ExpressRoute without a redundant circuit or VPN failover Configure a secondary ExpressRoute circuit or S2S VPN as backup
Do not expose ExpressRoute service keys in source control Store service keys in Key Vault and reference via secure parameters

References

Checks (4)

Check Severity Description
AZ-ER-001 Required Deploy ExpressRoute circuit with Premium tier for cross-region connectivity or large route tables
AZ-ER-002 Required Deploy ExpressRoute Gateway with ErGw2AZ or higher SKU for zone redundancy
AZ-ER-003 Required Configure private peering with BFD enabled for fast failover
AZ-ER-004 Recommended Enable diagnostic settings for ExpressRoute circuit and gateway

AZ-ER-001

Deploy ExpressRoute circuit with Premium tier for cross-region connectivity or large route tables

Severity: Required
Rationale: Standard tier limits to 4000 routes and single geopolitical region; Premium required for global reach
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Network/expressRouteCircuits

Companion Resources

Resource Name Purpose
Microsoft.Network/virtualNetworkGateways ergw ExpressRoute gateway with ErGw2AZ or higher
Microsoft.Network/connections erc-connection ExpressRoute connection to gateway
Microsoft.Network/expressRouteCircuits/peerings private-peering Private peering configuration
Microsoft.Insights/diagnosticSettings diag-udr Route logs to Log Analytics

AZ-ER-002

Deploy ExpressRoute Gateway with ErGw2AZ or higher SKU for zone redundancy

Severity: Required
Rationale: AZ SKUs provide zone redundancy; ErGw1Az has limited throughput for production workloads
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Network/expressRouteCircuits

Companion Resources

Resource Name Purpose
Microsoft.Network/publicIPAddresses pip-gw Standard SKU static for ER gateway
Microsoft.Network/virtualNetworks/subnets GatewaySubnet GatewaySubnet with /27 or larger

AZ-ER-003

Configure private peering with BFD enabled for fast failover

Severity: Required
Rationale: BFD detects link failures in sub-second intervals vs BGP hold timer defaults of 180 seconds
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Network/expressRouteCircuits

Companion Resources

Resource Name Purpose
Microsoft.Network/expressRouteCircuits erc Parent circuit

AZ-ER-004

Enable diagnostic settings for ExpressRoute circuit and gateway

Severity: Recommended
Rationale: Monitor BGP route advertisements, circuit availability, and throughput metrics
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.Network/expressRouteCircuits

Companion Resources

Resource Name Purpose
Microsoft.OperationalInsights/workspaces log-analytics Log Analytics workspace

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally