Azure Proactive Resiliency Library v2

expressRouteGateways

Summary

| Recommendation | Impact | Category | Automation Available | In Azure Advisor |
|---|---|---|---|---|
| Connect ExpressRoute gateway with circuits from diverse peering locations | High | High Availability | No | No |
| Monitor health for ExpressRoute gateway | High | Monitoring and Alerting | No | No |
| Avoid using ExpressRoute circuits for VNet to VNet communication | Medium | High Availability | No | No |

Details


Connect ExpressRoute gateway with circuits from diverse peering locations

Impact:  High Category:  High Availability

APRL GUID:  9987c813-d687-4163-a511-95f31bc5e536

Description:

For improved reliability, each ExpressRoute gateway should connect to at least two circuits, with each circuit sourced from a different peering location. This setup ensures diverse connectivity paths, enhancing resilience and minimizing service disruption risks.

Potential Benefits:

Enhanced resilience through diverse connectivity paths

Learn More:

Designing for disaster recovery with ExpressRoute private peering

ARG Query:

// under-development
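
The following query is an added example, not the APRL project's own query. It counts, per gateway, the distinct peering locations of the circuits referenced in `properties.expressRouteConnections` and returns gateways with fewer than two. It assumes provider-based circuits (`properties.serviceProviderProperties.peeringLocation`) that are visible in the query scope; ExpressRoute Direct circuits and circuits in subscriptions outside the scope do not resolve to a location here, so gateways flagged only for that reason need manual review.

```kql
// Added example (not the APRL project's query)
// Find ExpressRoute gateways whose connected circuits span fewer than two peering locations

resources
| where type =~ "Microsoft.Network/expressRouteGateways"
| extend ergwId = tolower(tostring(id))
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/expressRouteGateways"
    | extend ergwId = tolower(tostring(id))
    | mv-expand conn = properties.expressRouteConnections
    // Assumption: each connection references ".../expressRouteCircuits/<circuit>/peerings/<peering>"
    | extend circuitId = tostring(split(tolower(tostring(conn.properties.expressRouteCircuitPeering.id)), "/peerings/")[0])
    | where isnotempty(circuitId)
    | join kind=leftouter (
        resources
        | where type =~ "Microsoft.Network/expressRouteCircuits"
        | project circuitId = tolower(tostring(id)), peeringLocation = tolower(tostring(properties.serviceProviderProperties.peeringLocation))
    ) on circuitId
    // Circuits that did not resolve to a location still count as circuits, but add no location
    | summarize circuitCount = dcount(circuitId), locationCount = dcountif(peeringLocation, isnotempty(peeringLocation)) by ergwId
) on ergwId
// Gateways with no connections have no row on the right side of the join
| extend circuitCount = coalesce(circuitCount, 0), locationCount = coalesce(locationCount, 0)
| where locationCount < 2
| project recommendationId = "9987c813-d687-4163-a511-95f31bc5e536", name, id, tags, param1=strcat("Connected circuits: ", circuitCount), param2=strcat("Distinct peering locations: ", locationCount)
```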


Monitor health for ExpressRoute gateway

Impact:  High Category:  Monitoring and Alerting

APRL GUID:  17e8d380-e4b4-41a1-9b37-2e4df9fd5125

Description:

Set up monitoring and alerts for the ExpressRoute gateway. Create alert rules to ensure a prompt response to critical events such as exceeding packets per second, exceeding BGP route prefixes, gateway overutilization, and a high frequency of route changes.

Potential Benefits:

Detection and mitigation to avoid disruptions.

Learn More:

Virtual WAN Monitoring Best Practices

ARG Query:

// Azure Resource Graph Query
// Find ExpressRoute gateways on a Virtual Hub that have no metric alert rule scoped to them

resources
| where type =~ "Microsoft.Network/expressRouteGateways"
| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
| join kind=leftouter (
    resources
    | where type =~ "microsoft.insights/metricalerts"
    | mv-expand scope = properties.scopes
    | where scope has "Microsoft.Network/expressRouteGateways"
    | extend scope = tolower(tostring(scope))
    | project scope
) on $left.ergwId == $right.scope
| where strlen(scope) == 0
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/virtualHubs"
    | where ['kind'] != 'RouteServer'
    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
) on $left.vhubId == $right.vhubId
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/virtualWans"
    | extend vwanId = tolower(tostring(id)), vwanName = name
) on $left.vwanId == $right.vwanId
| project recommendationId = "17e8d380-e4b4-41a1-9b37-2e4df9fd5125", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)



Avoid using ExpressRoute circuits for VNet to VNet communication

Impact:  Medium Category:  High Availability

APRL GUID:  560a76a7-8f64-4ce3-ad27-d174468861a1

Description:

Avoid using ExpressRoute circuits for VNet to VNet communication. Use Virtual WAN to connect VNets in different regions. This feature is enabled at the ExpressRoute circuit level but reflected in the Virtual WAN resource.

Potential Benefits:

Shortest path between VNets. Disables hairpinning at the MSEE.

Learn More:

Customization controls for connectivity between Virtual Networks over ExpressRoute

ARG Query:

// Azure Resource Graph Query
// Find ExpressRoute gateways that have allowNonVirtualWanTraffic enabled

resources
| where type =~ "Microsoft.Network/expressRouteGateways"
| where properties.allowNonVirtualWanTraffic == "true"
| extend ergwId = tolower(tostring(id)), ergwName = name, ergwTags = tags, ergwLocation = location, vhubId = tolower(tostring(properties.virtualHub.id))
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/virtualHubs"
    | where ['kind'] != 'RouteServer'
    | extend vhubId = tolower(tostring(id)), vhubName = name, vwanId = tolower(tostring(properties.virtualWan.id))
) on $left.vhubId == $right.vhubId
| join kind=leftouter (
    resources
    | where type =~ "Microsoft.Network/virtualWans"
    | extend vwanId = tolower(tostring(id)), vwanName = name
) on $left.vwanId == $right.vwanId
| project recommendationId = "560a76a7-8f64-4ce3-ad27-d174468861a1", name, id, tags, param1=strcat("vHub Name: ", vhubName), param2=strcat("vWAN Name: ", vwanName)