Governance Policies Azure Networking Expressroute - Azure/az-prototype GitHub Wiki
Governance policies for Expressroute
Domain: azure-networking
| Name | Description |
|---|---|
| ExpressRoute circuit with private peering and gateway | Premium ExpressRoute circuit with private peering and zone-redundant gateway |
| Description | Instead |
|---|---|
| Do not use ExpressRoute without a redundant circuit or VPN failover | Configure a secondary ExpressRoute circuit or S2S VPN as backup |
| Do not expose ExpressRoute service keys in source control | Store service keys in Key Vault and reference via secure parameters |
| Check | Severity | Description |
|---|---|---|
| AZ-ER-001 | Required | Deploy ExpressRoute circuit with Premium tier for cross-region connectivity or large route tables |
| AZ-ER-002 | Required | Deploy ExpressRoute Gateway with ErGw2AZ or higher SKU for zone redundancy |
| AZ-ER-003 | Required | Configure private peering with BFD enabled for fast failover |
| AZ-ER-004 | Recommended | Enable diagnostic settings for ExpressRoute circuit and gateway |
Deploy ExpressRoute circuit with Premium tier for cross-region connectivity or large route tables
Severity: Required
Rationale: Standard tier limits to 4000 routes and single geopolitical region; Premium required for global reach
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/expressRouteCircuits
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworkGateways | ergw | ExpressRoute gateway with ErGw2AZ or higher |
| Microsoft.Network/connections | erc-connection | ExpressRoute connection to gateway |
| Microsoft.Network/expressRouteCircuits/peerings | private-peering | Private peering configuration |
| Microsoft.Insights/diagnosticSettings | diag-udr | Route logs to Log Analytics |
Deploy ExpressRoute Gateway with ErGw2AZ or higher SKU for zone redundancy
Severity: Required
Rationale: AZ SKUs provide zone redundancy; ErGw1Az has limited throughput for production workloads
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/expressRouteCircuits
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-gw | Standard SKU static for ER gateway |
| Microsoft.Network/virtualNetworks/subnets | GatewaySubnet | GatewaySubnet with /27 or larger |
Configure private peering with BFD enabled for fast failover
Severity: Required
Rationale: BFD detects link failures in sub-second intervals vs BGP hold timer defaults of 180 seconds
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/expressRouteCircuits
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/expressRouteCircuits | erc | Parent circuit |
Enable diagnostic settings for ExpressRoute circuit and gateway
Severity: Recommended
Rationale: Monitor BGP route advertisements, circuit availability, and throughput metrics
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/expressRouteCircuits
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace |