How to Improve Your Microsoft ExpressRoute Resilience with Megaport Connectivity

By Paul McGuinness, Head of Solutions Europe

Improve ExpressRoute reliability with these deployment models and strategies for stronger cloud resilience, powered by Megaport.

Every year, businesses become even more reliant on their network for the success of their entire operations. For the 350,000+ companies using Microsoft Azure, building resilient, reliable network connectivity to this service is essential.

Microsoft’s private Azure ExpressRoute offers private, low-latency connections to Azure, and when paired with Megaport’s scalable, flexible infrastructure, it becomes even more robust. ExpressRoute has become one of the top global cloud interconnects used by Megaport customers, with Azure adoption accelerating faster than any other cloud provider in the Megaport ecosystem.

Let’s explore how to architect high-resilience ExpressRoute environments using Megaport.

Microsoft Azure connectivity options

Before exploring this topic further, it’s important to understand all the ways organizations can connect to Microsoft Azure. The connectivity method chosen will depend on your organization’s performance, security, and resilience needs.

The public internet offers the simplest and most cost-effective option, suitable for general workloads but with variable latency and reliability. For secure tunneling over the internet, site-to-site VPNs extend on-premises networks into Azure for branch or backup connectivity, while point-to-site VPNs provide individual users and small teams encrypted access.

For enterprises requiring predictable performance and stronger SLAs, ExpressRoute delivers private, dedicated connectivity via a network provider, making it ideal for mission-critical and compliance-driven workloads.

Azure Virtual WAN integrates VPN, SD-WAN, and ExpressRoute into a Microsoft-managed global networking service, ideal for large, distributed enterprises looking to deploy connectivity and optimize traffic routing worldwide.

Together, these options offer network teams a spectrum of connectivity paths, from flexible internet-based access to enterprise-grade, globally resilient private networking.

What is Microsoft ExpressRoute and why is it so widely used by enterprises?

Microsoft ExpressRoute is a dedicated, private connection between your on-premises infrastructure and Microsoft cloud services like Azure, Microsoft 365, and Dynamics 365.

Unlike typical internet-based connectivity, ExpressRoute typically runs over a partner’s network to deliver lower latency, higher reliability, and tighter security. Organizations use ExpressRoute to bypass the public internet, achieving more predictable performance and compliance for workloads including business-critical applications and large-scale data migrations.

ExpressRoute is available in two models: ExpressRoute (partner) and ExpressRoute Direct.

You can use ExpressRoute Direct to connect directly to the Microsoft global backbone through 100 Gbps or 10 Gbps peering sites worldwide. Setting up circuits with ExpressRoute Direct can be challenging and expensive, making the partner model more popular. But where ExpressRoute Direct excels is in delivering high-capacity connectivity designed for large-scale workloads.

Connecting to ExpressRoute through a partner like is so popular because it provides enterprises with a simpler, faster, and more flexible way to access private connectivity without having to build and manage their own physical infrastructure to Microsoft’s edge.

Partners already have established interconnections with Microsoft’s global network at multiple peering locations, which means organizations can provision ExpressRoute circuits quickly (often on-demand) and scale bandwidth as needed.

Enterprises connecting to ExpressRoute via a partner also enjoy benefits like:

• reduced upfront costs
• the simplicity of going through a single carrier
• the ability to easily integrate Azure connectivity into existing data centers, branch offices, or hybrid WANs
• improved agility alongside the same reliability and performance benefits of private cloud connectivity

ExpressRoute Gateways for zone resilience

While this blog explores ExpressRoute interconnect resilience levels, regions and availability zones are also vital to your application design.

To maximize resilience, Microsoft recommends deploying ExpressRoute Virtual Network Gateways as zone-redundant across availability zones within a region. These zones are physically separate, with independent power, cooling, and networking, protecting connectivity from zone-level failures.

Zone-redundant gateways improve your Azure network’s scalability, availability, and reliability for mission-critical workloads, ensuring that equipment failures or disasters in a single data center don’t disrupt your access to Azure services.

Understanding ExpressRoute resilience levels

When planning connectivity to Microsoft Azure, it’s important to understand the different levels of ExpressRoute resilience (referred to by Azure as “resiliency”) and how to select the right option for your workload requirements.

Standard resiliency

Standard resiliency is the most basic option and provides a single circuit with dual connections to Microsoft edge devices in the same location. This setup offers some redundancy through active-active routing, but it remains vulnerable to failures at the Microsoft peering site.

A common question I hear from customers is why it’s considered a single circuit when there are two physical links. The answer is that in ExpressRoute standard resiliency, you are provisioned with one logical circuit, and that circuit includes two physical connections (primary and secondary) to Microsoft Enterprise Edge (MSEE) routers in the same site. Microsoft treats these links as components of a single circuit rather than separate circuits.

Up until early 2024 this was the only available method for ExpressRoute deployment, so customers would use multiple circuits in different peering locations to prevent dependence on a single location. ExpressRoute Metro was introduced to solve this problem and give users more connectivity design options (more on this below).

With Megaport, standard resiliency can be achieved by deploying two Virtual Cross Connects (VXCs) to dual MSEEs from one or two Megaport Ports deployed in either the same Megaport enabled data center or in separate Megaport enabled data centers.

As per Microsoft’s guidance, the standard model does not protect against location-wide outages.

High resiliency (ExpressRoute Metro)

For organizations seeking stronger fault tolerance, high resiliency (ExpressRoute Metro) offers greater protection by establishing dual-homed links into two separate peering sites within the same metro area. This design safeguards against the loss of a single edge location so traffic can continue flowing even in the event of a localized outage.

With Megaport, this is typically delivered by connecting VXCs from one or more Ports into MSEEs across different data centers for flexibility and added assurance against site-level failures.

Microsoft is constantly deploying ExpressRoute Metro in more locations; you can view the current deployment list here. For your critical workloads, we highly recommend you consider high resiliency at a minimum.

Maximum resiliency

Enterprises after the highest possible availability should explore maximum resiliency, which is designed for mission-critical workloads where downtime is not an option. This model deploys four separate circuits across two peering sites, eliminating any single point of failure.

Megaport supports this approach by enabling enterprises to deploy four Ports with VXCs spread across MSEEs in dual metro locations. This architecture is ideal for businesses requiring ultra-high uptime, such as those in finance, healthcare, or global-scale digital services.

ExpressRoute SLAs

So, what does all of this mean in regards to SLAs for Microsoft ExpressRoute?

As you may have guessed, Microsoft ExpressRoute service levels and service credits available to you depend on the level of resiliency deployed.

Service credits for a multi-circuit or site architecture are only applicable if simultaneous outages on both circuits and/or sites lead to a complete loss of connectivity to the connected gateway.

To meet SLA requirements, customers must establish a BGP peer (Layer 3) on each MSEE router. Both peers are active, giving customers control over routing.

Customers often ask me if it’s possible to connect via a single provisioned peer, and the answer is yes; the single peer will be fully functional, however it will not be covered by the Azure ExpressRoute SLA.

The Microsoft SLA, on the other hand, extends from the Azure edge/peer location’s MSEE router across the Microsoft network. Customers can choose to terminate both connections/peers on a single device or split them across two devices. As long as both peers are established with each MSEE, the Microsoft SLA applies.

Here are the current service credits based on uptime percentage for each configuration:

At least two dedicated circuits in a 2+ site configuration to an ER gateway

Maximum

Dedicated circuit in a metro site configuration to an ER gateway

High

Dedicated circuit in a single site configuration to an ER gateway

Standard

Get started

Choosing the right ExpressRoute resiliency level is crucial for maintaining continuous operations and for meeting your specific business requirements.

Whether you opt for standard, high, or maximum resiliency, Megaport provides the flexible, on-demand connectivity needed to optimize your ExpressRoute environment. By leveraging Megaport’s global network, you can design a highly available, secure, and scalable connection to Microsoft Azure, ensuring your critical applications and data remain accessible even in the face of unforeseen disruptions.

To discuss your design, reach out to your Megaport Solutions Architect or book a free demo call. We’ll help you simplify the complex details around the different Microsoft ExpressRoute peerings, VLAN options, and more.