Use of public IP pool allocated to an Organization in Microsoft Azure

Prashant Chaudhary 20 Reputation points
2024-04-09T17:38:15.52+00:00

Dear Experts,

Background: My organization has a public /24 IP pool allocated by RIPE. This subnet is currently utilized in our Data Center and advertised to our ISP, who then further advertises it to the rest of the world. Additionally, we have some applications hosted in the Azure environment, with ExpressRoute being used to connect Azure and our Data Center.

Query 1: Our plan is to divide the /24 subnet into two pieces of /25. The first /25 subnet will be used in the Data Center environment, while the second /25 subnet will be utilized in the Azure environment. Is it possible to leverage Azure WAN services to advertise the /24 subnet to the rest of the world, and stop advertising to our current ISP? All traffic intended for this /24 pool first arrives at Azure. Then, based on the IP, if it belongs to the first /25 subnet, it remains in Azure; if it belongs to the second /25 subnet, it is routed via ExpressRoute to the Data Center.

Query 2: If Azure advertises this /24 pool, which AS number will Azure attach to advertise to the rest of the world?

Looking forward to your expert advice in this regard.

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
  1. KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee
    2024-04-10T06:00:02.7766667+00:00

    @Prashant Chaudhary ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I take it that you would like to use the BYOIP feature of Azure. Please correct me if I am wrong.

    Per your verbatim, the first thing to note here is:

    • A custom IPv4 Prefix must be between /21 and /24
    • See: Limitations
    • So, I am afraid you cannot use a /25 range.

    To answer your questions,

    Query 1:

    Part 1:

    • Addresses from a custom IP address prefix can be used in the same way as Azure owned public IP address prefixes. Addresses from a custom IP address prefix can be associated to Azure resources.
    • ExpressRoute has nothing to do with this.
    • Let's say you use an IP from this custom prefix and associate it to an Azure service; this service will advertise its IP as the one owned by you.
    • Only this IP is advertised via Azure WAN and only traffic to this IP is processed by the respective Azure service.
    • For any other IP, it is directly advertised by your OnPrem and the OnPrem will directly receive traffic on that IP,
      i.e., Azure will not interact with the other IPs and hence, ExpressRoute will not at all come into the picture.
    • "if it belongs to the second /25 subnet, it is routed via ExpressRoute to the Data Center." - this statement is wrong.

    Part 2:

    Wrt ISP,

    • "will stop advertising to our current ISP"
    • You must work with your ISP to do this. This is recommended, as advertising this same range to the Internet from a location other than Microsoft at the same time could potentially create BGP routing instability or traffic loss.

    Query 2:

    Wrt ASN,

    • The ownership of the IP prefix is still with you.
    • Azure only advertises this IP Prefix.
    • A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry (RIR) website or via their API.
    • For this ROA: The Origin AS must be listed as 8075 for the Public Cloud. (If the range will be onboarded to the US Gov Cloud, the Origin AS must be listed as 8070.)
    • This is a requirement to be configured from your end: Requirements and prefix readiness

    See: Commission the custom IP address prefix

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
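
As an added example (not part of the answer above and not Azure tooling): a Python check of the two readiness conditions the accepted answer names, the /21 to /24 length limit and a ROA listing origin AS 8075, evaluated with RFC 6811 route origin validation semantics. The prefix 203.0.113.0/24, the ISP AS64500, the ROA lists and all function names are constructed or hypothetical.

```python
import ipaddress

AZURE_PUBLIC_ASN = 8075  # from the answer: Origin AS for the Public Cloud
AZURE_USGOV_ASN = 8070   # from the answer: Origin AS for the US Gov Cloud

def byoip_length_ok(prefix):
    """The answer's limit: a custom IPv4 prefix must be between /21 and /24."""
    return 21 <= ipaddress.ip_network(prefix).prefixlen <= 24

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation of one announcement (prefix, origin AS).
    roas is an iterable of (roa_prefix, max_length, asn) tuples."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced route
        covered = True
        if asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by some ROA but matched by none: validating routers drop it.
    return "invalid" if covered else "not-found"

def readiness(prefix, roas, cloud_asn=AZURE_PUBLIC_ASN):
    """Return the list of problems that would block onboarding the prefix."""
    problems = []
    if not byoip_length_ok(prefix):
        problems.append("prefix length outside /21../24")
    state = rov_state(prefix, cloud_asn, roas)
    if state != "valid":
        problems.append(f"ROA check for AS{cloud_asn}: {state}")
    return problems

# Constructed sample data: documentation prefix and documentation ASN.
ROAS_BEFORE = [("203.0.113.0/24", 24, 64500)]                 # ISP origin only
ROAS_AFTER = ROAS_BEFORE + [("203.0.113.0/24", 24, AZURE_PUBLIC_ASN)]

if __name__ == "__main__":
    for label, roas in (("before", ROAS_BEFORE), ("after", ROAS_AFTER)):
        print(label, "/24:", readiness("203.0.113.0/24", roas) or "ready")
    print("/25 half:", readiness("203.0.113.128/25", ROAS_AFTER))
```

With both ROAs in place the ISP origin and AS 8075 each validate, so origin validation alone does not prevent the simultaneous advertisement the answer warns about; withdrawing the ISP announcement still has to be coordinated.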