Tutorial: Peer on-premises environments to Azure VMware Solution

After you deploy your Azure VMware Solution private cloud, connect it to your on-premises environment. ExpressRoute Global Reach connects your on-premises environment to your Azure VMware Solution private cloud. The ExpressRoute Global Reach connection is established between the private cloud ExpressRoute circuit and an existing ExpressRoute connection to your on-premises environments.

Diagram illustrating ExpressRoute Global Reach connecting on-premises network to Azure VMware Solution private cloud.


You can connect through VPN, but that's out of scope for this quick start guide.

In this article, you'll:

  • Create an ExpressRoute auth key in the on-premises ExpressRoute circuit
  • Peer the private cloud with your on-premises ExpressRoute circuit
  • Verify on-premises network connectivity

Once you've completed this section, follow the next steps provided at the end of this tutorial.


Prerequisites

  • Review the documentation on how to enable connectivity in different Azure subscriptions.

  • A separate, functioning ExpressRoute circuit for connecting on-premises environments to Azure, which is circuit 1 for peering.

  • Ensure that all gateways, including the ExpressRoute provider's service, support 4-byte Autonomous System Number (ASN). Azure VMware Solution uses 4-byte public ASNs for advertising routes.


If you advertise a default route to Azure, ensure that a more specific route containing your on-premises networks is advertised in addition to the default route to enable management access to Azure VMware Solution. A single default route will be discarded by Azure VMware Solution's management network to ensure successful operation of the service.
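A pre-change check for the default-route caveat above, as an added example that is not part of the original tutorial: given the prefixes your edge advertises toward Azure and the on-premises networks that need management access, it lists the networks that no prefix other than the default route contains. The function names and the prefix lists are assumptions constructed for illustration; export the real prefixes from your own router.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.IPv4Network("0.0.0.0/0")

def check_advertisements(advertised, onprem_networks):
    """Return (default_advertised, uncovered).

    uncovered holds the on-premises networks that are not contained in any
    advertised prefix other than the default route.
    """
    # IPv4Network rejects malformed prefixes and prefixes with host bits set,
    # so a typo in the input fails loudly instead of passing the check.
    routes = [ipaddress.IPv4Network(p) for p in advertised]
    default_advertised = DEFAULT_ROUTE in routes
    specifics = [r for r in routes if r.prefixlen > 0]
    uncovered = []
    for text in onprem_networks:
        net = ipaddress.IPv4Network(text)
        if not any(net.subnet_of(r) for r in specifics):
            uncovered.append(str(net))
    return default_advertised, uncovered

def findings(advertised, onprem_networks):
    """Turn the check result into one human-readable line per problem network."""
    default_advertised, uncovered = check_advertisements(advertised, onprem_networks)
    lines = []
    for net in uncovered:
        if default_advertised:
            lines.append(f"{net}: covered only by the default route; "
                         "advertise a more specific prefix containing it")
        else:
            lines.append(f"{net}: not contained in any advertised prefix")
    return lines

if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    sample_advertised = ["0.0.0.0/0", "10.10.0.0/16"]
    sample_onprem = ["10.10.20.0/24", "192.168.50.0/24"]
    for line in findings(sample_advertised, sample_onprem):
        print(line)
```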

Create an ExpressRoute auth key in the on-premises ExpressRoute circuit

The circuit owner creates an authorization, which creates an authorization key to be used by a circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.


Each connection requires a separate authorization.

  1. From ExpressRoute circuits in the left navigation, under Settings, select Authorizations.

  2. Enter the name for the authorization key and select Save.

    Screenshot of selecting Authorizations and entering a name for the authorization key.

    Once created, the new key appears in the list of authorization keys for the circuit.

  3. Copy the authorization key and the ExpressRoute ID. You'll use them in the next step to complete the peering.

Peer private cloud to on-premises

Now that you've created an authorization key for the private cloud ExpressRoute circuit, you can peer it with your on-premises ExpressRoute circuit. The peering is done from the on-premises ExpressRoute circuit in the Azure portal. You'll use the resource ID (ExpressRoute circuit ID) and authorization key of your private cloud ExpressRoute circuit to finish the peering.

  1. From the private cloud, under Manage, select Connectivity > ExpressRoute Global Reach > Add.

    Screenshot of the ExpressRoute Global Reach tab in the Azure VMware Solution private cloud.

  2. Enter the ExpressRoute ID and the authorization key created in the previous section.

    Screenshot of the dialog for entering ExpressRoute ID and authorization key.

  3. Select Create. The new connection shows in the on-premises cloud connections list.


You can delete or disconnect a connection from the list by selecting More.

Screenshot showing how to disconnect or delete an on-premises connection in Azure VMware Solution interface.

Verify on-premises network connectivity

In your on-premises edge router, you should now see where the ExpressRoute connects the NSX-T Data Center network segments and the Azure VMware Solution management segments.


Everyone has a different environment, and some will need to allow these routes to propagate back into the on-premises network.

Next steps

Continue to the next tutorial to install VMware HCX add-on in your Azure VMware Solution private cloud.