Using NaaS Manager, you can add a Lumen® Ethernet On‑Demand connection between two Microsoft Azure Gov locations. To add the connection, you'll need ExpressRoute service keys from Microsoft (which you receive when you create an ExpressRoute circuit using the Azure portal). Be sure to have that information handy to type in (or copy/paste). Microsoft Azure Gov provides two EVCs to make the connection (which NaaS Manager will create when you build the connection). You'll only be billed for one; the other is for redundancy.
Azure Gov also requires Q‑in‑Q style tagging (known as double‑stacked tags or 802.1ad) at the NNI. This provides layer‑2 flexibility by allowing multiple VLAN tags to be inserted into a single frame. Inner VLAN tags (C‑Tags) that identify your traffic are inserted inside of the outer VLAN tags (S‑Tags) provided by the service provider. The S‑Tag becomes a single VLAN that carries multiple VLANs within it. A single VXC carries the bundled VLAN tags between the two network endpoints.
For Ethernet On‑Demand connections to Microsoft Azure Gov, your equipment must support 802.1ad (Q‑in‑Q). We recommend configuring your router for Q‑in‑Q before creating your Ethernet On‑Demand connection in NaaS Manager. Q‑in‑Q can be difficult to set up. Use the example below to set up Q‑in‑Q.
Here’s an example below with a Cisco router.
You’ll assign the outer tag in NaaS Manager and the inner tag in the Azure portal (peering VLAN).
‘Primary EVC VLAN – 100 - NaaS Manager
‘Secondary EVC VLAN – 200 - NaaS Manager
‘Private Peering – VLAN 300 - Azure portal
‘MSFT Peering – VLAN 400 - Azure portal
interface GigabitEthernet0/1.100300
encapsulation dot1Q 100 second-dot1q 300 ‘Azure Private primary peer
description "Cloud Connect"
ip address xxx.xxx.xxx.xxx 255.255.255.252
interface GigabitEthernet0/1.200300
encapsulation dot1Q 200 second-dot1q 300 ‘Azure Private secondary peer
description "Cloud Connect"
ip address xxx.xxx.xxx.xxx 255.255.255.252
interface GigabitEthernet0/1.100400
encapsulation dot1Q 100 second-dot1q 400 ‘MSFT primary peer
description "Cloud Connect"
ip address xxx.xxx.xxx.xxx 255.255.255.252
interface GigabitEthernet0/1.200400
encapsulation dot1Q 200 second-dot1q 400 ‘MSFT secondary peer
description "Cloud Connect"
ip address xxx.xxx.xxx.xxx 255.255.255.252
There are three steps to successfully create and use your Ethernet On‑Demand connection to Azure:
Note: You can only use a service key that isn't assigned to an active connection. The ExpressRoute service key is a unique service key and is different from the service key for your cloud service from Azure.
To create an ExpressRoute circuit in the Azure Gov portal:
To create the connection in NaaS Manager:
The NaaS Manager Overview lists connection options.
To finish provisioning the ExpressRoute circuit:
Explore NaaS solutions
Explore NaaS Manager