Public IP validation for Microsoft Peering on an ExpressRoute circuit

For Microsoft Peering over an ExpressRoute circuit, you must use public IP addresses that you own to set up the BGP sessions with the Microsoft Enterprise Edge routers. As per Microsoft, “it must be able to verify the ownership of the IP addresses through Routing Internet Registries and Internet Routing Registries.” The Microsoft Peering creation docs give you the option to specify the routing registry name (e.g. ARIN, RIPE) so that Microsoft may validate your ownership of the advertised public prefixes (IP address ranges) and ASN. As per the Microsoft documentation, “If you are getting the public prefixes from another entity and if the assignment is not recorded with the routing registry, the automatic validation will not complete and will require manual validation”. If the automatic validation fails, you will see the message ‘Validation needed’.

I verified my Organization’s ownership of public prefixes and ASN in ARIN and confirmed that all was OK. I also checked other Internet Routing Registries such as RADb and observed that my Organization’s public prefix was attributed to some Chinese entity. However, I didn’t care about it as I was explicitly specifying “ARIN” as the Routing registry name in my peering creation command. However, lo and behold, execution of the peering creation command resulted in the status of “Validation needed”, indicating that automatic validation had failed. I was miffed as I had to raise a Support ticket with Microsoft to determine why automatic validation had failed when I had confirmed the required data in ARIN.

As per Microsoft Support, their validation of customers’ public prefixes and ASNs is performed across multiple Internet Routing registries and if there is any discrepancy, they would rather err on the side of caution and perform a manual validation with the customer via a Support ticket. Unsurprisingly then, the RADb entry (which is still wrong!) caused the automatic validation to fail.

Well, that’s fair enough (due diligence) on Microsoft’s part, but then it is misleading to offer us the option of specifying the routing registry when creating the Microsoft peering connection and referencing that routing registry for validation in their documentation. Since I specified “ARIN”, I expected a validation against only ARIN. Microsoft Support acknowledged (Support request ID 120012921001175) that they could provide more clarity about this peering creation process and would provide feedback to their documentation team. This isn’t a huge issue, but more clarity will provide a better end-user experience.
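Since validation looks across several registries, it helps to check every route object that covers your prefix before creating the peering. The following is an added example, not part of the original post and not Microsoft's validation logic: it parses RPSL route objects as IRR whois servers return them and lists any registry whose origin ASN differs from yours. The function names, the prefix and the ASNs are hypothetical, and the sample registry output is constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: RPSL route objects in the form IRR whois servers return.
# Prefixes, ASNs and descriptions are documentation values, not real data.
SAMPLE_IRR_OUTPUT = """\
route:      203.0.113.0/24
origin:     AS64500
source:     ARIN

route:      203.0.113.0/24
descr:      Stale entry registered by another party (constructed)
origin:     AS64501
source:     RADB

route:      198.51.100.0/24
origin:     AS64502
source:     RADB
"""

def parse_rpsl(text):
    """Split whois output into objects (blank-line separated) of key -> value."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue  # skip server comments and malformed lines
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), value.strip())
        if "route" in obj or "route6" in obj:
            objects.append(obj)
    return objects

def find_discrepancies(text, prefix, expected_asn):
    """Return (source, route, origin) for overlapping routes with a foreign origin."""
    mine = ipaddress.ip_network(prefix)
    bad = []
    for obj in parse_rpsl(text):
        net = ipaddress.ip_network(obj.get("route") or obj["route6"], strict=False)
        if net.version != mine.version or not net.overlaps(mine):
            continue  # unrelated prefix
        origin = obj.get("origin", "").upper()
        if origin != expected_asn.upper():
            bad.append((obj.get("source", "?").upper(), str(net), origin))
    return bad

if __name__ == "__main__":
    for source, route, origin in find_discrepancies(SAMPLE_IRR_OUTPUT, "203.0.113.0/24", "AS64500"):
        print(f"{source}: {route} is registered to {origin}")
```

Any row this returns is a registry entry to have corrected, or to mention up front in the Support ticket.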
