Separate O365 IP addresses from regional Azure IP address ranges
I have an ExpressRoute with Public, Private and MS Peering. Currently Office 365 services are routed via the Public peering.
When I activate a BGP community via route filter for MS peering (in my case the community 12076:51009 for Azure Central US), any users accessing 365 services from the Azure Central US region lose all connectivity. This is because the O365 services (such as login.microsoftonline.com or portal.office.com) are served out of Azure datacentres and the ranges overlap.
Office 365 services must be authorised over MS peering, and the process is unnecessarily complicated and opaque. Until I manage to get this authorised I cannot use MS peering without significant risk of users losing connectivity.
The only way I can see to avoid this would be to authorise O365 services in a more expeditious manner (especially given that traffic is already flowing over ExpressRoute), or to remove the O365 IP addresses from the ranges advertised over the MS peering.
Office 365 utilizes the Microsoft global Azure datacenter presence to provide Office 365 related services to customers across the world. We are working to ensure long-term that the IP addresses are properly allocated to a given service and will align them to ensure that they do not overlap.
If there are any issues with the current setup where some traffic does traverse the ExpressRoute public peering path, please raise a support request and one of our engineers can review.
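The overlap described in the post can be checked before a route filter is changed. The following is an added example, not part of the original post or the reply: it compares the prefixes tied to a regional BGP community with the prefixes of the Office 365 endpoints and reports which endpoints fall inside the regional ranges. All prefixes (documentation ranges) and endpoint labels are constructed; in practice they would be replaced with the published lists.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for the real lists.
REGIONAL_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48"]
O365_PREFIXES = {
    "login endpoint (constructed)": ["198.51.100.64/27"],
    "portal endpoint (constructed)": ["203.0.113.0/24", "2001:db8:100:1::/64"],
    "mail endpoint (constructed)": ["192.0.2.0/24"],
}

def classify(service_prefix, regional):
    """Return (status, overlapping regional networks) for one service prefix.

    status is 'covered' when the service prefix sits entirely inside a
    regional prefix, 'partial' when only part of it does, else 'disjoint'.
    """
    svc = ipaddress.ip_network(service_prefix)
    # Compare only within the same address family (IPv4 vs IPv6).
    hits = [r for r in regional if r.version == svc.version and r.overlaps(svc)]
    if not hits:
        return "disjoint", []
    if any(svc.subnet_of(r) for r in hits):
        return "covered", hits
    return "partial", hits

def overlap_report(regional_prefixes, service_prefixes):
    """Map each service to its prefixes that overlap the regional ranges."""
    regional = [ipaddress.ip_network(p) for p in regional_prefixes]
    report = {}
    for name, prefixes in service_prefixes.items():
        for prefix in prefixes:
            status, hits = classify(prefix, regional)
            if status != "disjoint":
                report.setdefault(name, []).append(
                    (prefix, status, [str(h) for h in hits])
                )
    return report

if __name__ == "__main__":
    for name, rows in overlap_report(REGIONAL_PREFIXES, O365_PREFIXES).items():
        for prefix, status, hits in rows:
            print(f"{name}: {prefix} is {status} by {', '.join(hits)}")
```
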