@Evan,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Your observation is correct.
See: Why are certain ports opened on my ExpressRoute gateway
They're required for Azure infrastructure communication. Azure certificates help protect them by locking them down. Without proper certificates, external entities, including the customers of those gateways, can't cause any effect on those endpoints. A virtual network gateway is fundamentally a multihomed device. One network adapter taps into the customer private network, and one network adapter faces the public network. Azure infrastructure entities can't tap into customer private networks for compliance reasons, so they need to use public endpoints for infrastructure communication. An Azure security audit periodically scans the public endpoints.
I am afraid the usage of the port is internal and is mostly for management purposes only, and hence cannot be documented or shared in a public forum.
Also, it is quite possible that the ports open are dynamic and may change periodically.
As mentioned in the FAQ Section, without proper certificates, external entities, including the customers of those gateways, can't cause any effect on those endpoints.
Thanks,
Kapil
Please accept an answer if correct.
Original posters help the community find answers faster by identifying the correct answer.