create resiliency insights and validation

Author: duongau

articles/expressroute/TOC.yml

@@ -221,6 +221,10 @@
         href: use-s2s-vpn-as-backup-for-expressroute-privatepeering.md
   - name: Evaluate ExpressRoute circuit resiliency
     href: evaluate-circuit-resiliency.md
+  - name: Resiliency Insights
+    href: resiliency-insights.md
+  - name: Resiliency Validation
+    href: resiliency-validation.md
 - name: Security
   items:
   - name: Security baseline

articles/expressroute/media/resiliency-insights/resiliency-insights.png

@@ -0,0 +1,95 @@
+---
+title: Resiliency Insight for ExpressRoute virtual network gateway (preview)
+description: Learn about the resiliency features of ExpressRoute gateway and how they can help you maintain connectivity to your on-premises network.
+services: expressroute
+author: duongau
+ms.service: azure-expressroute
+ms.topic: conceptual
+ms.date: 03/24/2025
+ms.author: duau
+ms.custom: ai-usage
+---
+
+# Resiliency Insight for ExpressRoute virtual network gateway (preview)
+
+ExpressRoute enables private connections between your on-premises networks and Azure workloads. These connections are established through a virtual network gateway, which acts as the entry point to Microsoft's network. The virtual network gateway plays a critical role in the ExpressRoute architecture by providing routing and forwarding capabilities that ensure secure and reliable connectivity between your on-premises network and Azure. 
+
+In this article, we explore the resiliency insight feature of the ExpressRoute virtual network gateway and explain how the resiliency index score can help you evaluate the reliability of your ExpressRoute connectivity.
+
+:::image type="content" source="media/resiliency-insights/resiliency-insights.png" alt-text="Screenshot of the Resiliency Insights feature, accessible under the monitoring section in the left-hand menu of the ExpressRoute gateway resource.":::
+
+> [!IMPORTANT]
+> **Azure ExpressRoute Resiliency Insight** is currently in PREVIEW.  
+> Refer to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for the legal terms applicable to Azure features in beta, preview, or other prerelease stages.
+
+## Resiliency index
+
+The resiliency index score is a metric designed to assess the reliability of your ExpressRoute connection. It's calculated based on four key factors that contribute to the resiliency of your ExpressRoute virtual network gateway: route resiliency, resiliency validation tests, gateway zone redundancy, and advisory recommendations. Each factor is evaluated to produce an overall resiliency index score, which ranges from 0 to 100. A higher score reflects a more resilient ExpressRoute connection, while a lower score highlights potential areas for improvement that could affect the reliability of your connection.
+
+| Scoring Criteria | Weight |
+|-------------------|--------|
+| [Route resiliency](#route) (Advertising routes through multi-site ExpressRoute circuits) | 20% |
+| [Zone redundant virtual network gateway](#redundancy) | 10% |
+| [Resiliency recommendation](#recommendation) | 10% |
+| [Resiliency validation readiness test score](#readiness) | Route score multiplier |
+
+## Route set
+
+A route set represents a group of routes advertised from your on-premises network to the ExpressRoute virtual network gateway. These routes are shared across one or more connections within a common set of ExpressRoute circuits. By analyzing the route sets associated with your gateway, you can evaluate the resiliency of your ExpressRoute connections and identify potential areas for improvement.
+
+The Resiliency Insights topology provides a detailed view of your route sets, helping you determine if they're site-resilient. It also highlights issues such as Private peering BGP (Border Gateway Protocol) session failures at any peering location or uneven route advertisement across ExpressRoute connections. By expanding the route sets, you can trace how routes propagate through each circuit and connection at the peering location.
+
+## Understanding the resiliency index scores
+
+### <a name="route"></a> Route resiliency score
+
+Route resiliency is a key factor in assessing the reliability of your ExpressRoute connection. Advertising routes through multiple ExpressRoute circuits at different peering locations creates redundant paths for your traffic. This redundancy minimizes the effect of circuit failures or maintenance events at a single site, ensuring uninterrupted access to your Azure resources.
+
+- Advertising routes through two distinct peering locations: **20%**.
+- Advertising routes through ExpressRoute Metro: **10%**.
+- Advertising routes through a single peering location: **5%**.
+
+The route resiliency score is **zero** in both high-resiliency (ExpresRoute Metro) and standard-resiliency configurations if there's a link failure between the Microsoft Enterprise Edge (MSEE) and the provider edge (PE) router.
+
+### <a name="redundancy"></a> Zone redundant virtual network gateway score
+
+The zone redundancy feature enhances the reliability of the virtual network gateway by deploying it across multiple failure zones. This configuration ensures higher resiliency for your ExpressRoute connection, maintaining connectivity between your on-premises network and Azure resources.
+
+- **Standard** and **High-Performance** SKUs:  **0%**.
+- **Ultra Performance** SKUs: **2%**.
+- **ErGW1Az, ErGW2Az, ErGW3Az** SKUs:
+    - Zonal deployment: **8%**.
+    - Zone-redundant deployment: **10%**.
+- **ErGWScale** SKU:
+    - Up to four instances (two scale units): **8%**.
+    - More than four instances: **10%**.
+
+### <a name="recommendation"></a> Resiliency recommendation score
+
+Advisor recommendations provide actionable insights to improve the reliability of your ExpressRoute connection. Implementing these recommendations can enhance the resiliency of your connection and ensure uninterrupted access to Azure resources.
+
+If no advisory recommendations are provided, the resiliency score for this category is **10%**.
+
+> [!NOTE]
+> Recommendations to deploy a zone redundant gateway or a multi-site ExpressRoute circuit are already factored into the overall resiliency index score. As a result, they don't affect the advisory recommendations score directly.
+
+### <a name = "readiness"></a> Resiliency validation readiness test score
+
+ExpressRoute maximum resiliency circuits are defined as a pair of two standard circuits configured in two different peering locations. Any extra circuits would further enhance the resiliency, but these circuits aren't scored. For the resiliency validation multiplier to take effect, you must run the [Resiliency Validation](resiliency-validation.md) test on both peering locations. 
+
+The following multipliers are applied to the route resiliency score based on the results of the Resiliency Validation test:
+
+- Resiliency tests conducted within the last 30 days: multiplier of **4**.
+- Tests conducted 31–60 days ago: multiplier of **3**.
+- Tests conducted 61–90 days ago: multiplier of **2**.
+- Tests conducted over 90 days ago: multiplier of **1**.
+
+> [!IMPORTANT]
+> If resiliency validation is completed for only one of the two peering locations, the multiplier applied to the route resiliency score is reduced by **half**.
+
+The resiliency index score provides a comprehensive assessment of the reliability of your ExpressRoute connection. By understanding the key factors that influence this score, you can identify opportunities to enhance the resiliency of your connection. Implementing the recommendations and best practices outlined in this article help you strengthen your ExpressRoute setup, ensuring consistent and reliable connectivity between your on-premises network and Azure resources.
+
+## Next steps
+
+- Learn more about [ExpressRoute virtual network gateway](expressroute-about-virtual-network-gateways.md).
+- Learn about [Zone redundancy for ExpressRoute virtual network gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md?toc=%2Fazure%2Fexpressroute%2Ftoc.json).

articles/expressroute/media/resiliency-validation/resiliency-validation.png

@@ -0,0 +1,146 @@
+---
+title: Azure ExpressRoute Gateway Resiliency Validation (preview)
+description: This article helps you understand the Azure ExpressRoute Gateway Resiliency Validation feature and how to use it.
+services: expressroute
+author: duongau
+ms.service: azure-expressroute
+ms.topic: conceptual
+ms.date: 03/24/2025
+ms.author: duau
+ms.custom: ai-usage
+---
+
+# Azure ExpressRoute Gateway Resiliency Validation (preview)
+
+Ensuring uninterrupted connectivity to Azure workloads through ExpressRoute is essential for maintaining business continuity. We're committed to providing you with new capabilities to help maintain a resilient network. The *gateway resiliency validation* feature assesses how resilient your network is by testing a failure scenario and validating the failover mechanisms. By proactively testing your network resiliency, you can ensure that your workloads remain available and can recover quickly from disruptions. 
+
+Another key aspect of this feature is the ability to identify misconfigurations and provide insights about your ExpressRoute connections from the ExpressRoute gateway perspective. This proactive approach allows you to validate the network behavior before major changes are implemented while also ensuring that your network is prepared for unexpected events.
+
+> [!IMPORTANT]
+> **Azure ExpressRoute Resiliency Validation** is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Key features
+
+- **Simulate circuit failover** - Connections are disconnected temporarily from the gateway of interest to the selected ExpressRoute circuit to simulate a failover from one peering location to another.
+- **Route redundancy** - Insights into duplicate routes are provided for all prefixes received from the selected peering location.
+- **Traffic visualization** - Visualize traffic going through the ExpressRoute gateway and all connections to an ExpressRoute circuit during testing.
+- **Test history** - Detailed information of previously conducted tests.
+
+### Common use cases
+
+- Facilitate in identifying and solving potential problems within your network to enhance the overall reliability and resiliency of your network infrastructure.
+
+- Essential for high availability and disaster recovery (HA/DR) procedures and migration validation. It ensures your systems are prepared for unplanned events and maintains seamless operations by validating maintenance behavior at the workload level.
+
+- Serves as a prerequisite for migrating from one ExpressRoute peering location to another, ensuring network resiliency before implementing major changes.
+
+### Limitations
+
+- The Resiliency Validation feature is available only for ExpressRoute gateways connected to ExpressRoute circuits in at least two distinct peering locations.
+- The **Route List** tab can only be refreshed once per hour.
+- This feature isn't supported for Virtual WAN or ExpressRoute Metro.
+- You can't run the Resiliency Validation test if there are any ongoing tests or if any of the circuits are currently undergoing maintenance.
+
+## Prerequisites
+
+- To participate in the preview, contact the [**ExpressRoute PM**](mailto:[email protected]) team.
+- Ensure that you have an ExpressRoute circuit in at least two distinct peering locations and an ExpressRoute gateway connected to those circuits.
+
+## Using the gateway resiliency validation
+
+The gateway resiliency validation can be accessed from any ExpressRoute gateway resource by navigating to the **Monitoring** section in the left-hand menu.
+
+:::image type="content" source="media/resiliency-validation/resiliency-validation.png" alt-text="Screenshot of the Resiliency Validation feature, accessible under the monitoring section in the left-hand menu of the ExpressRoute gateway resource.":::
+
+The dashboard provides a detailed overview of all ExpressRoute circuits connected to the ExpressRoute virtual network gateway, categorized by peering location. It displays the most recent test status, the timestamp of the last test conducted, the results of the latest test, and an action button to initiate a new test.
+
+> [!WARNING]
+> During the test, the ExpressRoute circuit disconnects from the ExpressRoute gateway, causing a temporary loss of connectivity for nonredundant routes. Ensure your routing policies are configured to support traffic failover.
+
+### Starting the test
+
+1. Navigate to the desired peering location and select the **Start new test** button.
+
+1. Review the autopopulated configuration, which includes:
+
+    - Gateway name
+    - Peering location
+    - Route redundancy information
+    - Traffic details
+    - Status of all connections to the ExpressRoute gateway
+
+1. Ensure that all critical routes are marked as redundant by reviewing the **Route List** tab.
+
+    :::image type="content" source="media/resiliency-validation/route-list.png" alt-text="Screenshot showing the Route List tab with details of redundant and nonredundant routes.":::
+
+1. Confirm that the circuits listed on this page aren't undergoing maintenance by selecting the first checkbox.
+
+1. Acknowledge that you reviewed the **Route List** tab and that all critical routes are marked as redundant by selecting the second checkbox.
+
+1. Enter the name of the gateway to confirm that you're aware of the potential effect of the test on your network.
+
+1. Select **Start Simulation** to initiate the test.
+
+    :::image type="content" source="media/resiliency-validation/start-test.png" alt-text="Screenshot showing the Resiliency Validation testing page.":::
+
+1. The resiliency validation status shows as **In progress**.
+
+### During the test
+
+1. Navigate to the **Test Status** tab to validate connectivity to your Azure workloads through each redundant connection. Review the traffic flow graph for the ExpressRoute gateway, which displays the average bits per second traffic flow. The tab also provides ingress and egress traffic information for connected and disconnected peering locations.
+
+    :::image type="content" source="media/resiliency-validation/test-status.png" alt-text="Screenshot of the traffic flow graph for an ExpressRoute gateway and the traffic data on the connections to the gateway.":::
+
+1. Validate connectivity from your on-premises network to your Azure workloads through the redundant connection by sending data packets. Tools like [iPerf](https://iperf.fr/) can be used for this purpose.
+
+1. Select the **Stop Simulation** button to end the test. Confirm if the test was completed successfully when prompted.
+
+1. Once confirmed, connectivity for all connections to the ExpressRoute gateway gets restored.
+
+1. You can view the test result by selecting **View** under the *Test History* column on the dashboard for the selected peering location.
+
+## Frequently asked questions
+
+1.	Can control the gateway validation tests other than the Azure portal?
+
+    Yes, you can use REST API to start and stop the Gateway resiliency validation tests.  
+
+2.	What happens if I don't terminate a test?
+
+    The tests continue to run indefinitely.
+
+3.	What metrics or alerts are available to monitor during the test?
+
+    The purpose of configuring redundant connections is to ensure network resilience during outages. If a single circuit is utilized at more than 50% of its bandwidth, packet drops might occur. During validation tests, the **Test Status** tab helps monitor traffic through the connections. You should expect [alerts](monitor-expressroute.md#alerts) if they're configured, providing an opportunity to validate their effectiveness.
+
+    For more information, see [Circuit utilization](monitor-expressroute-reference.md#category-circuit-traffic) or [Connection traffic](monitor-expressroute-reference.md#category-traffic) for metrics you can set up alerts on.
+
+4. Can I control traffic on demand using the gateway resiliency validation tool?
+
+    Yes, the gateway resiliency validation tool allows you to control traffic on demand. This is useful for testing different traffic scenarios and ensuring your network can handle various failovers. It can also be used to validate connectivity after successful site migrations before disconnecting the redundant circuit.
+
+5.	Are there specific Role-Based Access Controls (RBAC) policies for this feature?
+
+    Yes, there are specific RBAC policies to ensure that only authorized users with contributor access to the gateway can initiate downtime.
+
+6.	When can I run this feature in a Virtual WAN setup or other resiliency models?
+
+    For feedback or other requests, contact the [**ExpressRoute PM**](mailto:[email protected]).
+
+7.	Does this feature work with FastPath and Private Link?
+
+    For FastPath, although the data path bypasses the gateway, the gateway still manages control plane activities like route management. During a disconnect between the ExpressRoute circuit and the ExpressRoute gateway, routes are withdrawn from the gateway. However, connectivity for the failover connection to FastPath and Private Link is maintained during the failover.
+
+8.	Is packet loss expected during this activity?
+
+    During the failover simulation, a brief connectivity disruption occurs as BGP (Border Gateway Protocol) reestablishes. Performance tests using iPerf on TCP (Transmission Control Protocol) up to 500 Mbps show no packet loss. However, in a real outage scenario, some packet loss occurs until the traffic successfully fails over.
+
+9.	How long does it take to fail over?
+
+    Once the simulation start, it can take up to 15 seconds for the traffic to fail over.
+
+## Next steps
+
+- Learn more about the [ExpressRoute gateway](expressroute-about-virtual-network-gateways.md) and how to [monitor ExpressRoute circuits](monitor-expressroute.md).
+- Learn about [ExpressRoute Resiliency Insights](resiliency-insights.md).