Merge pull request #278350 from AbdullahBell/patch-127

prmerger-automator[bot] · web-flow · commit fb96c70abfe7 · 2024-06-20T13:49:45.000Z
ExpressRoute: ExpressRoute NAT requirements
diff --git a/articles/expressroute/expressroute-nat.md b/articles/expressroute/expressroute-nat.md
@@ -5,7 +5,7 @@ services: expressroute
 author: duongau
 ms.service: expressroute
 ms.topic: conceptual
-ms.date: 06/30/2023
+ms.date: 06/14/2024
 ms.author: duau
 ---
 
@@ -27,7 +27,7 @@ The Microsoft peering path lets you connect to Microsoft cloud services. The lis
 * IP addresses used for the Microsoft peering setup and other ExpressRoute circuits must not be advertised to Microsoft through the BGP session. There's no restriction on the length of the NAT IP prefix advertised through this peering.
   
   > [!IMPORTANT]
-  > The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services.
+  > The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services. We advise against a public IP address from the range assigned to primary or secondary link. Instead, you should use a different range of public IP addresses that has been assigned to you and registered in a Regional Internet Registry (RIR) or Internet Routing Registry (IRR). Depending on your call volume, this range can be as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).
   > 
 
 ### Traffic originating from Microsoft destined to your network
@@ -44,7 +44,7 @@ You must ensure that traffic is entering the Azure Microsoft peering path with v
 There are no restrictions on the length of the NAT IP prefix advertised through this peering. You must monitor the NAT pool and ensure that you aren't starved of NAT sessions.
 
 > [!IMPORTANT]
-> The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services.
+> The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services. We advise against a public IP address from the range assigned to primary or secondary link. Instead, you should use a different range of public IP addresses that has been assigned to you and registered in a Regional Internet Registry (RIR) or Internet Routing Registry (IRR). Depending on your call volume, this range can be as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).
 > 
 
 ## Next steps
