I want to configure public peering using an ExpressRoute circuit to use Azure AD Connect without having this traffic go through the public Internet.
However, as far as I understand, configuring public peering means that all* Azure-bound traffic on public IP addresses will now traverse my ExpressRoute circuit, instead of my normal route to the Internet. This poses at least two problems:
1) Any monitoring configured on my current web proxy for Internet traffic is now bypassed for Azure traffic.
2) (more importantly) The complete picture of current data flows from on-premises to services hosted on Azure datacenters is currently unknown. For this reason, I don't know how to configure my firewall in between Azure and on-prem for ExpressRoute traffic to avoid any outages.
As far as I know, there is no way to "split" traffic bound to public Azure services when using public peering (split to have some traffic through ExpressRoute, and other traffic through normal Internet-bound routes). What can I do about the problems above?
*All Azure-bound traffic except for explicitly excluded Azure services (CDN, Traffic Manager, etc.)
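Added example, not part of the question above: one way to attack the second problem (the unknown picture of on-premises to Azure data flows) is to run the existing web proxy logs against Azure's published public IP ranges before enabling peering, and derive from the hits both the flows that would move onto the circuit and a first-cut allow-list for the firewall in between. Everything below is constructed: the log format, the client and destination addresses, and the prefix table are placeholders, not the real Azure ranges (in practice you would load the service-tag JSON that Microsoft publishes and the full proxy log). The mapping of "excluded services" to the `AzureTrafficManager` tag is an assumption made for the example.

```python
"""Inventory outbound proxy traffic against Azure public IP ranges (added example).

All data here is constructed. Real use: load the Azure IP Ranges / Service Tags
JSON published by Microsoft and feed the full proxy log through the same functions.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes keyed by a service-tag style name. Not authoritative.
AZURE_PREFIXES = {
    "AzureActiveDirectory": ["20.190.128.0/18", "40.126.0.0/18"],
    "Storage.WestEurope": ["52.166.0.0/16"],
    "AzureTrafficManager": ["13.65.92.252/32"],
}

# Services the question says stay on the Internet path even with public peering.
# Assumption: they map to these tag names.
INTERNET_ONLY_TAGS = {"AzureTrafficManager"}


def build_lookup(prefixes):
    """Flatten tag -> prefix lists into (network, tag) pairs, most specific first."""
    table = [(ipaddress.ip_network(n), tag) for tag, nets in prefixes.items() for n in nets]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify_ip(ip, table):
    """Longest-prefix match: return the tag owning this address, or None if not Azure."""
    addr = ipaddress.ip_address(ip)
    for net, tag in table:
        if addr in net:
            return tag
    return None


def parse_line(line):
    """Constructed proxy log format: timestamp client method host:port dest_ip bytes."""
    _ts, client, _method, hostport, dest_ip, nbytes = line.split()
    host, _, port = hostport.rpartition(":")
    return {"client": client, "host": host, "port": int(port),
            "dest_ip": dest_ip, "bytes": int(nbytes)}


def inventory(lines, table, internet_only=INTERNET_ONLY_TAGS):
    """Aggregate Azure-bound flows per tag: which path they would take, volume, endpoints."""
    out = defaultdict(lambda: {"path": "", "flows": 0, "bytes": 0, "endpoints": set()})
    for line in lines:
        rec = parse_line(line)
        tag = classify_ip(rec["dest_ip"], table)
        if tag is None:
            continue  # ordinary Internet traffic, unaffected by peering
        entry = out[tag]
        entry["path"] = "internet" if tag in internet_only else "expressroute"
        entry["flows"] += 1
        entry["bytes"] += rec["bytes"]
        entry["endpoints"].add((rec["host"], rec["port"]))
    return dict(out)


def firewall_rules(inv, prefixes):
    """Derive (tag, destination prefix, port) allow-list entries for flows moving onto the circuit."""
    rules = set()
    for tag, entry in inv.items():
        if entry["path"] != "expressroute":
            continue
        for net in prefixes[tag]:
            for _host, port in entry["endpoints"]:
                rules.add((tag, net, port))
    return sorted(rules)


# Constructed sample proxy log lines.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z 10.10.1.15 CONNECT login.microsoftonline.com:443 20.190.130.5 18234",
    "2024-03-01T08:00:02Z 10.10.1.15 CONNECT example.blob.core.windows.net:443 52.166.40.10 904112",
    "2024-03-01T08:00:03Z 10.10.1.20 CONNECT myapp.trafficmanager.net:443 13.65.92.252 2048",
    "2024-03-01T08:00:04Z 10.10.1.20 GET www.example.org:80 93.184.216.34 5120",
    "2024-03-01T08:00:05Z 10.10.1.30 CONNECT login.microsoftonline.com:443 40.126.3.7 12000",
]

if __name__ == "__main__":
    lookup = build_lookup(AZURE_PREFIXES)
    summary = inventory(SAMPLE_LOG, lookup)
    for tag, entry in sorted(summary.items()):
        print(f"{tag}: via {entry['path']}, {entry['flows']} flows, {entry['bytes']} bytes, "
              f"endpoints={sorted(entry['endpoints'])}")
    for rule in firewall_rules(summary, AZURE_PREFIXES):
        print("allow", *rule)
```

The output is the "complete picture" the question is missing: per service tag, whether the traffic would shift onto ExpressRoute, how much of it there is, and which hostnames and ports it uses. Running it over a few weeks of logs before the peering is enabled gives the firewall rule set; running it afterwards against the firewall's own logs gives the monitoring the proxy would otherwise have lost (problem 1). Note the limitation: the published ranges change regularly, so the prefix table has to be refreshed, and anything that resolves to an address outside the published ranges will be missed.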