I handled a support request today on this, which I assume is yours. Just to summarize for future cases - ExpressRoute uses a virtual private network in Azure, isolating the VMs from the rest of the cloud.

In a virtual private network, you will likely have to run BYOS images, and provide your own subscription-based updates.

I provided a list of IPs for our infrastructure as well, for whitelisting; if you are able to configure routing to allow traffic to those IPs, and your VMs are assigned public IPs from the Azure pools, you can use the Azure gallery images directly.