| title | description | services | documentationcenter | author | manager | editor | tags | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Link a virtual network to an ExpressRoute circuit: CLI: Azure| Microsoft Docs |
This document provides an overview of how to link virtual networks (VNets) to ExpressRoute circuits by using the Resource Manager deployment model and CLI. |
expressroute |
na |
cherylmc |
timlit |
azure-resource-manager |
expressroute |
na |
article |
na |
infrastructure-services |
07/25/2017 |
anzaman,cherylmc |
This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits using CLI. To link using Azure CLI, the virtual networks must be created using the Resource Manager deployment model. They can either be in the same subscription, or part of another subscription. If you want to use a different method to connect your VNet to an ExpressRoute circuit, you can select an article from the following list:
[!div class="op_single_selector"]
-
You need the latest version of the command-line interface (CLI). For more information, see Install Azure CLI 2.0.
-
You need to review the prerequisites, routing requirements, and workflows before you begin configuration.
-
You must have an active ExpressRoute circuit.
- Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
- Ensure that you have Azure private peering configured for your circuit. See the configure routing article for routing instructions.
- Ensure that Azure private peering is configured. The BGP peering between your network and Microsoft must be up so that you can enable end-to-end connectivity.
- Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to Configure a virtual network gateway for ExpressRoute. Be sure to use
--gateway-type ExpressRoute.
-
You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.
-
If you enable the ExpressRoute premium add-on, you can link a virtual network outside of the geopolitical region of the ExpressRoute circuit, or connect a larger number of virtual networks to your ExpressRoute circuit. For more information about the premium add-on, see the FAQ.
You can connect a virtual network gateway to an ExpressRoute circuit by using the example. Make sure that the virtual network gateway is created and is ready for linking before you run the command.
az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit
You can share an ExpressRoute circuit across multiple subscriptions. The figure below shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.
Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services--but they can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.
Note
Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute Circuit Owner. All virtual networks share the same bandwidth.
The 'Circuit Owner' is an authorized Power User of the ExpressRoute circuit resource. The Circuit Owner can create authorizations that can be redeemed by 'Circuit Users'. Circuit Users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. Circuit Users can redeem authorizations (one authorization per virtual network).
The Circuit Owner has the power to modify and revoke authorizations at any time. When an authorization is revoked, all link connections are deleted from the subscription whose access was revoked.
To create an authorization
The Circuit Owner creates an authorization, which creates an authorization key that can be used by a Circuit User to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.
The following example shows how to create an authorization:
az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization
The response contains the authorization key and status:
"authorizationKey": "0a7f3020-541f-4b4b-844a-5fb43472e3d7",
"authorizationUseStatus": "Available",
"etag": "W/\"010353d4-8955-4984-807a-585c21a22ae0\"",
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/authorizations/MyAuthorization1",
"name": "MyAuthorization1",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup"
To review authorizations
The Circuit Owner can review all authorizations that are issued on a particular circuit by running the following example:
az network express-route auth list --circuit-name MyCircuit -g ExpressRouteResourceGroup
To add authorizations
The Circuit Owner can add authorizations by using the following example:
az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1
To delete authorizations
The Circuit Owner can revoke/delete authorizations to the user by running the following example:
az network express-route auth delete --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1
The Circuit User needs the peer ID and an authorization key from the Circuit Owner. The authorization key is a GUID.
Get-AzureRmExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
To redeem a connection authorization
The Circuit User can run the following example to redeem a link authorization:
az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit --authorization-key "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
To release a connection authorization
You can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual network.
For more information about ExpressRoute, see the ExpressRoute FAQ.