| title | description | documentationcenter | services | author | manager | editor | tags | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
How to configure routing for an Azure ExpressRoute circuit: CLI | Microsoft Docs |
This article helps you create and provision the private, public and Microsoft peering of an ExpressRoute circuit. This article also shows you how to check the status, update, or delete peerings for your circuit. |
na |
expressroute |
cherylmc |
timlt |
azure-resource-manager |
expressroute |
na |
article |
na |
infrastructure-services |
10/11/2017 |
cherylmc |
This article helps you create and manage routing configuration for an ExpressRoute circuit in the Resource Manager deployment model using CLI. You can also check the status, update, or delete and deprovision peerings for an ExpressRoute circuit. If you want to use a different method to work with your circuit, select an article from the following list:
[!div class="op_single_selector"]
- Before beginning, install the latest version of the CLI commands (2.0 or later). For information about installing the CLI commands, see Install Azure CLI 2.0.
- Make sure that you have reviewed the prerequisites, routing requirements, and workflow pages before you begin configuration.
- You must have an active ExpressRoute circuit. Follow the instructions to Create an ExpressRoute circuit and have the circuit enabled by your connectivity provider before you proceed. The ExpressRoute circuit must be in a provisioned and enabled state for you to be able to run the commands in this article.
These instructions only apply to circuits created with service providers offering Layer 2 connectivity services. If you are using a service provider that offers managed Layer 3 services (typically an IPVPN, like MPLS), your connectivity provider will configure and manage routing for you.
You can configure one, two, or all three peerings (Azure private, Azure public, and Microsoft) for an ExpressRoute circuit. You can configure peerings in any order you choose. However, you must make sure that you complete the configuration of each peering one at a time. For more information about routing domains and peerings, see ExpressRoute routing domains.
This section helps you create, get, update, and delete the Microsoft peering configuration for an ExpressRoute circuit.
Important
Microsoft peering of ExpressRoute circuits that were configured prior to August 1, 2017 will have all service prefixes advertised through the Microsoft peering, even if route filters are not defined. Microsoft peering of ExpressRoute circuits that are configured on or after August 1, 2017 will not have any prefixes advertised until a route filter is attached to the circuit. For more information, see Configure a route filter for Microsoft peering.
[!INCLUDE Premium]
- Install the latest version of Azure CLI. Use the latest version of the Azure Command-line Interface (CLI).* Review the prerequisites and workflows before you begin configuration.
az login
Select the subscription for which you want to create ExpressRoute circuit.
az account set --subscription "<subscription ID>"
-
Create an ExpressRoute circuit. Follow the instructions to create an ExpressRoute circuit and have it provisioned by the connectivity provider. If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Microsoft peering for you. In that case, you won't need to follow instructions listed in the next sections. However, if your connectivity provider does not manage routing for you, after creating your circuit, continue your configuration using the next steps.
-
Check the ExpressRoute circuit to make sure it is provisioned and also enabled. Use the following example:
az network express-route list
The response is similar to the following example:
"allowClassicOperations": false,
"authorizations": [],
"circuitProvisioningState": "Enabled",
"etag": "W/\"1262c492-ffef-4a63-95a8-a6002736b8c4\"",
"gatewayManagerEtag": null,
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit",
"location": "westus",
"name": "MyCircuit",
"peerings": [],
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"serviceKey": "1d05cf70-1db5-419f-ad86-1ca62c3c125b",
"serviceProviderNotes": null,
"serviceProviderProperties": {
"bandwidthInMbps": 200,
"peeringLocation": "Silicon Valley",
"serviceProviderName": "Equinix"
},
"serviceProviderProvisioningState": "Provisioned",
"sku": {
"family": "UnlimitedData",
"name": "Standard_MeteredData",
"tier": "Standard"
},
"tags": null,
"type": "Microsoft.Network/expressRouteCircuits]
- Configure Microsoft peering for the circuit. Make sure that you have the following information before you proceed.
- A /30 subnet for the primary link. This must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
- A /30 subnet for the secondary link. This must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
- A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
- AS number for peering. You can use both 2-byte and 4-byte AS numbers.
- Advertised prefixes: You must provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
- Optional - Customer ASN: If you are advertising prefixes that are not registered to the peering AS number, you can specify the AS number to which they are registered.
- Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.
- Optional - An MD5 hash if you choose to use one.
Run the following example to configure Microsoft peering for your circuit:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 123.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 123.0.0.4/30 --vlan-id 300 --peering-type MicrosoftPeering --advertised-public-prefixes 123.1.0.0/24
You can get configuration details by using the following example:
az network express-route peering show -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzureMicrosoftPeering
The output is similar to the following example:
{
"azureAsn": 12076,
"etag": "W/\"2e97be83-a684-4f29-bf3c-96191e270666\"",
"gatewayManagerEtag": "18",
"id": "/subscriptions/9a0c2943-e0c2-4608-876c-e0ddffd1211b/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/peerings/AzureMicrosoftPeering",
"lastModifiedBy": "Customer",
"microsoftPeeringConfig": {
"advertisedPublicPrefixes": [
""
],
"advertisedPublicPrefixesState": "",
"customerASN": ,
"routingRegistryName": ""
}
"name": "AzureMicrosoftPeering",
"peerAsn": ,
"peeringType": "AzureMicrosoftPeering",
"primaryAzurePort": "",
"primaryPeerAddressPrefix": "",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"routeFilter": null,
"secondaryAzurePort": "",
"secondaryPeerAddressPrefix": "",
"sharedKey": null,
"state": "Enabled",
"stats": null,
"vlanId": 100
}
You can update any part of the configuration. The advertised prefixes of the circuit are being updated from 123.1.0.0/24 to 124.1.0.0/24 in the following example:
az network express-route peering update --circuit-name MyCircuit -g ExpressRouteResourceGroup --peering-type MicrosoftPeering --advertised-public-prefixes 124.1.0.0/24
az network express-route peering update -g ExpressRouteResourceGroup --circuit-name MyCircuit --peering-type MicrosoftPeering --ip-version ipv6 --primary-peer-subnet 2002:db00::/126 --secondary-peer-subnet 2003:db00::/126 --advertised-public-prefixes 2002:db00::/126
You can remove your peering configuration by running the following example:
az network express-route peering delete -g ExpressRouteResourceGroup --circuit-name MyCircuit --name MicrosoftPeering
This section helps you create, get, update, and delete the Azure private peering configuration for an ExpressRoute circuit.
- Install the latest version of Azure CLI. You must use the latest version of the Azure Command-line Interface (CLI).* Review the prerequisites and workflows before you begin configuration.
az login
Select the subscription you want to create ExpressRoute circuit
az account set --subscription "<subscription ID>"
-
Create an ExpressRoute circuit. Follow the instructions to create an ExpressRoute circuit and have it provisioned by the connectivity provider. If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Azure private peering for you. In that case, you won't need to follow instructions listed in the next sections. However, if your connectivity provider does not manage routing for you, after creating your circuit, continue your configuration using the next steps.
-
Check the ExpressRoute circuit to make sure it is provisioned and also enabled. Use the following example:
az network express-route show --resource-group ExpressRouteResourceGroup --name MyCircuit
The response is similar to the following example:
"allowClassicOperations": false,
"authorizations": [],
"circuitProvisioningState": "Enabled",
"etag": "W/\"1262c492-ffef-4a63-95a8-a6002736b8c4\"",
"gatewayManagerEtag": null,
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit",
"location": "westus",
"name": "MyCircuit",
"peerings": [],
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"serviceKey": "1d05cf70-1db5-419f-ad86-1ca62c3c125b",
"serviceProviderNotes": null,
"serviceProviderProperties": {
"bandwidthInMbps": 200,
"peeringLocation": "Silicon Valley",
"serviceProviderName": "Equinix"
},
"serviceProviderProvisioningState": "Provisioned",
"sku": {
"family": "UnlimitedData",
"name": "Standard_MeteredData",
"tier": "Standard"
},
"tags": null,
"type": "Microsoft.Network/expressRouteCircuits]
- Configure Azure private peering for the circuit. Make sure that you have the following items before you proceed with the next steps:
- A /30 subnet for the primary link. The subnet must not be part of any address space reserved for virtual networks.
- A /30 subnet for the secondary link. The subnet must not be part of any address space reserved for virtual networks.
- A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
- AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering. Ensure that you are not using 65515.
- Optional - An MD5 hash if you choose to use one.
Use the following example to configure Azure private peering for your circuit:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 10.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 10.0.0.4/30 --vlan-id 200 --peering-type AzurePrivatePeering
If you choose to use an MD5 hash, use the following example:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 10.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 10.0.0.4/30 --vlan-id 200 --peering-type AzurePrivatePeering --SharedKey "A1B2C3D4"
Important
Ensure that you specify your AS number as peering ASN, not customer ASN.
You can get configuration details by using the following example:
az network express-route peering show -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePrivatePeering
The output is similar to the following example:
{
"azureAsn": 12076,
"etag": "W/\"2e97be83-a684-4f29-bf3c-96191e270666\"",
"gatewayManagerEtag": "18",
"id": "/subscriptions/9a0c2943-e0c2-4608-876c-e0ddffd1211b/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/peerings/AzurePrivatePeering",
"ipv6PeeringConfig": null,
"lastModifiedBy": "Customer",
"microsoftPeeringConfig": null,
"name": "AzurePrivatePeering",
"peerAsn": 7671,
"peeringType": "AzurePrivatePeering",
"primaryAzurePort": "",
"primaryPeerAddressPrefix": "",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"routeFilter": null,
"secondaryAzurePort": "",
"secondaryPeerAddressPrefix": "",
"sharedKey": null,
"state": "Enabled",
"stats": null,
"vlanId": 100
}
You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 100 to 500.
az network express-route peering update --vlan-id 500 -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePrivatePeering
You can remove your peering configuration by running the following example:
Warning
You must ensure that all virtual networks are unlinked from the ExpressRoute circuit before running this example.
az network express-route peering delete -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePrivatePeering
This section helps you create, get, update, and delete the Azure public peering configuration for an ExpressRoute circuit.
- Install the latest version of Azure CLI. You must use the latest version of the Azure Command-line Interface (CLI).* Review the prerequisites and workflows before you begin configuration.
az login
Select the subscription for which you want to create ExpressRoute circuit.
az account set --subscription "<subscription ID>"
-
Create an ExpressRoute circuit. Follow the instructions to create an ExpressRoute circuit and have it provisioned by the connectivity provider. If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Azure public peering for you. In that case, you won't need to follow instructions listed in the next sections. However, if your connectivity provider does not manage routing for you, after creating your circuit, continue your configuration using the next steps.
-
Check the ExpressRoute circuit to ensure it is provisioned and also enabled. Use the following example:
az network express-route list
The response is similar to the following example:
"allowClassicOperations": false,
"authorizations": [],
"circuitProvisioningState": "Enabled",
"etag": "W/\"1262c492-ffef-4a63-95a8-a6002736b8c4\"",
"gatewayManagerEtag": null,
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit",
"location": "westus",
"name": "MyCircuit",
"peerings": [],
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"serviceKey": "1d05cf70-1db5-419f-ad86-1ca62c3c125b",
"serviceProviderNotes": null,
"serviceProviderProperties": {
"bandwidthInMbps": 200,
"peeringLocation": "Silicon Valley",
"serviceProviderName": "Equinix"
},
"serviceProviderProvisioningState": "Provisioned",
"sku": {
"family": "UnlimitedData",
"name": "Standard_MeteredData",
"tier": "Standard"
},
"tags": null,
"type": "Microsoft.Network/expressRouteCircuits]
- Configure Azure public peering for the circuit. Make sure that you have the following information before you proceed further.
- A /30 subnet for the primary link. This must be a valid public IPv4 prefix.
- A /30 subnet for the secondary link. This must be a valid public IPv4 prefix.
- A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
- AS number for peering. You can use both 2-byte and 4-byte AS numbers.
- Optional - An MD5 hash if you choose to use one.
Run the following example to configure Azure public peering for your circuit:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering
If you choose to use an MD5 hash, use the following example:
az network express-route peering create --circuit-name MyCircuit --peer-asn 100 --primary-peer-subnet 12.0.0.0/30 -g ExpressRouteResourceGroup --secondary-peer-subnet 12.0.0.4/30 --vlan-id 200 --peering-type AzurePublicPeering --SharedKey "A1B2C3D4"
Important
Ensure that you specify your AS number as peering ASN, not customer ASN.
You can get configuration details using the following example:
az network express-route peering show -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
The output is similar to the following example:
{
"azureAsn": 12076,
"etag": "W/\"2e97be83-a684-4f29-bf3c-96191e270666\"",
"gatewayManagerEtag": "18",
"id": "/subscriptions/9a0c2943-e0c2-4608-876c-e0ddffd1211b/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/peerings/AzurePublicPeering",
"lastModifiedBy": "Customer",
"microsoftPeeringConfig": null,
"name": "AzurePublicPeering",
"peerAsn": 7671,
"peeringType": "AzurePublicPeering",
"primaryAzurePort": "",
"primaryPeerAddressPrefix": "",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup",
"routeFilter": null,
"secondaryAzurePort": "",
"secondaryPeerAddressPrefix": "",
"sharedKey": null,
"state": "Enabled",
"stats": null,
"vlanId": 100
}
You can update any part of the configuration using the following example. In this example, the VLAN ID of the circuit is being updated from 200 to 600.
az network express-route peering update --vlan-id 600 -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
You can remove your peering configuration by running the following example:
az network express-route peering delete -g ExpressRouteResourceGroup --circuit-name MyCircuit --name AzurePublicPeering
Next step, Link a VNet to an ExpressRoute circuit.
- For more information about ExpressRoute workflows, see ExpressRoute workflows.
- For more information about circuit peering, see ExpressRoute circuits and routing domains.
- For more information about working with virtual networks, see Virtual network overview.