Επεξεργασία

Κοινή χρήση μέσω


Connect a virtual network to an ExpressRoute circuit using PowerShell (classic)

This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits using PowerShell. A single VNet can be linked to up to four ExpressRoute circuits. Use the steps in this article to create a new link to each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both. This article applies to virtual networks created using the classic deployment model.

You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same geopolitical region. You can link a larger number of virtual networks to your ExpressRoute circuit, or link virtual networks that are in other geopolitical regions if you enable the ExpressRoute premium add-on. Check the FAQ for more details about the premium add-on.

Important

As of March 1, 2017, you can't create new ExpressRoute circuits in the classic deployment model.

  • You can move an existing ExpressRoute circuit from the classic deployment model to the Resource Manager deployment model without experiencing any connectivity down time. For more information, see Move an existing circuit.
  • You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to TRUE.

Use the following links to create and manage ExpressRoute circuits in the Resource Manager deployment model:

About Azure deployment models

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model that you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

Configuration prerequisites

  • Review the prerequisites, routing requirements, and workflows before you begin configuration.
  • You must have an active ExpressRoute circuit.
    • Follow the instructions to create an ExpressRoute circuit and have your connectivity provider enable the circuit.
    • Ensure that you have Azure private peering configured for your circuit. See the Configure routing article for routing instructions.
    • Ensure that Azure private peering is configured and the BGP peering between your network and Microsoft is up so that you can enable end-to-end connectivity.
    • You must have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to configure a virtual network for ExpressRoute.

Download the latest PowerShell cmdlets

Install the latest versions of the Azure Service Management (SM) PowerShell modules and the ExpressRoute module. You can't use the Azure CloudShell environment to run SM modules.

  1. Use the instructions in the Installing the Service Management module article to install the Azure Service Management Module. If you have the Az or RM module already installed, be sure to use '-AllowClobber'.

  2. Import the installed modules. When using the following example, adjust the path to reflect the location and version of your installed PowerShell modules.

    Import-Module 'C:\Program Files\WindowsPowerShell\Modules\Azure\5.3.0\Azure.psd1'
    Import-Module 'C:\Program Files\WindowsPowerShell\Modules\Azure\5.3.0\ExpressRoute\ExpressRoute.psd1'
    
  3. To sign in to your Azure account, open your PowerShell console with elevated rights and connect to your account. Use the following example to help you connect using the Service Management module:

    Add-AzureAccount
    

Connect a virtual network in the same subscription to a circuit

You can link a virtual network to an ExpressRoute circuit by using the following cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet.

New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"
Provisioned

You can remove a virtual network link to an ExpressRoute circuit by using the following cmdlet. Make sure that the current subscription is selected for the given virtual network.

Remove-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"

Connect a virtual network in a different subscription to a circuit

You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.

Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services--but the departments can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.

Note

Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute circuit owner. All virtual networks share the same bandwidth.

Cross-subscription connectivity

Administration

The circuit owner is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as circuit users, to use the dedicated circuit that they own. Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they're authorized.

The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all links being deleted from the subscription whose access was revoked.

Note

Circuit owner is not an built-in RBAC role or defined on the ExpressRoute resource. The definition of the circuit owner is any role with the following access:

  • Microsoft.Network/expressRouteCircuits/authorizations/write
  • Microsoft.Network/expressRouteCircuits/authorizations/read
  • Microsoft.Network/expressRouteCircuits/authorizations/delete

This includes the built-in roles such as Contributor, Owner and Network Contributor. Detailed description for the different built-in roles.

Circuit owner operations

Creating an authorization

The circuit owner authorizes the administrators of other subscriptions to use the specified circuit. In the following example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Dev-Test) to link up to two virtual networks to the circuit. The Contoso IT administrator enables this authorization by specifying the Dev-Test Microsoft ID. The cmdlet doesn't send email to the specified Microsoft ID. The circuit owner needs to explicitly notify the other subscription owner that the authorization is complete.

New-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -Description "Dev-Test Links" -Limit 2 -MicrosoftIds 'devtest@contoso.com'

Return:

Description         : Dev-Test Links
Limit               : 2
LinkAuthorizationId : **********************************
MicrosoftIds        : devtest@contoso.com
Used                : 0

Reviewing authorizations

The circuit owner can review all authorizations that are issued on a particular circuit by running the following cmdlet:

Get-AzureDedicatedCircuitLinkAuthorization -ServiceKey: "**************************"

Return:

Description         : EngineeringTeam
Limit               : 3
LinkAuthorizationId : ####################################
MicrosoftIds        : engadmin@contoso.com
Used                : 1

Description         : MarketingTeam
Limit               : 1
LinkAuthorizationId : @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
MicrosoftIds        : marketingadmin@contoso.com
Used                : 0

Description         : Dev-Test Links
Limit               : 2
LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
MicrosoftIds        : salesadmin@contoso.com
Used                : 2

Updating authorizations

The circuit owner can modify authorizations by using the following cmdlet:

Set-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -AuthorizationId "&&&&&&&&&&&&&&&&&&&&&&&&&&&&"-Limit 5

Return:

Description         : Dev-Test Links
Limit               : 5
LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
MicrosoftIds        : devtest@contoso.com
Used                : 0

Deleting authorizations

The circuit owner can revoke/delete authorizations to the user by running the following cmdlet:

Remove-AzureDedicatedCircuitLinkAuthorization -ServiceKey "*****************************" -AuthorizationId "###############################"

Circuit user operations

Reviewing authorizations

The circuit user can review authorizations by using the following cmdlet:

Get-AzureAuthorizedDedicatedCircuit

Return:

Bandwidth                        : 200
CircuitName                      : ContosoIT
Location                         : Washington DC
MaximumAllowedLinks              : 2
ServiceKey                       : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ServiceProviderName              : equinix
ServiceProviderProvisioningState : Provisioned
Status                           : Enabled
UsedLinks                        : 0

Redeeming link authorizations

The circuit user can run the following cmdlet to redeem a link authorization:

New-AzureDedicatedCircuitLink –servicekey "&&&&&&&&&&&&&&&&&&&&&&&&&&" –VnetName 'SalesVNET1'

Return:

State VnetName
----- --------
Provisioned SalesVNET1

Run this command in the newly linked subscription for the virtual network:

New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.