title | description | services | author | ms.service | ms.topic | ms.date | ms.author |
---|---|---|---|---|---|---|---|
Azure ExpressRoute: Link a VNet to a circuit: classic | This document provides an overview of how to link virtual networks (VNets) to ExpressRoute circuits by using the classic deployment model and PowerShell. | expressroute | duongau | azure-expressroute | how-to | 06/30/2023 | duau |
This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits using PowerShell. A single VNet can be linked to up to four ExpressRoute circuits. Use the steps in this article to create a new link to each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both. This article applies to virtual networks created using the classic deployment model.
You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same geopolitical region. You can link a larger number of virtual networks to your ExpressRoute circuit, or link virtual networks that are in other geopolitical regions if you enable the ExpressRoute premium add-on. Check the FAQ for more details about the premium add-on.
- Review the prerequisites, routing requirements, and workflows before you begin configuration.
- You must have an active ExpressRoute circuit.
- Follow the instructions to create an ExpressRoute circuit and have your connectivity provider enable the circuit.
- Ensure that you have Azure private peering configured for your circuit. See the Configure routing article for routing instructions.
- Ensure that Azure private peering is configured and the BGP peering between your network and Microsoft is up so that you can enable end-to-end connectivity.
- You must have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to configure a virtual network for ExpressRoute.
You can link a virtual network to an ExpressRoute circuit by using the following cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet.
```powershell
New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"
Provisioned
```
You can remove a virtual network link to an ExpressRoute circuit by using the following cmdlet. Make sure that the current subscription is selected for the given virtual network.
```powershell
Remove-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"
```
You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.
Each of the smaller clouds within the large cloud represents a subscription that belongs to a different department within an organization. Each department can use its own subscription for deploying its services, but the departments can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.
Note
Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute circuit owner. All virtual networks share the same bandwidth.
The circuit owner is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as circuit users, to use the dedicated circuit that they own. Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they're authorized.
The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all links being deleted from the subscription whose access was revoked.
Note
Circuit owner isn't a built-in RBAC role and isn't defined on the ExpressRoute resource. The circuit owner is any role with the following access:
- Microsoft.Network/expressRouteCircuits/authorizations/write
- Microsoft.Network/expressRouteCircuits/authorizations/read
- Microsoft.Network/expressRouteCircuits/authorizations/delete
This includes built-in roles such as Contributor, Owner, and Network Contributor. For details, see the description of the different built-in roles.
Creating an authorization
The circuit owner authorizes the administrators of other subscriptions to use the specified circuit. In the following example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Dev-Test) to link up to two virtual networks to the circuit. The Contoso IT administrator enables this authorization by specifying the Dev-Test Microsoft ID. The cmdlet doesn't send email to the specified Microsoft ID. The circuit owner needs to explicitly notify the other subscription owner that the authorization is complete.
```powershell
New-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -Description "Dev-Test Links" -Limit 2 -MicrosoftIds 'devtest@contoso.com'
```
Return:
```
Description         : Dev-Test Links
Limit               : 2
LinkAuthorizationId : **********************************
MicrosoftIds        : devtest@contoso.com
Used                : 0
```
Reviewing authorizations
The circuit owner can review all authorizations that are issued on a particular circuit by running the following cmdlet:
```powershell
Get-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************"
```
Return:
```
Description         : EngineeringTeam
Limit               : 3
LinkAuthorizationId : ####################################
MicrosoftIds        : engadmin@contoso.com
Used                : 1

Description         : MarketingTeam
Limit               : 1
LinkAuthorizationId : @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
MicrosoftIds        : marketingadmin@contoso.com
Used                : 0

Description         : Dev-Test Links
Limit               : 2
LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
MicrosoftIds        : salesadmin@contoso.com
Used                : 2
```
Updating authorizations
The circuit owner can modify authorizations by using the following cmdlet:
```powershell
Set-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -AuthorizationId "&&&&&&&&&&&&&&&&&&&&&&&&&&&&" -Limit 5
```
Return:
```
Description         : Dev-Test Links
Limit               : 5
LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
MicrosoftIds        : devtest@contoso.com
Used                : 0
```
Deleting authorizations
The circuit owner can revoke or delete a user's authorization by running the following cmdlet:
```powershell
Remove-AzureDedicatedCircuitLinkAuthorization -ServiceKey "*****************************" -AuthorizationId "###############################"
```
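A least-privilege review of the authorization list before changing a limit or revoking access, as an added example that is not part of the original article or of Azure PowerShell. The function `Get-CircuitAuthorizationFinding` and its `-ApprovedIds` list are hypothetical, and the input objects are constructed to mirror the fields in the review output shown earlier.

```powershell
# Constructed sample: same fields as the Get-AzureDedicatedCircuitLinkAuthorization
# output shown on this page. IDs are placeholders. In a live session, pipe the
# cmdlet's output into the function instead of $sampleAuthorizations.
$sampleAuthorizations = @(
    [pscustomobject]@{ Description = 'EngineeringTeam'; Limit = 3; Used = 1
        LinkAuthorizationId = '<authorization-id-1>'; MicrosoftIds = 'engadmin@contoso.com' }
    [pscustomobject]@{ Description = 'MarketingTeam'; Limit = 1; Used = 0
        LinkAuthorizationId = '<authorization-id-2>'; MicrosoftIds = 'marketingadmin@contoso.com' }
    [pscustomobject]@{ Description = 'Dev-Test Links'; Limit = 2; Used = 2
        LinkAuthorizationId = '<authorization-id-3>'; MicrosoftIds = 'salesadmin@contoso.com' }
)

function Get-CircuitAuthorizationFinding {   # hypothetical helper, not an Azure cmdlet
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Authorization,
        # Assumption: the circuit owner keeps a list of Microsoft IDs approved to link VNets.
        [Parameter(Mandatory)]
        [string[]]$ApprovedIds
    )
    process {
        $used  = [int]$Authorization.Used
        $limit = [int]$Authorization.Limit
        # Assumption: MicrosoftIds holds one ID or a comma-separated list of IDs.
        $ids = @($Authorization.MicrosoftIds -split '\s*,\s*' | Where-Object { $_ })
        $unapproved = @($ids | Where-Object { $_ -notin $ApprovedIds })

        $findings = @()
        if ($unapproved.Count -gt 0) { $findings += "Unapproved ID: $($unapproved -join ', ')" }
        if ($used -eq 0) {
            $findings += 'Never redeemed: candidate for removal'
        } elseif ($used -lt $limit) {
            $findings += "Unused headroom: Limit could be lowered to $used"
        }
        [pscustomobject]@{
            Description         = $Authorization.Description
            LinkAuthorizationId = $Authorization.LinkAuthorizationId
            MicrosoftIds        = $ids -join ', '
            Used                = $used
            Limit               = $limit
            Findings            = $findings -join '; '
        }
    }
}

$sampleAuthorizations |
    Get-CircuitAuthorizationFinding -ApprovedIds 'engadmin@contoso.com', 'marketingadmin@contoso.com' |
    Format-Table -AutoSize -Wrap
```

Because revoking an authorization deletes every link in the affected subscription, confirm the `Used` count for a flagged entry before removing it.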
Reviewing authorizations
The circuit user can review authorizations by using the following cmdlet:
```powershell
Get-AzureAuthorizedDedicatedCircuit
```
Return:
```
Bandwidth                        : 200
CircuitName                      : ContosoIT
Location                         : Washington DC
MaximumAllowedLinks              : 2
ServiceKey                       : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
ServiceProviderName              : equinix
ServiceProviderProvisioningState : Provisioned
Status                           : Enabled
UsedLinks                        : 0
```
Redeeming link authorizations
The circuit user can run the following cmdlet to redeem a link authorization:
```powershell
New-AzureDedicatedCircuitLink -ServiceKey "&&&&&&&&&&&&&&&&&&&&&&&&&&" -VNetName 'SalesVNET1'
```
Return:
```
State       VnetName
-----       --------
Provisioned SalesVNET1
```
Run this command in the newly linked subscription for the virtual network:
```powershell
New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"
```
For more information about ExpressRoute, see the ExpressRoute FAQ.