Add IPv6 support for private peering using Azure PowerShell
This article describes how to add IPv6 support to connect via ExpressRoute to your resources in Azure using Azure PowerShell.
Working with Azure PowerShell
The steps and examples in this article use Azure PowerShell Az modules. To install the Az modules locally on your computer, see Install Azure PowerShell. To learn more about the new Az module, see Introducing the new Azure PowerShell Az module. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the installed versions of PowerShell on your system, use the Get-Module -ListAvailable Az cmdlet.
You can use Azure Cloud Shell to run most PowerShell cmdlets and CLI commands, instead of installing Azure PowerShell or CLI locally. Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and is configured to use with your account. To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, press Enter to run code.
There are a few ways to launch the Cloud Shell:
| Option | Link |
|---|---|
| Click Try It in the upper right corner of a code block. |  |
| Open Cloud Shell in your browser. |  |
| Click the Cloud Shell button on the menu in the upper right of the Azure portal. |  |
Add IPv6 Private Peering to your ExpressRoute circuit
Create an ExpressRoute circuit or use an existing circuit. Retrieve the circuit by running the Get-AzExpressRouteCircuit command:
$ckt = Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"Retrieve the private peering configuration for the circuit by running Get-AzExpressRouteCircuitPeeringConfig:
Get-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $cktAdd an IPv6 Private Peering to your existing IPv4 Private Peering configuration. Provide a pair of /126 IPv6 subnets that you own for your primary link and secondary links. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router.
Note
The peer ASN and VlanId should match those in your IPv4 Private Peering configuration.
Set-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt -PeeringType AzurePrivatePeering -PeerASN 100 -PrimaryPeerAddressPrefix "3FFE:FFFF:0:CD30::/126" -SecondaryPeerAddressPrefix "3FFE:FFFF:0:CD30::4/126" -VlanId 200 -PeerAddressType IPv6 Set-AzExpressRouteCircuit -ExpressRouteCircuit $cktAfter the configuration is saved successfully, get the circuit again by running the Get-AzExpressRouteCircuit command. The response should look similar to the following example:
Name : ExpressRouteARMCircuit ResourceGroupName : ExpressRouteResourceGroup Location : eastus Id : /subscriptions/***************************/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/ExpressRouteARMCircuit Etag : W/"################################" ProvisioningState : Succeeded Sku : { "Name": "Standard_MeteredData", "Tier": "Standard", "Family": "MeteredData" } CircuitProvisioningState : Enabled ServiceProviderProvisioningState : Provisioned ServiceProviderNotes : ServiceProviderProperties : { "ServiceProviderName": "Equinix", "PeeringLocation": "Washington DC", "BandwidthInMbps": 50 } ExpressRoutePort : null BandwidthInGbps : Stag : 29 ServiceKey : ************************************** Peerings : [ { "Name": "AzurePrivatePeering", "Etag": "W/\"facc8972-995c-4861-a18d-9a82aaa7167e\"", "Id": "/subscriptions/***************************/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/ExpressRouteARMCircuit/peerings/AzurePrivatePeering", "PeeringType": "AzurePrivatePeering", "State": "Enabled", "AzureASN": 12076, "PeerASN": 100, "PrimaryPeerAddressPrefix": "192.168.15.16/30", "SecondaryPeerAddressPrefix": "192.168.15.20/30", "PrimaryAzurePort": "", "SecondaryAzurePort": "", "VlanId": 200, "ProvisioningState": "Succeeded", "GatewayManagerEtag": "", "LastModifiedBy": "Customer", "Ipv6PeeringConfig": { "State": "Enabled", "PrimaryPeerAddressPrefix": "3FFE:FFFF:0:CD30::/126", "SecondaryPeerAddressPrefix": "3FFE:FFFF:0:CD30::4/126" }, "Connections": [], "PeeredConnections": [] }, ] Authorizations : [] AllowClassicOperations : False GatewayManagerEtag :
Update your connection to an existing virtual network
To use IPv6 Private Peering with your existing Azure resources, follow these steps:
Retrieve the virtual network that your ExpressRoute circuit is connected to.
$vnet = Get-AzVirtualNetwork -Name "VirtualNetwork" -ResourceGroupName "ExpressRouteResourceGroup"Add an IPv6 address space to your virtual network.
$vnet.AddressSpace.AddressPrefixes.add("ace:daa:daaa:deaa::/64") Set-AzVirtualNetwork -VirtualNetwork $vnetAdd IPv6 address space to your gateway subnet. The gateway IPv6 subnet should be /64 or larger.
Set-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix "10.0.0.0/26", "ace:daa:daaa:deaa::/64" Set-AzVirtualNetwork -VirtualNetwork $vnetIf you have an existing zone-redundant gateway, run the following to enable IPv6 connectivity (note that it can take up to 1 hour for changes to reflect). Otherwise, create the virtual network gateway using any SKU. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this feature is only available for circuits using ExpressRoute Direct).
$gw = Get-AzVirtualNetworkGateway -Name "GatewayName" -ResourceGroupName "ExpressRouteResourceGroup" Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw
Note
If you have an existing gateway that is not zone-redundant (meaning it is Standard, High Performance, or Ultra Performance SKU), you will need to delete and recreate the gateway using any SKU and a Standard, Static public IP address.
Create a connection to a new virtual network
To connect to a new set of Azure resources using your IPv6 Private Peering, apply the following steps:
Create a dual-stack virtual network with both IPv4 and IPv6 address space. For more information, see Create a virtual network.
Create the virtual network gateway using any SKU. If you plan to use FastPath, use UltraPerformance or ErGw3AZ (note that this feature is only available for circuits using ExpressRoute Direct).
Limitations
While IPv6 support is available for connections to deployments in global Azure regions, it doesn't support the following use cases:
- Connections to existing ExpressRoute gateways that aren't zone-redundant. Newly created ExpressRoute gateways of any SKU (both zone-redundant and not) using a Standard, Static IP address can be used for dual-stack ExpressRoute connections
- Use of ExpressRoute with virtual WAN
- FastPath with non-ExpressRoute Direct circuits
- FastPath with circuits in the following peering locations: Dubai
- Coexistence with VPN Gateway for IPv6 traffic. You can still configure coexistence with VPN Gateway in a dual-stack virtual network, but VPN Gateway only supports IPv4 traffic.
- It isn't possible to connect a dual-stack ExpressRoute Virtual Network Gateway to an ExpressRoute Circuit that only has IPv4 enabled on the Private Peering. IPv6 must also be enabled on the ExpressRoute Circuit. You must also configure IPv6 on your on-premises CPE device.
Next steps
To troubleshoot ExpressRoute problems, see the following articles:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for