Connect a virtual network to an ExpressRoute circuit using PowerShell (classic)
This article will help you link virtual networks (VNets) to Azure ExpressRoute circuits by using the classic deployment model and PowerShell. Virtual networks can either be in the same subscription or can be part of another subscription.
As of March 1, 2017, you can't create new ExpressRoute circuits in the classic deployment model.
- You can move an existing ExpressRoute circuit from the classic deployment model to the Resource Manager deployment model without experiencing any connectivity down time. For more information, see Move an existing circuit.
- You can connect to virtual networks in the classic deployment model by setting allowClassicOperations to TRUE.
Use the following links to create and manage ExpressRoute circuits in the Resource Manager deployment model:
About Azure deployment models
Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model that you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.
- You need the latest version of the Azure PowerShell modules. You can download the latest PowerShell modules from the PowerShell section of the Azure Downloads page. Follow the instructions in How to install and configure Azure PowerShell for step-by-step guidance on how to configure your computer to use the Azure PowerShell modules.
- You need to review the prerequisites, routing requirements, and workflows before you begin configuration.
- You must have an active ExpressRoute circuit.
- Follow the instructions to create an ExpressRoute circuit and have your connectivity provider enable the circuit.
- Ensure that you have Azure private peering configured for your circuit. See the Configure routing article for routing instructions.
- Ensure that Azure private peering is configured and the BGP peering between your network and Microsoft is up so that you can enable end-to-end connectivity.
- You must have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to configure a virtual network for ExpressRoute.
You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same geopolitical region. You can link a larger number of virtual networks to your ExpressRoute circuit, or link virtual networks that are in other geopolitical regions if you enabled the ExpressRoute premium add-on. Check the FAQ for more details on the premium add-on.
A single VNet can be linked to up to four ExpressRoute circuits. Use the process below to create a new link to each ExpressRoute circuit you are connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.
Connect a virtual network in the same subscription to a circuit
You can link a virtual network to an ExpressRoute circuit by using the following cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet.
New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet" Provisioned
Connect a virtual network in a different subscription to a circuit
You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.
Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services--but the departments can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.
Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute circuit owner. All virtual networks share the same bandwidth.
The circuit owner is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as circuit users, to use the dedicated circuit that they own. Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they are authorized.
The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization will result in all links being deleted from the subscription whose access was revoked.
Circuit owner operations
Creating an authorization
The circuit owner authorizes the administrators of other subscriptions to use the specified circuit. In the following example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Dev-Test) to link up to two virtual networks to the circuit. The Contoso IT administrator enables this by specifying the Dev-Test Microsoft ID. The cmdlet doesn't send email to the specified Microsoft ID. The circuit owner needs to explicitly notify the other subscription owner that the authorization is complete.
New-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -Description "Dev-Test Links" -Limit 2 -MicrosoftIds 'firstname.lastname@example.org' Description : Dev-Test Links Limit : 2 LinkAuthorizationId : ********************************** MicrosoftIds : email@example.com Used : 0
The circuit owner can review all authorizations that are issued on a particular circuit by running the following cmdlet:
Get-AzureDedicatedCircuitLinkAuthorization -ServiceKey: "**************************" Description : EngineeringTeam Limit : 3 LinkAuthorizationId : #################################### MicrosoftIds : firstname.lastname@example.org Used : 1 Description : MarketingTeam Limit : 1 LinkAuthorizationId : @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ MicrosoftIds : email@example.com Used : 0 Description : Dev-Test Links Limit : 2 LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& MicrosoftIds : firstname.lastname@example.org Used : 2
The circuit owner can modify authorizations by using the following cmdlet:
Set-AzureDedicatedCircuitLinkAuthorization -ServiceKey "**************************" -AuthorizationId "&&&&&&&&&&&&&&&&&&&&&&&&&&&&"-Limit 5 Description : Dev-Test Links Limit : 5 LinkAuthorizationId : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& MicrosoftIds : email@example.com Used : 0
The circuit owner can revoke/delete authorizations to the user by running the following cmdlet:
Remove-AzureDedicatedCircuitLinkAuthorization -ServiceKey "*****************************" -AuthorizationId "###############################"
Circuit user operations
The circuit user can review authorizations by using the following cmdlet:
Get-AzureAuthorizedDedicatedCircuit Bandwidth : 200 CircuitName : ContosoIT Location : Washington DC MaximumAllowedLinks : 2 ServiceKey : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& ServiceProviderName : equinix ServiceProviderProvisioningState : Provisioned Status : Enabled UsedLinks : 0
Redeeming link authorizations
The circuit user can run the following cmdlet to redeem a link authorization:
New-AzureDedicatedCircuitLink –servicekey "&&&&&&&&&&&&&&&&&&&&&&&&&&" –VnetName 'SalesVNET1' State VnetName ----- -------- Provisioned SalesVNET1
Run this command in the newly linked subscription for the virtual network:
New-AzureDedicatedCircuitLink -ServiceKey "*****************************" -VNetName "MyVNet"
For more information about ExpressRoute, see the ExpressRoute FAQ.