Tutorial: Create an ExpressRoute association using Azure Virtual WAN
This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an ExpressRoute circuit. For more information about Virtual WAN and Virtual WAN resources, see the Virtual WAN Overview.
In this tutorial, you learn how to:
- Create a virtual WAN
- Create a hub and a gateway
- Connect a VNet to a hub
- Connect a circuit to a hub gateway
- Test connectivity
- Change a gateway size
- Advertise a default route
Verify that you have met the following criteria before beginning your configuration:
You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart.
Your virtual network does not have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected instead, to the Virtual WAN hub gateway.
Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub cannot overlap with any of your existing virtual networks that you connect to. It also cannot overlap with your address ranges that you connect to on-premises. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
The ExpressRoute circuit must be a Premium or Standard circuit in order to connect to the hub gateway.
If you don't have an Azure subscription, create a free account.
Create a virtual WAN
From a browser, navigate to the Azure portal and sign in with your Azure account.
Navigate to the Virtual WAN page. In the portal, click +Create a resource. Type Virtual WAN into the search box and select Enter.
Select Virtual WAN from the results. On the Virtual WAN page, click Create to open the Create WAN page.
On the Create WAN page, on the Basics tab, fill in the following fields:
- Subscription - Select the subscription that you want to use.
- Resource Group - Create new or use existing.
- Resource group location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to more easily manage and locate the WAN resource that you create.
- Name - Type the name that you want to call your WAN.
- Type - Select Standard. You can't create an ExpressRoute gateway using the Basic SKU.
After you finish filling out the fields, select Review +Create.
Once validation passes, select Create to create the virtual WAN.
Create a virtual hub and gateway
A virtual hub is a virtual network that is created and used by Virtual WAN. It can contain various gateways, such as VPN and ExpressRoute. In this section, you will create an ExpressRoute gateway for your virtual hub. You can either create the gateway when you create a new virtual hub, or you can create the gateway in an existing hub by editing it.
ExpressRoute gateways are provisioned in units of 2 Gbps. 1 scale unit = 2 Gbps with support up to 10 scale units = 20 Gbps. It takes about 30 minutes for a virtual hub and gateway to fully create.
To create a new virtual hub and a gateway
Create a new virtual hub. Once a hub is created, you'll be charged for the hub, even if you don't attach any sites.
Locate the Virtual WAN that you created. On the Virtual WAN page, under the Connectivity section, select Hubs.
On the Hubs page, select +New Hub to open the Create virtual hub page.
On the Create virtual hub page Basics tab, complete the following fields:
- Region (previously referred to as Location)
- Hub private address space. The minimum address space is /24 to create a hub, which implies anything range from /25 to /32 will produce an error during creation.
Select the ExpressRoute tab.
On the ExpressRoute tab, complete the following fields:
- Select Yes to create an ExpressRoute gateway.
- Select the Gateway scale units value from the dropdown.
Select Review + Create to validate.
Select Create to create the hub. After 30 minutes, Refresh to view the hub on the Hubs page. Select Go to resource to navigate to the resource.
To create a gateway in an existing hub
You can also create a gateway in an existing hub by editing it.
Navigate to the virtual hub that you want to edit and select it.
On the Edit virtual hub page, select the checkbox Include ExpressRoute gateway.
Select Confirm to confirm your changes. It takes about 30 minutes for the hub and hub resources to fully create.
To view a gateway
Once you have created an ExpressRoute gateway, you can view gateway details. Navigate to the hub, select ExpressRoute, and view the gateway.
Connect your VNet to the hub
In this section, you create the peering connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.
On the page for your virtual WAN, click Virtual network connection.
On the virtual network connection page, click +Add connection.
On the Add connection page, fill in the following fields:
- Connection name - Name your connection.
- Hubs - Select the hub you want to associate with this connection.
- Subscription - Verify the subscription.
- Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway (neither VPN, nor ExpressRoute).
Connect your circuit to the hub gateway
Once the gateway is created, you can connect an ExpressRoute circuit to it. ExpressRoute Standard or Premium circuits that are in ExpressRoute Global Reach-supported locations can connect to a Virtual WAN ExpressRoute gateway and enjoy all Virtual WAN transit capabilities (VPN-to-VPN, VPN, and ExpressRoute transit). ExpressRoute Standard and Premium circuits that are in non-Global Reach locations can connect to Azure resources, but will not be able to use Virtual WAN transit capabilities. ExpressRoute Local is also supported with Azure Virtual WAN hubs.
To connect the circuit to the hub gateway
In the portal, go to the Virtual hub -> Connectivity -> ExpressRoute page. If you have access in your subscription to an ExpressRoute circuit, you will see the circuit you want to use in the list of circuits. If you don’t see any circuits, but have been provided with an authorization key and peer circuit URI, you can redeem and connect a circuit. See To connect by redeeming an authorization key.
Select the circuit.
Select Connect circuit(s).
To connect by redeeming an authorization key
Use the authorization key and circuit URI you were provided in order to connect.
On the ExpressRoute page, click +Redeem authorization key
On the Redeem authorization key page, fill in the values.
Select Add to add the key.
View the circuit. A redeemed circuit only shows the name (without the type, provider and other information) because it is in a different subscription than that of the user.
To test connectivity
After the circuit connection is established, the hub connection status will indicate 'this hub', implying the connection is established to the hub ExpressRoute gateway. Wait approximately 5 minutes before you test connectivity from a client behind your ExpressRoute circuit, for example, a VM in the VNet that you created earlier.
If you have sites connected to a Virtual WAN VPN gateway in the same hub as the ExpressRoute gateway, you can have bidirectional connectivity between VPN and ExpressRoute end points. Dynamic routing (BGP) is supported. The ASN of the gateways in the hub is fixed and cannot be edited at this time.
To change the size of a gateway
If you want to change the size of your ExpressRoute gateway, locate the ExpressRoute gateway inside the hub, and select the scale units from the dropdown. Save your change. It will take approximately 30 minutes to update the hub gateway.
To advertise default route 0.0.0.0/0 to endpoints
If you would like the Azure virtual hub to advertise the default route 0.0.0.0/0 to your ExpressRoute end points, you will need to enable 'Propagate default route'.
Select your Circuit ->…-> Edit connection.
Select Enable to propagate the default route.
Clean up resources
When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.
- Open the virtual WAN that you created.
- Select a virtual hub associated to the virtual WAN to open the hub page.
- Click Delete. Delete all entities (connections, gateways, etc.) in the hub. This can take 30 minutes to complete.
- You can either delete the hub at this point, or delete it later when you delete the resource group.
- Repeat for all hubs associated to the virtual WAN.
- Navigate to the resource group in the Azure portal.
- Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.
Next, to learn more about Virtual WAN, see: