This article helps you create a connection linking a virtual network to an Azure ExpressRoute circuit, using the Azure portal. The virtual networks that you connect to your Azure ExpressRoute circuit can either be in the same subscription, or part of another subscription.
Before you begin
- You must have an active ExpressRoute circuit.
- Follow the instructions to create a Pureport ExpressRoute circuit.
- Ensure that you have Azure private peering configured for your circuit. See the Configure Azure Private Peering article for routing instructions.
- Ensure that you have a virtual network and a Virtual Network Gateway (VNG) created and fully provisioned. Follow the instructions to create a virtual network gateway for ExpressRoute. A Virtual Network Gateway for ExpressRoute uses the GatewayType 'ExpressRoute,' not VPN. Please note that the process of creating a VNG in the Azure portal can take as long as 45 minutes but is a one-time process.
- You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.
- You can link a single VNet to up to four ExpressRoute circuits. Use the process below to create a new connection object for each ExpressRoute circuit you are connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.
- You can link a virtual network outside of the geopolitical region of the ExpressRoute circuit, or connect a larger number of virtual networks to your ExpressRoute circuit if you enabled the ExpressRoute premium add-on. Review the Microsoft FAQ for more details on the premium add-on.
- Ensure that your ExpressRoute circuit and Azure private peering have been configured successfully. Your ExpressRoute circuit should appear similar to the following:
- To provision a connection to link your virtual network gateway to your ExpressRoute circuit, select Connection > Add to open the Add connection page,
Configure the values in the Add connection page:
- After configuring the connection, the connection object will show the information for the connection.
You can share an ExpressRoute circuit across multiple subscriptions. This figure illustrates sharing ExpressRoute circuits across multiple subscriptions.
Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization.
Each of the departments within the organization can use their own subscription for deploying their services, but they can share a single ExpressRoute circuit to connect back to your on-premises network.
A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit and authorizations associated to the circuit, including subscriptions linked to other Azure Active Directory tenants and Enterprise Agreement enrollments.
The 'circuit owner' is an authorized Power User of the ExpressRoute circuit resource. The circuit owner can create authorizations that can be redeemed by 'circuit users'. Circuit users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. Circuit users can redeem authorizations (one authorization per virtual network).
The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all link connections being deleted from the subscription whose access was revoked.
To create a connection authorization
The circuit owner creates an authorization. This results in the creation of an authorization key that can be used by a circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.
- In the ExpressRoute page, Click Authorizations and then type a name for the authorization and click Save.
\u00a02. Once the configuration is saved, copy the Resource ID and the Authorization Key.
To delete a connection authorization
You can delete a connection by selecting the Delete icon on the page for your connection.
The circuit user needs the resource ID and an authorization key from the circuit owner.
To redeem a connection authorization
- Click the +New button.
2. Search for "Connection" in the Marketplace, select it, and click Create.
3. Make sure the Connection type is set to "ExpressRoute".
4. Fill in the details, then click OK in the Basics page.
5. In the Settings page, Select the Virtual network gateway and check the Redeem authorization check box.
6. Enter the Authorization key and the Peer circuit URI and give the connection a name. Click OK.
7. Review the information in the Summary page and click OK.
To release an ExpressRoute connection authorization
The Circuit Owner can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual network.
You can delete a connection and unlink your VNet to an ExpressRoute circuit by selecting the Delete icon on the page for your connection.
For more information about ExpressRoute, see the ExpressRoute FAQ.