If you already have an Azure ExpressRoute, and you are a serious user of Azure services, sooner or later you’ll get in the situation when you need to add more connections to your circuit. The good news is that you can add up to 10 virtual networks to the Standard Azure ExpressRoute circuit and up to 100 to Premium, depending on the speed. We can also connect multiple subscriptions to a single ExpressRoute, and that can be really useful if there are different projects or different teams inside the company, and each of them works with their own subscriptions.
Adding a virtual network from the same subscription or different subscription is not a difficult task to do, but it can be a little bit confusing. At least that’s how I found it to be when I did this for the first time. There are a few steps you need to do in a specific order, and the terminology used here is not very intuitive.
Let’s take a look at it together. Let’s add Virtual Networks from the same and different subscriptions to the existing ExpressRoute circuit.
Here is what we are working with:
ResourceGroup1 in Subscription1 contains all the resources. The ExpressRoute circuit is configured by the provider.
Connection1 is configured to use Gateway1 to connect vNET1 to the local gateway device in our local datacenter.
Our goal for today is to complete the following tasks:
- Task 1: Connect vNET2 to the ExpressRoute.
- Task 2: Connect vNET3 from Subscription2 to the ExpressRoute.
Task 1: Connect a virtual network from the same subscription to the ExpressRoute
The first thing to remember is that the ExpressRoute is location-dependent and that our resources should be in the same region where our ExpressRoute circuit is terminated.
Each connection in ExpressRoute requires a Virtual Network Gateway.
Each Virtual Network Gateway can be associated with only one Virtual Network. If we want to connect another Virtual Network to our ExpressRoute, it means that we also need to create a Virtual Network Gateway for it.
Creating a Gateway subnet
Connecting a Virtual Network Gateway to the Virtual Network will require a small subnet called GatewaySubnet. This small subnet contains the IP addresses for the gateway service to use. Don’t name your gateway subnet something else. And don’t deploy VMs or anything else to the gateway subnet. To add it, go to Virtual Networks, select vNET2, click Subnets, and add new subnet. This can be a very small subnet, with a mask of /29 or /27.
Select the Virtual Network:
$virtualNetwork = Get-AzVirtualNetwork -Name 'vNET2'
Create Virtual Network subnet configuration:
Add-AzVirtualNetworkSubnetConfig `
    -Name GatewaySubnet `
    -AddressPrefix 10.1.1.0/27 `
    -VirtualNetwork $virtualNetwork
Update Virtual Network configuration:
$virtualNetwork | Set-AzVirtualNetwork
Creating a Virtual Network Gateway
Go to Virtual Network Gateways and click Add.
I’m going to select Subscription1, select the same location, enter gateway name Gateway2, select Gateway Type: ExpressRoute, and select vNET2 as our virtual network. Notice that the Resource Group will be automatically populated since this needs to be the same RG where our Virtual Network is. Create public IP if you don’t have one, add Tags, select the GatewaySubnet that we created earlier, and click Create. This is one of the more time-demanding tasks in Azure, and it can take up to 30 minutes to complete.
Creating a Virtual Network Gateway with Azure PowerShell is easy. First we need a new Public IP for the Gateway:
$ngwpip = New-AzPublicIpAddress -Name 'PublicIP-Gateway2' -ResourceGroupName "ResourceGroup1" -Location "West US" -AllocationMethod Dynamic
Select the vNet and the subnet:
$vnet = Get-AzVirtualNetwork -Name 'vNET2'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
Create a Virtual Network Gateway IP configuration:
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id `
    -PublicIpAddressId $ngwpip.Id
Create new Virtual Network Gateway:
# Uses the IP configuration ($ngwipconfig) and the region ("West US") from the steps above.
New-AzVirtualNetworkGateway -Name 'Gateway2' -ResourceGroupName 'ResourceGroup1' `
    -Location "West US" -IpConfigurations $ngwipconfig -GatewayType ExpressRoute -GatewaySku 'Standard'
Check the result:
Get-AzVirtualNetworkGateway -ResourceGroupName ResourceGroup1
Creating new ExpressRoute Connection
Now let’s create a Connection. Go to the ExpressRoute and select Connections. Here you should see our existing connection Connection1. We are going to create a new one, so click Add.
Connection type, ExpressRoute, Subscription, and a Resource Group should already be pre-selected. We only need to select our newly created Virtual Network Gateway at this point and click Ok.
That’s it on the Azure side. Connection2 is now ready. You might also need to add the vNET2 IP range and routes on your local firewall, but this depends on how/what you have already configured.
Get the ExpressRoute Circuit and the Virtual Network Gateway:
$circuit = Get-AzExpressRouteCircuit -Name 'ExpressRoute' -ResourceGroupName 'ResourceGroup1'
$gw = Get-AzVirtualNetworkGateway -Name "Gateway2" -ResourceGroupName "ResourceGroup1"
Create new connection:
$connection = New-AzVirtualNetworkGatewayConnection -Name "Connection2" `
    -ResourceGroupName "ResourceGroup1" `
    -Location "West US" `
    -VirtualNetworkGateway1 $gw `
    -PeerId $circuit.Id `
    -ConnectionType ExpressRoute
Check the result:
# Connection2 is a gateway connection, so query it with the gateway-connection cmdlet
# (Get-AzExpressRouteCrossConnection is the provider-side view of the circuit, not of this connection).
Get-AzVirtualNetworkGatewayConnection -Name Connection2 -ResourceGroupName ResourceGroup1
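As an added example (not code from the original post), here is Task 1 end to end as a single idempotent script: it re-uses the post's names (vNET2, Gateway2, Connection2, circuit 'ExpressRoute' in ResourceGroup1, prefix 10.1.1.0/27, all assumed), skips any step that was already done, and takes the region from the vNet so the gateway and connection cannot land in a different region than the network.

```powershell
# Added example: idempotent version of Task 1. Names and prefix are assumptions taken from the post.
$rg          = 'ResourceGroup1'
$vnetName    = 'vNET2'
$gwName      = 'Gateway2'
$connName    = 'Connection2'
$circuitName = 'ExpressRoute'
$gwPrefix    = '10.1.1.0/27'

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
# Gateway and connection are created in the vNet's own region, as the post requires.
$location = $vnet.Location

# 1. GatewaySubnet: the name is fixed by Azure, so only create it if it is missing.
$gwSubnet = $vnet.Subnets | Where-Object Name -eq 'GatewaySubnet'
if (-not $gwSubnet) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwPrefix -VirtualNetwork $vnet | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork            # commits the change and returns the updated vNet
    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
}

# 2. ExpressRoute gateway (long-running: the post notes up to 30 minutes).
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $gw) {
    $pip = New-AzPublicIpAddress -Name "PublicIP-$gwName" -ResourceGroupName $rg `
        -Location $location -AllocationMethod Dynamic
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
        -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
    $gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipconf -GatewayType ExpressRoute -GatewaySku 'Standard'
}

# 3. Connection from the gateway to the circuit (same subscription, so -PeerId is the circuit's Id).
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $conn) {
    $circuit = Get-AzExpressRouteCircuit -Name $circuitName -ResourceGroupName $rg
    $conn = New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute
}

# Report the state of the connection; ConnectionStatus shows whether the link is actually up.
$conn | Select-Object Name, ConnectionType, ConnectionStatus, ProvisioningState
```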
Task 2: Connect a virtual network from a different subscription to the ExpressRoute
vNET3 is in Subscription2. The first thing we will notice in Subscription2 is that there is no ExpressRoute in it. Does that mean that we have to create it here as well?
We can share one ExpressRoute circuit across multiple subscriptions, and we don’t have to create a new one. In our case, Subscription1 is where our circuit is, and that is considered to be a Circuit Owner subscription. Subscription2 will be a Circuit User. For this to work, the ‘Circuit Owner’ has to create authorization, and ‘Circuit User’ has to redeem it.
For this to work, the ‘Circuit User’ needs to know the Authorization Key and the ResourceID. An Authorization Key is generated for each connection, and the ‘Circuit Owner’ has the power to modify and revoke authorizations at any time. Revoking an authorization deletes all link connections from the subscription whose access was revoked.
To generate new authorization, go to Subscription1, select ExpressRoute, and click Authorizations.
Fill in the Name of the new connection and click Save. This will create a new connection and generate a unique Authorization Key.
Copy the ResourceID and the Authorization Key; we will need that.
Get the existing circuit:
$circuit = Get-AzExpressRouteCircuit -Name 'ExpressRoute' -ResourceGroupName 'ResourceGroup1'
Add the authorization:
# The circuit parameter is -ExpressRouteCircuit; the change is only committed by Set-AzExpressRouteCircuit below.
Add-AzExpressRouteCircuitAuthorization -Name "Authorization-for-Subscription2" -ExpressRouteCircuit $circuit
Configure the circuit:
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
Creating Virtual Network Gateway and Virtual Network Subnet
Go to Subscription2. We have the same prerequisites as before. Add the GatewaySubnet to vNET3, and create a new Virtual Network Gateway called Gateway3.
Creating Connection from different Azure Subscription
Searching for ExpressRoute in our Subscription2 will not return any results. To create a connection, go to Connections and click Add.
Nothing is pre-selected this time, and the process is a little bit different from when we created a connection the first time.
Select a connection with type ExpressRoute, Subscription2, ResourceGroup2, and the correct location. On the Settings page, select our newly created Gateway3, and select Redeem authorization. This is how the connection will know which ExpressRoute it is assigned to and authorized for. AuthorizationKey and Peer circuit URI are the AuthorizationKey and ResourceID we copied earlier; then type a connection name. Routing optimization is a different topic, and for our purposes, we are going to keep it at 0.
This will create a connection and add it to your existing ExpressRoute circuit.
Do not get confused if you don’t see this connection in your ExpressRoute connection list in Subscription1. You will be able to see it from Connections (different from ExpressRoute\Connections). And you can always see it and revoke it from ExpressRoute\Authorizations.
Add the ResourceID and the Authorization Key:
$id = "***"
$key = "***"
Get the Virtual Network Gateway:
$gw = Get-AzVirtualNetworkGateway -Name "Gateway3" -ResourceGroupName "ResourceGroup2"
Create Connection and redeem the authorization:
$connection = New-AzVirtualNetworkGatewayConnection -Name "Connection3" `
    -ResourceGroupName "ResourceGroup2" `
    -Location "West US" `
    -VirtualNetworkGateway1 $gw `
    -PeerId $id `
    -ConnectionType ExpressRoute `
    -AuthorizationKey $key
View the result (this runs in Subscription1, the Circuit Owner, using the $circuit object from the authorization step):
Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit
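Because the Circuit Owner can revoke an authorization at any time and that deletes the Circuit User's connection, it is worth auditing the circuit's authorizations regularly. The following is an added example (not from the original post) to run in Subscription1: it reports each authorization's use status without printing the key, and revokes a named authorization with the same add-then-commit pattern the post uses; the circuit and resource group names are assumptions.

```powershell
# Added example: audit and revoke ExpressRoute circuit authorizations from the Circuit Owner side.
# Assumed names: circuit 'ExpressRoute' in 'ResourceGroup1' (as in the post).
function Get-CircuitAuthorizationReport {
    param(
        [Parameter(Mandatory)] [string] $CircuitName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )
    $circuit = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $ResourceGroupName
    foreach ($auth in $circuit.Authorizations) {
        [pscustomobject]@{
            Name              = $auth.Name
            # 'Available' = key generated but not redeemed yet; 'InUse' = some subscription has redeemed it.
            UseStatus         = $auth.AuthorizationUseStatus
            ProvisioningState = $auth.ProvisioningState
            # The key grants access to the circuit, so only report whether one exists.
            HasKey            = -not [string]::IsNullOrEmpty($auth.AuthorizationKey)
        }
    }
}

function Revoke-CircuitAuthorization {
    param(
        [Parameter(Mandatory)] [string] $CircuitName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AuthorizationName
    )
    $circuit = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $ResourceGroupName
    $auth = $circuit.Authorizations | Where-Object Name -eq $AuthorizationName
    if (-not $auth) {
        throw "Authorization '$AuthorizationName' not found on circuit '$CircuitName'."
    }
    if ($auth.AuthorizationUseStatus -eq 'InUse') {
        Write-Warning "'$AuthorizationName' is in use: revoking it deletes the Circuit User's connection."
    }
    # Remove from the local circuit object, then commit with Set-AzExpressRouteCircuit,
    # exactly as the post does when adding an authorization.
    Remove-AzExpressRouteCircuitAuthorization -Name $AuthorizationName -ExpressRouteCircuit $circuit | Out-Null
    Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
}

# Usage: list the authorizations and their status.
Get-CircuitAuthorizationReport -CircuitName 'ExpressRoute' -ResourceGroupName 'ResourceGroup1' | Format-Table
# Revoke-CircuitAuthorization -CircuitName 'ExpressRoute' -ResourceGroupName 'ResourceGroup1' -AuthorizationName 'Authorization-for-Subscription2'
```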
We completed both of our tasks. I hope this was helpful to someone :) If you have any questions regarding the ExpressRoute, feel free to get in touch.
Thank you for sticking around.