Tutorial: Connect a virtual network to an ExpressRoute circuit using the Azure portal
This tutorial helps you create a connection to link a virtual network (VNet) to an Azure ExpressRoute circuit using the Azure portal. The virtual networks that you connect to your Azure ExpressRoute circuit can either be in the same subscription or part of another subscription.
In this tutorial, you learn how to:
- Connect a virtual network to a circuit in the same subscription.
- Connect a virtual network to a circuit in a different subscription.
- Configure ExpressRoute FastPath.
- Delete the link between the virtual network and ExpressRoute circuit.
You must have an active ExpressRoute circuit.
- Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
- Ensure that you have Azure private peering configured for your circuit. See the Create and modify peering for an ExpressRoute circuit article for peering and routing instructions.
- Ensure that Azure private peering gets configured and establishes BGP peering between your network and Microsoft for end-to-end connectivity.
- Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to create a virtual network gateway for ExpressRoute. A virtual network gateway for ExpressRoute uses the GatewayType 'ExpressRoute', not VPN.
You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.
A single VNet can be linked to up to 16 ExpressRoute circuits. Use the following process to create a new connection object for each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.
If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit. The premium add-on will also allow you to connect more than 10 virtual networks to your ExpressRoute circuit depending on the bandwidth chosen. Check the FAQ for more details on the premium add-on.
In order to create the connection from the ExpressRoute circuit to the target ExpressRoute virtual network gateway, the number of address spaces advertised from the local or peered virtual networks needs to be equal to or less than 200. Once the connection has been successfully created, you can add additional address spaces, up to 1,000, to the local or peered virtual networks.
Review guidance for connectivity between virtual networks over ExpressRoute.
Connect a VNet to a circuit - same subscription
BGP configuration information will not appear if the layer 3 provider configured your peerings. If your circuit is in a provisioned state, you should be able to create connections.
To create a connection
Ensure that your ExpressRoute circuit and Azure private peering have been configured successfully. Follow the instructions in Create an ExpressRoute circuit and Create and modify peering for an ExpressRoute circuit. Your ExpressRoute circuit should look like the following image:
You can now start provisioning a connection to link your virtual network gateway to your ExpressRoute circuit. Select Connection > Add to open the Add connection page.
Enter a name for the connection and then select Next: Settings >.
Select the gateway that belongs to the virtual network that you want to link to the circuit and select Review + create. Then select Create after validation completes.
After your connection has been successfully configured, your connection object will show the information for the connection.
Connect a VNet to a circuit - different subscription
You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.
Connecting virtual networks between Azure sovereign clouds and Public Azure cloud is not supported. You can only link virtual networks from different subscriptions in the same cloud.
Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization uses their own subscription for deploying their services--but they can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization may use the ExpressRoute circuit.
Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute circuit owner. All virtual networks share the same bandwidth.
Administration - About circuit owners and circuit users
The 'circuit owner' is an authorized Power User of the ExpressRoute circuit resource. The circuit owner can create authorizations that can be redeemed by 'circuit users'. Circuit users are owners of virtual network gateways that aren't within the same subscription as the ExpressRoute circuit. Circuit users can redeem authorizations (one authorization per virtual network).
The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all link connections being deleted from the subscription whose access was revoked.
Circuit owner is not an built-in RBAC role or defined on the ExpressRoute resource. The definition of the circuit owner is any role with the following access:
This includes the built-in roles such as Contributor, Owner and Network Contributor. Detailed description for the different built-in roles.
Circuit owner operations
To create a connection authorization
The circuit owner creates an authorization, which creates an authorization key to be used by a circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.
Each connection requires a separate authorization.
In the ExpressRoute page, select Authorizations and then type a name for the authorization and select Save.
Once the configuration is saved, copy the Resource ID and the Authorization Key.
To delete a connection authorization
You can delete a connection by selecting the Delete icon for the authorization key for your connection.
If you want to delete the connection but retain the authorization key, you can delete the connection from the connection page of the circuit.
Connections redeemed in different subscriptions will not display in the circuit connection page. Navigate to the subscription where the authorization was redeemed and delete the top-level connection resource.
Circuit user operations
The circuit user needs the resource ID and an authorization key from the circuit owner.
To redeem a connection authorization
Select the + Create a resource button. Search for Connection and select Create.
Make sure the Connection type is set to ExpressRoute. Select the Resource group and Location, then select OK in the Basics page.
The location must match the virtual network gateway location you're creating the connection for.
In the Settings page, Select the Virtual network gateway and check the Redeem authorization check box. Enter the Authorization key and the Peer circuit URI and give the connection a name. Select OK.
The Peer Circuit URI is the Resource ID of the ExpressRoute circuit (which you can find under the Properties Setting pane of the ExpressRoute Circuit).
Review the information in the Summary page and select OK.
Configure ExpressRoute FastPath
You can enable ExpressRoute FastPath if your virtual network gateway is Ultra Performance or ErGw3AZ. FastPath improves data path performance such as packets per second and connections per second between your on-premises network and your virtual network.
Configure FastPath on a new connection
When adding a new connection for your ExpressRoute gateway, select the checkbox for FastPath.
Enabling FastPath for a new connection is only available through creating a connection from the gateway resource. New connections created from the ExpressRoute circuit or from the Connection resource page is not supported.
Configure FastPath on an existing connection
Go to the existing connection resource either from the ExpressRoute gateway, the ExpressRoute circuit, or the Connection resource page.
Select Configuration under Settings and then select the FastPath checkbox. Select Save to enable the feature.
You can use Connection Monitor to verify that your traffic is reaching the destination using FastPath.
Enroll in ExpressRoute FastPath features (preview)
FastPath support for virtual network peering is now in Public preview. Enrollment is only available through Azure PowerShell. See FastPath preview features, for instructions on how to enroll.
Any connections configured for FastPath in the target subscription will be enrolled in this preview. We do not advise enabling this preview in production subscriptions. If you already have FastPath configured and want to enroll in the preview feature, you need to do the following:
- Enroll in the FastPath preview feature with the Azure PowerShell command above.
- Disable and then re-enable FastPath on the target connection.
Clean up resources
You can delete a connection and unlink your VNet to an ExpressRoute circuit by selecting the Delete icon on the page for your connection.
In this tutorial, you learned how to connect a virtual network to a circuit in the same subscription and in a different subscription. For more information about ExpressRoute gateways, see: ExpressRoute virtual network gateways.
To learn how to configure route filters for Microsoft peering using the Azure portal, advance to the next tutorial.