Configure ExpressRoute and site-to-site coexisting connections using PowerShell

This article helps you configure ExpressRoute and site-to-site VPN connections that coexist. Having the ability to configure site-to-site VPN and ExpressRoute has several advantages. You can configure site-to-site VPN as a secure failover path for ExpressRoute, or use site-to-site VPNs to connect to sites that aren't connected through ExpressRoute. We cover the steps to configure both scenarios in this article. This article applies to the Resource Manager deployment model.

Configuring site-to-site VPN and ExpressRoute coexisting connections has several advantages:

  • You can configure a site-to-site VPN as a secure failover path for ExpressRoute.
  • Alternatively, you can use site-to-site VPNs to connect to sites that aren't connected through ExpressRoute.

The steps to configure both scenarios are covered in this article. This article applies to the Resource Manager deployment model and uses PowerShell. You can also configure these scenarios using the Azure portal, although documentation isn't yet available. You can configure either gateway first. Typically, you don't experience any downtime when adding a new gateway or gateway connection.

Note

If you want to create a site-to-site VPN over an ExpressRoute circuit, see site-to-site VPN over Microsoft peering.

Limits and limitations

  • Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in Connect to multiple policy-based VPN devices.
  • ExpressRoute-VPN Gateway coexist configurations are not supported with Basic SKU public IP.
  • If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515, and Azure Route Server should be used. Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.
  • The gateway subnet must be /27 or a shorter prefix, such as /26, /25, or you receive an error message when you add the ExpressRoute virtual network gateway.

Configuration designs

Configure a site-to-site VPN as a failover path for ExpressRoute

You can configure a site-to-site VPN connection as a backup for your ExpressRoute connection. This connection applies only to virtual networks linked to the Azure private peering path. There's no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the site-to-site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local network configuration should also prefer the ExpressRoute circuit over the site-to-site VPN. You can prefer the ExpressRoute path by setting higher local preference for the routes received the ExpressRoute.

Note

  • If you have ExpressRoute Microsoft peering enabled, you can receive the public IP address of your Azure VPN gateway on the ExpressRoute connection. To set up your site-to-site VPN connection as a backup, you must configure your on-premises network so that the VPN connection is routed to the Internet.

  • While the ExpressRoute circuit path is preferred over the site-to-site VPN when both routes are the same, Azure uses the longest prefix match to choose the route towards the packet's destination.

Diagram that shows a site-to-site VPN connection as a backup for ExpressRoute.

Configure a site-to-site VPN to connect to sites not connected through ExpressRoute

You can configure your network where some sites connect directly to Azure over site-to-site VPN, and some sites connect through ExpressRoute.

Coexist

Selecting the steps to use

There are two different sets of procedures to choose from. The configuration procedure that you select depends on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network.

  • I don't have a VNet and need to create one.

    If you don’t already have a virtual network, this procedure walks you through creating a new virtual network using Resource Manager deployment model and creating new ExpressRoute and site-to-site VPN connections.

  • I already have a Resource Manager deployment model VNet.

    You may already have a virtual network in place with an existing site-to-site VPN connection or ExpressRoute connection. In this scenario if the gateway subnet prefix is /28 or longer (/29, /30, etc.), you have to delete the existing gateway. The steps to configure coexisting connections for an already existing VNet section walks you through deleting the gateway, and then creating new ExpressRoute and site-to-site VPN connections.

    If you delete and recreate your gateway, you experience downtime for your cross-premises connections. However, your VMs and services can connect through the internet while you configure your gateway if they're configured to do so.

Before you begin

The steps and examples in this article use Azure PowerShell Az modules. To install the Az modules locally on your computer, see Install Azure PowerShell. To learn more about the new Az module, see Introducing the new Azure PowerShell Az module. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the installed versions of PowerShell on your system, use the Get-Module -ListAvailable Az cmdlet.

You can use Azure Cloud Shell to run most PowerShell cmdlets and CLI commands, instead of installing Azure PowerShell or CLI locally. Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and is configured to use with your account. To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, press Enter to run code.

There are a few ways to launch the Cloud Shell:

Option Link
Click Try It in the upper right corner of a code block. Cloud Shell in this article
Open Cloud Shell in your browser. https://shell.azure.com/powershell
Click the Cloud Shell button on the menu in the upper right of the Azure portal. Cloud Shell in the portal

This procedure walks you through creating a VNet and site-to-site and ExpressRoute connections that coexist. The cmdlets that you use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions.

  1. Sign in and select your subscription.

    If you are using the Azure Cloud Shell, you sign in to your Azure account automatically after clicking 'Try it'. To sign in locally, open your PowerShell console with elevated privileges and run the cmdlet to connect.

    Connect-AzAccount
    

    If you have more than one subscription, get a list of your Azure subscriptions.

    Get-AzSubscription
    

    Specify the subscription that you want to use.

    Select-AzSubscription -SubscriptionName "Name of subscription"
    
  2. Define variables and create resource group.

    $location = "Central US"
    $resgrp = New-AzResourceGroup -Name "ErVpnCoex" -Location $location
    $VNetASN = 65515
    
  3. Create a virtual network including the GatewaySubnet. For more information about creating a virtual network, see Create a virtual network. For more information about creating subnets, see Create a subnet

    Important

    The GatewaySubnet must be a /27 or a shorter prefix, such as /26 or /25.

    Create a new virtual network.

    $vnet = New-AzVirtualNetwork -Name "CoexVnet" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AddressPrefix "10.200.0.0/16"
    

    Add two subnets named App and GatewaySubnet.

    Add-AzVirtualNetworkSubnetConfig -Name "App" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24"
    Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.0/24"
    

    Save the virtual network configuration.

    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    
  4. Next, create your site-to-site VPN gateway. For more information about the VPN gateway configuration, see Configure a VNet with a site-to-site connection. The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU. The VpnType must be RouteBased.

    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $gwIP = New-AzPublicIpAddress -Name "VPNGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AllocationMethod Dynamic
    $gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "VPNGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
    New-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1"
    

    The Azure VPN gateway supports BGP routing protocol. You can specify ASN (AS Number) for the virtual network by adding the -Asn flag in the following command. Not specifying the Asn parameter defaults to the AS number to 65515.

    $azureVpn = New-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1"
    

    Note

    For coexisting gateways, you must use the default ASN of 65515. For more information, see limits and limitations.

    You can find the BGP peering IP and the AS number that Azure uses for the VPN gateway by running $azureVpn.BgpSettings.BgpPeeringAddress and $azureVpn.BgpSettings.Asn. For more information, see Configure BGP for Azure VPN gateway.

  5. Create a local site VPN gateway entity. This command doesn’t configure your on-premises VPN gateway. Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises address space, so that the Azure VPN gateway can connect to it.

    If your local VPN device only supports static routing, you can configure the static routes in the following way:

    $MyLocalNetworkAddress = @("10.100.0.0/16","10.101.0.0/16","10.102.0.0/16")
    $localVpn = New-AzLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -GatewayIpAddress *<Public IP>* -AddressPrefix $MyLocalNetworkAddress
    

    If your local VPN device supports the BGP and you want to enable dynamic routing, you need to know the BGP peering IP and the AS number of your local VPN device.

    $localVPNPublicIP = "<Public IP>"
    $localBGPPeeringIP = "<Private IP for the BGP session>"
    $localBGPASN = "<ASN>"
    $localAddressPrefix = $localBGPPeeringIP + "/32"
    $localVpn = New-AzLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -GatewayIpAddress $localVPNPublicIP -AddressPrefix $localAddressPrefix -BgpPeeringAddress $localBGPPeeringIP -Asn $localBGPASN
    
  6. Configure your local VPN device to connect to the new Azure VPN gateway. For more information about VPN device configuration, see VPN Device Configuration.

  7. Link the site-to-site VPN gateway on Azure to the local gateway.

    $azureVpn = Get-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName
    New-AzVirtualNetworkGatewayConnection -Name "VPNConnection" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn -ConnectionType IPsec -SharedKey <yourkey>
    
  8. If you're connecting to an existing ExpressRoute circuit, skip steps 8 & 9 and, jump to step 10. Configure ExpressRoute circuits. For more information about configuring ExpressRoute circuit, see create an ExpressRoute circuit.

  9. Configure Azure private peering over the ExpressRoute circuit. For more information about configuring Azure private peering over the ExpressRoute circuit, see configure peering

  10. Create an ExpressRoute gateway. For more information about the ExpressRoute gateway configuration, see ExpressRoute gateway configuration. The GatewaySKU must be Standard, HighPerformance, or UltraPerformance.

    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $gwIP = New-AzPublicIpAddress -Name "ERGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AllocationMethod Dynamic
    $gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "ERGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
    $gw = New-AzVirtualNetworkGateway -Name "ERGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "ExpressRoute" -GatewaySku Standard
    
  11. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure, through ExpressRoute, is established. For more information about the link operation, see Link VNets to ExpressRoute.

    $ckt = Get-AzExpressRouteCircuit -Name "YourCircuit" -ResourceGroupName "YourCircuitResourceGroup"
    New-AzVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute
    

To add point-to-site configuration to the VPN gateway

You can follow these steps to add a point-to-site configuration to your VPN gateway in a coexistence setup. To upload the VPN root certificate, you must either install PowerShell locally to your computer, or use the Azure portal.

  1. Add VPN Client address pool.

    $azureVpn = Get-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $azureVpn -VpnClientAddressPool "10.251.251.0/24"
    
  2. Upload the VPN root certificate to Azure for your VPN gateway. In this example, we assume the root certificate gets stored in the local machine where the following PowerShell cmdlets run and that you're running PowerShell locally. You can also upload the certificate using the Azure portal.

    $p2sCertFullName = "RootErVpnCoexP2S.cer" 
    $p2sCertMatchName = "RootErVpnCoexP2S" 
    $p2sCertToUpload=get-childitem Cert:\CurrentUser\My | Where-Object {$_.Subject -match $p2sCertMatchName} 
    if ($p2sCertToUpload.count -eq 1){write-host "cert found"} else {write-host "cert not found" exit} 
    $p2sCertData = [System.Convert]::ToBase64String($p2sCertToUpload.RawData) 
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $p2sCertFullName -VirtualNetworkGatewayname $azureVpn.Name -ResourceGroupName $resgrp.ResourceGroupName -PublicCertData $p2sCertData
    

For more information on Point-to-Site VPN, see Configure a Point-to-Site connection.

To enable transit routing between ExpressRoute and Azure VPN

If you want to enable connectivity between one of your local networks that is connected to ExpressRoute and another of your local network that is connected to a site-to-site VPN connection, you need to set up Azure Route Server.

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.