|
| 1 | +--- |
| 2 | +title: 'Create an ExpressRoute association to Azure Virtual WAN - PowerShell' |
| 3 | +description: Learn how to create an ExpressRoute association from your branch site to Azure Virtual WAN using PowerShell. |
| 4 | +author: cherylmc |
| 5 | +ms.service: virtual-wan |
| 6 | +ms.topic: how-to |
| 7 | +ms.date: 08/05/2022 |
| 8 | +ms.author: cherylmc |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +# Create an ExpressRoute association to Virtual WAN - PowerShell |
| 13 | + |
| 14 | +This article helps you use Virtual WAN to connect to your resources in Azure over an ExpressRoute circuit. For more information about Virtual WAN and Virtual WAN resources, see the [Virtual WAN Overview](virtual-wan-about.md). |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | + |
| 18 | +Verify that you've met the following criteria before beginning your configuration. |
| 19 | + |
| 20 | +* You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network using PowerShell, see the [Quickstart](../virtual-network/quick-create-powershell.md). |
| 21 | + |
| 22 | +* Your virtual network doesn't have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected instead, to the Virtual WAN hub gateway. |
| 23 | + |
| 24 | +* Obtain an IP address range for your virtual hub region. A virtual hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the virtual hub can't overlap with any of your existing virtual networks that you connect to. It also can't overlap with your address ranges that you connect to on-premises. If you're unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you. |
| 25 | + |
| 26 | +* The ExpressRoute circuit must be a Premium or Standard circuit in order to connect to the virtual hub gateway. |
| 27 | + |
| 28 | +* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 29 | + |
| 30 | +### Azure PowerShell |
| 31 | + |
| 32 | +[!INCLUDE [PowerShell](../../includes/vpn-gateway-cloud-shell-powershell-about.md)] |
| 33 | + |
| 34 | +## <a name="signin"></a>Sign in |
| 35 | + |
| 36 | +[!INCLUDE [sign in](../../includes/vpn-gateway-cloud-shell-ps-login.md)] |
| 37 | + |
| 38 | +## Create a virtual WAN |
| 39 | + |
| 40 | +Before you can create a virtual wan, you have to create a resource group to host the virtual wan or use an existing resource group. Use one of the following examples. |
| 41 | + |
| 42 | +**New resource group** - This example creates a new resource group named testRG in the West US location. |
| 43 | + |
| 44 | +1. Create a resource group. |
| 45 | + |
| 46 | + ```azurepowershell-interactive |
| 47 | + New-AzResourceGroup -Location "West US" -Name "testRG" |
| 48 | + ``` |
| 49 | + |
| 50 | +1. Create the virtual wan. |
| 51 | + |
| 52 | + ```azurepowershell-interactive |
| 53 | + $virtualWan = New-AzVirtualWan -ResourceGroupName testRG -Name myVirtualWAN -Location "West US" |
| 54 | + ``` |
| 55 | + |
| 56 | +**Existing resource group** - Use the following steps if you want to create the virtual wan in an already existing resource group. |
| 57 | + |
| 58 | +1. Set the variables for the existing resource group. |
| 59 | + |
| 60 | + ```azurepowershell-interactive |
| 61 | + $resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" |
| 62 | + ``` |
| 63 | + |
| 64 | +1. Create the virtual wan. |
| 65 | + |
| 66 | + ```azurepowershell-interactive |
| 67 | + $virtualWan = New-AzVirtualWan -ResourceGroupName testRG -Name myVirtualWAN -Location "West US" |
| 68 | + ``` |
| 69 | + |
| 70 | +## Create a virtual hub and a gateway |
| 71 | + |
| 72 | +A virtual hub is a virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality. Use one of the following examples to create an ExpressRoute gateway in a new or existing virtual hub. |
| 73 | + |
| 74 | +**New virtual hub** - This example creates a default virtual hub named westushub with the specified address prefix and a location for the virtual hub. |
| 75 | + |
| 76 | +1. Create a virtual hub. |
| 77 | + |
| 78 | + ```azurepowershell-interactive |
| 79 | + $virtualHub = New-AzVirtualHub -VirtualWan $virtualWan -ResourceGroupName "testRG" -Name "westushub" -AddressPrefix "10.0.0.1/24" |
| 80 | + ``` |
| 81 | + |
| 82 | +1. Create an ExpressRoute gateway. ExpressRoute gateways are provisioned in units of 2 Gbps. 1 scale unit = 2 Gbps with support up to 10 scale units = 20 Gbps. It takes about 30 minutes for a virtual hub and gateway to fully create. |
| 83 | + |
| 84 | + ```azurepowershell-interactive |
| 85 | + $expressroutegatewayinhub = New-AzExpressRouteGateway -ResourceGroupName "testRG" -Name "testergw" -VirtualHubId $virtualHub.Id -MinScaleUnits 2 |
| 86 | + ``` |
| 87 | + |
| 88 | +**Existing virtual hub** - This example creates an ExpressRoute gateway in an existing virtual hub. |
| 89 | + |
| 90 | +```azurepowershell-interactive |
| 91 | +$expressroutegatewayinhub = New-AzExpressRouteGateway -MaxScaleUnits <UInt32> -MinScaleUnits 2 -Name 'testExpressRoutegw' -ResourceGroupName 'testRG' -Tag @{"tag1"="value1"; "tag2"="value2"} -VirtualHubName "[hub Name]" |
| 92 | +``` |
| 93 | + |
| 94 | +## Create an Express Route circuit |
| 95 | + |
| 96 | +The next step is to get the private peering ID of the ExpressRoute circuit. You can either create a new circuit, or get the ID from an existing circuit. Use one of the following examples. |
| 97 | + |
| 98 | +**New circuit** - This example creates a new ExpressRoute circuit and gets its private peering ID. |
| 99 | + |
| 100 | + ```azurepowershell-interactive |
| 101 | + $ExpressRouteCircuit = New-AzExpressRouteCircuit -ResourceGroupName "testRG" -Name "testExpressRouteCircuit" -Location "West Central US" -SkuTier Premium -SkuFamily MeteredData -ServiceProviderName "Equinix" -PeeringLocation "Silicon Valley" -BandwidthInMbps 200 |
| 102 | +
|
| 103 | + Add-AzExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ExpressRouteCircuit -PeeringType AzurePrivatePeering -PeerASN 100 -PrimaryPeerAddressPrefix "123.0.0.0/30" -SecondaryPeerAddressPrefix "123.0.0.4/30" -VlanId 300 |
| 104 | +
|
| 105 | + $ExpressRouteCircuit = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ExpressRouteCircuit |
| 106 | +
|
| 107 | + $ExpressRouteCircuitPeeringId = $ExpressRouteCircuit.Peerings[0].Id |
| 108 | + ``` |
| 109 | + |
| 110 | +**Existing circuit** - This example gets the details and Private Peering ID from an existing ExpressRoute circuit. |
| 111 | + |
| 112 | + ```azurepowershell-interactive |
| 113 | +
|
| 114 | + $ExpressRouteCircuit = Get-AzExpressRouteCircuit -ResourceGroupName ["resource group name"] -Name ["expressroute circuit name"] |
| 115 | +
|
| 116 | + $ExpressRouteCircuitPeeringId = $ExpressRouteCircuit.Peerings[0].Id |
| 117 | + ``` |
| 118 | + |
| 119 | +## Connect your circuit to the gateway |
| 120 | + |
| 121 | +In this section, you connect an ExpressRoute (ER) circuit to your virtual hub's ExpressRoute gateway. |
| 122 | + |
| 123 | +* ExpressRoute Standard or Premium circuits that are in ExpressRoute Global Reach-supported locations can connect to a Virtual WAN ExpressRoute gateway and enjoy all Virtual WAN transit capabilities (VPN-to-VPN, VPN, and ExpressRoute transit). |
| 124 | + |
| 125 | +* ExpressRoute Standard and Premium circuits that are in non-Global Reach locations can connect to Azure resources, but won't be able to use Virtual WAN transit capabilities. ExpressRoute Local is also supported with Azure Virtual WAN virtual hubs. |
| 126 | + |
| 127 | +Use one of the following examples to connect your circuit. Both examples include optional authorization key steps. |
| 128 | + |
| 129 | +**Connect - example ER gateway** - This example connects the ExpressRoute circuit that you created earlier to the virtual hub's ExpressRoute gateway ($expressroutegatewayinhub). |
| 130 | + |
| 131 | +1. Run the following example command: |
| 132 | + |
| 133 | + ```azurepowershell-interactive |
| 134 | + $ExpressrouteConnection = New-AzExpressRouteConnection -ResourceGroupName $expressroutegatewayinhub.ResourceGroupName -ExpressRouteGatewayName $expressroutegatewayinhub.Name -Name "testConnection" -ExpressRouteCircuitPeeringId $ExpressRouteCircuitPeeringId -RoutingWeight 20 |
| 135 | + ``` |
| 136 | + |
| 137 | +Optional - Connect by using ExpressRoute circuit's authorization key |
| 138 | + |
| 139 | +1. Create authorization key for the ExpressRoute circuit. For steps, see [How To Create Authorization](../expressroute/expressroute-howto-linkvnet-arm.md). |
| 140 | + |
| 141 | +1. Once authorization is created, get the authorization of the ER circuit. |
| 142 | + |
| 143 | + ```azurepowershell-interactive |
| 144 | + $authorizations = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $ExpressRouteCircuit |
| 145 | + ``` |
| 146 | + |
| 147 | +1. Get the authorization key for the first key; use the index for other keys (i.e [1]). |
| 148 | + |
| 149 | + ```azurepowershell-interactive |
| 150 | + $authorizationskey = $authorizationskey[0].AuthorizationKey |
| 151 | + ``` |
| 152 | + |
| 153 | +1. Connect the ExpressRoute circuit to the virtual hub using the authorization key. |
| 154 | + |
| 155 | + ```azurepowershell-interactive |
| 156 | + $ExpressrouteConnection = New-AzExpressRouteConnection -ResourceGroupName $expressroutegatewayinhub.ResourceGroupName -ExpressRouteGatewayName $expressroutegatewayinhub.Name -Name "testConnectionpowershellauthkey" -ExpressRouteCircuitPeeringId $ExpressRouteCircuitPeeringId -RoutingWeight 2 -AuthorizationKey $authprizationskey |
| 157 | + ``` |
| 158 | + |
| 159 | +**Connect - existing ER gateway** - The steps in this example help you connect to an existing ExpressRoute gateway. |
| 160 | + |
| 161 | +1. Get the existing virtual hub ExpressRoute gateway details. |
| 162 | + |
| 163 | + ```azurepowershell-interactive |
| 164 | + $expressroutegatewayinhub = Get-AzExpressRouteGateway -ResourceId "[ERgatewayinhubID]" |
| 165 | + ``` |
| 166 | + |
| 167 | +1. Connect the ExpressRoute circuit to the virtual hub ExpressRoute gateway. |
| 168 | + |
| 169 | + ```azurepowershell-interactive |
| 170 | + $ExpressrouteConnection = New-AzExpressRouteConnection -ResourceGroupName $expressroutegatewayinhub.ResourceGroupName -ExpressRouteGatewayName $expressroutegatewayinhub.Name -Name "testConnection" -ExpressRouteCircuitPeeringId $ExpressRouteCircuitPeeringId -RoutingWeight 20 |
| 171 | + ``` |
| 172 | +
|
| 173 | +Optional - Connect by using ExpressRoute circuit's authorization key. |
| 174 | +
|
| 175 | +1. Create authorization key for the ExpressRoute circuit. For steps, see [How To Create Authorization](../expressroute/expressroute-howto-linkvnet-arm.md). |
| 176 | +
|
| 177 | +1. Once authorization is created, get the authorization of the ER circuit. |
| 178 | +
|
| 179 | + ```azurepowershell-interactive |
| 180 | + $authorizations = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $ExpressRouteCircuit |
| 181 | + ``` |
| 182 | + |
| 183 | +1. Get the authorization key for the first key; use the index for other keys (i.e [1]). |
| 184 | + |
| 185 | + ```azurepowershell-interactive |
| 186 | + $authorizationskey = $authorizationskey[0].AuthorizationKey |
| 187 | + ``` |
| 188 | + |
| 189 | +1. Connect the ExpressRoute circuit to the virtual hub ExpressRoute gateway. |
| 190 | + |
| 191 | + ```azurepowershell-interactive |
| 192 | + $ExpressrouteConnection = New-AzExpressRouteConnection -ResourceGroupName $expressroutegatewayinhub.ResourceGroupName -ExpressRouteGatewayName $expressroutegatewayinhub.Name -Name "testConnectionpowershellauthkey" -ExpressRouteCircuitPeeringId $ExpressRouteCircuitPeeringId -RoutingWeight 2 -AuthorizationKey $authprizationskey |
| 193 | + ``` |
| 194 | + |
| 195 | +### Test connectivity |
| 196 | + |
| 197 | +After the circuit connection is established, the virtual hub connection status will indicate 'this hub', implying the connection is established to the virtual hub ExpressRoute gateway. Wait approximately 5 minutes before you test connectivity from a client behind your ExpressRoute circuit, for example, a VM in the VNet that you created earlier. |
| 198 | + |
| 199 | +If you have sites connected to a Virtual WAN VPN gateway in the same virtual hub as the ExpressRoute gateway, you can have bidirectional connectivity between VPN and ExpressRoute end points. Dynamic routing (BGP) is supported. The ASN of the gateways in the virtual hub is fixed and can't be edited at this time. |
| 200 | + |
| 201 | +### To change gateway size |
| 202 | + |
| 203 | +In the following example, an ExpressRoute gateway is modified to 3 scale units. |
| 204 | + |
| 205 | +```azurepowershell-interactive |
| 206 | +Set-AzExpressRouteGateway -ResourceGroupName "testRG" -Name "testergw" -MinScaleUnits 3 |
| 207 | +``` |
| 208 | + |
| 209 | +## Next Steps |
| 210 | + |
| 211 | +Next, to learn more about Virtual WAN, see the [Virtual WAN FAQ](virtual-wan-faq.md). |
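Review bot: The optional authorization-key steps under both "Connect - example ER gateway" and "Connect - existing ER gateway" use three different variable names, so the connect command never receives the key retrieved from the circuit. The result of `Get-AzExpressRouteCircuitAuthorization` is stored in `$authorizations`, the next step reads `$authorizationskey[0].AuthorizationKey` from a variable that has not been assigned, and the final command passes `-AuthorizationKey $authprizationskey`, which is a misspelling of the name set in the previous step. Suggest `$authorizationskey = $authorizations[0].AuthorizationKey` for the indexing step and `-AuthorizationKey $authorizationskey` on `New-AzExpressRouteConnection`, in both sections. Two smaller points: the new virtual hub example passes `-AddressPrefix "10.0.0.1/24"`, which has host bits set where `10.0.0.0/24` is the network form of that prefix, and in "Existing resource group" the `$resourceGroup` variable is assigned but the following command still hard-codes `-ResourceGroupName testRG`.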