Connect a virtual network to an ExpressRoute circuit

This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits by using the Resource Manager deployment model and PowerShell. Virtual networks can either be in the same subscription or part of another subscription. This article also shows you how to update a virtual network link.

  • You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.

  • A single VNet can be linked to up to four ExpressRoute circuits. Use the steps in this article to create a new connection object for each ExpressRoute circuit you are connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.

  • You can link virtual networks outside of the geopolitical region of the ExpressRoute circuit, or connect a larger number of virtual networks to your ExpressRoute circuit if you enabled the ExpressRoute premium add-on. Check the FAQ for more details on the premium add-on.

Before you begin

  • Review the prerequisites, routing requirements, and workflows before you begin configuration.
  • You must have an active ExpressRoute circuit.
    • Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
    • Ensure that you have Azure private peering configured for your circuit. See the configure routing article for routing instructions.
    • Ensure that Azure private peering is configured and the BGP peering between your network and Microsoft is up so that you can enable end-to-end connectivity.
    • Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to create a virtual network gateway for ExpressRoute. A virtual network gateway for ExpressRoute uses the GatewayType 'ExpressRoute', not VPN.

Connect a virtual network in the same subscription to a circuit

You can connect a virtual network gateway to an ExpressRoute circuit by using the following cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet:

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
$gw = Get-AzVirtualNetworkGateway -Name "ExpressRouteGw" -ResourceGroupName "MyRG"
$connection = New-AzVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName "MyRG" -Location "China North" -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute

Connect a virtual network in a different subscription to a circuit

You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.

Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services, but they can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.

Note

Connectivity and bandwidth charges for the ExpressRoute circuit will be applied to the subscription owner. All virtual networks share the same bandwidth.

Cross-subscription connectivity

Administration - circuit owners and circuit users

The 'circuit owner' is an authorized Power User of the ExpressRoute circuit resource. The circuit owner can create authorizations that can be redeemed by 'circuit users'. Circuit users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. Circuit users can redeem authorizations (one authorization per virtual network).

The circuit owner has the power to modify and revoke authorizations at any time. Revoking an authorization results in all link connections being deleted from the subscription whose access was revoked.

Circuit owner operations

To create an authorization

The circuit owner creates an authorization. This results in the creation of an authorization key that can be used by a circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.

The following cmdlet snippet shows how to create an authorization:

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
Add-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name "MyAuthorization1"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
$auth1 = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name "MyAuthorization1"

The response to this will contain the authorization key and status:

Name                   : MyAuthorization1
Id                     : /subscriptions/&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/resourceGroups/ERCrossSubTestRG/providers/Microsoft.Network/expressRouteCircuits/CrossSubTest/authorizations/MyAuthorization1
Etag                   : &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 
AuthorizationKey       : ####################################
AuthorizationUseStatus : Available
ProvisioningState      : Succeeded

To review authorizations

The circuit owner can review all authorizations that are issued on a particular circuit by running the following cmdlet:

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
$authorizations = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit

To add authorizations

The circuit owner can add authorizations by using the following cmdlet:

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
Add-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit -Name "MyAuthorization2"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit

$circuit = Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"
$authorizations = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit

To delete authorizations

The circuit owner can revoke/delete authorizations to the user by running the following cmdlet:

Remove-AzExpressRouteCircuitAuthorization -Name "MyAuthorization2" -ExpressRouteCircuit $circuit
Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit
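
An authorization whose AuthorizationUseStatus is still Available is a key that has been issued but not yet redeemed, so a circuit owner reviewing a circuit may want to list and revoke those. The following is an added example, not part of the original article: the function names, the -Keep parameter, and the sample objects are hypothetical, and 'Used' is assumed to be the status reported for a redeemed authorization.

```powershell
# Added example (not from the original article). Requires the Az.Network module
# for Remove-UnredeemedAuthorization; the filter itself runs offline.

function Get-UnredeemedAuthorization {
    # Hypothetical helper: passes through only authorizations not yet redeemed.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Authorization
    )
    process {
        if ($Authorization.AuthorizationUseStatus -eq 'Available') {
            # Emit a reduced object so the AuthorizationKey never reaches logs.
            [pscustomobject]@{
                Name   = $Authorization.Name
                Status = $Authorization.AuthorizationUseStatus
                State  = $Authorization.ProvisioningState
            }
        }
    }
}

function Remove-UnredeemedAuthorization {
    # Hypothetical helper: revokes every unredeemed authorization except -Keep.
    param(
        [Parameter(Mandatory)][string]$CircuitName,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string[]]$Keep = @()
    )
    $circuit = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $ResourceGroupName
    $stale = Get-AzExpressRouteCircuitAuthorization -ExpressRouteCircuit $circuit |
        Get-UnredeemedAuthorization |
        Where-Object { $_.Name -notin $Keep }
    foreach ($auth in $stale) {
        # Updates the in-memory circuit object only; committed below.
        Remove-AzExpressRouteCircuitAuthorization -Name $auth.Name -ExpressRouteCircuit $circuit | Out-Null
    }
    if ($stale) { Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit | Out-Null }
    $stale   # report what was revoked
}

# Constructed sample objects shaped like the response shown earlier (no real keys).
$sample = @(
    [pscustomobject]@{ Name = 'MyAuthorization1'; AuthorizationUseStatus = 'Used';      ProvisioningState = 'Succeeded' }
    [pscustomobject]@{ Name = 'MyAuthorization2'; AuthorizationUseStatus = 'Available'; ProvisioningState = 'Succeeded' }
)
$sample | Get-UnredeemedAuthorization
```

Against a live circuit, `Remove-UnredeemedAuthorization -CircuitName "MyCircuit" -ResourceGroupName "MyRG" -Keep "MyAuthorization1"` revokes every unredeemed authorization except the ones named in -Keep.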

Circuit user operations

The circuit user needs the peer ID and an authorization key from the circuit owner. The authorization key is a GUID.

Peer ID can be checked from the following command:

Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"

To redeem a connection authorization

The circuit user can run the following cmdlet to redeem a link authorization:

$id = "/subscriptions/********************************/resourceGroups/ERCrossSubTestRG/providers/Microsoft.Network/expressRouteCircuits/MyCircuit"    
$gw = Get-AzVirtualNetworkGateway -Name "ExpressRouteGw" -ResourceGroupName "MyRG"
$connection = New-AzVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName "RemoteResourceGroup" -Location "China North" -VirtualNetworkGateway1 $gw -PeerId $id -ConnectionType ExpressRoute -AuthorizationKey "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"

To release a connection authorization

You can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual network.

Modify a virtual network connection

You can update certain properties of a virtual network connection.

To update the connection weight

Your virtual network can be connected to multiple ExpressRoute circuits. You may receive the same prefix from more than one ExpressRoute circuit. To choose which connection to send traffic destined for this prefix, you can change the RoutingWeight of a connection. Traffic will be sent on the connection with the highest RoutingWeight.

$connection = Get-AzVirtualNetworkGatewayConnection -Name "MyVirtualNetworkConnection" -ResourceGroupName "MyRG"
$connection.RoutingWeight = 100
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection

The range of RoutingWeight is 0 to 32000. The default value is 0.

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.