Tutorial: Connect a virtual network to an ExpressRoute circuit using CLI

This tutorial shows you how to link virtual networks (VNets) to Azure ExpressRoute circuits using Azure CLI. To link using Azure CLI, the virtual networks must be created using the Resource Manager deployment model. They can either be in the same subscription, or part of another subscription. If you want to use a different method to connect your VNet to an ExpressRoute circuit, you can select an article from the following list:

In this tutorial, you learn how to:

  • Connect a virtual network in the same subscription to a circuit
  • Connect a virtual network in a different subscription to a circuit
  • Modify a virtual network connection
  • Configure ExpressRoute FastPath

Prerequisites

  • You need the latest version of the command-line interface (CLI). For more information, see Install the Azure CLI.

  • Review the prerequisites, routing requirements, and workflows before you begin configuration.

  • You must have an active ExpressRoute circuit.

    • Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
    • Ensure that you have Azure private peering configured for your circuit. See the configure routing article for routing instructions.
    • Ensure that Azure private peering is configured. The BGP peering between your network and Microsoft must be established so that you can enable end-to-end connectivity.
    • Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to Configure a virtual network gateway for ExpressRoute. Be sure to use --gateway-type ExpressRoute.
  • You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.

  • A single VNet can be linked to up to four ExpressRoute circuits. Use the following process to create a new connection object for each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.

  • If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit. The premium add-on will also allow you to connect more than 10 virtual networks to your ExpressRoute circuit depending on the bandwidth chosen. Check the FAQ for more details on the premium add-on.

Connect a virtual network in the same subscription to a circuit

You can connect a virtual network gateway to an ExpressRoute circuit by using the following example. Make sure that the virtual network gateway is created and is ready for linking before you run the command.

az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit

Connect a virtual network in a different subscription to a circuit

You can share an ExpressRoute circuit across multiple subscriptions. The following figure shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.

Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization uses their own subscription for deploying their services, but they can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization may use the ExpressRoute circuit.

Note

Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute Circuit Owner. All virtual networks share the same bandwidth.

Figure: Cross-subscription connectivity

Administration - Circuit Owners and Circuit Users

The 'Circuit Owner' is an authorized Power User of the ExpressRoute circuit resource. The Circuit Owner can create authorizations that can be redeemed by 'Circuit Users'. Circuit Users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. Circuit Users can redeem authorizations (one authorization per virtual network).

The Circuit Owner has the power to modify and revoke authorizations at any time. When an authorization is revoked, all link connections are deleted from the subscription whose access was revoked.

Circuit Owner operations

To create an authorization

The circuit owner creates an authorization, which creates an authorization key to be used by a circuit user to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.

The following example shows how to create an authorization:

az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization

The response contains the authorization key and status:

"authorizationKey": "0a7f3020-541f-4b4b-844a-5fb43472e3d7",
"authorizationUseStatus": "Available",
"etag": "W/\"010353d4-8955-4984-807a-585c21a22ae0\"",
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/authorizations/MyAuthorization1",
"name": "MyAuthorization1",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup"

To review authorizations

The Circuit Owner can review all authorizations that are issued on a particular circuit by running the following example:

az network express-route auth list --circuit-name MyCircuit -g ExpressRouteResourceGroup

To add authorizations

The Circuit Owner can add authorizations by using the following example:

az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1

To delete authorizations

The Circuit Owner can revoke/delete authorizations to the user by running the following example:

az network express-route auth delete --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1
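
Because an authorization key lets a gateway in another subscription link to the circuit, the output of the list command is worth auditing regularly. The following Python sketch is an added example, not part of the original tutorial or of Azure's tooling: it reads JSON in the shape of the response shown above, flags authorizations that are still redeemable or not expected, and redacts keys in its report. The approved_names inventory and the sample entries are assumptions made for illustration; "Used" is the status an authorization takes after it is redeemed.

```python
import json

# Constructed sample in the shape of `az network express-route auth list -o json`,
# using the response fields shown above. Names and keys are made up.
SAMPLE_AUTHS = json.loads("""
[
  {"name": "MyAuthorization1", "authorizationUseStatus": "Used",
   "authorizationKey": "00000000-0000-0000-0000-00000000aaaa", "provisioningState": "Succeeded"},
  {"name": "FinanceAuth", "authorizationUseStatus": "Available",
   "authorizationKey": "00000000-0000-0000-0000-00000000bbbb", "provisioningState": "Succeeded"},
  {"name": "TempAuth", "authorizationUseStatus": "Used",
   "authorizationKey": "00000000-0000-0000-0000-00000000cccc", "provisioningState": "Succeeded"}
]
""")

def redact(key):
    """Keep only the last four characters so the report never leaks a usable key."""
    return "****" + key[-4:] if key else "<none>"

def audit_authorizations(auths, approved_names):
    """Return (name, finding, detail) tuples for authorizations that need review.

    approved_names is a hypothetical inventory of authorizations the circuit
    owner intends to exist; it is an assumption of this example.
    """
    findings = []
    for auth in auths:
        name = auth.get("name", "<unnamed>")
        status = auth.get("authorizationUseStatus")
        key = redact(auth.get("authorizationKey"))
        if name not in approved_names:
            findings.append((name, "UNAPPROVED",
                             f"status={status} key={key}: not in inventory, consider 'auth delete'"))
        elif status == "Available":
            findings.append((name, "UNREDEEMED",
                             f"key={key}: key is still redeemable, delete it if no longer needed"))
        elif status != "Used":
            findings.append((name, "UNKNOWN_STATUS", f"status={status!r} key={key}"))
    return findings

if __name__ == "__main__":
    # Real use: load the JSON printed by the auth list command instead of the sample.
    for name, finding, detail in audit_authorizations(
            SAMPLE_AUTHS, approved_names={"MyAuthorization1", "FinanceAuth"}):
        print(f"{finding:<14} {name:<18} {detail}")
```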

Circuit User operations

The Circuit User needs the peer ID and an authorization key from the Circuit Owner. The authorization key is a GUID. The peer ID can be checked with the following command:

az network express-route show -n MyCircuit -g ExpressRouteResourceGroup

To redeem a connection authorization

The Circuit User can run the following example to redeem a link authorization:

az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit --authorization-key "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"

To release a connection authorization

You can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual network.

Modify a virtual network connection

You can update certain properties of a virtual network connection.

To update the connection weight

Your virtual network can be connected to multiple ExpressRoute circuits. You may receive the same prefix from more than one ExpressRoute circuit. To choose which connection to send traffic destined for this prefix, you can change the RoutingWeight of a connection. Traffic will be sent on the connection with the highest RoutingWeight.

az network vpn-connection update --name ERConnection --resource-group ExpressRouteResourceGroup --routing-weight 100

The range of RoutingWeight is 0 to 32000. The default value is 0.

Clean up resources

If you no longer need the ExpressRoute connection, use the az network vpn-connection delete command from the subscription where the gateway is located to remove the link between the gateway and the circuit.

az network vpn-connection delete --name ERConnection --resource-group ExpressRouteResourceGroup

Next steps

In this tutorial, you learned how to connect a virtual network to a circuit in the same subscription and a different subscription. For more information about the ExpressRoute gateway, see: