Connect a virtual network to an ExpressRoute circuit using CLI

This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits using CLI. To link using Azure CLI, the virtual networks must be created using the Resource Manager deployment model. They can either be in the same subscription, or part of another subscription. If you want to use a different method to connect your VNet to an ExpressRoute circuit, you can select an article from the following list:

Configuration prerequisites

  • You need the latest version of the command-line interface (CLI). For more information, see Install the Azure CLI.

  • You need to review the prerequisites, routing requirements, and workflows before you begin configuration.

  • You must have an active ExpressRoute circuit.

    • Follow the instructions to create an ExpressRoute circuit and have the circuit enabled by your connectivity provider.
    • Ensure that you have Azure private peering configured for your circuit. See the configure routing article for routing instructions.
    • Ensure that Azure private peering is configured. The BGP peering between your network and Microsoft must be up so that you can enable end-to-end connectivity.
    • Ensure that you have a virtual network and a virtual network gateway created and fully provisioned. Follow the instructions to Configure a virtual network gateway for ExpressRoute. Be sure to use --gateway-type ExpressRoute.
  • You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.

  • A single VNet can be linked to up to four ExpressRoute circuits. Use the process below to create a new connection object for each ExpressRoute circuit you are connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.

  • If you enable the ExpressRoute premium add-on, you can link a virtual network outside of the geopolitical region of the ExpressRoute circuit, or connect a larger number of virtual networks to your ExpressRoute circuit. For more information about the premium add-on, see the FAQ.

Connect a virtual network in the same subscription to a circuit

You can connect a virtual network gateway to an ExpressRoute circuit by using the following example. Make sure that the virtual network gateway is created and is ready for linking before you run the command.

az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit

Connect a virtual network in a different subscription to a circuit

You can share an ExpressRoute circuit across multiple subscriptions. The figure below shows a simple schematic of how sharing works for ExpressRoute circuits across multiple subscriptions.

Each of the smaller clouds within the large cloud is used to represent subscriptions that belong to different departments within an organization. Each of the departments within the organization can use their own subscription for deploying their services, but they can share a single ExpressRoute circuit to connect back to your on-premises network. A single department (in this example: IT) can own the ExpressRoute circuit. Other subscriptions within the organization can use the ExpressRoute circuit.

Note

Connectivity and bandwidth charges for the dedicated circuit will be applied to the ExpressRoute Circuit Owner. All virtual networks share the same bandwidth.

Figure: Cross-subscription connectivity

Administration - Circuit Owners and Circuit Users

The 'Circuit Owner' is an authorized Power User of the ExpressRoute circuit resource. The Circuit Owner can create authorizations that can be redeemed by 'Circuit Users'. Circuit Users are owners of virtual network gateways that are not within the same subscription as the ExpressRoute circuit. Circuit Users can redeem authorizations (one authorization per virtual network).

The Circuit Owner has the power to modify and revoke authorizations at any time. When an authorization is revoked, all link connections are deleted from the subscription whose access was revoked.

Circuit Owner operations

To create an authorization

The Circuit Owner creates an authorization, which creates an authorization key that can be used by a Circuit User to connect their virtual network gateways to the ExpressRoute circuit. An authorization is valid for only one connection.

The following example shows how to create an authorization:

az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization

The response contains the authorization key and status:

"authorizationKey": "0a7f3020-541f-4b4b-844a-5fb43472e3d7",
"authorizationUseStatus": "Available",
"etag": "W/\"010353d4-8955-4984-807a-585c21a22ae0\"",
"id": "/subscriptions/81ab786c-56eb-4a4d-bb5f-f60329772466/resourceGroups/ExpressRouteResourceGroup/providers/Microsoft.Network/expressRouteCircuits/MyCircuit/authorizations/MyAuthorization1",
"name": "MyAuthorization1",
"provisioningState": "Succeeded",
"resourceGroup": "ExpressRouteResourceGroup"

To review authorizations

The Circuit Owner can review all authorizations that are issued on a particular circuit by running the following example:

az network express-route auth list --circuit-name MyCircuit -g ExpressRouteResourceGroup

To add authorizations

The Circuit Owner can add authorizations by using the following example:

az network express-route auth create --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1

To delete authorizations

The Circuit Owner can revoke/delete authorizations to the user by running the following example:

az network express-route auth delete --circuit-name MyCircuit -g ExpressRouteResourceGroup -n MyAuthorization1
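
The review and delete steps above can be combined into a periodic audit. The following is an added example, not part of the original article or of Azure's tooling: it reads the JSON produced by az network express-route auth list, compares it with a set of authorization names the Circuit Owner has approved, and builds the delete commands for the rest. The sample data, the approved set, and the function name are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `az network express-route auth list -o json`.
# Names are hypothetical; authorizationKey is left out on purpose, because the
# key is a secret and an audit never needs to read or log it.
SAMPLE_AUTH_LIST = json.dumps([
    {"name": "MyAuthorization1", "authorizationUseStatus": "InUse"},
    {"name": "finance-vnet", "authorizationUseStatus": "Available"},
    {"name": "old-test", "authorizationUseStatus": "InUse"},
])


def audit_authorizations(auth_list_json, approved, circuit, resource_group):
    """Compare a circuit's authorizations with the owner's approved set.

    Returns (findings, revoke_argv): findings is a list of (name, reason);
    revoke_argv holds one `az ... auth delete` argument list per authorization
    that is not approved. Argument lists avoid shell quoting problems.
    """
    findings, revoke_argv = [], []
    for auth in json.loads(auth_list_json):
        name = auth.get("name", "")
        status = auth.get("authorizationUseStatus", "unknown")
        if name not in approved:
            findings.append((name, "not approved, status " + status))
            # Deleting an authorization also removes the link connections
            # made with it, so review this list before running anything.
            revoke_argv.append([
                "az", "network", "express-route", "auth", "delete",
                "--circuit-name", circuit, "-g", resource_group, "-n", name,
            ])
        elif status == "Available":
            # Approved but unredeemed: the key can still be redeemed.
            findings.append((name, "approved but not yet redeemed"))
    return findings, revoke_argv


if __name__ == "__main__":
    found, commands = audit_authorizations(
        SAMPLE_AUTH_LIST, {"MyAuthorization1", "finance-vnet"},
        "MyCircuit", "ExpressRouteResourceGroup")
    for name, reason in found:
        print(name + ": " + reason)
    for argv in commands:
        print(" ".join(argv))
```

The returned argument lists can be passed to subprocess.run once the findings have been reviewed.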

Circuit User operations

The Circuit User needs the peer ID and an authorization key from the Circuit Owner. The authorization key is a GUID.

Get-AzExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"

To redeem a connection authorization

The Circuit User can run the following example to redeem a link authorization:

az network vpn-connection create --name ERConnection --resource-group ExpressRouteResourceGroup --vnet-gateway1 VNet1GW --express-route-circuit2 MyCircuit --authorization-key "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"

To release a connection authorization

You can release an authorization by deleting the connection that links the ExpressRoute circuit to the virtual network.

Modify a virtual network connection

You can update certain properties of a virtual network connection.

To update the connection weight

Your virtual network can be connected to multiple ExpressRoute circuits. You may receive the same prefix from more than one ExpressRoute circuit. To choose which connection to send traffic destined for this prefix, you can change the RoutingWeight of a connection. Traffic will be sent on the connection with the highest RoutingWeight.

az network vpn-connection update --name ERConnection --resource-group ExpressRouteResourceGroup --routing-weight 100

The range of RoutingWeight is 0 to 32000. The default value is 0.

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.