| title | Tutorial: Create an ExpressRoute association to Azure Virtual WAN |
|---|---|
| description | In this tutorial, learn how to use Azure Virtual WAN to create ExpressRoute connections to Azure and on-premises environments. |
| author | cherylmc |
| ms.service | azure-virtual-wan |
| ms.topic | tutorial |
| ms.date | 12/12/2024 |
| ms.author | cherylmc |
This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an ExpressRoute circuit. For more conceptual information about ExpressRoute in Virtual WAN, see About ExpressRoute in Virtual WAN. You can also create this configuration using the PowerShell steps.
In this tutorial, you learn how to:
[!div class="checklist"]
- Create a virtual WAN
- Create a hub and a gateway
- Connect a VNet to a hub
- Connect a circuit to a hub gateway
- Test connectivity
- Change a gateway size
- Advertise a default route
Verify that you've met the following criteria before beginning your configuration:
-
You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart.
-
Your virtual network doesn't have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected instead to the Virtual WAN hub gateway.
-
Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub can't overlap with any of your existing virtual networks that you connect to. It also can't overlap with your address ranges that you connect to on-premises. If you're unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
-
The following ExpressRoute circuit SKUs can be connected to the hub gateway: Local, Standard, and Premium.
-
If you don't have an Azure subscription, create a free account.
-
If you plan to remove Azure BGP communities from virtual network and UDR routes, don't advertise these routes back into Azure, as this causes routing issues. We don't recommend advertising Azure routes back into Azure.
[!INCLUDE Create a virtual WAN]
In this section, you'll create an ExpressRoute gateway for your virtual hub. You can either create the gateway when you create a new virtual hub, or you can create the gateway in an existing hub by editing it.
Create a new virtual hub. Once a hub is created, you'll be charged for the hub, even if you don't attach any sites.
[!INCLUDE Create a hub]
[!INCLUDE Create ExpressRoute gateway]
You can also create a gateway in an existing hub by editing the hub.
- Go to the virtual WAN.
- In the left pane, select Hubs.
- On the Virtual WAN | Hubs page, select the hub that you want to edit.
- On the Virtual HUB page, at the top of the page, select Edit virtual hub.
- On the Edit virtual hub page, select the checkbox Include ExpressRoute gateway and adjust any other settings that you require.
- Select Confirm to confirm your changes. It takes about 30 minutes for the hub and hub resources to fully create.
Once you've created an ExpressRoute gateway, you can view gateway details. Navigate to the hub, select ExpressRoute, and view the gateway.
:::image type="content" source="./media/virtual-wan-expressroute-portal/viewgw.png" alt-text="Screenshot shows viewing a gateway." border="false":::
In this section, you create the peering connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.
-
On the page for your virtual WAN, select Virtual network connection.
-
On the virtual network connection page, select +Add connection.
-
On the Add connection page, fill in the following fields:
- Connection name - Name your connection.
- Hubs - Select the hub you want to associate with this connection.
- Subscription - Verify the subscription.
- Virtual network - Select the virtual network you want to connect to this hub. The virtual network can't have an already existing virtual network gateway (i.e. VPN, ExpressRoute).
Once the gateway is created, you can connect an ExpressRoute circuit to it.
First, verify that your circuit's peering status is provisioned in the ExpressRoute circuit -> Peerings page in Portal. Then, go to the Virtual hub -> Connectivity -> ExpressRoute page. If you have access in your subscription to an ExpressRoute circuit, you'll see the circuit you want to use in the list of circuits. If you don’t see any circuits, but have been provided with an authorization key and peer circuit URI, you can redeem and connect a circuit. See To connect by redeeming an authorization key.
- Select the circuit.
- Select Connect circuit(s).
Use the authorization key and circuit URI you were provided in order to connect.
- On the ExpressRoute page, select +Redeem authorization key
- On the Redeem authorization key page, fill in the values.
- Select Add to add the key.
- View the circuit. A redeemed circuit only shows the name (without the type, provider and other information) because it is in a different subscription than that of the user.
After the circuit connection is established, the hub connection status will indicate 'this hub', implying the connection is established to the hub ExpressRoute gateway. Wait approximately 5 minutes before you test connectivity from a client behind your ExpressRoute circuit, for example, a VM in the VNet that you created earlier.
If you want to change the size of your ExpressRoute gateway, locate the ExpressRoute gateway inside the hub, and select the scale units from the dropdown. Save your change. It will take approximately 30 minutes to update the hub gateway.
If you would like the Azure virtual hub to advertise the default route 0.0.0.0/0 to your ExpressRoute end points, you'll need to enable 'Propagate default route'.
-
Select your Circuit ->…-> Edit connection.
:::image type="content" source="./media/virtual-wan-expressroute-portal/defaultroute1.png" alt-text="Screenshot shows Edit ExpressRoute Gateway page." border="false":::
-
Select Enable to propagate the default route.
Navigate to the Connections page for your ExpressRoute circuit to see each ExpressRoute gateway that your ExpressRoute circuit is connected to. If the gateway is in a different subscription than the circuit, then the Peer field will be the circuit authorization key. :::image type="content" source="./media/virtual-wan-expressroute-portal/view-expressroute-connection.png" alt-text="Screenshot shows the initial container page." lightbox="./media/virtual-wan-expressroute-portal/view-expressroute-connection.png":::
By default, VNet to Virtual WAN traffic is disabled over ExpressRoute. You can enable this connectivity by using the following steps.
- In the "Edit virtual hub" blade, enable Allow traffic from non Virtual WAN networks.
- In the "Virtual network gateway" blade, enable Allow traffic from remote Virtual WAN networks. See instructions here.
We recommend that you keep these toggles disabled and instead create a Virtual Network connection between the standalone virtual network and Virtual WAN hub. This offers better performance and lower latency, as conveyed in our FAQ.
You can modify certain properties of an ExpressRoute circuit without impacting connectivity. Learn more about Modifying an ExpressRoute circuit.
When deleting an ExpressRoute connection to a Virtual WAN hub, you can delete the ExpressRoute Connection by navigating to:
- The circuit connected to the hub: Your Virtual WAN -> Hubs -> The Relevant Hub -> Overview -> ExpressRoute -> Select the relevant circuit -> Connections -> Select the relevant connection -> Delete
- The ExpressRoute Gateway in the hub: Your Virtual WAN -> Hubs -> The Relevant Hub -> Overview -> ExpressRoute -> Select the ExpressRoute gateway link in the top right -> ExpressRoute Connections -> Select the relevant connection -> Delete
Make sure to review the following guidance for your ExpressRoute Connections as well:
- Review how you'd like to manage your connection authorization keys. Learn more about Managing ExpressRoute circuit authorization keys.
Note
If you encounter difficulties when deleting ExpressRoute connections, try using alternative deletion methods. You can delete connections through the Azure portal, PowerShell, or Azure CLI. Using a different method may resolve any transient issues you experience during the deletion process.
You can deprovision and delete your ExpressRoute Circuit by following the steps in Deprovisioning and deleting an ExpressRoute circuit.
When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.
[!INCLUDE Delete resources]
Next, to learn more about ExpressRoute in Virtual WAN, see:
[!div class="nextstepaction"]