Configure ExpressRoute and Site-to-Site VPN in a coexistence setup using an existing GatewaySubnet and virtual network in the same subscription
Overview
This document describes the steps required to connect an ExpressRoute circuit to the existing hub virtual network in the hub (Shared Services) subscription, alongside the Site-to-Site VPN gateway that already occupies the GatewaySubnet.
Limits and limitations
- Only a route-based VPN gateway is supported. A route-based VPN gateway may still carry a VPN connection configured for policy-based traffic selectors, as described in "Connect to multiple policy-based VPN devices".
- The ASN of the Azure VPN gateway must be 65515. Azure VPN Gateway supports BGP; for ExpressRoute and the VPN gateway to work together, the Autonomous System Number of the VPN gateway must remain at its default value of 65515. If you previously selected another ASN and change it back to 65515, you must reset the VPN gateway for the setting to take effect.
- The GatewaySubnet must be /27 or a shorter prefix (such as /26 or /25); otherwise you will receive an error when you add the ExpressRoute virtual network gateway.
- Coexistence in a dual-stack VNet is not supported. If you use ExpressRoute IPv6 support and a dual-stack ExpressRoute gateway, coexistence with VPN Gateway is not possible.
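The limits above can be checked before anything is created. The following pre-flight script is an added example, not part of the original runbook; it assumes you have already run `Connect-AzAccount` and selected the hub subscription, and the resource group, virtual network and VPN gateway names in angle brackets are placeholders you must replace. It reports every violated limit instead of stopping at the first one.

```powershell
# Added pre-flight check for the coexistence limits (not part of the original runbook).
# Placeholders in angle brackets are assumptions: replace them with your own resource names.
$RG        = "<hub_resource_group_name>"
$vnetName  = "<hub_vnet_name>"
$vpnGwName = "<existing_vpn_gateway_name>"

$problems = @()
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $RG

# 1. Dual-stack VNets are not supported: any IPv6 prefix in the address space is a blocker.
$v6 = $vnet.AddressSpace.AddressPrefixes | Where-Object { $_ -like '*:*' }
if ($v6) { $problems += "VNet has IPv6 address space ($($v6 -join ', ')); coexistence is not supported." }

# 2. GatewaySubnet must be /27 or a shorter prefix.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
# AddressPrefix is a string in older Az versions and a string[] in newer ones; normalise to the first entry.
$prefix    = @($gwSubnet.AddressPrefix)[0]
$prefixLen = [int]($prefix -split '/')[1]
if ($prefixLen -gt 27) { $problems += "GatewaySubnet is $prefix; it must be /27 or shorter (e.g. /26, /25)." }

# 3. The existing VPN gateway must be route-based and keep the default ASN 65515.
$vpnGw = Get-AzVirtualNetworkGateway -Name $vpnGwName -ResourceGroupName $RG
if ($vpnGw.GatewayType -ne 'Vpn') {
    $problems += "$vpnGwName is a $($vpnGw.GatewayType) gateway, not a VPN gateway."
}
if ($vpnGw.VpnType -ne 'RouteBased') {
    $problems += "VPN gateway is $($vpnGw.VpnType); only RouteBased is supported."
}
$asn = $vpnGw.BgpSettings.Asn
if (-not $asn) {
    $problems += "VPN gateway has no BGP settings; confirm BGP is enabled with ASN 65515."
} elseif ($asn -ne 65515) {
    $problems += "VPN gateway ASN is $asn; it must be 65515 (reset the gateway after changing it)."
}

# 4. A GatewaySubnet can host at most one ExpressRoute gateway; make sure none exists yet.
$existingEr = Get-AzVirtualNetworkGateway -ResourceGroupName $RG |
    Where-Object { $_.GatewayType -eq 'ExpressRoute' -and $_.IpConfigurations.Subnet.Id -eq $gwSubnet.Id }
if ($existingEr) { $problems += "ExpressRoute gateway '$($existingEr.Name)' already uses $prefix." }

if ($problems) {
    Write-Warning "Pre-flight FAILED, fix these before Process Step 1:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "Pre-flight OK: $vnetName / GatewaySubnet $prefix / $vpnGwName meet the coexistence limits." -ForegroundColor Green
}
```

Run it in the same session you will use for Process Step 1; a failed check means the gateway creation in Step 1 would either error out or produce a gateway that cannot coexist with the VPN gateway.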
High Level Process Steps
| Process Step # | High Level Process | Summary Expected Outcome |
| --- | --- | --- |
| Step 1 | Create ExpressRoute gateway | New ExpressRoute gateway created in the existing GatewaySubnet; new public IP assigned to it |
| Step 2 | Connect ExpressRoute circuit to the new ExpressRoute gateway | ExpressRoute connection between the circuit and the gateway established |
| Step 3 | Deployment verification | Connectivity to Temenos restored over the new ExpressRoute connection |
Prerequisites
To run the Azure PowerShell commands in this document, the latest Az modules must be installed on the machine where the commands will be executed. If they are not, follow the steps below to install them.
PowerShell cmdlets are updated frequently; if you are not running the latest version, the commands in these instructions may fail. To list the Az module versions installed on your system, run `Get-Module -ListAvailable Az`.
| Step # | Step Name | Action | Expected Outcome | Status (Success / Failed – comment if failed) |
| --- | --- | --- | --- | --- |
| 1 | Check the PowerShell version | From a PowerShell session run `$PSVersionTable.PSVersion` | The PowerShell version is returned. | Success / Failed |
| 2 | Install the Az modules | `Install-Module` is the preferred installation method for the Az PowerShell module. Install it for the current user only (the recommended scope); this works the same on Windows, macOS and Linux. From a PowerShell session run `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force` | Azure PowerShell modules are installed successfully. | Success / Failed |
| 3 | Test the installation | Sign in to Azure with `Connect-AzAccount` | Signed in to Azure PowerShell; the account, tenant and default subscription are returned. | Success / Failed |
You can use Azure Cloud Shell to run most PowerShell cmdlets and CLI commands instead of installing Azure PowerShell or the CLI locally. Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and is configured for use with your account. To run any code in this document in Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the session with Ctrl+Shift+V on Windows and Linux or Cmd+Shift+V on macOS. Pasted text is not executed automatically; press Enter to run it.
There are two ways to launch Cloud Shell:
- Open Cloud Shell directly in your browser at https://shell.azure.com.
- Click the Cloud Shell button on the menu in the upper right of the Azure portal.
Process Step 1: Create ExpressRoute gateway
Coexistence must be configured with Azure PowerShell. Creating the gateway from the portal does not pass the parameters the Azure backend needs to create the new ExpressRoute gateway correctly, whereas the PowerShell commands below pass them in the required format and syntax.
| Step # | Step Name | Action | Expected Outcome | Status (Success / Failed – comment if failed) |
| --- | --- | --- | --- | --- |
| 1 | Log in to Azure from PowerShell | Open a Windows PowerShell window and run `Connect-AzAccount`. A sign-in page opens in your default browser; enter your username and password when prompted. After a successful sign-in the page tells you it can be closed. Then select the hub subscription with `Select-AzSubscription -SubscriptionId <subscription_id>` | Signed in to Azure PowerShell; Shared Services subscription selected | Success / Failed |
| 2 | Set variables | Run the Step 2 commands below, replacing the placeholders with the resource group and name of the hub virtual network that contains the existing GatewaySubnet. | Location, resource group and virtual network details are held in `$location`, `$RG` and `$vnet`. | Success / Failed |
| 3 | Create the ExpressRoute gateway. The GatewaySku must be Standard, HighPerformance or UltraPerformance. | Run the Step 3 commands below. | A new public IP with dynamic allocation; a gateway IP configuration bound to that public IP and to the existing GatewaySubnet; a new ExpressRoute gateway in the Shared Services hub virtual network. | Success / Failed |

Step 2 commands (copy and paste, after replacing the placeholders):

```powershell
$location = "UAE Central"
$RG       = "<hub_resource_group_name>"   # resource group of the hub virtual network
$vnet     = Get-AzVirtualNetwork -Name "<hub_vnet_name>" -ResourceGroupName $RG
```

Step 3 commands (copy and paste, after replacing the placeholders):

```powershell
# Public IP for the new gateway. -AllocationMethod must be Dynamic here; Static causes the command to fail.
$gwIP = New-AzPublicIpAddress -Name "<gateway_public_ip_name>" -ResourceGroupName $RG -Location $location -AllocationMethod Dynamic

# Reuse the existing GatewaySubnet that already hosts the VPN gateway; do not create a second gateway subnet.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# Gateway IP configuration: binds the gateway to the GatewaySubnet and to the public IP created above.
$gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "<gateway_public_ipconfig_name>" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id

# Create the ExpressRoute gateway. This is a long-running operation: expect 45 minutes to 1 hour.
# -Debug makes Windows PowerShell 5.1 prompt for confirmation on every debug message; drop it if you only want progress output.
$gw = New-AzVirtualNetworkGateway -Name "<expressroute_gateway_name>" -ResourceGroupName $RG -Location $location -IpConfigurations $gwConfig -GatewayType "ExpressRoute" -GatewaySku Standard -Verbose -Debug
```
Process Step 2: Connect the ExpressRoute circuit to the new ExpressRoute gateway
| Step # | Step Name | Action | Expected Outcome | Status (Success / Failed – comment if failed) |
| --- | --- | --- | --- | --- |
| 1 | Link the ExpressRoute gateway to the ExpressRoute circuit | Run the commands below in the same session as Process Step 1 (`$gw`, `$RG` and `$location` are reused from it), after replacing the placeholders. Once this completes, the connection between your on-premises network and Azure through ExpressRoute is established. | ExpressRoute connection established. | Success / Failed |

```powershell
# Look up the circuit (same subscription, possibly a different resource group) and connect the gateway to it.
$ckt = Get-AzExpressRouteCircuit -Name "<expressroute_circuit_name>" -ResourceGroupName "<expressroute_circuit_resource_group_name>"
New-AzVirtualNetworkGatewayConnection -Name "<expressroute_connection_name>" -ResourceGroupName $RG -Location $location -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute
```
Deployment Verification Steps
| Step # | Step Name | Action | Expected Outcome | Status (Success / Failed – comment if failed) |
| --- | --- | --- | --- | --- |
| 1 | Log in to Azure from PowerShell | Run `Connect-AzAccount` and `Select-AzSubscription -SubscriptionId <subscription_id>` | Signed in to Azure PowerShell; Shared Services subscription selected | Success / Failed |
| 2 | Test connectivity | From an on-premises host, RDP to an Azure resource reachable through the hub, and watch the ExpressRoute circuit metrics (for example BitsInPerSecond and BitsOutPerSecond on the private peering) while the session is active. | The RDP session succeeds and the circuit metrics show the session traffic, confirming that traffic flows over the new ExpressRoute connection rather than the VPN. | Success / Failed |
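The control-plane side of the verification can be scripted. The following script is an added example, not part of the original runbook; it assumes you are signed in to the hub subscription, and the connection, circuit and resource group names in angle brackets are placeholders you must replace. It checks the connection, the circuit provisioning state, the BGP neighbors on the private peering and the routes learned from on-premises, which together tell you whether the RDP test in step 2 can even reach Azure over the circuit.

```powershell
# Added verification script (not part of the original runbook).
# Placeholders in angle brackets are assumptions: replace them with your own resource names.
$RG       = "<hub_resource_group_name>"
$connName = "<expressroute_connection_name>"
$cktName  = "<expressroute_circuit_name>"
$cktRG    = "<expressroute_circuit_resource_group_name>"

# 1. The gateway connection must be fully provisioned and report Connected.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $RG
"Connection {0}: ProvisioningState={1}, ConnectionStatus={2}" -f $conn.Name, $conn.ProvisioningState, $conn.ConnectionStatus
if ($conn.ConnectionStatus -ne 'Connected') {
    Write-Warning "Connection is not Connected yet; wait a few minutes and re-run before testing RDP."
}

# 2. The circuit must be provisioned on both the Azure side and the service-provider side.
$ckt = Get-AzExpressRouteCircuit -Name $cktName -ResourceGroupName $cktRG
"Circuit {0}: CircuitProvisioningState={1}, ServiceProviderProvisioningState={2}" -f `
    $ckt.Name, $ckt.CircuitProvisioningState, $ckt.ServiceProviderProvisioningState
if ($ckt.ServiceProviderProvisioningState -ne 'Provisioned') {
    Write-Warning "Provider side is $($ckt.ServiceProviderProvisioningState); no traffic will flow until it is Provisioned."
}

# 3. Private peering: BGP neighbor state and the routes received from on-premises, on both links.
foreach ($path in 'Primary', 'Secondary') {
    "BGP neighbors on $path link (StatePfxRcd is the session state or the prefix count when Established):"
    Get-AzExpressRouteCircuitRouteTableSummary -ResourceGroupName $cktRG -ExpressRouteCircuitName $cktName `
        -PeeringType AzurePrivatePeering -DevicePath $path |
        Format-Table Neighbor, As, UpDown, StatePfxRcd -AutoSize

    "Routes on $path link (on-premises prefixes should appear here with an on-premises next hop):"
    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $cktRG -ExpressRouteCircuitName $cktName `
        -PeeringType AzurePrivatePeering -DevicePath $path |
        Format-Table Network, NextHop, Path -AutoSize
}

# 4. Data-plane test. Run this from an ON-PREMISES Windows host, not from Cloud Shell: the RDP port of an
#    Azure VM must answer. 10.0.1.4 is an example address; use a VM reachable through the hub VNet.
# Test-NetConnection -ComputerName 10.0.1.4 -Port 3389 -InformationLevel Detailed
```

If the connection is Connected and both links show an Established BGP session with on-premises prefixes, but RDP still fails, the problem is downstream of the circuit (NSG, VM firewall or on-premises routing), not the coexistence setup.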
Rollback Plan
Rollback consists of deleting the resources created by this deployment, in this order, because the connection must be gone before the gateway can be deleted and the gateway before its public IP:
- the connection resource on the ExpressRoute circuit (created as part of this deployment);
- the ExpressRoute gateway resource (its IP configuration is part of the gateway and is removed with it);
- the ExpressRoute gateway public IP resource.
The existing VPN gateway, GatewaySubnet and hub virtual network are not modified by the rollback.
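The rollback, scripted in the required order, as an added example that is not part of the original runbook. It assumes you are signed in to the hub subscription; the resource names in angle brackets are placeholders. Because the new gateway shares its GatewaySubnet and resource group with the production VPN gateway, the script refuses to delete anything whose GatewayType is not ExpressRoute.

```powershell
# Added rollback script (not part of the original runbook).
# Placeholders in angle brackets are assumptions: replace them with the names used in Process Steps 1 and 2.
$RG       = "<hub_resource_group_name>"
$connName = "<expressroute_connection_name>"
$gwName   = "<expressroute_gateway_name>"
$pipName  = "<gateway_public_ip_name>"

# Safety guard: the VPN gateway lives in the same GatewaySubnet and resource group. Never remove it by mistake.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $RG -ErrorAction SilentlyContinue
if ($gw -and $gw.GatewayType -ne 'ExpressRoute') {
    throw "$gwName is a $($gw.GatewayType) gateway, not ExpressRoute; aborting rollback."
}

# 1. Connection to the circuit. The gateway cannot be deleted while this exists.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $RG -ErrorAction SilentlyContinue
if ($conn) {
    Write-Host "Removing connection $connName ..."
    Remove-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $RG -Force
} else {
    Write-Host "Connection $connName not found; skipping."
}

# 2. ExpressRoute gateway (long-running). Its IP configuration is deleted with it.
if ($gw) {
    Write-Host "Removing ExpressRoute gateway $gwName (this can take a long time) ..."
    Remove-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $RG -Force
} else {
    Write-Host "Gateway $gwName not found; skipping."
}

# 3. Public IP. It can only be deleted once the gateway no longer references it.
$pip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $RG -ErrorAction SilentlyContinue
if ($pip) {
    if ($pip.IpConfiguration) {
        throw "Public IP $pipName is still attached to $($pip.IpConfiguration.Id); gateway deletion has not completed."
    }
    Write-Host "Removing public IP $pipName ..."
    Remove-AzPublicIpAddress -Name $pipName -ResourceGroupName $RG -Force
} else {
    Write-Host "Public IP $pipName not found; skipping."
}

Write-Host "Rollback complete. VPN gateway, GatewaySubnet and hub VNet were not modified." -ForegroundColor Green
```

Each step is idempotent, so the script can be re-run after a partial failure; only the resources that still exist are removed.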