• 3 min read

Enabling Multiple Subscriptions to Share an ExpressRoute Circuit

This post shows you how to link an ExpressRoute circuit to an Azure VNET owned by a different subscription.

When we launched ExpressRoute in May we allowed customers to link multiple VNETs to an ExpressRoute circuit. However, the VNETs and the circuit had to belong to the same subscription. We’ve gotten strong enterprise customer adoption of ExpressRoute. Some of our customers connect hundreds of their sites to Azure via ExpressRoute. Along with the strong adoption we have also gotten a lot of feedback. One important request was to allow multiple subscriptions to share the same ExpressRoute circuit. Many enterprise customers have multiple subscriptions for a couple of reasons:

  1. Each subscription is billed separately. Enterprises may have multiple departments and each has its own billing policies. As a result each department creates its own subscription.
  2. Each subscription can be managed separately. Enterprises may have departments that have different security and compliance requirements. Each department needs to own and manage its own subscription.

When these customers create an ExpressRoute circuit using one subscription they want to link VNETs owned by a different subscription to the same circuit. We now support this scenario. We’ll examine the scenario, the requirements and the workflow in this blog.

Scenario

Each department in Contoso has its own Azure subscription. Contoso IT has purchased an ExpressRoute circuit to connect Contoso’s on-premises network to the IT department’s VNET on Azure. Contoso wants to use the same circuit to connect its Sales’, Marketing’s and Engineering’s VNETs back to the on-premises network.

image

Requirements

All VNETs connected to an ExpressRoute circuit must be in the same routing domain. They must not have overlapping IP addresses.

Workflow

Step 1

The circuit owner authorizes the administrators of other subscriptions to use the specified circuit.

PS C:> New-AzureDedicatedCircuitLinkAuthorization -ServiceKey '6ed7e310-1a02-4261-915f-6ccfedc416f1' -Description 'SalesTeam' -Limit 2 -MicrosoftIds 'salesadmin@contoso.com'

Description         : SalesTeam 
Limit               : 2 
LinkAuthorizationId : e2bc2645-6fd4-44a4-94f5-f2e43e6953ed 
MicrosoftIds        : salesadmin@contoso.com 
Used                : 0

In the above example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Contoso Sales), by specifying their Microsoft (Live) ID, to link up to 2 VNETs to the circuit.

The cmdlet doesn’t send email to the specified Microsoft ID. The circuit owner need to explicitly notify the other subscription owner that the authorization is complete.

Step 2

Once notified by the circuit owner, the administrator of the authorized subscription can run the following cmdlet to retrieve the service key of the circuit.

# Sign in using the specified Microsoft IDPS C:> Add-AzureAccount 

PS C:> Get-AzureAuthorizedDedicatedCircuit

Bandwidth                        : 100
CircuitName                      : ContosoIT
Location                         : Washington DC
MaximumAllowedLinks              : 2
ServiceKey                       : 6ed7e310-1a02-4261-915f-6ccfedc416f1
ServiceProviderName              : ###########
ServiceProviderProvisioningState : Provisioned
Status                           : Enabled
UsedLinks                        : 0

In this example, the administrator of Contoso Sales must first sign in using the specified Microsoft ID, salesadmin@contoso.com.

Step 3

The administrator of the authorized subscription runs the following cmdlet to complete the link operation.

PS C:> New-AzureDedicatedCircuitLink –servicekey 6ed7e310-1a02-4261-915f-6ccfedc416f1 –VnetName ‘SalesVNET1’ 

                                              State VnetName 
                                              ----- -------- 
                                        Provisioned SalesVNET1

That’s it. Contoso’s Sales VNET on Azure is now linked to a circuit created/owned by Contoso IT.

Managing Authorization

The circuit owner can share a circuit with up to 10 Azure subscriptions. The circuit owner can view who has been authorized to the circuit. The owner can revoke the authorization at any time.

PS C:> Get-AzureDedicatedCircuitLinkAuthorization -ServiceKey: 6ed7e310-1a02-4261-915f-6ccfedc416f1 

Description         : EngineeringTeam 
Limit               : 3 
LinkAuthorizationId : cc958457-c8c1-4f16-af09-e7f099da64bf 
MicrosoftIds        : engadmin@contoso.com 
Used                : 1 

Description         : MarketingTeam 
Limit               : 1 
LinkAuthorizationId : d972726f-c7b9-4658-8598-ad3208ac9348 
MicrosoftIds        : marketingadmin@contoso.com 
Used                : 0 

Description         : SalesTeam 
Limit               : 2 
LinkAuthorizationId : e2bc2645-6fd4-44a4-94f5-f2e43e6953ed 
MicrosoftIds        : salesadmin@contoso.com 
Used                : 2 

PS C:> Remove-AzureDedicatedCircuitLinkAuthorization -ServiceKey '6ed7e310-1a02-4261-915f-6ccfedc416f1' -AuthorizationId 'e2bc2645-6fd4-44a4-94f5-f2e43e6953ed'

When the circuit owner revokes an authorization, identified by LinkAuthorizationId, all links permitted by that authorization will be deleted immediately. The linked VNETs will lose connectivity to the on-premises network through the ExpressRoute circuit.

For more information about the PowerShell cmdlets used in this blog, please refer to the MSDN page here.

We hope this new feature makes it easier to manage and use ExpressRoute. Please send us your questions and feedback.