How to, Hybrid + Multicloud, Networking, expressroute
Enabling Multiple Subscriptions to Share an ExpressRoute Circuit
By Charley Wen Program Manager, Azure Networking
3 min read
When we launched ExpressRoute in May we allowed customers to link multiple VNETs to an ExpressRoute circuit. However, the VNETs and the circuit had to belong to the same subscription. We’ve gotten strong enterprise customer adoption of ExpressRoute. Some of our customers connect hundreds of their sites to Azure via ExpressRoute. Along with the strong adoption we have also gotten a lot of feedback. One important request was to allow multiple subscriptions to share the same ExpressRoute circuit. Many enterprise customers have multiple subscriptions for a couple of reasons:
- Each subscription is billed separately. Enterprises may have multiple departments and each has its own billing policies. As a result each department creates its own subscription.
- Each subscription can be managed separately. Enterprises may have departments that have different security and compliance requirements. Each department needs to own and manage its own subscription.
When these customers create an ExpressRoute circuit using one subscription they want to link VNETs owned by a different subscription to the same circuit. We now support this scenario. We’ll examine the scenario, the requirements and the workflow in this blog.
Each department in Contoso has its own Azure subscription. Contoso IT has purchased an ExpressRoute circuit to connect Contoso’s on-premises network to the IT department’s VNET on Azure. Contoso wants to use the same circuit to connect its Sales’, Marketing’s and Engineering’s VNETs back to the on-premises network.
All VNETs connected to an ExpressRoute circuit must be in the same routing domain. They must not have overlapping IP addresses.
The circuit owner authorizes the administrators of other subscriptions to use the specified circuit.
PS C:> New-AzureDedicatedCircuitLinkAuthorization -ServiceKey '6ed7e310-1a02-4261-915f-6ccfedc416f1' -Description 'SalesTeam' -Limit 2 -MicrosoftIds 'email@example.com' Description : SalesTeam Limit : 2 LinkAuthorizationId : e2bc2645-6fd4-44a4-94f5-f2e43e6953ed MicrosoftIds : firstname.lastname@example.org Used : 0
In the above example, the administrator of the circuit (Contoso IT) enables the administrator of another subscription (Contoso Sales), by specifying their Microsoft (Live) ID, to link up to 2 VNETs to the circuit.
The cmdlet doesn’t send email to the specified Microsoft ID. The circuit owner need to explicitly notify the other subscription owner that the authorization is complete.
Once notified by the circuit owner, the administrator of the authorized subscription can run the following cmdlet to retrieve the service key of the circuit.
# Sign in using the specified Microsoft IDPS C:> Add-AzureAccount PS C:> Get-AzureAuthorizedDedicatedCircuit Bandwidth : 100 CircuitName : ContosoIT Location : Washington DC MaximumAllowedLinks : 2 ServiceKey : 6ed7e310-1a02-4261-915f-6ccfedc416f1 ServiceProviderName : ########### ServiceProviderProvisioningState : Provisioned Status : Enabled UsedLinks : 0
In this example, the administrator of Contoso Sales must first sign in using the specified Microsoft ID, email@example.com.
The administrator of the authorized subscription runs the following cmdlet to complete the link operation.
PS C:> New-AzureDedicatedCircuitLink –servicekey 6ed7e310-1a02-4261-915f-6ccfedc416f1 –VnetName ‘SalesVNET1’ State VnetName ----- -------- Provisioned SalesVNET1
That’s it. Contoso’s Sales VNET on Azure is now linked to a circuit created/owned by Contoso IT.
The circuit owner can share a circuit with up to 10 Azure subscriptions. The circuit owner can view who has been authorized to the circuit. The owner can revoke the authorization at any time.
PS C:> Get-AzureDedicatedCircuitLinkAuthorization -ServiceKey: 6ed7e310-1a02-4261-915f-6ccfedc416f1 Description : EngineeringTeam Limit : 3 LinkAuthorizationId : cc958457-c8c1-4f16-af09-e7f099da64bf MicrosoftIds : firstname.lastname@example.org Used : 1 Description : MarketingTeam Limit : 1 LinkAuthorizationId : d972726f-c7b9-4658-8598-ad3208ac9348 MicrosoftIds : email@example.com Used : 0 Description : SalesTeam Limit : 2 LinkAuthorizationId : e2bc2645-6fd4-44a4-94f5-f2e43e6953ed MicrosoftIds : firstname.lastname@example.org Used : 2 PS C:> Remove-AzureDedicatedCircuitLinkAuthorization -ServiceKey '6ed7e310-1a02-4261-915f-6ccfedc416f1' -AuthorizationId 'e2bc2645-6fd4-44a4-94f5-f2e43e6953ed'
When the circuit owner revokes an authorization, identified by LinkAuthorizationId, all links permitted by that authorization will be deleted immediately. The linked VNETs will lose connectivity to the on-premises network through the ExpressRoute circuit.
For more information about the PowerShell cmdlets used in this blog, please refer to the MSDN page here.
We hope this new feature makes it easier to manage and use ExpressRoute. Please send us your questions and feedback.