Changing an Azure Virtual Network connection from site-to-site VPN to ExpressRoute

With more businesses becoming reliant on the cloud and on-premises datacenters being extended to Azure, ExpressRoute is becoming ever more popular. For customers that already have in place a site-to-site VPN, one of the first things to do after the ExpressRoute circuit has been previsioned is to switch the virtual network connection from a site-to-site VPN to the ExpressRoute circuit.

The following article works through the various steps involved in this process, including:

  • Checking the status of the ExpressRoute circuit
  • Updating the Virtual Network configuration
  • Linking ExpressRoute to the Virtual Network

NOTE: Migrating an existing virtual network from a site-to-site VPN to an ExpressRoute circuit will cause a short amount of lost connectivity between your on-premises network and your virtual network.

If like me you have access to multiple Azure subscriptions, the first thing to do is check you are in the right one. Using the cmdlet below we can pull back the details for the subscription that we are currently working in.

Get-AzureSubscription -Current

vpn2er01
To change subscriptions if required use:

Select-AzureSubscription -SubscriptionID "Subscription ID"

Once working in the correct subscription it is time to import the ExpressRoute PowerShell module. The module doesn’t load by default when PowerShell is run but it is found on the local drive and was installed by the Azure PowerShell installer.

To import the module run:

Import-Module 'C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Azure.psd1'
Import-Module 'C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\ExpressRoute\ExpressRoute.psd1'

vpn2er02

Checking the status of the ExpressRoute circuit

It is now possible to check that the ExpressRoute circuit has been provisioned correctly and is in the correct state. Use the Get-AzureDedicatedCircuit cmdlet to pull back information about the current circuits.

Before its possible to assign this circuit to a virtual network we need to make sure that the ServiceProviderProvisioningState is Provisioned and that the Status is Enabled. Once this is the case the circuit is ready!

vpn2er03

Updating the Virtual Network configuration

The first thing we need to do to is update the configuration of the virtual network gateway. To do this we need to first remove the current gateway which will then allow us to make configuration changes. This can be done via the portal and clicking on the Delete Gateway button or by using the Remove-AzureVNETGateway PowerShell cmdlet.

vpn2er04
The next step in configuring the virtual network involves resizing the existing gateway subnet. The site-to-site gateway supports a maximum size of a /29 subnet whereas the ExpressRoute gateway supports a minimum gateway subnet size of /28. As always this can be done either in the management portal or via PowerShell.

VPN2ExpressRoute006
After resizing the gateway subnet but before recreating a new gateway, we need to configure the virtual network for an ExpressRoute connection. To do this open the virtual network configuration tab and check the Use ExpressRoute checkbox in the management portal then click save.

VPN2ExpressRoute007
The final step in upgrading the virtual network configuration is to create a new Gateway. From within the management portal click the CREATE GATEWAY button to recreate the gateway.

VPN2ExpressRoute008
Once the gateway has completed provisioning, the final stage is to link the virtual network to your existing ExpressRoute circuit.

Linking ExpressRoute to the Virtual Network

At this point we can double check the ExpressRoute circuit is still in the correct state,  then finally link the circuit with the virtual network.

Get-AzureDedicatedCircuit

$Vnet = "VirtualNetwork-1"
$ServiceKey = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
New-AzureDedicatedCircuitLink -ServiceKey $ServiceKey -VNetName $Vnet

VPN2ExpressRoute009

A full listing of ExpressRoute PowerShell Cmdlets can be found in this Microsoft article Azure ExpressRoute PowerShell Cmdlets

That’s it for this post, hope its of some help 🙂

Reader Comments

  1. NOTE: Migrating an existing virtual network from a site-to-site VPN to an ExpressRoute circuit will cause a short amount of lost connectivity between your on-premises network and your virtual network.

    Aprox how long will this outage be?

    Thanks

    1. It will depend but as its likely the gateway will need to be recreated, this in itself could take half an hour or more. In total with all configuration changes and assuming the ExpressRoute connection is up and tested, it should be all possible within an hour.

Leave a Reply

Your email address will not be published. Required fields are marked *