Microsoft Azure : How to connect my Enterprise? Expressroute or VPN?

Posted on by kvaes

microsoft-azure1

Microsoft has been going at warp speed last year (and it looks this pace will be kept) with the features they have been adding to Azure. In the beginning when I came into contact with Azure, one of my first questions was ; “How can I hook up Azure in my Wide-Area-Network (WAN)?” The answer at that point was a kinda flaky VPN connection. About a half-year ago, Microsoft released “ExpressRoute”. This was the answer Enterprise customers were looking for in terms of hooking up Azure to their WAN. So let’s take a look at your options…

Basically, you have five options to connect to Azure ;

Internet (public)

  • Medium : Public
  • Network : Public
  • Capacity: No explicit cap
  • Connection Resilience : Active / Active
  • High Level Solution : Your “typical” enterprise internet
  • Typical Usage : Almost everything in Azure that isn’t linked by the underneath mentioned services.

Virtual Network – Point-to-site

  • Medium : Public
  • Network : Private
  • Capacity: Typically 100 Mbit Aggregates
  • Connection Resilience : Active / Pasive
  • High Level Solution : A point-to-site VPN also allows you to create a secure connection to your virtual network. In a point-to-site configuration, the connection is configured individually on each client computer that you want to connect to the virtual network. Point-to-site connections do not require a VPN device. They work by using a VPN client that you install on each client computer. The VPN is established by manually starting the connection from the on-premises client computer. You can also configure the VPN client to automatically restart.
  • Typical Usage : Proof-of-Concept, Prototyping, Evaluation, …

Virtual Network – Site-to-site

  • Medium : Public
  • Network : Private
  • Capacity: Typically 100 Mbit Aggregates
  • Connection Resilience : Active / Pasive
  • High Level Solution : A site-to-site VPN allows you to create a secure connection between your on-premises site and your virtual network. To create a site-to-site connection, a VPN device that is located on your on-premises network is configured to create a secure connection with the Azure Virtual Network Gateway. Once the connection is created, resources on your local network and resources located in your virtual network can communicate directly and securely. Site-to-site connections do not require you to establish a separate connection for each client computer on your local network to access resources in the virtual network.
  • Typical Usage : Small scale production workloads, development/test environments, …

ExpressRoute – Exchange Provider

  • Medium : Private
  • Network : Public
  • Capacity: up to 1Gbps
  • Connection Resilience : Active / Active (customer managed)
  • High Level Solution : Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. In some cases, using ExpressRoute connections to transfer data between on-premises and Azure can also yield significant cost benefits. With ExpressRoute Exchange Provider, you can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) clip_image002 - Exchange Provider - ExpressRoute
  • Typical Usage : Mission Critical Workloads

ExpressRoute – Network Service Provider

  • Medium : Public
  • Network : Public
  • Capacity : up to 10Gbps
  • Connection Resilience : Active / Active (telecom provider managed)
  • High Level Solution : Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. In some cases, using ExpressRoute connections to transfer data between on-premises and Azure can also yield significant cost benefits. With ExpressRoute Service Provider, you can directly connect to Azure from your existing WAN network (such as a MPLS VPN) provided by a network service provider. clip_image002 - Network Service Provider - ExpressRoute
  • Typical Usage : Mission Critical Workloads

Network Seggregation

So if I get ExpressRoute, how will my network flows go?

clip_image001
Basically, the private solutions will ensure that your company communication will not traverse over the public internet. You can configure your service to either use the internet connect of Azure, or your own hop, to breakout towards public services. Let’s say for instance, if you want to download updates, you could set it up that those are done via Azure, instead of going back over your ExpressRoute link in order to break out from within your own premises.

Decision Chart

So what does this mean for a typical Enterprise?

It depends on your scenario…

  • Looking to get do some raw testing?
      Isolated Test : Internet only
      Integrated : Point/site-to-site vpn
  • Hook up your development/test environment in a lean manner? Site-to-site vpn
  • Azure as a Disaster Recovery location? Dependent on your size …
      Small IT Landscape : Site-to-site
      • From a few TB : ExpressRoute
  • Azure as a Primary Datacenter : ExpressRoute Service Provider

route

References

Where can I find additional information?

Published by kvaes

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.