Azure ExpressRoute

In today’s digital landscape, businesses increasingly rely on cloud computing to streamline operations and improve efficiency. Microsoft Azure, one of the leading cloud platforms, offers a wide range of services to meet the varying needs of organizations. Among these services, Azure ExpressRoute is a reliable and secure solution for establishing private connections between on-premises networks and Azure data centers. In this blog post, we will explore the key features, benefits, and use cases of Azure ExpressRoute.

Azure ExpressRoute is a dedicated network service that allows organizations to extend their on-premises networks into the Microsoft Azure cloud. It provides a private, high-bandwidth, and low-latency connection that bypasses the public internet, ensuring a more reliable and secure connection. By leveraging ExpressRoute, businesses can directly connect to Azure services, such as Azure Virtual Networks, Azure Storage, and Azure SQL Database.


Highlights: Azure ExpressRoute

  • Connecting to the Cloud

The following post goes into detail about Azure ExpressRoute and AWS Direct Connect. We will address Azure ExpressRoute redundancy and compare it to the Barracuda product, which uses a different tunneling method from Azure ExpressRoute. There is increasing talk about the cloud, what it can do for business, and how you connect to it. Any cloud can be reached either over the untrusted Internet or over a private direct connection.

  • Direct Connectivity

For direct connectivity, AWS has a product known as AWS Direct Connect, and Microsoft has a competing product known as Azure ExpressRoute. Both provide the same end goal: connectivity between cloud and on-premise endpoints that does not traverse the Internet. However, as it stands, Microsoft’s ExpressRoute offers more flexibility in terms of geographical connectivity.

You may find the following posts helpful as pre-information:

  1. Load Balancer Scaling
  2. IDS IPS Azure
  3. Low Latency Network Design
  4. Data Center Performance
  5. Baseline Engineering
  6. WAN SDN 
  7. Technology Insight for Microsegmentation
  8. SDP VPN


Key Azure ExpressRoute Discussion Points:


  • Introduction to Azure ExpressRoute and what is involved.

  • Highlighting the issues around Internet performance.

  • Critical points on the Azure solution and how it can be implemented.

  • Technical details on Microsoft ExpressRoute and redundancy.

  • Technical details on VNets and TINA tunnels.

Back to basics with Azure VPN gateway

Left at its defaults, a single Azure VPN gateway deployment configures two gateway instances in an active-standby arrangement. The standby instance delivers partial redundancy but is not highly available, because it can take a few minutes for the second instance to come online and re-establish the VPN to its destination.

Within this lower level of redundancy, you can choose whether the VPN gateway is regionally redundant or zone-redundant. If you use a Basic public IP address, the gateway can only be regionally redundant. If you require a zone-redundant configuration, use a Standard public IP address with the VPN gateway.

Benefits of Azure ExpressRoute:

1. Enhanced Performance: ExpressRoute offers predictable network performance with low latency and high bandwidth, allowing organizations to meet their demanding application requirements. By bypassing the public internet, organizations can reduce network congestion and improve overall application performance.

2. Improved Security: ExpressRoute provides a private connection, ensuring data remains within the organization’s network perimeter. This eliminates the risks associated with transmitting data over the public internet, such as data breaches and unauthorized access. Furthermore, ExpressRoute supports network isolation, enabling organizations to control their data strictly.

3. Reliability and Availability: Azure ExpressRoute offers a Service Level Agreement (SLA) that guarantees a high level of availability, with uptime percentages ranging from 99.9% to 99.99%. This ensures organizations can rely on a stable connection to Azure services, minimizing downtime and maximizing productivity.

4. Cost Optimization: ExpressRoute helps organizations optimize costs by reducing data transfer costs and providing more predictable pricing models. With dedicated connectivity, businesses can avoid unpredictable network costs associated with public internet connections.

Use Cases of Azure ExpressRoute:

1. Hybrid Cloud Connectivity: Organizations with a hybrid cloud infrastructure, combining on-premises resources with cloud services, can use ExpressRoute to establish a seamless and secure connection between their environments. This enables seamless data transfer, application migration, and hybrid identity management.

2. Data-Intensive Workloads: ExpressRoute is particularly beneficial for organizations dealing with large volumes of data or running data-intensive workloads. By leveraging the high-bandwidth connection, organizations can transfer data quickly and efficiently, ensuring optimal performance for analytics, machine learning, and other data-driven processes.

3. Compliance and Data Sovereignty: Industries with strict compliance requirements, such as finance, healthcare, and government sectors, can benefit from ExpressRoute’s ability to keep data within their network perimeter. This ensures compliance with data protection regulations and facilitates data sovereignty, addressing data privacy and residency concerns.

[Table: ExpressRoute locations]

Azure ExpressRoute and Encryption

Azure ExpressRoute does not offer built-in encryption. For this reason, you should investigate Barracuda’s cloud security product sets. They offer secure transmission and automatic path failover via redundant, secure tunnels to complete an end-to-end cloud solution. Other third-party security products are available in Azure, but they are not as mature as Barracuda’s product set.

Internet Performance

Connecting to the Azure public cloud over the Internet may be cheap, but it has drawbacks in security, uptime, latency, packet loss, and jitter. The latency, jitter, and packet loss associated with the Internet often degrade application performance. This is primarily a concern if you support hybrid applications that require real-time communication with on-premise backends.

Transport network performance directly impacts application performance. Businesses now face new challenges when accessing applications in the cloud over the Internet. Long round-trip time (RTT) is a major concern: TCP spends several RTTs establishing a session, and two RTTs pass before you receive the first data byte.

Client-side cookies may also add delay if they are too large to fit in the first data segment. A transport network offering good RTT is essential for application performance. You need the ability to move packets as quickly as possible and support the principle that “every packet counts.”

  • The Internet does not provide this, nor does it offer any guaranteed Service Level Agreement (SLA) for individual traffic classes.

The Azure solution – Azure ExpressRoute & Telecity cloud-IX

With Microsoft Azure ExpressRoute, you get your own private connection to Azure with a guaranteed SLA. It acts as a natural extension of your data center, offering lower latency, higher throughput, and better reliability than the Internet. You can now build applications spanning on-premise infrastructure and the Azure cloud without compromising performance. It bypasses the Internet and lets you connect your on-premise data center to your cloud data center via third-party MPLS networks.

There are two ways to establish your private connection to Azure with ExpressRoute: through an Exchange Provider or through a Network Service Provider. Which one you choose depends on whether you want to co-locate equipment. Companies like Telecity offer a “bridging product” enabling direct connectivity from your WAN to Azure via their MPLS network. Even though Telecity is an exchange provider, its network offerings are those of a network service provider. Its bridging product is called Cloud-IX. Bridging-product connectivity makes the Azure cloud look like just another terrestrial data center.

Diagram: Azure ExpressRoute.

Cloud-IX is a neutral cloud ecosystem. It allows enterprises to establish private connections to cloud service providers, not just Azure. The Telecity Cloud-IX network already has redundant NNI peering to Microsoft data centers, so you only set up your own peering to Cloud-IX, via BGP or static routes. You don’t peer directly with Azure; Telecity and Cloud-IX take care of transport security and redundancy. Cloud-IX is most likely an MPLS network that uses route targets (RT) and route distinguishers (RD) to separate and distinguish customer traffic.

Azure ExpressRoute Redundancy

The introduction of VNets

Layer-3 overlays called VNets (cloud boundaries/subnets) are now associated with four ExpressRoutes. This offers a proper active-active data center design, enabling path diversity and the ability to build resilient connectivity. This is great for designers, as it means we can build true geo-resilience into ExpressRoute designs by creating two ExpressRoute “dedicated circuits” and associating each virtual network with both.

This builds full end-to-end resilience into the Azure ExpressRoute configuration, including the removal of all geographic SPOFs. The ExpressRoute connections are created between the Exchange Service Provider or Network Service Provider and the Microsoft cloud. The connectivity between the customer’s on-premise locations and the service provider is provisioned independently of ExpressRoute; Microsoft only peers with service providers.
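As an added example (not the blog’s or Microsoft’s code), the small Python design check below encodes the redundancy rules from this post: each VNet should be linked to two ExpressRoute circuits that terminate in distinct peering locations (no geographic SPOF), and a VPN gateway intended to be zone-redundant must use a Standard public IP, since a Basic public IP gives only a regionally redundant gateway. The inventory is constructed; circuit names and locations are made up.

```python
from dataclasses import dataclass


@dataclass
class Circuit:
    name: str
    peering_location: str  # provider/exchange site where the circuit terminates


@dataclass
class VNet:
    name: str
    circuits: list                            # names of the ExpressRoute circuits linked to it
    gateway_public_ip_sku: str = "Standard"   # "Basic" or "Standard"
    zone_redundant_gateway: bool = False      # design intent for the VPN gateway


def review(vnets, circuits):
    """Return a list of findings; an empty list means the design passes."""
    by_name = {c.name: c for c in circuits}
    findings = []
    for v in vnets:
        linked = [by_name[n] for n in v.circuits if n in by_name]
        # Rule 1: two circuits per VNet for an active-active design
        if len(linked) < 2:
            findings.append(f"{v.name}: only {len(linked)} circuit(s) linked; two are needed for active-active")
        # Rule 2: the circuits must not share a peering location (geographic SPOF)
        locations = {c.peering_location for c in linked}
        if len(linked) >= 2 and len(locations) == 1:
            findings.append(f"{v.name}: all circuits terminate in {locations.pop()} (geographic SPOF)")
        # Rule 3: zone redundancy is only possible with a Standard public IP
        if v.zone_redundant_gateway and v.gateway_public_ip_sku != "Standard":
            findings.append(f"{v.name}: zone-redundant gateway requires a Standard public IP, got {v.gateway_public_ip_sku}")
    return findings


# Constructed sample inventory; names and locations are made up for this example
CIRCUITS = [
    Circuit("er-london-1", "London"),
    Circuit("er-london-2", "London"),
    Circuit("er-amsterdam-1", "Amsterdam"),
]
VNETS = [
    VNet("vnet-prod", ["er-london-1", "er-amsterdam-1"]),   # passes all rules
    VNet("vnet-dev", ["er-london-1", "er-london-2"]),       # both circuits in London: geographic SPOF
    VNet("vnet-legacy", ["er-london-1"], "Basic", True),    # single circuit and Basic public IP
]

if __name__ == "__main__":
    for finding in review(VNETS, CIRCUITS):
        print(finding)
```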

Diagram: Azure ExpressRoute redundancy with VNets.

Barracuda NG Firewall & Azure ExpressRoute

Barracuda NG Firewall adds protection to Microsoft ExpressRoute. The NG is installed at both ends of the connection and offers traffic access controls, security features, low latency, and automatic path failover with Barracuda’s proprietary transport protocol, TINA.

Traffic Access Control: from the IP layer up to the application layer, the NG firewall gives you complete visibility into traffic flows in and out of ExpressRoute. With visibility comes better control of the traffic. In addition, the NG firewall fully logs what servers are doing outbound. This matters if a server in Azure is compromised: you want to know what the attacker is sending outbound from it, and analytics lets you contain or at least record it. When you are attacked, you need to know what traffic the attacker generates and whether they are pivoting to other servers.

There have been security concerns about the number of administrative domains ExpressRoute overlays. You should implement your own security measures, since the physical routers’ logic is shared with other customers. The NG encrypts traffic end-to-end between both endpoints. This encryption can be customized to your requirements; for example, the transport may be TCP, UDP, or hybrid, and you have complete control over the keys and algorithms.

  • Preserve low latency

Preserve low latency for applications that require a high quality of service. The NG can apply quality of service based on ports and applications, giving better service to business-critical applications. It also optimizes traffic by automatically sending bulk traffic over the Internet and keeping critical traffic on the low-latency path.

Automatic transport link failover with TINA: upon MPLS link failure, the NG can automatically switch to an Internet-based transport and continue to pass traffic to the Azure gateway. It automatically creates a secure tunnel over the Internet without dropping packets, offering a graceful failover to Internet VPN. This allows multiple links to be active-active, making the WAN edge resemble SD-WAN with its transport-agnostic failover approach.

TINA is SSL-based, not IPsec, and runs over TCP/UDP/ESP. Because Azure only supports TCP and UDP, TINA is supported and can run across the Microsoft fabric.
