Azure ExpressRoute | Cloud-IX | Barracuda

There is increasing talk about the cloud, what it can do for business and how you connect to it. Connectivity to any cloud can be done via untrusted Internet or private direct connection. For direct connectivity, AWS has a product known as AWS Direct Connect and Microsoft has a competing product known as Azure ExpressRoute. Both provide the same end goal; cloud and on-premise endpoint connectivity not over the Internet. As its stands, Microsoft’s ExpressRoute offers more flexibility in terms of geographical connectivity.


The following table lists ExpressRoute locations;



ExpressRoute does not offer built-in encryption. For this reason, you should investigate Barracudas cloud security product sets. They offer secure transmission and automatic path failover via redundant secure tunnels to complete an end-to-end cloud solution. There are other 3rd-party security products available in Azure, but they are not as mature as Barracudas product set.


Internet Performance

Connecting to Azure public cloud over the Internet may be cheap but it has its own set of drawbacks with security, uptime, latency, packet loss, and jitter. The latency, jitter, and packet loss that is associated with the Internet often cause the performance of an application to degrade. This is especially a concern if you support hybrid applications requiring real-time backend on-premise communications.

Transport network performance directly impacts application performance. Business is now facing a whole new set of challenges when accessing applications in the cloud over the Internet. Delayed round trip time (RTT) is a big concern. TCP spends a few RTT just to establish the TCP session; two RTT before you get the first byte of data. Client-side cookies may also add delays if they are large enough and unable to fit in the first byte of data. Having a transport network offering good RTT is important for application performance. You need the ability to transport packets as quickly as possible and support the concept that “every packet counts.

The Internet does not provide this or offer any guaranteed Service Level Agreement (SLA) for individual traffic classes.


Azure Solution – ExpressRoute & Telecity Cloud-IX

With Microsoft Azure ExpressRoute, you get your own private connection to Azure with guaranteed SLA. Its like a natural extension to your data centre offering lower latency, higher throughput and better reliability than the Internet. You can now build applications that span on-premise infrastructures and Azure Cloud not compromising performance. It bypasses the Internet and allows you to connect your on-premise data centre to your cloud data centre via 3rd-party MPLS networks. Two ways to establish your private connection to Azure with ExpressRoute: Exchange Provider or Network Service Provider. Choose a method if you want to co-locate equipment or not. Companies like Telecity offer a “bridging product” enabling direct connectivity from your WAN to Azure via their MPLS network. Even though Telecity is an exchange provider, their network offerings is a network service provider. Their bridging product is called Cloud-IX.

Bridging product connectivity makes Azure Cloud look like another terrestrial data centre.




Cloud-IX is a neutral cloud ecosystem. It allows enterprises to establish private connections to cloud service providers of their choice, not just Azure. Telecity Cloud-IX network already has redundant NNI peering to Microsoft data centres allowing you to set up your peering connections to Cloud-IX via BGP or statics only. You don’t peer directly with Azure. Telecity and Cloud-IX take care of transport security and redundancy. Cloud-IX is more than likely to be an MPLS network that uses route targets (RT) and route distinguishers (RD) to separate and distinguish customer traffic.


ExpressRoute Redundancy

Layer-3 overlays called VNets ( cloud boundaries / subnets ) are now associated with four ExpressRoutes. This offers a true active – active data centre design enabling path diversity and ability to build resilient connectivity. This is great for designers as it means we can build true geo-resilience into ExpressRoute designs by creating two ExpressRoute “dedicated circuits” and associate each virtual network with both. This ensures full end-to-end resilience built into azure ExpressRoute configuration, including removing all geographic SPOFs. The ExpressRoute connections are created between the Exchange Service Provider or Network Service Provider to the Microsoft cloud. The connectivity between customers on-premise locations and the service provider are created independently of ExpressRoute. Microsoft only peer with service providers.





Barracuda NG Firewall & ExpressRoute

Barracuda NG Firewall adds protection to ExpressRoute. The NG is installed at both ends of the connection and offers traffic access controls, security features, low latency, and automatic path failover with Barracudas proprietary transport protocol TINA. Traffic Access Control: From IP to Application layer, the NG firewall gives you full visibility into traffic flows in and out of ExpressRoute. With visibility, you get better control of the traffic. NG firewall gives you full logging with what servers are doing outbound. This may be interesting to know if a server gets hacked in Azure you would like to know what the attacker is doing outbound to it. Analytics will let you contain it or log it. When you get attacked you need to know what traffic the attacker is generating and if they are beach heading to other servers. There has been Security Concerns about the number of administrative domains ExpressRoute overlays. As you are sharing the logical with physical routers that other customers are using, you should implement security measures. The NG encrypts end-to-end traffic from both end points. This encryption can be customized based on your requirement, for example, transport may be TCP, UDP, or hybrid and you have full control over the keys and algorithms.

Preserve Low Latency for applications that require high quality of service. The NG can provide quality of service based on ports and application, which offer a better service to high business applications. It also optimizes traffic by sending bulk traffic automatically over the Internet and keeping critical traffic on the low latency path.

Automatic Transport Link failover with TINA. Upon MPLS link failure, the NG can automatically switch to an internet-based transport and continue to pass traffic to Azure gateway. It automatically creates the secure tunnel over the Internet without any packet drops; offering a graceful failover to Internet VPN. This allows multiple links to be used as active –  active making the WAN edge similar to the analogy of SD-WAN utilizing a transport agnostic failover approach.


TINA is SSL based not IPSEC and runs over TCP/UDP /ESP. Due to the fact that Azure only support TCP & UDP, TINA is supported and can run across the Microsoft fabric.





About Matt Conran

Matt Conran has created 179 entries.


  • Jeremy

    Hi Matt,
    You mention performance, in particular the round trip. Does high latency over an expressroute connection effect the TCP windowing the same as a standard internet session, i.e where your nice 10 gig pipes may saturate far sooner due to enlarged buffering?

    Assuming it does, I see your other post about app delivery controllers, do ADC’s have any capability to stabilise a high latency link, or would your advice be to just ensure a low latency network provider connection in the first place?


  • Matt Conran

    Hi Jeremy, great question 🙂

    High latency with small TCP window size can cause a drop in throughput. This is the case on any public or private IP network. But for example, with a private network over Cloud-IX, the service provider can implement measures to decrease the impact of this and can have some kind of re-routing over congested links. This is service provider independent and you have no control. But as you know over the public internet by default you have little control unless you deploy some kind of proactive path monitoring. A French company called Border6 comes to mind 😉

    DNS load balancers can be used to extract network telemetry information and provide path information that way too. NSONE ( new york ) have a nice data-driven DNS product. Have a look at this too

    The entire idea of the Cloud-IX product is you can send delay sensitive information over it while using the internet for Video and less critical applications. Cloud-IX should never really get congested and if it does its better to upgrade your links and bandwidth capabilities they offer. Qos is not a magic bullet!

Leave a Reply