Microsoft Azure - The Network Operating System of the Future, Today (Part 2) - Dedicated WAN Connectivity with ExpressRoute

by [Published on 14 Aug. 2014 / Last Updated on 14 Aug. 2014]

In this article we'll look at the features and functionalities in Microsoft Azure that we think are the most fun, and that’s the networking components.

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this series, we took a short tour through the history of the network operating system (NOS) and introduced Windows Azure as the latest and greatest in that long line – but with a big difference: it’s the NOS that can take networks into the cloud.

Some people think of the public cloud when they hear the term, but for enterprise IT departments, Windows Azure is all about hybrid cloud (a.k.a hybrid IT), where you can take advantage of resources “out there” on Windows Azure and have them work together with resources located on your corporate network. In most cases, the term hybrid IT is the more accurate choice of words, because “hybrid cloud” assumes that you have a cloud system in place on your corporate network. Since most organizations at this point in time still don’t actually have a private cloud (one that fully instantiates the five essential characteristics of cloud computing), hybrid IT is more descriptive.

Implementing hybrid IT

There are a number of ways you can connect resources hosted in a Windows Azure public cloud with the resources in your on-premises datacenter (or private cloud, if you do indeed have one). Some of these include:

  • Connecting single hosts to an Azure Virtual Network though a remote access VPN connection. This is similar to the typical remote access VPN server scenario, but in this case Windows Azure provides an RRAS server to which your client systems can connect to establish a virtual private network.
  • Allowing HTTP access between on-premises resources and those that are hosted on an Azure Virtual Network. In this case, there is not a layer 2 (or virtual layer 2) connection between your corporate network and the Windows Azure Virtual Networks. Rather, there is only application connectivity and network connectivity.
  • Connecting entire on-premises networks to the Azure Virtual Network. In this scenario, you might create a site to site VPN between your on-premises networks and one or more Azure Virtual Networks. Another option would be to create a dedicated WAN link between your on-premises resources (or resources that are hosted in a co-located network provider site) so that the data flow doesn’t go over the public Internet.

There are many advantages of having a dedicated WAN link between your on-premises resources and an Azure Virtual Network. These include the following:

  • Privacy – Because the link is dedicated to your organization, there is a very small change of someone being able to access your data streams. In order to do this, an attacker would need to be able to compromise the provider’s facilities or the physical links, and this is something that isn’t very easy to do compared to software-only based attacks.
  • Performance – Dedicated WAN links can be very fast. Because these are layer 2 connections, they bypass much of the processing overhead that is related to virtual layer 2 connections such as VPNs. Encryption and protocol overhead for VPN and similar technologies have profound influence over the ability to get even close to wire speeds for network connectivity.
  • Reliability – When you use public based network connectivity methods, you’re always at the mercy of network conditions anywhere between your on-premises location and the destination. Sometimes the Internet is fast, and sometimes not so fast. With dedicated WAN links, you have an SLA in place that guarantees a certain level of bandwidth and you can be assured that you’re going to get that amount of bandwidth as long as the link is up. You also have SLAs in place in terms of uptime, which is something that can’t be provided for a public link, where networks between the source and destination are outside the control of both you and the public cloud service provider.

Nothing is perfect, though, and there are a couple of downsides to dedicated WAN links:

  • Cost. You get what you pay for, and you pay a lot for dedicated WAN links. You have to be able to rationalize the cost of WAN links, considering the value they provide your organization. You will need to have a good business case in order to justify the cost.
  • Complexity. Setting up dedicated WAN links isn’t like setting up a site to site VPN. You have to work closely with your network partners and make sure that you have all the right equipment and additional information configured on that equipment. There are also some complex routing protocols, such as BGP, that you’ll need to deal with.

Introducing ExpressRoute

Prior to May 2014, the only way to connect your on-premises network to an Azure Virtual Network was to use a site to site VPN. While this is a tried and true way to connect disparate networks, there was a price to pay in terms of processing overhead. Because of this overhead, the practical limit you had on bandwidth for that connection varied from 80-100 Mbps. That might seem like a lot of bandwidth for an Internet service, but if you want to fully integrate your high performance on-premises network with an Azure Virtual Network, then 100 Mbps is downright puny. Why would you want to throttle application performance to 100 Mbps when you’ve finely tuned your on-premises network using modern 10+ Gbps network standards and equipment?

Of course you wouldn’t. That’s why Microsoft introduced ExpressRoute. ExpressRoute is a new dedicated WAN link capability that enables you to connect your on-premises network resources to an Azure Virtual Network. The on-premises resources can be hosted truly on-premises, or they can be co-located with an Exchange Provider. In the latter case, you’re going to have an Ethernet connection to the Exchange provider that lets you fully leverage wire speed efficiencies you’ve build into your on-premises network design.

How fast can it go? It depends on whether you connect from a Network Service Provider or an Exchange Service Provider. If you connect from a Network Service Provider, you’ll be connecting your on-premises network to the Azure Virtual Network. If you connect from an Exchange Provider, you’ll have Ethernet connections to the Exchange Providers network, or your on-premises resources will be co-located on the Exchange Provider’s network.

Available data transfer rates are:

  • Network Service Provider connection: 10-1000 Mbps (up to 1 Gbps)
  • Exchange Providers: 200 Mbps-10 Gbps

If this is the kind of performance you’re interested in and you can justify the costs, then ExpressRoute just might be your ticket to a high performance hybrid IT deployment.

Here are some interesting facts about ExpressRoute that might answer some initial questions you have about the service:

  • The service isn’t available everywhere. You need to be able to leverage the offerings of a company that has a relationship with Windows Azure. You can find these here.
  • You can use ExpressRoute to connect to Azure storage. This makes setting up a backup datacenter that you can use for disaster recovery and business continuity a reality.
  • You can also use ExpressRoute to connect your on-premises datacenter resources to an Azure SQL DB. The low latency, high performance ExpressRoute network should be able to support even your most demanding database-bound applications.
  • You still have to pay for outbound datacenter traffic (outbound from your Azure Virtual Network) just as you have to do when you’re using a site to site VPN. The amount of outbound datacenter traffic you get per month is bundled with the monthly price of the service, which is associated with the network speed you’ve purchased. If you go over that number, you’ll be charged an additional 3.5 cents per gigabyte. The good news is that there are no limits on the amount of data transfer, you can transfer as much as you want to pay for.
  • Although you have to pay for traffic leaving the Azure Virtual Network, you don’t have to pay for traffic coming into the Azure Virtual Network. That means if you want to back up 100 TB of data from your on-premises facility to Azure storage, you won’t be charged extra.
  • Ensure that you know what transfer rate you actually need before you order the service. Prices are proportional to the link speed. The 200 Mbps connection will cost you $200/month. If you need 10 Gbps (50X the 200 Mbps connection), then you’re going to pay 50X that $200/month, which is $10,000/month.
  • The ExpressRoute connections are redundant and are configured with active/active pairs of cross connections.
  • VLANs are not supported into your Azure Virtual Network. There’s just no way to take into account your private VLAN architecture in a public cloud service like Windows Azure.
  • Most organizations are going to have multiple Azure Virtual Networks. The good news is that you can connect multiple Azure Virtual Networks together over your ExpressRoute connection. However, all those Azure Virtual Networks will need to be part of the same subscription.
  • If you’re now using site to site or point to site (remote access VPN client connection over SSTP) to connect from on-premises to an Azure Virtual Network, you’re going to have to move over to ExpressRoute only, since you can’t use these VPN based connectivity methods at the same time as ExpressRoute. That said, it’s not clear whether you can still keep the current software gateway in place to support the remote access VPN client connections which can be used by point to site users when they are off-premises. This is something worth asking if you’re interested in ExpressRoute, since point to site connections are very useful for users who are connecting from outside your corporate network. If it turns out that you cannot have this point to site gateway in place when you use ExpressRoute, then you’ll have to enable VPN connectivity into your on-premises network for those users so that they can access the Azure Virtual Networks from inside your corporate network.

Summary

Site to site and remote access client VPNs that go over the public Internet are fine if you have modest requirements. But if you want to fully realize the benefits of hybrid IT, then you’re going to need to have access to a dedicated WAN link. This year Microsoft introduced ExpressRoute, which enables you to connect your on-premises resources to Azure Virtual Networks over a dedicated WAN link. ExpressRoute can provide you with highly available and high performance networking solutions to connect your hybrid IT resources. If you’d like to learn more about ExpressRoute, check out Microsoft’s ExpressRoute page.

ExpressRoute is just one of many new Azure features that make it the NOS of the future, available to you today. In Part 3, we’ll tell you about more of those great new technologies.

If you would like to read the other parts in this article series please go to:

 

Advertisement

Featured Links