When you decide to undertake a strategy based on a hybrid cloud, that combines on-premises IT resources with public cloud resources and services, it is advisable to carefully consider how to connect your local network with the virtual networks present in the public cloud. In Azure one option is to use ExpressRoute, a private and dedicated connection that takes place through a third-party connectivity provider. This article describes possible network architectures with ExpressRoute, together with a series of precautions to be taken into consideration for a successful deployment.
Very often a Site-to-site VPN is used to establish connectivity between the on-premise resources and the resources in Azure environment attested on the Virtual Networks. This type of connectivity is ideal for the following use cases:
- Development environments, test, laboratories, but also production workloads where the resources located in the Azure environment do not use the connectivity to the on-premises environment intensively and strategically and vice versa.
- When you have an acceptable tolerance for bandwidth and speed in the hybrid connection.
There are some use cases, however, where ExpressRoute should be configured, according to Microsoft best practices, to ensure bidirectional connectivity between the on-premise network and virtual networks (vNet) of Azure of the customer. Indeed, ExpressRoute is suitable for the following use cases:
- If high speed requirements are to be met, connection with low latency and high availability / resilience.
- In the presence of mission-critical workloads that use hybrid connectivity.
What is ExpressRoute?
Thanks to ExpressRoute it is possible to activate a dedicated private connection, provided by a third party connectivity provider, to extend the on-premises network to Azure. ExpressRoute connections do not go through the public internet. In this way they can offer a higher level of security, greater reliability, faster speeds and consistent latencies than traditional internet connections.
Figure 1 - ExpressRoute logic diagram
ExpressRoute connections enable access to the following services:
- Microsoft Azure services (scenario covered in this article).
- Services of Microsoft 365. Microsoft 365 it has been designed to be accessed securely and reliably over the Internet. For this reason it is recommended that you use ExpressRoute with Microsoft 365 only in certain scenarios, as described in this Microsoft article.
It is possible to create an ExpressRoute connection between the local network and the Microsoft cloud via four different modes:
Figure 2 - ExpressRoute connectivity models
Connectivity providers can offer one or more connectivity models and you can choose the most appropriate model for your connectivity needs.
The following reference architecture shows how you can connect your on-premises network to virtual networks in Azure, using Azure ExpressRoute.
Figure 3 - Reference architecture to extend a local network with ExpressRoute
The architecture will consist of the following components.
- On-premises corporate network (“On-premises network” in the schema). This is the Customer's private local network.
- Local Edge Routers. These are the routers that connect the local network to the circuit managed by the provider.
- ExpressRoute Circuit. It is a circuit layer 2 or layer 3, provided by the connectivity provider, which joins the local network to Azure via edge router. The circuit uses the hardware infrastructure managed by the connectivity provider.
- Edge router Microsoft. These are routers in an active-active high availability configuration. These routers allow the connectivity provider to connect their circuits directly to the data center.
- Virtual network gateway (ExpressRoute). The ExpressRoute virtual network gateway enables the virtual network (VNet) Azure to connect to the ExpressRoute circuit used for connectivity with the local network.
- Azure virtual networks (VNet). Virtual networks residing in an Azure region.
In the architecture described above, ExpressRoute will be used as the primary connectivity channel to connect the on-premises network to Azure.
Furthermore, it is possible to use a site-to-site VPN connection as a source of backup connectivity to improve connectivity resilience. In this case, the reference architecture will be the following:
Figure 4 - Reference architecture to use both ExpressRoute and a site-to-site VPN connection
In this scenario they are expected, in addition to the architectural components described above, the following components:
- Appliance VPN on-premises. A device or service that provides external connectivity to the local network. The VPN appliance can be a hardware device or a supported software solution for connecting to Azure.
- Virtual network gateway (VPN). The VPN virtual network gateway allows the virtual network to connect to the VPN appliance present in the local network.
- VPN connection. The connection has properties that specify the type of connection (IPSec) and the key shared with the local VPN appliance to encrypt the traffic.
How to monitor ExpressRoute
To allow you to monitor network resources in the presence of ExpressRoute connectivity, you can use the Azure Monitor platform tool, through which you can check availability, performance, the use and operation of this connectivity.
A screenshot of the solution is shown as an example.
Figure 5 – ExpressRoute circuit monitor via Azure Monitor
This solution will provide a detailed topology mapping of all ExpressRoute components (peering, connections, gateway) in relation to each other. The detailed network information for ExpressRoute will include a dashboard through which the metrics can be consulted, the actual speed, any drop of network packets and gateway metrics.
As an example, a dashboard screen showing the total throughput of inbound and outbound traffic for the ExpressRoute circuit is shown (expressed in bits / second). Furthermore, you can view the throughput for individual connections.
Figure 6 - Metrics relating to the Throughput of ExpressRoute connections
For more details you can refer to the Microsoft official documentation on how to make the ExpressRoute monitor.
Microsoft in the security baselines for ExpressRoute, refer to the Azure Security Benchmark version 1.0, the Azure-specific set of guidelines created by Microsoft, provides several indications that are recommended to be followed. Among the main ones that should be adopted we find:
- Definition and implementation of standard security configurations for Azure ExpressRoute using Azure Policy.
- Use of tags for Azure ExpressRoute components in order to provide metadata and a logical and structured organization of resources.
- Locking to prevent accidental deletion or unwanted modification of Azure components related to ExpressRoute configuration.
- Using Azure Platform Tools to Monitor Network Resource Configurations and Detect Network Resource Changes of ExpressRoute Connections. Creating Alerts in Azure Monitor to be generated when changes are made to critical resources.
- Configure centralized collection of Activity Logs for ExpressRoute components.
ExpressRoute offers a fast and reliable connection to Azure with bandwidths that can reach up to 100 Gbps. It is therefore an ideal option for specific scenarios such as periodic data migration, replication for business continuity purposes, the disaster recovery, and the activation of high availability strategies. Thanks to ExpressRoute's fast speed and low latency times, Azure will feel like a natural extension of your data centers. In this way, it is possible to take advantage of the scalability and innovation of the public cloud without compromising in terms of network performance.