Comparing Ways to Connect to Microsoft Azure


There are several methods of connecting to the popular Cloud Service Provider, but which one is right for your business?


Curious about Microsoft Azure and the best ways to connect? Azure is a hybrid Cloud Service Provider (CSP) with customized, scalable, cloud-based packages. These encompass Software as a Service (SaaS), built on subscription-based software licensing and delivery; Platform as a Service (PaaS), allowing companies to develop, deploy, manage, and update applications; and Infrastructure as a Service (IaaS), providing high-level application programming interfaces (APIs).

Whether you’re part of a multinational corporation or a small startup, you can choose among Azure service plans to meet your needs. Enterprises use these services for artificial intelligence (AI)-based number crunching and analytics, virtual desktop networking, integration with the internet of things (IoT), storage/retrieval, and more.

There are a lot of services to reach in Microsoft Azure, but how do you communicate with these services from outside the cloud?


An overview of Azure connections


ExpressRoute and ExpressRoute Direct bypass the public internet, making them attractive to financial corporations and governments, among others. VPN connections are also a popular way to connect to Microsoft Cloud, carrying encrypted traffic over the public internet.

Azure Virtual WAN (wide area network) uses hub-and-spoke architecture to connect to Microsoft’s global network, automating branch connectivity and optimizing routing on a vast scale.

There are a lot of scenarios for connectivity where multiple methods may be used together, and it’s worth noting that ExpressRoute and VPN Gateway are two options to reach Azure Virtual WAN.




What is Microsoft ExpressRoute?


ExpressRoute links enterprises to Microsoft data centers through private connections like: 

(a) cloud exchange colocation, 
(b) any-to-any IP VPNs (usually MPLS), or 
(c) point-to-point Ethernet networks.

Connections are secured by on-premises networks or colocation facilities using a third-party connectivity provider’s virtual cross-connection software.



You can use the same ExpressRoute to privately pass your data into your Virtual Networks via Private Peering and access Microsoft public services via Microsoft Peering. All ExpressRoutes come with a primary and secondary connection; however, it’s up to the user whether to use both connections. The data rate provisioned on the ExpressRoute is available in full on both the primary and secondary interfaces. Note that you will need to have both enabled to receive the Microsoft ExpressRoute SLA.





What are the benefits of ExpressRoute?


Dedicated data that bypasses the public internet travels with higher bandwidth and reliability, and lower and more consistent latency. Security also improves because your data travels over a private connection and never touches the internet. Keep in mind that private does not mean encrypted: encryption over ExpressRoute is a separate option, described in the onboarding section. Some enterprises also report cost savings due to significantly lower egress data costs versus the internet.

Specifically, ExpressRoute offers these features as outlined by Microsoft:

  • Layer 3 connectivity between on-premises and Microsoft Cloud through a connectivity provider
  • Connectivity to Microsoft cloud services across all regions in the geopolitical region or to all global regions with the ExpressRoute premium add-on
  • Dynamic routing between your network and Microsoft via BGP
  • Built-in ExpressRoute redundancy in every peering location for higher reliability
  • ExpressRoute Connection uptime SLA
  • Scalable data rates from 50 Mbps to 10 Gbps.


Onboarding with ExpressRoute


Enterprises peer with Microsoft through an ExpressRoute carrier partner. Order an ExpressRoute circuit, and your connectivity provider extends your network to an ExpressRoute location or peering location. ExpressRoute locations are colocation facilities that host Microsoft Enterprise Edge devices. 

There is also an option to encrypt your data over a private ExpressRoute. Using an encrypted ExpressRoute private connection, your data accesses Azure VNets with, as Microsoft explains, “confidentiality, anti-replay, authenticity, and integrity.” The data travels on a site-to-site IPsec/IKE VPN tunnel to and from your networks and Azure VNets, which cross-connect to the Microsoft network. The protocol is direct over a virtual local area network (VLAN) or MPLS.

If enterprises do not wish to use an ExpressRoute partner, they can connect by choosing a regional carrier and connecting via a physical Ethernet connection. Data goes through the supported exchange provider to peer with Microsoft via ExpressRoute Direct.


What is Microsoft ExpressRoute Direct?


With ExpressRoute Direct, Microsoft Cloud customers can connect at global peering locations distributed around the world to reach Microsoft’s global network directly. Connectivity interfaces are either 10 Gbps or 100 Gbps, with various circuit SKU options available up to the interface data rate. This typically means ordering two cross connects from your rack directly to Microsoft’s ExpressRoute Direct interfaces. See Microsoft ExpressRoute Direct for more information.

Image courtesy of Microsoft. Source: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-connectivity-models



What are the benefits of ExpressRoute Direct?


As with Azure ExpressRoute, using ExpressRoute Direct reduces lag, increases bandwidth, and ensures low latency, giving clients dual 100 Gbps or 10 Gbps connectivity. In addition, enterprise IT teams have Active/Active connectivity at scale, allowing them to manage peering traffic as needed. 

Heavily regulated industries, such as banking, government, and retail, sometimes require dedicated and isolated connectivity; ExpressRoute Direct (and Azure ExpressRoute in general) provides the necessary physical isolation. Clients that generate huge amounts of data, such as large retailers, government agencies, and global manufacturers, use ExpressRoute Direct to manage their massive database and storage needs.

It’s worth looking at costs before going down the ExpressRoute Direct path, as it can get expensive: the current cost of a 100 Gbps ExpressRoute Direct port pair is over $50,000 per month.


ExpressRoute Peering Locations and Azure regions


When you create an ExpressRoute, you must choose an ExpressRoute peering location and a home region. The peering location is the actual on-ramp location of the Partner NNI with Microsoft. The region, in most cases, does not have to be the same as the Peering Location.

You’ll also need to choose the SKU type of Local, Standard, or Premium. With an ExpressRoute Local circuit SKU, you can connect to resources in Azure regions in the same metro as the peering site. The Standard SKU allows you to connect to all Azure regions in the geopolitical area of the ExpressRoute. If you need to connect to regions outside the geopolitical region of the ExpressRoute, then you’ll need to configure an ExpressRoute Premium SKU circuit. The Premium SKU will allow you to access resources globally across all Azure regions – see example diagram below from Microsoft FAQs.

You can have up to 10 virtual networks connected on a standard ExpressRoute circuit, and up to 100 on a premium ExpressRoute circuit.


Image courtesy of Microsoft. Source: https://medium.com/awesome-azure/azure-difference-between-azure-expressroute-and-azure-vpn-gateway-comparison-azure-hybrid-connectivity-5f7ce02044f3



What is VPN Gateway?


If you don’t want to use ExpressRoute or ExpressRoute Direct, you could choose Azure VPN Gateway. This is a Virtual Network Gateway type that sends encrypted data from on-premises devices over the public internet to the Azure virtual network. The data is encrypted in a private tunnel, as shown in the lower part of the diagram. As with the encryption options offered with ExpressRoute, Azure VPN Gateway gives IT staff control over who has access to data and other assets.


What are the benefits of Azure VPN?


VPN Gateways are typically used to connect to Azure with one of two types of VPN: Site to Site or Point to Site. Each type comes with different features regarding throughput, routing, resilience, use cases, and pricing, which you should weigh to select the one that suits your needs.

VPN Gateways are very popular due to their speed of deployment, seamless accessibility from anywhere, encrypted traffic, and ease of use.

Other features include:

  • Users can access the VPN gateway remotely—site to site or point to site—with their devices (laptops, tablets, phones, IoT etc.)
  • Enterprises pay based on the VPN Gateway sizing and the amount of Egress Data sent
  • Bandwidth is up to 10 Gbps
  • Gateways are easy to set up
  • Scalability and resiliency.




What is Azure Virtual WAN?


Azure offers a single interface through Azure Virtual WAN, meaning networking, security, and routing occur through hub-and-spoke architecture. Setup and configuration are also automated and updated behind the scenes. ExpressRoute and VPN connectivity are two methods you can combine with Virtual WAN to give you access from outside Microsoft Azure. 


Image courtesy of Microsoft. Source: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about



What are the benefits of Azure Virtual WAN?


Clients can diversify ways to connect to cloud destinations and services through Virtual WAN’s hub-and-spoke architecture. Microsoft outlines these benefits:

  • Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE)
  • Site-to-site VPN connectivity
  • Remote user VPN connectivity (point-to-site)
  • Private connectivity (ExpressRoute)
  • Intracloud connectivity (transitive connectivity for virtual networks)
  • VPN ExpressRoute interconnectivity
  • Routing, Azure Firewall, and encryption for private connectivity.


Which Azure connectivity option is best for you?


Healthcare, financial services, government agencies, retail firms, and manufacturers all rely on Azure services, depending on their needs. Azure offers hybrid cloud, AI, IoT, and mixed reality to quickly scale, improve security, and instantly update software. Governments use Azure to meet compliance standards and lower costs through faster connections, and industries operating globally can unite their workforce and analyze data on a vast scale.

Communicating with Azure cloud services can be fine-tuned among private and public connections. Users can connect their on-premises equipment privately via Microsoft connectivity partners, or connect across the internet via VPNs. Your security needs and data flow, whether you’re part of an industry or public institution, will affect which connection is best.


Choosing ExpressRoute or ExpressRoute Direct

ExpressRoute manages data up to 10 Gbps, with Direct adding a tenfold bump to 100 Gbps. For government entities and corporations that need high speeds, low latency, and high reliability, both ExpressRoute products should be considered. ExpressRoute and ExpressRoute Direct provide access to all Azure services and tend to be more expensive than VPN due to the private highway that you’re accessing. There are use cases for high data rate users where the lower egress fees will allow ExpressRoute to pay for itself.


Choosing VPN Gateway 

IT managers should consider VPN Gateway for hybrid applications where the traffic between on-premises hardware and the cloud is likely to be light. It is not, however, recommended for high data transfers. At the cost of slightly extended latency, enterprises will receive Azure’s flexibility and access all of Azure’s services. It is also not for organizations with compliance requirements or restrictions on passing their data across the internet. Small organizations appreciate VPN, especially those prototyping and developing products.


Choosing Azure Virtual WAN

For clients that need a higher level of options and have a global reach, Virtual WAN might be the answer. It can link a multinational corporation’s branch offices, IoT devices (point of sale or otherwise), and virtual desktops. Data connections can be expanded, reduced, or rerouted seamlessly through partners, OpenVPN clients, and ExpressRoute interfaces.



Moving forward with Azure


No matter which plan you choose, Azure is adaptable. The range of options may seem daunting, but if you triage your crucial levels of data protection, speed, and reliability against your budget, you can start with a solution and modify it later.

Megaport’s Network as a Service (NaaS) solutions enable fast, flexible, and secure connectivity to Azure and other top cloud providers, data center operators, systems integrators, and managed service providers.

Our global Software Defined Network (SDN) helps businesses rapidly and securely connect their networks to services through our easy-to-use portal or open API, reducing operating costs and increasing speed to market compared to traditional networking solutions. To learn more, chat to one of our Solutions Architects.

Paul McGuinness
Senior Solutions Architect, Europe
