How to Connect AWS Direct Connect and Microsoft Azure ExpressRoute
If your business relies on or is considering the two leading hyperscalers for your network, you could take your connectivity to the next level by integrating them. Here’s how to do it.
In 2022, having a secure and reliable network for your business isn’t just a nice thing to have: It’s a necessity. As speed, bandwidth, and accessibility needs have increased alongside businesses’ remote expansion, we’ve also seen a surge in multicloud adoption – with a predicted 94% of organizations having a multicloud network by 2024, many are realizing the benefits of using multiple clouds to support their business-critical applications.
As more and more enterprise workloads migrate to the cloud, many organizations need ways to connect securely and reliably to Amazon Web Services (AWS) and Microsoft Azure, the world’s two largest hyperscalers, to future-proof their networks and ensure the best compatibility between workloads.
And we’ve covered this before: In our blog ‘3 Ways to Connect Your AWS and Microsoft Azure Environments’, we shared the different methods (along with their pros and cons) to connect your AWS and Azure cloud environments for a more secure and performant multicloud experience. But did you know that you can take it a step further and connect the cloud providers’ dedicated private connections, AWS’ Direct Connect and Azure’s ExpressRoute, to each other?
What is a dedicated private connection, and how do they work?
A dedicated connection is a private connection created by the Cloud Service Provider (CSP) to connect a single business’ network to their cloud. Both Direct Connect and ExpressRoute enable customers to connect to their cloud workloads over a private connection not shared with any other providers or customers. This then provides a path for your business-critical data that does not route through the public internet (which can threaten your network’s reliability, performance, and most importantly, security).
AWS Direct Connect is the “shortest path to your AWS resources.” With Direct Connect, your network traffic remains on AWS’ global network and therefore never touches the public internet, reducing the chances of bottlenecking or latency.
Azure ExpressRoute acts similarly and allows you to create private connections between Azure data centers and your own data centers or on-premises infrastructure. Connecting via ExpressRoute can be useful for companies heavily relying on Microsoft cloud for services such as virtual compute, database service, or cloud storage, as is also the case with AWS cloud products.
Both Direct Connect and ExpressRoute allow you to transfer data into their cloud for free, but data coming out (egress) is charged by the gigabyte, with pricing depending on region and destination (see our ExpressRoute pricing explanation for more information). Connectivity speeds offered are also similar, ranging from 50Mbps to 100Gbps. Both cloud providers require layer 3 routing with eBGP (External Border Gateway Protocol) for sharing route prefixes.
One technical difference you’ll want to consider is how VLAN (Virtual Local Area Network) tagging is supported across these two solutions. With AWS Direct Connect, a Virtual Interface (VIF) – which can be configured as private, transit, or public – will be associated with a single VLAN. This will be presented as a single 802.1q subinterface on the Layer 3 endpoint peering with AWS.
With Azure ExpressRoute, QinQ 802.1ad is supported. The outer VLAN tag or S-tag is associated with the ExpressRoute circuit itself, and the inner tag or C-tag is associated with the peering type. Azure offers Private Peering and Microsoft Peering across ExpressRoute (our previous blog explains when to use each). You’ll need to make sure your Layer 3 endpoint supports QinQ. Many providers, such as Megaport, have solutions to work with Layer 3 endpoints that do not support QinQ.
Other technical differences you’ll need to consider are Maximum Transmission Unit (MTU) sizing and BGP route prefix limits. These vary by cloud provider and in some cases can be configured based on product SKU and configuration options. There are also some product offering differences related to pricing models and the service-level agreements (SLAs) available from each CSP.
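As an added example, not code from the original post or from either CSP or Megaport, the following Python builds and decodes the two tag presentations described above (a single 802.1Q tag as on a Direct Connect VIF, and an 802.1ad S-tag plus 802.1Q C-tag as on ExpressRoute) and reports the extra Layer 2 header bytes each tag stack adds. The MAC addresses and VLAN ids used are constructed sample values; the TPID values are the IEEE-assigned ones.

```python
"""Added example: encode/decode 802.1Q and 802.1ad (QinQ) Ethernet headers."""
import struct

TPID_8021Q = 0x8100    # 802.1Q tag; also used for the inner C-tag in QinQ
TPID_8021AD = 0x88A8   # 802.1ad outer S-tag
ETHERTYPE_IPV4 = 0x0800
MAC_HDR_LEN = 14       # dst(6) + src(6) + EtherType(2), untagged


def build_frame(dst, src, tags, ethertype=ETHERTYPE_IPV4, payload=b""):
    """tags: list of (tpid, vlan_id) from outermost to innermost."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN id {vid}")
        hdr += struct.pack("!HH", tpid, vid)  # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack; return tags, the final EtherType and header length."""
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return {"tags": tags, "ethertype": tpid, "header_len": off + 2}
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci & 0x0FFF))  # low 12 bits of the TCI are the VLAN id
        off += 4


def tag_style(frame):
    """Classify the stack the way the two CSPs present it."""
    tags = parse_tags(frame)["tags"]
    if not tags:
        return "untagged"
    if len(tags) == 1 and tags[0][0] == TPID_8021Q:
        return "802.1Q single tag"            # Direct Connect VIF presentation
    if [t[0] for t in tags] == [TPID_8021AD, TPID_8021Q]:
        return "802.1ad QinQ (S-tag/C-tag)"   # ExpressRoute presentation
    return "unexpected tag stack"


def l2_overhead(frame):
    """Extra Layer 2 header bytes beyond untagged Ethernet (4 per tag)."""
    return parse_tags(frame)["header_len"] - MAC_HDR_LEN
```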
The benefits of using a dedicated network connection
There are numerous benefits to using a CSP’s dedicated network connection such as Direct Connect and ExpressRoute to connect to their respective cloud rather than the public internet, similar to the benefits of using a private cloud over a public one. These include:
- Bolstered security – connecting through a dedicated, private network connection ensures an extra level of security by hosting your critical data inside a protected path environment made just for your business, meaning significantly reduced threats of cyberattacks and data breaches. This is unlike the path that the public internet provides, which can be compromised by other enterprise traffic.
- Cost savings – depending on the volume of data you’re exchanging between clouds, your costs could be lower by using private connections. AWS and Azure both charge higher egress data rates for relying on the public internet versus using their private network options, meaning you could save hundreds or even thousands of dollars by sticking to their dedicated connections while migrating applications from your on-premises infrastructure.
- Greater oversight and control – companies can home in on their data to a much greater extent and be “closer” to their cloud migration due to its private nature, to oversee and monitor their data effectively (i.e., see which data is going where).
- Stable performance – a private network solution will give you improved and consistent performance when accessing your data in the cloud. This means reduced latency, fewer and less frequent hops, and lower levels of jitter, meaning fewer interruptions to your day-to-day operations.
Why connect the two?
There are a handful of common use cases for connecting the two dedicated cloud connectivity paths. This means that a customer’s ExpressRoute can communicate directly to their Direct Connect path, rather than just connecting their entire AWS and Azure clouds.
- Data migration – large data migrations can be more cost-effective and predictable over private connectivity. By connecting the two, mass data migration between your AWS and Azure clouds can be faster and more reliable.
- Multicloud workloads – opting for and connecting both your AWS and Azure paths can allow your organization to use “best of breed” product and pricing options in each cloud. Multicloud also ensures a backup of your critical data should disaster strike. Learn more about multicloud with our Beginner’s Guide.
- Easier IT integration – this enables you to integrate your network without having to fully migrate your cloud workloads. This is especially useful for network mergers.
How to connect Direct Connect and ExpressRoute
There are three recommended ways you can connect your Direct Connect and ExpressRoute workloads for better performance and compatibility:
- Using your data center.
- Virtual Network Function (VNF).
- Carrier Private IP-VPN over Multiprotocol Label Switching (MPLS).
Each of these connection methods can prove beneficial for your enterprise, depending on how you intend to design and take advantage of your multicloud network.
1. Using your data center
By utilizing one of your existing data centers and establishing two point-to-point circuits from a network service provider (one to AWS Direct Connect and the second to Azure ExpressRoute), you can effectively connect your two workloads. Establish the connection by terminating each circuit on a new or existing layer 3 endpoint, and use your data center as the hybrid multicloud node between AWS and Azure.
The below diagram shows how this architecture would look. Once complete, you will have established a private data path between AWS and Azure through your data center. The Direct Connect and ExpressRoute location shown will be chosen based on cloud provider region and data center location (this is often the same location for both cloud providers, but it may also be different locations). Once BGP is established between the data center router and each cloud provider edge, traffic can then pass between Azure and AWS.
Pros:
- Better control and customization – fine-tune your data migration to more precisely select which data goes where.
- Expand on existing service – with this method, you have the ability to take advantage of your existing security stack as well as the network hardware and toolset you’re already familiar with to establish connectivity.
- No new solution to learn or integrate into your overall network strategy.
Cons:
- Higher costs – maintaining a data center requires continued costs of expert maintenance, rent, and more.
- Time to deploy – this often requires a service provider to deliver local loops into your data center, which can come with term agreements and high monthly costs. These new services typically take weeks or months to deploy.
- Possible bandwidth strain – if you are using your existing network infrastructure, you’ll want to make sure you have the capacity for the throughput requirements. Latency can also be a detriment if your data center is not in the same geographic area as the ExpressRoute and Direct Connect locations.
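In the data center design the Layer 3 endpoint re-advertises each cloud’s prefixes to the other, so the prefix limits mentioned earlier apply to what the hub sends in each direction. As an added example (not code from the original post, nor a CSP or Megaport tool), the following Python collapses the routes learned from each side, checks the resulting counts against assumed placeholder limits, and flags address space that overlaps between the two clouds, which a single hub router cannot route between. The sample routes and the limit values are constructed; real limits depend on CSP, SKU and peering type.

```python
"""Added example: sanity-check hub-router re-advertisement between AWS and Azure."""
import ipaddress


def summarize(prefixes):
    """Collapse contiguous or overlapping prefixes to the minimal set,
    which keeps the advertised count low and stable."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overlaps(a_prefixes, b_prefixes):
    """Prefix pairs that overlap across the two clouds; a single Layer 3 hub
    cannot forward correctly between overlapping address space."""
    a = [ipaddress.ip_network(p) for p in a_prefixes]
    b = [ipaddress.ip_network(p) for p in b_prefixes]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]


def plan_readvertisement(aws_prefixes, azure_prefixes, limits):
    """limits: {'to_aws': int, 'to_azure': int} (assumed placeholder values).
    Returns the per-direction route sets, whether each fits its limit, and overlaps."""
    to_azure = summarize(aws_prefixes)    # AWS routes the hub sends toward Azure
    to_aws = summarize(azure_prefixes)    # Azure routes the hub sends toward AWS
    return {
        "to_azure": to_azure,
        "to_aws": to_aws,
        "fits": {"to_azure": len(to_azure) <= limits["to_azure"],
                 "to_aws": len(to_aws) <= limits["to_aws"]},
        "overlaps": overlaps(aws_prefixes, azure_prefixes),
    }


# Constructed sample routes, as each cloud edge might advertise them.
AWS_ROUTES = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23"]
AZURE_ROUTES = ["10.1.0.0/16", "172.16.0.0/24"]
LIMITS = {"to_aws": 2, "to_azure": 2}  # placeholders, not real CSP limits

if __name__ == "__main__":
    print(plan_readvertisement(AWS_ROUTES, AZURE_ROUTES, LIMITS))
```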
2. Virtual Network Function (VNF)
This virtual network device can become your Layer 3 endpoint to exchange traffic between AWS and Azure. Network as a Service (NaaS) providers like Megaport offer cloud-based solutions that allow you to easily connect your dedicated connections. While offerings vary by provider, you can typically order a pre-packaged solution that includes licensing and route functionality.
One thing to consider is whether the NaaS provider is also an AWS Direct Connect and Azure ExpressRoute partner. This will become important as you can then more seamlessly build these virtual cross connects (VXCs) from your VNF to the respective cloud providers.
The VNF solution gives you the flexibility to either just deploy a simple router between the two CSPs, create a firewall to implement security policies, or to fully integrate with your SD-WAN solution already in place.
In the below diagram, the router instance is brought closer to the cloud in comparison to the data center solution. The data path between Azure and AWS will typically traverse less physical distance. BGP will now terminate between the cloud providers and the VNF instance, establishing the data paths between the two clouds. Megaport offers two VNF solutions: Megaport Cloud Router (MCR) and Megaport Virtual Edge (MVE).
Pros:
- Time to deploy – you can deploy these solutions using your NaaS provider’s portal interface or API, usually within minutes. After your virtual router is up and running, deploying virtual cross connects to ExpressRoute and Direct Connect becomes very simple.
- Lower costs – by avoiding data center hairpinning, you reduce the amount of data you send out of AWS and Azure, thereby reducing hefty egress fees. We share more ways to lower your Azure egress fees on our blog.
- Higher network performance – when you deploy your virtual network device close to the cloud workload region, you can enjoy higher network performance due to reduced latency and jitter.
- Flexible term agreements – by using a VNF solution, you can scale up and scale down your routers as needed, as opposed to signing long-term contracts for carrier-provided MPLS circuits.
Cons:
- Less customizable – prepackaged solutions will have a specific feature set that may or may not be right for you, so you’ll need to make sure the features you need are available. Make sure the specific SD-WAN or firewall vendor you want to deploy is available with that specific NaaS provider.
3. Carrier Private IP-VPN
As some network carriers are also AWS and Azure partners, they can provide connectivity from their Private IP-VPN (Internet Protocol Virtual Private Network) solution. IP-VPNs use multiprotocol label switching (MPLS) technology to avoid connecting via public gateways. This technology has similar benefits to other private solutions including bolstered security, high availability, and improved performance. If your current carrier already provides this type of service to you, it may be worth looking into to accomplish this connectivity need.
The below diagram shows how an IP-VPN network can be used to connect AWS Direct Connect to Microsoft ExpressRoute. With this architecture, the traffic between the two cloud providers will now traverse through your IP-VPN Provider Edge (PE) Router. Unlike the prior solutions discussed, this device is not physically or virtually managed by you.
Pros:
- Fully managed – the Layer 3 device (IP-VPN CE/PE) between your AWS and Azure clouds is fully managed, meaning you can leave maintenance to the experts.
- Extension of service – as you may already have an agreement and relationship in place with one or both of the CSPs, connection can be even quicker.
- Ability to leverage – if you have other remote locations on the MPLS network, these could leverage the same connections to interface with AWS and Azure.
Cons:
- Higher cost – MPLS tends to be the most expensive option when connecting to cloud providers, and usually comes with a contract term commitment.
- Time to deploy – while it will depend on the carrier, some still provision these connections in a legacy fashion. This may require several weeks or months to deploy connections, meaning a delay to your multicloud capabilities.
- Control – all routing functionality, filtering, and security will be dependent on the carrier’s product capabilities, which may be limited, meaning you’ll have less oversight and customization over your data.
The solution best for you, and how Megaport can help
The right AWS to Azure connection method for your business will depend on a number of factors, from your budget, to the type of applications involved, to network performance, speed, and bandwidth requirements.
Using your data center as the hybrid or multicloud network node can be beneficial to enterprises who have an existing data center and want to more seamlessly connect their workloads. This solution also provides greater oversight and visibility over data migration.
Virtual Network Function (VNF), on the other hand, works best for networks wanting a quick connection solution, as you can deploy the virtual network devices using your NaaS provider’s portal interface or API within minutes. And as it’s placed closer to the workload’s cloud region, you can enjoy higher network performance.
Megaport Cloud Router (MCR)’s virtual network function capabilities make networking easier by allowing you to connect at Layer 3 in an instant, taking the complexity out of setup. There’s no need to learn the ins and outs of network engineering: Simply log in to your Megaport account and start building your virtual network in a few clicks. MCR also supports multicloud, and allows you to privately peer between leading cloud providers. Megaport Virtual Edge (MVE), our on-demand Network Function Virtualization (NFV) service, allows you to spin up new connections between your clouds, without having to deploy hardware.
If your enterprise wishes to leverage an existing MPLS network, the carrier-managed MPLS option can be beneficial for connectivity that requires less management by your enterprise, leaving it to the experts.
No matter which multicloud network design is right for your business, Megaport has solutions that are quick and simple to deploy, improve network performance, and can reduce costs.