How to Connect Your AWS and Microsoft Azure Environments

We explain why you should connect the leading two cloud providers, the options available, and which one is right for your business.

Hybrid cloud and multicloud architectures have become common among enterprise IT departments seeking greater network reliability, security, and cost-efficiency in support of optimal application performance, with a predicted 94% of organizations having a multicloud network by 2024. As more and more enterprise workloads migrate to the cloud, it’s only natural that organizations seek ways to connect Amazon Web Services (AWS) and Microsoft Azure, two leading hyperscalers, to future-proof their network and ensure the lowest latency between workloads.


Why should I connect my clouds? Benefits and use cases

Having multiple cloud providers alone isn’t enough to future-proof your business. And in an era of remote workforces, rampant cybercrime, and impatient customers, it’s never been more important to optimize your cloud suite. The simplest (and best) way is to privately interconnect your clouds – in other words, adopt cloud-to-cloud routing.

Interconnecting your cloud suite brings a range of benefits and unlocks new use cases. It mitigates risk by introducing data redundancy and disaster recovery, improves network performance, reduces latency and hops (direct paths between clouds shorten the distance data needs to travel), and allows for flexibility and “best-of-breed” choice, all of which will also improve your business’s reputation with your customers. We explain more in our blog, Three Reasons You Should Interconnect Your Clouds.

Cross-cloud: An evolved way to think about multicloud

Cross-cloud is a new way to think of multicloud infrastructure and an especially compelling case for connecting your cloud environments. It specifically refers to using multiple cloud platforms or services, in this case AWS and Azure, to run a single application or workload, therefore reducing overhead. This differs from multicloud, which simply refers to using multiple clouds. As VMware’s Dave Wolpert explains, “With cross-cloud, application development takes on a new life. SaaS providers can build applications on top of a cloud data platform and, by nature, access and use data from any public cloud.”

This resolves two issues: data ownership and time to deploy. These solutions allow for enhanced freedom and flexibility across these two clouds. This fairly new framework is still evolving and the key players are continuing to develop their cross-cloud capabilities, but it’s a great strategic goal to have in mind once you’ve connected your clouds and determined the core applications and SaaS products your business and branches need to run smoothly.

Okay, but back to the mission at hand: connecting your two cloud workloads. Let’s say you’re like one of our customers, a global retail brand that hosts its e-commerce presence with AWS and Azure, currently deploying mirror applications in both clouds. To comply with your security policy, you backhaul some of your traffic to your data center where that policy is applied – but not all of your traffic needs to be subject to the security policy. To save network resources in your data center, you want to keep the remaining traffic at the edge of each cloud, decreasing latency between AWS and Azure.

In this case, there are three ways to connect an AWS environment to a Microsoft Azure one, each with its pros and cons. One method, the VPN tunnel, is far and away the most common, but as you might have guessed if you read our blog regularly, we don’t think it’s the best one.

How to connect your AWS and Azure cloud environments

Set up VPN tunnels

There are plenty of resources online about how you can set up a VPN tunnel over a public internet connection between AWS and Microsoft Azure. It’s a tried and true traditional method of connecting between clouds, but there are many disadvantages to connecting your cloud environments this way:

  • Limited throughput –
    • For higher compute workloads, you’ll have to build numerous tunnels to support the throughput you need.
    • You’ll spend a lot of time managing ECMP (Equal-Cost Multi-Path routing) or load balancing.
  • Routing is unpredictable via the public internet.
  • There’s always potential for compromised security due to Border Gateway Protocol (BGP) route hijacking.
  • Cloud egress fees over the Internet – These fees are applied per GB by the cloud providers on egress. They can be prohibitive and quickly build up to larger amounts of your cloud budget.

While using VPN tunnels can prove a more affordable and easy solution for businesses performing small, low-risk activities in the cloud, it’s not recommended for bandwidth-heavy workloads or businesses dealing with sensitive information that could be subject to compromise, particularly those in the financial services or government sector.

connection diagram

What is a dedicated private connection, and how does it work?

A dedicated connection is a private connection created by the CSP to connect a single business’s network to its cloud. Both Direct Connect and ExpressRoute enable customers to connect to their cloud workloads over a private connection not shared with any other providers or customers. This then provides a path for your business-critical data that does not route through the public internet. There are numerous benefits: security, cost savings, greater oversight and control, and stable performance.

For the cloud providers mentioned here, the dedicated private connections are called AWS Direct Connect and Azure ExpressRoute.

Why should I connect Direct Connect and ExpressRoute?

There are a handful of everyday use cases for connecting these two dedicated cloud connectivity paths, including:

  • Data migration – Large data migrations can be more cost-effective and predictable over private connectivity. By connecting the two, mass data migration between your AWS and Azure clouds can be faster and more reliable.
  • Multicloud workloads – Connecting both your AWS and Azure paths can allow your organization to use “best of breed” product and pricing options in each cloud. Multicloud also ensures a backup of your critical data, should disaster strike. Learn more about multicloud connectivity with our complete guide.
  • Easier IT integration – This enables you to integrate your network without having to fully migrate your cloud workloads. This is especially useful for network mergers.

There are three recommended ways you can connect your Direct Connect and ExpressRoute workloads for better performance and compatibility:

  • Using your data center.
  • Virtual Network Function (VNF).
  • Carrier Multiprotocol Label Switching (MPLS).

Each of these connection methods can prove beneficial for your enterprise, depending on how you intend to design and take advantage of your multicloud network.

Build private lines or build your own

The second way you can connect your AWS and Azure environments is to build private lines to the two hyperscalers by buying dedicated circuits from your telco provider. These circuits will give you a private connection with strengthened security to the cloud providers, with traffic that isn’t routed over the unpredictable and vulnerable public internet.

Similarly, by utilizing one of your existing data centers and establishing two point-to-point circuits from a network service provider, you can effectively connect your two workloads via a router you manage. In this case, you are using your data center as the hybrid multicloud node between AWS and Azure.

But there are also many disadvantages to this approach:

  • It’s costly as it subjects you to long-term contracts. Your telco will likely lock you into 18-24 month contracts for your dedicated circuits, with 45-90 day installation windows.
  • Fixed data rates mean it can take you months to increase bandwidth capacity.
  • Private lines are generally the most costly option to connect between AWS and Microsoft Azure.
  • Latency is still an issue due to backhaul traffic. Even with private circuits to each cloud, you’ll still need to backhaul traffic to your data center or on-premises routing equipment.
  • You’ll continue to need on-premises infrastructure or a significant colocation presence. And this, of course, means more capex to account for in your annual budget.

connection diagram 2

Set up private connectivity with a virtual router or Virtual Network Function (VNF)

A virtual network device can become your Layer 3 endpoint to exchange traffic between AWS and Azure. Network as a Service (NaaS) providers like Megaport offer cloud-based network solutions that allow you to easily connect your dedicated connections. While offerings vary by provider, you can typically order a pre-packaged solution that includes licensing and route functionality.

One thing to consider is whether the NaaS provider is also a Direct Connect and ExpressRoute partner. This will become important as you can then more seamlessly build these Virtual Cross Connects (VXCs) from your VNF to the respective cloud providers. The VNF solution gives you the flexibility to either just deploy a simple router between the two CSPs, create a firewall to implement security policies, or to fully integrate with your SD-WAN solution already in place.

In the below diagram, the router instance is brought closer to the cloud in comparison to the data center solution. The data path between Azure and AWS will typically traverse less physical distance. BGP will now terminate between cloud providers and the VNF instance, establishing the data paths between the two clouds. Megaport offers two VNF solutions: Megaport Cloud Router (MCR), and Megaport Virtual Edge (MVE).

connection diagram 3
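
Once BGP terminates on the virtual router, the split described earlier (policy-scoped traffic backhauled to the data center, everything else routed cloud-to-cloud) depends on longest-prefix match, so a more-specific route learned directly from a cloud can pull traffic off the inspected path. The following is an added example, not Megaport's code, that audits a route table for that failure mode; all prefixes and next-hop names are constructed assumptions.

```python
import ipaddress

# Constructed sample table: routes as a virtual router might learn them over BGP.
ROUTES = [
    ("10.10.0.0/16", "aws-direct-connect"),   # AWS VPC range (assumed)
    ("10.20.0.0/16", "azure-expressroute"),   # Azure VNet range (assumed)
    ("10.20.8.0/24", "datacenter"),           # policy-scoped subnet, backhauled
    ("10.10.64.0/20", "datacenter"),          # policy-scoped subnet, backhauled
    ("10.10.64.0/24", "aws-direct-connect"),  # more-specific learned directly
]
POLICY_SCOPED = ["10.20.8.0/24", "10.10.64.0/20"]  # must be inspected
INSPECTION_HOP = "datacenter"


def parse(routes):
    return [(ipaddress.ip_network(p), hop) for p, hop in routes]


def next_hop(routes, dst):
    """Longest-prefix match, as an IP router selects a forwarding entry."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, h) for n, h in parse(routes) if addr in n]
    best = max(matches, key=lambda m: m[0].prefixlen, default=None)
    return best[1] if best else None


def audit(routes, scoped, inspection_hop):
    """Flag policy-scoped prefixes that are not fully steered to inspection."""
    table, findings = parse(routes), []
    for s in map(ipaddress.ip_network, scoped):
        # The best route covering the whole scoped prefix must be the backhaul.
        covering = [(n, h) for n, h in table if s.subnet_of(n)]
        best = max(covering, key=lambda m: m[0].prefixlen, default=None)
        if best is None or best[1] != inspection_hop:
            findings.append((str(s), "not-backhauled", best[1] if best else None))
        # Any more-specific route with another next hop wins LPM and bypasses it.
        for n, h in table:
            if n.prefixlen > s.prefixlen and n.subnet_of(s) and h != inspection_hop:
                findings.append((str(s), "more-specific-bypass", f"{n} via {h}"))
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTES, POLICY_SCOPED, INSPECTION_HOP):
        print(finding)
```

Running the same audit against the routes actually received from each cloud peer, and filtering inbound prefixes on the router to the expected ranges, keeps the backhaul policy from being overridden by an unexpected advertisement.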

While the most common way to connect workloads to different cloud environments is to use a VPN tunnel, a way that’s becoming increasingly common is to set up private connectivity with a virtual router like Megaport Cloud Router (MCR). These provide private connectivity and the security, reliability, and lower costs that come with not having to send data through the public internet. Plus, you won’t have to:

  • Hairpin your traffic back to your on-premises environment
  • Sign on to long-term contracts with your telco provider
  • Worry about device licensing
  • Add any extra equipment to turn up connectivity
  • Pay high AWS and Azure data transfer fees for egress data going through the internet.

If you want to scale your bandwidth needs, you can do it with a few clicks on the NaaS on-demand Software Defined Network (SDN) or you can even automate changes to your capacity needs through our API. The MCR is set up in the same physical location where the AWS and Microsoft Azure edges reside. In many cases, MCR and both cloud service providers are available on the same data center campus.

Let’s say you’re our customer again – that global retail brand. Your e-commerce store is hosted with AWS eu-central-1 (Frankfurt) with applications in Germany West Central with Azure. You want to route directly between the two clouds. The latency between the two cloud environments, privately connected via our virtual router, is just a one-to-four-millisecond round trip. This lowest-latency path between AWS and Azure, enabled by the MCR’s direct connection, means optimal application performance.

Using a virtual router like MCR is the best way to ensure smooth sailing when connecting multiple cloud workloads like those held in AWS and Azure. It’s private and protected, boosts performance (meaning fewer interruptions for not only you, but also your customers), and can cut costs by bringing your clouds and applications closer to you and each other.

connection diagram 4

Carrier Private IP-VPN

As some network carriers are also AWS and Azure partners, they can provide connectivity from their Private IP-VPN (Internet Protocol Virtual Private Network) solution. IP-VPNs use multiprotocol label switching (MPLS) technology to avoid connecting via public gateways. This technology has similar benefits to other private solutions including bolstered security, high availability, and improved performance. If your current carrier already provides this type of service to you, it may be worth looking into to accomplish this connectivity need.

The below diagram shows how an IP-VPN network can be used to connect Direct Connect to Microsoft ExpressRoute. With this architecture, the traffic between the two cloud providers will now traverse through your IP-VPN Provider Edge (PE) Router. Unlike the prior solutions discussed, this device is not physically or virtually managed by you.

connection diagram 5


Advantages of this approach:

  • Fully managed – The Layer 3 device (IP-VPN CE/PE) between your AWS and Azure clouds is fully managed, meaning you can leave maintenance to the experts.
  • Extension of service – As you may already have an agreement and relationship in place with both or one of the CSPs, the connection can be even quicker.
  • Ability to leverage – If you have other remote locations on the MPLS network, these could leverage the same connections to interface with AWS and Azure.


Disadvantages of this approach:

  • Higher cost – MPLS costs tend to be the most expensive option when connecting to cloud providers and usually come with a contract term commitment.
  • Time to deploy – While it will depend on the carrier, some still provision these connections in a legacy fashion. This may require several weeks or months to deploy connections, meaning a delay to your multicloud capabilities.
  • Control – All routing functionality, filtering, and security will be dependent on the carrier’s product capabilities, which may be limited, meaning you’ll have less oversight and customization over your data.

Weighing up the options

The most suitable AWS to Azure connection method for your business will depend on several factors, from your budget, to the type of applications involved, to network performance, speed, and bandwidth requirements. Using your data center as the hybrid or multicloud network node can be beneficial to enterprises that have an existing data center and want to more seamlessly connect their workloads. This solution also provides greater oversight and visibility over data migration.

Virtual Network Function (VNF), on the other hand, works best for those wanting a quick connection solution, as you can deploy the virtual network devices using your NaaS provider’s portal interface or API within minutes. And as it’s placed closer to the workload’s cloud region, you can enjoy higher network performance. Did we mention that this private cloud-to-cloud architecture can be deployed in an afternoon?
