Azure offers a robust set of networking services and tools. Connectivity options allow linking your datacenter, other Cloud environments, or remote users to Cloud resources. There are also a variety of services and tools that allow you to inspect, direct, and troubleshoot traffic.
This article focuses exclusively on Azure resources and offerings, and how they connect with both physical and Cloud environments. Windows Firewall, third-party VPN clients, and OS-level route tables are not covered, as these elements are not unique to the Azure experience.
Connecting existing environments to the Cloud is almost always the first step in a new deployment. This is so foundational that we automatically deploy a VPN Gateway with all new deployments as standard practice.
All VPNs we configure are IKEv2 IPsec. These provide route-based Site-to-Site tunneling, and Point-to-Site connectivity through the installation of the Azure VPN client on individual systems. Policy-based VPNs are possible in Azure, but they allow connectivity to only a single remote endpoint. Therefore, we do not recommend or support them.
ExpressRoute is a different type of VPN connectivity, which your Telco uses to connect your existing MPLS network to your Azure Cloud. There are several benefits to an ExpressRoute deployment over an IPsec VPN. ExpressRoute connections traverse the existing MPLS network internal to the Telco, increasing control and performance. ExpressRoute advertises BGP routes to all VNETs in a subscription (by default), and simplifies remote connectivity into your Azure deployment.
While an ExpressRoute may seem like the obvious choice, there are several things to be aware of. First is the cost. A regular VPN connection requires a VPN Gateway object. An ExpressRoute connection requires the VPN Gateway, an ExpressRoute circuit, and an additional connection with your Telco. These additional pieces incur significant additional costs.
Regarding performance, a Site-to-Site VPN connection starts at 650 Mbps (options scale beyond 1 Gbps). ExpressRoute connections are scoped by the circuit you purchase, so this becomes a cost tolerance consideration. ExpressRoute connections scale much higher, and you can create a connection of up to 10 Gbps.
The bandwidth that you choose for your ExpressRoute connection is allocated from the existing bandwidth provided by your ISP. ExpressRoute traffic crosses the same connection and does not add bandwidth above what you are already running. Your internet service bandwidth should accommodate both your ExpressRoute circuit and your other traffic to get the full benefit of the circuit's speed rating.
Azure delivers network security to secure traffic to and from your systems. Network Security Groups (NSGs) provide a set of inbound and outbound filters that can apply directly to the subnet or to the NIC of your VMs. Use these for filtering specific ports to and from specific locations. NSGs are somewhat analogous to a Windows Firewall-style rule set.
Azure also has a Firewall object that manages a rule set. Route tables on your subnets set the next hop to the private side of the firewall object. Firewalls have the advantage of being able to control all traffic through a single endpoint. They also allow more robust rule sets than NSGs, including the ability to control traffic to specific URLs.
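The two mechanisms just described work differently: an NSG is a prioritized filter list where the first matching rule wins and Azure's own default rules sit at the end, while a route table picks the effective route by longest prefix match and a user-defined 0.0.0.0/0 route is what steers traffic to the firewall's private IP. The following simplified model, added here as an illustration and not code from KAMIND IT or from Azure, evaluates a handful of constructed flows against both. The address ranges, the firewall private IP (10.0.1.4), the office range (203.0.113.0/24) and the approximation of the VirtualNetwork and AzureLoadBalancer service tags by fixed prefixes are all assumptions made for the example.

```python
"""Simplified model of how a subnet's NSG and route table act on a flow.

Constructed example: approximates Azure's published behaviour (priority order,
first match wins, default rules at 65000+, longest-prefix route selection).
It is not Azure's implementation and ignores service tags, ASGs and flow state.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules use 100-4096; lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or "*"
    dest_port: str     # "3389", "1000-2000" or "*"


def _cidr_matches(prefix: str, addr: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


# Azure's built-in default inbound rules. The VirtualNetwork tag is approximated by the
# constructed VNET range and AzureLoadBalancer by the platform probe address 168.63.129.16.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "10.0.0.0/16", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "168.63.129.16/32", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules: RDP only from the office range, explicit deny for everyone else.
CUSTOM_INBOUND = [
    NsgRule("AllowRdpFromOffice", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389"),
    NsgRule("DenyRdpFromAnywhere", 110, "Inbound", "Deny", "Tcp", "*", "3389"),
]
WORKLOAD_NSG = CUSTOM_INBOUND + DEFAULT_INBOUND


def evaluate_nsg(rules: List[NsgRule], direction: str, protocol: str,
                 src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) of the first matching rule in ascending priority order."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if _cidr_matches(r.source, src_ip) and _port_matches(r.dest_port, dst_port):
            return r.access, r.name
    # Unreachable when the default rules are present: DenyAll at 65500 matches everything.
    raise ValueError("no rule matched")


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str           # "VnetLocal", "Internet", "VirtualAppliance", "None"
    next_hop_ip: Optional[str] = None


# Constructed route table for the workload subnet: the VNET system route plus a UDR that
# sends everything else to the firewall's private IP instead of straight to the Internet.
WORKLOAD_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal"),
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),
]


def lookup_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst_ip is the effective one."""
    best: Optional[Tuple[int, Route]] = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


if __name__ == "__main__":
    flows = [("203.0.113.7", 3389), ("198.51.100.9", 3389), ("10.0.2.5", 443), ("198.51.100.9", 443)]
    for src, port in flows:
        print(f"inbound {src}:{port} -> {evaluate_nsg(WORKLOAD_NSG, 'Inbound', 'Tcp', src, port)}")
    for dst in ("10.0.2.5", "8.8.8.8"):
        r = lookup_route(WORKLOAD_ROUTES, dst)
        print(f"outbound to {dst} -> {r.next_hop_type} {r.next_hop_ip or ''}".rstrip())
```

The two points worth noticing when reading the output are that the explicit deny at priority 110 is what stops RDP from arbitrary addresses (without it the flow would fall through to DenyAllInBound anyway, but an explicit rule makes the intent visible and shows up in NSG flow logs by name), and that the 0.0.0.0/0 UDR is less specific than the VNET route, so intra-VNET traffic still bypasses the firewall unless a more specific route for the VNET range also points at the appliance.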
If you need more robust control of your connectivity and traffic, Azure supports Network Virtual Appliances (NVAs). There are a variety of virtual firewalls to deploy, including products such as FortiGate. These operate almost identically to their physical counterparts. NVAs can be used as the internal gateway for your Azure environment, and they can be used to create VPN tunnels, provide NAT, and perform all other standard firewall functions.
In addition to the standard packet inspection and traffic control that you can do with an NVA, Azure also provides a variety of tools in the portal to troubleshoot network traffic. Virtual network gateways (VNGs) have a VPN troubleshooter, while VNETs have Connection Monitor and a connection troubleshooter. As with all Azure assets, metrics and alerts can be configured to cover just about any need.
Determining the right solution for your needs in the face of all these options can be challenging. A good rule of thumb is to start with the simplest design and add complexity as required. Considering design requirements up front saves reconfiguration later. Adding complexity is always a balance of technical requirements, performance, and cost. Increased complexity generally adds direct spend and simultaneously increases support overhead.
KAMIND IT can help you analyze your business and technical needs and come up with the most cost-effective and supportable networking design for your deployment. Please talk to your account representative to discuss options and arrange a technical review as appropriate.