Azure ExpressRoute: All you should know
Imagine an organization that has begun migrating resources to Azure. The organization has systems that need to communicate between an on-premises network and Azure, and it doesn’t want this traffic traversing the internet. These applications have higher bandwidth requirements and need to have consistent network performance. The organization also uses Office 365. It wants to reduce traffic over the internet and send this traffic over a dedicated connection to Azure.
In this article my goal is to share important information about ExpressRoute and help you understand why Azure ExpressRoute presents a valid option to connect your on-premises networks to the Microsoft cloud.
Azure ExpressRoute service extends your on-premises networks into the Microsoft cloud. Connections are made over a private high-bandwidth connection. The ExpressRoute service provides a secure and reliable way to connect your on-premises network directly to Azure. ExpressRoute enables direct access to Microsoft Office 365, Microsoft Dynamics 365, Azure compute services, such as Azure Virtual Machines, Azure cloud services, such as Azure Cosmos DB and Azure Storage.
Consider using the Azure ExpressRoute service in the following scenarios:
- Low-latency connectivity to services in the cloud. In these situations, eliminating or reducing the network overhead will have a significant impact on the performance of your applications.
- Accessing high-volume systems in the cloud that consume or produce massive volumes of data quickly. ExpressRoute can move data around rapidly, with high reliability.
- Consuming Microsoft Cloud Services, such as Office 365 and Dynamics 365. ExpressRoute is especially useful if your organization has a large number of users who need to access these services concurrently.
- Organizations that have migrated large-scale on-premises systems to Azure. Using ExpressRoute helps ensure that the results of the migrations are seamless for on-premises clients. They should notice no drop in performance. They might even experience some improvement if the previous on-premises systems were restricted by network bandwidth.
- Situations where data should not traverse the public internet for security reasons.
- Large datacenters, with a high number of users and systems accessing SaaS offerings.
ExpressRoute provides Layer 3 (address-level) connectivity between your on-premises network and the Microsoft cloud through connectivity partners. These connections can be from a point-to-point, any-to-any network, or they can be virtual cross-connections through an exchange. Each connectivity provider uses redundant devices to ensure that connections established with Microsoft are highly available. You can configure multiple circuits to complement this feature. All redundant connections are configured with Layer 3 connectivity to meet SLAs. ExpressRoute connections don’t go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
With Azure ExpressRoute you will get the following additional benefits:
- You can enable ExpressRoute Global Reach to exchange data across your on-premises sites by connecting your ExpressRoute circuits.
- ExpressRoute is supported across all regions and locations. To implement ExpressRoute, you need to work with an ExpressRoute partner. The partner provides the edge service: an authorized and authenticated connection that operates through a partner-controlled router.
- Use Microsoft peering to connect to Azure PaaS services, Office 365 services, and Dynamics 365.
- Up to 10 virtual networks can be linked to an ExpressRoute circuit, but these virtual networks must be in the same geopolitical region as the ExpressRoute circuit.
- You can link a single virtual network to four ExpressRoute circuits if necessary.
- The ExpressRoute circuit can be in the same subscription to the virtual network, or in a different one.
- Dynamic routing between your network and Microsoft via BGP.
- You can increase the ExpressRoute circuit bandwidth (on a best effort basis) without having to tear down your connections.
- Microsoft guarantees a minimum of 99.95 percent availability for an ExpressRoute dedicated circuit.
It is also important to consider the following limitations while using Azure ExpressRoute:
- Even if you have an ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent over the public internet.
- ExpressRoute does provide private connectivity, but it isn’t encrypted.
- Use private peering to connect to Azure IaaS and PaaS services deployed inside Azure virtual networks. The resources that you access must all be located in one or more Azure virtual networks with private IP addresses. You can’t access resources through their public IP address over a private peering.
Before you can connect to Microsoft cloud services by using ExpressRoute, you need to have:
- An ExpressRoute connectivity partner or cloud exchange provider that can set up a connection from your on-premises networks to the Microsoft cloud.
- You can purchase ExpressRoute circuits for a wide range of bandwidths (starting from 50 Mbps to 10 Gbps). Be sure to check with your connectivity provider to determine the bandwidths they support.
- An Azure subscription that is registered with your chosen ExpressRoute connectivity partner.
- An active Microsoft Azure account that can be used to request an ExpressRoute circuit.
- An active Office 365 subscription, if you want to connect to the Microsoft cloud and access Office 365 services.
- Ensure that BGP sessions for routing domains have been configured. Depending on your partner, this might be their or your responsibility. Additionally, for each ExpressRoute circuit, Microsoft requires redundant BGP sessions between Microsoft’s routers and your peering routers.
- You or your providers need to translate the private IP addresses used on-premises to public IP addresses by using a NAT service. Microsoft will reject anything except public IP addresses through Microsoft peering.
- Reserve several blocks of IP addresses in your network for routing traffic to the Microsoft cloud. You configure these blocks as either a /29 subnet or two /30 subnets in your IP address space. One of these subnets is used to configure the primary circuit to the Microsoft cloud, and the other implements a secondary circuit. You use the first address in these subnets to communicate with services in the Microsoft cloud. Microsoft uses the second address to establish a BGP session.
Microsoft also provides an ultra-high-speed option called ExpressRoute Direct. This service enables dual 100-Gbps connectivity. It’s suitable for scenarios that involve massive and frequent data ingestion. It’s also suitable for solutions that require extreme scalability, such as banking, government, and retail. FastPath doesn’t support virtual network peering (where you have virtual networks connected together). It also doesn’t support user-defined routes on the gateway subnet. You can also enable ExpressRoute Premium, which provides cross-region accessibility. For example, if you access Microsoft through ExpressRoute in Germany, you’ll have access to all Microsoft cloud services in all regions globally.
You can pick a billing model that works best for you. Choose between the billing models listed as followed.
- Unlimited data. Billing is based on a monthly fee; all inbound and outbound data transfer is included free of charge.
- Metered data. Billing is based on a monthly fee; all inbound data transfer is free of charge. Outbound data transfer is charged per GB of data transfer. Data transfer rates vary by region.
- ExpressRoute premium add-on. ExpressRoute premium is an add-on to the ExpressRoute circuit. The ExpressRoute premium add-on provides the following capabilities:
- Increased route limits for Azure public and Azure private peering from 4,000 routes to 10,000 routes.
- Global connectivity for services. An ExpressRoute circuit created in any region (excluding national clouds) will have access to resources across every other region in the world. For example, a virtual network created in West Europe can be accessed through an ExpressRoute circuit provisioned in Silicon Valley.
- Increased number of VNet links per ExpressRoute circuit from 10 to a larger limit, depending on the bandwidth of the circuit.
For more information on ExpressRoute, see the following articles on Microsoft Docs:
Disclaimer: I work for Microsoft & my opinions are my own.