Microsoft recently announced partnerships with AT&T, Level 3 and Equinix to introduce a new WAN solution to connect on-premise clouds with Microsoft Azure via Multiprotocol Label Switching (MPLS) networks. It appeared that the rest of the world would enviously watch on as Microsoft focused (once again) on the home market in the USA. Last night, Microsoft announced new partnerships with BT and Verizon.
Connectivity to Microsoft Azure
There are three ways that you can connect to services in Azure: public connection, site-to-site VPN, and Azure ExpressRoute.
You can create endpoints in your cloud service(s), which is like punching holes through the Azure firewall into your virtual network(s). This is a publicly accessible connection that you optionally secure.
This option should normally only be used for services that you want to make available to the public. Typical examples would be HTTP or HTTPS services, or maybe RemoteFX (Remote Desktop) for desktop-as-a-service (DaaS). You would not use endpoints for internal or secure communications.
This is a private and encrypted channel across the public Internet. This option allows you to extend your networking into the virtual network(s) that you deploy within Azure. You can route quite happily between your Azure virtual network(s) and your private on-premise networks without opening up any holes in security boundaries and all data will be secured by the VPN tunnel.
There are some downsides to the site-to-site VPN option. The VPN tunnel traverses the public Internet. That means the stability and bandwidth of the connection is subject to the many variables between your network edge and Microsoft’s data center(s). Try running a tracert between you and an Azure cloud service to see how many ISPs and countries you might hop across!
The other issue affects larger multisite businesses that are deploying internal-facing services in Microsoft Azure instead of a local data center. Imagine that you have 20 branch offices in your WAN. You then have a primary VPN (from Site A) and failover (from Site B) site-to-site VPN connections into Microsoft Azure. Every branch office will route to Microsoft Azure via Site A, and this creates a choke point on your WAN and on the Site A Internet connection.
ExpressRoute is a new option that enables private connectivity to your cloud services in Microsoft Azure. You can add Azure to an MPLS WAN; your cloud services in Azure appear on the WAN and route like other sites. The choke point is removed, and the reliance on any one or two sites is removed.
You can also connect to Azure from an Express Route location. This is a peered service provider or data center.
One interesting scenario that some ExpressRoute partners could offer is the ability to add not just Azure, but also other public clouds or hosted private clouds appear as sites on your WAN. Now that is hybrid cloud computing!
Using an MPLS network gives you a private and secure connection to your services within Azure. But the biggest benefit is that you are now using a managed network that is subject to a service level agreement (SLA) from the ISP. This means that true hybrid cloud computing can be depended upon. Storage that is store remotely will have predictable performance. N-tier applications that span data centers can perform at expected levels without the vagaries of the Internet.
Up until now there didn’t appear to be any clear statements on the future schedule of ExpressRoute availability for the Microsoft data centers located outside of the United States. However, the BT announcement says that the “service is due to go live in summer 2014 in Europe through direct network connectivity to Microsoft Azure data centres in Dublin and Amsterdam.” This refers to the Europe North (Dublin) and Europe West data centers. They go on to say that this “will be followed by connections in Asia, then by additional locations around the world”.
I would expect that most small/medium enterprises will continue to use site-to-site VPN connectivity into Microsoft Azure. Larger businesses that operate an MPLS WAN will opt to use ExpressRoute assuming that their ISP is a partner, and importantly, both the ISP and Microsoft don’t screw up the pricing.