Skip to content

Latest commit

 

History

History
94 lines (80 loc) · 4.77 KB

3.2.1. Networking - Hybrid Connections (Site-to-Site VPN & ExpressRoute).md

File metadata and controls

94 lines (80 loc) · 4.77 KB

Hybrid Connections

Site-to-Site VPN Connections

  • A Site-to-Site (S2S) connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
    • Azure-provided name resolution
      • No configuration, azure based address
      • Name resolution that uses your own DNS server
  • 📝 In order to do it with on-prem, following steps are followed:
    1. Create a new custom VNet and gateway subnet
      • Deploy VNet (addresses should be free on-prem)
    2. Create a VPN Gateway
      • Deploy Gateway Subnet in VNet
      • Deploy VPN Gateway
        • Settings:
          • VPN type
            • Policy based = static routing
            • Route based = dynamic routing
              • Most VPNs are route based.
          • SKU: Affects number of tunnels and the aggregate throughput benchmark.
          • Virtual Networks: Associate VNet with gateway.
            • Each VNet requires its own VPN gateway.
      • You can see IP address in portal after deployment.
    3. Add a local site (Local network gateway)
      • +Create a resource => Local network gateway
      • Register IP address and address space of on-prem network.
        • So the routing table can be built by Azure.
    4. Configure a VPN device
      • Microsoft lists VPN devices that works well with Azure
        • e.g. Cisco, Juniper, Ubiquiti, and Barracuda Networks.
      • Download & run configuration script for the VPN device.
    5. Create VPN connection
      • VNet Resource -> Overview -> Connected devices -> VPN Gateway > Connections > +Add
        • Connection type: Select Site-to-site(IPSec)
        • Shared Key: use key from your device or generate key & use in both places
    6. Verify VPN connection
      • In Connection object you should see "Succeeded"

ExpressRoute

  • With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Microsoft 365, and CRM Online.
  • ExpressRoute connections do not go over the public Internet.
    • More reliable, faster speeds, lower latencies, higher security.
  • Good for scenarios like periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies

ExpressRoute pricing

  • You pay for Circuit bandwidth (50 MBPS to 10 50 etc)
  • If you choose metered not unlimited => Writing to Azure is free, fetching from Azure costs per GB
  • ❗ You can have up to 10 virtual networks connections on a standard ExpressRoute circuit, and up to 100 on a premium ExpressRoute circuit.

ExpressRoute connection options

  • Connectivity providers can offer one or more connectivity models.
  • Features and capabilities are identical.
  • CloudExchange Co-location (Layer 2: Data-link, or Layer 3: Network)
    • If you're in a facility with a cloud exchange, you can use their ethernet exchange.
  • Point-to-point ethernet connection (Layer 2: Data-link, or Layer 3: Network)
  • Any-to-any (IPVPN) Connection (typically Layer 3: Network)
    • You can integrate your WAN with Microsoft cloud.
      • WAN: Wide area network, geographically distributed private telecommunications network that interconnects multiple LANs.
    • Microsoft cloud can be connected to WAN like any other office branch.

ExpressRoute creation

  1. On portal select "Resources" => "Create ExpressRoute circuit"
  2. Select connectivity provider (Telia etc)
  3. Bandwidth => You can always increase, recommended to start low
  4. Billing model => Unlimited (flat fee), metered (pay only for data transfer outside Microsoft network, egress)
  5. Deployment is done => Microsoft is open to connections
  6. Then you enable connection on your side & configure via service key provided in Azure

ExpressRoute monitoring

  • Within Log Analytics you have NPM: Network Performance Monitor.
  • Enables you to monitor
    • throughput, latency, packet loss across various VNets
    • All paths in network in a network map, see latencies across the hubs
  • Requires installation of Log Analytics Agent
    • Both on Azure VMs and on-prem in at least one server of each VNet.
  • Can be integrated with SCOM (System Center Operations Management)
    • It works with Microsoft Windows Server and Unix-based hosts.
    • The agent watches several sources on that computer, including the Windows Event Log

Co-existence of ExpressRoute and Site-to-site

  • Why?
    • You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute
    • Site-to-Site VPNs to connect to sites that are not part of your network, but that are connected through ExpressRoute
      • Requires two gateways, one type of VPN, other one type of ExpressRoute.
  • ❗ Limitations
    • Transit routing is not supported.
      • You cannot route (via Azure) between your local network connected via Site-to-Site VPN and your local network connected via ExpressRoute.
      • Transit routing is supported when VNets are peered instead.