What is Azure ExpressRoute, and How Do I Get Started?
In this blog we will try to answer some of the most common questions that come to mind for every customer who is planning a cloud journey and trying to understand how to lay the right foundation for their workloads in the cloud.
So what is Azure ExpressRoute?
Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.
Microsoft provides 3 types of connectivity with a single ExpressRoute circuit, as explained in the diagram below, to services like O-365, Azure VNET, or Azure PaaS services accessed via public IP address.
Why do you need it?
ExpressRoute is like a toll road: you pay a bit extra, but you get reliable, predictable performance for your latency-sensitive enterprise-level applications, and it provides a secure passage for data without traversing the wild world of the Internet.
Benefits of Azure ExpressRoute?
ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.
Key benefits include:
- Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
- Connectivity to Microsoft cloud services across all regions in the geopolitical region.
- Global connectivity to Microsoft services across all regions with ExpressRoute premium add-on.
- Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
- Built-in redundancy in every peering location for higher reliability.
- Connection uptime SLA.
- QoS and support for multiple classes of service for special applications, such as Skype for Business.
Some Hidden Facts about ExpressRoute
- When you order ExpressRoute, it comes with a redundant circuit by nature, so you don't have to order 2 for redundancy; that is how Microsoft provides the SLA behind it.
- The size of an ExpressRoute circuit can range from as small as 50 Mbps to 10 Gbps, and once the circuit is up and running, you can increase its bandwidth without having to tear it down.
- Elasticity of ER bandwidth: the bandwidth limit is basically a software-defined config that the customer controls on the Azure side and the network provider controls on their end. Changes up or down should take a few hours/days, not weeks, to provision.
- The ExpressRoute plan can be changed anytime from Metered to Unmetered.
- Read the FAQ about ExpressRoute here
What is the process to get started?
At a high level, the picture below provides an overview of the steps involved in ordering ExpressRoute with both your partner and Microsoft.
What are all parties involved in planning for ExpressRoute?
Typically you will need the following teams involved in planning, ordering and deploying:
1) Customer network team and/or sysadmin team with some PowerShell experience
2) Customer procurement team to engage with your service provider
3) ExpressRoute service provider team (such as AT&T, Equinix, Verizon, Level3 etc.). The list of all providers and their locations is here, and/or
4) Your Microsoft account team in some complex scenarios; if you follow the above documentation for the exact step-by-step guide, you will rarely need the Microsoft team for a standard ExpressRoute deployment.
What is the alternative to ExpressRoute?
1) Site-to-Site VPN is a good alternative to ExpressRoute to get started and to build secure connectivity between customer premises or a data center and Azure, and many options are available to build a secure encrypted tunnel:
a) Azure VPN Gateway (as of this writing, limited to max 200 Mbps), or
b) Azure Marketplace offerings such as Barracuda and Cisco (which go beyond the 200 Mbps Azure gateway limit and, depending on the specific model you choose to deploy, can go as high as 1 Gbps), and many other options from Azure Marketplace to choose from.
They all come with some good features and limitations, but it is generally a first step for many customers to jump-start their connectivity to the cloud and, in parallel, work on ExpressRoute for large workload deployments in the cloud as they outgrow S2S VPN capabilities, or use S2S as a fallback to ExpressRoute for redundancy.
Note: Because Site-to-Site VPN runs over the Internet, your network performance is still not as reliable or predictable as ExpressRoute, so if your application and security needs are met you can certainly use S2S VPN for secure connectivity to the cloud.
2) Customers in the education sector specifically also have the option to use Internet2 as an alternative to ExpressRoute in certain scenarios. The advantages of using Internet2 are described in an additional blog here.
The Internet2 NET+ Azure service is a focused effort between Microsoft and Internet2 to support the use of cloud infrastructure for academic research and instruction.
Azure services meet many higher education compliance needs (e.g. FERPA, HIPAA – see http://azure.microsoft.com/en-us/support/trust-center/compliance/).
What about encryption? Is my data encrypted in transit when I use ExpressRoute?
The short answer is no, but there are certain requirements, such as compliance, that mandate your data be encrypted in transit, and you certainly can do that on top of ExpressRoute.
There are various ways to encrypt your data on top of ExpressRoute, and we will discuss some below:
- Build a secure IPsec tunnel over ExpressRoute; an example from one of our partners, Barracuda, is here, designed for this specific use case.
- You can use tools like SSH tunneling or scp at the application or database layer to encrypt data before it transits across the wire.
- You may be able to explore more options with your ExpressRoute provider and sign up for an additional service if they provide encryption on the logical circuit they offer.
What is my Total Cost of Ownership for Azure ExpressRoute?
ExpressRoute is offered in 2 models, Metered and Unmetered data plans, with a Premium add-on available for either data plan.
To calculate your total cost of ExpressRoute, you need to consider the following:
1) Contact your service provider about the Azure connection and get their port fee and connectivity fee; typically you will have a one-time cost and a monthly ongoing cost from the service provider (service provider fees).
2) Estimate your charges from Microsoft based on the size and location of your ER. See pricing here, or contact your Microsoft account team for your specific quote. The fee is typically monthly and ongoing, based on the data plan you select.
Charge from your ER service provider + ER charges from Microsoft based on the plan above = total cost of ExpressRoute on a monthly basis
Where can I get more information and learn about ExpressRoute?