Choose a solution for connecting an on-premises network to Azure

This article compares options for connecting an on-premises network to an Azure Virtual Network (VNet). For each option, a more detailed reference architecture is available.

VPN connection

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location. The encrypted traffic goes over the public Internet.

This architecture is suitable for hybrid applications where the traffic between on-premises hardware and the cloud is likely to be light, or you are willing to trade slightly extended latency for the flexibility and processing power of the cloud.

Benefits

  • Simple to configure.
  • Much higher bandwidth available; up to 10 Gbps depending on the VPN Gateway SKU.

Challenges

  • Requires an on-premises VPN device.
  • Although Microsoft guarantees 99.9% availability for each VPN Gateway, this SLA only covers the VPN gateway, and not your network connection to the gateway.

Reference architecture

Azure ExpressRoute connection

ExpressRoute connections use a private, dedicated connection through a third-party connectivity provider. The private connection extends your on-premises network into Azure.

This architecture is suitable for hybrid applications running large-scale, mission-critical workloads that require a high degree of scalability.

Benefits

  • Much higher bandwidth available; up to 10 Gbps depending on the connectivity provider.
  • Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand. However, not all connectivity providers have this option.
  • May allow your organization direct access to national clouds, depending on the connectivity provider.
  • 99.9% availability SLA across the entire connection.

Challenges

  • Can be complex to set up. Creating an ExpressRoute connection requires working with a third-party connectivity provider. The provider is responsible for provisioning the network connection.
  • Requires high-bandwidth routers on-premises.

Reference architecture

ExpressRoute with VPN failover

This options combines the previous two, using ExpressRoute in normal conditions, but failing over to a VPN connection if there is a loss of connectivity in the ExpressRoute circuit.

This architecture is suitable for hybrid applications that need the higher bandwidth of ExpressRoute, and also require highly available network connectivity.

Benefits

  • High availability if the ExpressRoute circuit fails, although the fallback connection is on a lower bandwidth network.

Challenges

  • Complex to configure. You need to set up both a VPN connection and an ExpressRoute circuit.
  • Requires redundant hardware (VPN appliances), and a redundant Azure VPN Gateway connection for which you pay charges.

Reference architecture

Hub-spoke network topology

A hub-spoke network topology is a way to isolate workloads while sharing services such as identity and security. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub. Shared services are deployed in the hub, while individual workloads are deployed as spokes.

Reference architectures