Connections
Connecting the available resources is a central concern in cloud computing. The connection between the on-premises infrastructure and the cloud environment plays an important role in day-to-day IT operations, because it lets you exploit the synergies between your own infrastructure and the cloud.
The requirements of the specific case must be taken into account with regard to latency, bandwidth and, above all, secure communication. In my latest blog article I show you the ways of setting up a connection between your on-premises home constellation and the constellations of the cloud infrastructure.
Connecting to new constellations
“What’s with the ‘worm’ part? The worm thing. I-I don’t get that.” – O’Neill
Wormhole connection technologies
There are two basic types of technologies for connecting Azure resources:
(IPsec) VPN:
VPNs are encrypted point-to-point connections (tunnels) across the internet. They protect the information flow against unauthorized reading of the data and enable a secure connection between remote networks (distant “constellations”) despite the use of the public network.
[Figure – Source: Microsoft/own representation]
Express route:
Express routes are private connections between different locations; the data traffic does not flow through the internet. Express routes are redundant by default and offer very low latencies at high bandwidths.
[Figure – Source: Microsoft/own representation]
While both connection types require gateways, not every connection type is recommended for every application case.
There is no place like
Establishing a site-to-site (S2S) VPN between Azure and your on-premises environment requires setting several parameters, and they must be the same on both ends. Required are the remote and local gateway addresses (the target and home coordinates), the IKE version (Internet Key Exchange), the networks to be reached behind the gateway (the “stargate”), and the parameters for phase 1 (key exchange) and phase 2 (data exchange).
An IPsec connection to Azure provides the following features:
- Secure (encrypted) connection (contemporary algorithms selectable)
- Azure VPN gateways are maintained and kept up to date by Microsoft (hence less administrative work)
- Policy-based and route-based routing
- High availability and guaranteed uptimes (SLA)
- Central monitoring of traffic
- Maximum bandwidth of 1.25 Gbps
Connection via an Azure S2S VPN is suitable for most application cases and significantly less expensive than connection by express route. If no requirements prohibit data traffic flow via a public channel (the internet), and no unusually high bandwidths (> 1.25 Gbps) or very low latencies are required, you should choose an S2S connection.
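The parameters listed above only work when both ends agree on them, and a mismatch in one phase 1 or phase 2 value is the most common reason an S2S tunnel never comes up. The script below is an added example, not code from the original article or from Microsoft: it models both gateways with Azure's own IPsec/IKE policy field names (ikeEncryption, dhGroup, pfsGroup, ...), compares the two ends, and flags algorithms that should no longer be negotiated. The gateway addresses, prefixes and proposals are constructed sample values, and the list of weak choices is my own conservative assumption, not an Azure list.

```python
"""Compare both ends of a site-to-site IPsec VPN and flag weak choices.

Added example, not part of the original article. All addresses, prefixes and
proposal values below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Algorithms and groups that should no longer be negotiated. Assumption: a
# conservative hardening list chosen for this example, not an Azure list.
WEAK_CHOICES = {"DES", "3DES", "MD5", "SHA1",
                "DHGroup1", "DHGroup2", "DHGroup5", "PFS1", "PFS2"}


@dataclass
class VpnEndpoint:
    name: str
    gateway_ip: str            # public address of this gateway
    peer_ip: str               # public address of the other gateway
    ike_version: str           # "IKEv1" or "IKEv2"
    local_prefixes: set[str]   # networks behind this gateway
    remote_prefixes: set[str]  # networks expected behind the peer
    phase1: dict[str, str]     # IKE proposal (key exchange)
    phase2: dict[str, str]     # IPsec proposal (data exchange)
    sa_lifetime_seconds: int


def check_pair(a: VpnEndpoint, b: VpnEndpoint) -> list[str]:
    """Return a list of findings; an empty list means the two ends agree."""
    findings: list[str] = []
    # Each side must point at the other's public address.
    if a.peer_ip != b.gateway_ip:
        findings.append(f"{a.name}: peer {a.peer_ip} is not {b.name}'s gateway {b.gateway_ip}")
    if b.peer_ip != a.gateway_ip:
        findings.append(f"{b.name}: peer {b.peer_ip} is not {a.name}'s gateway {a.gateway_ip}")
    if a.ike_version != b.ike_version:
        findings.append(f"IKE version differs ({a.name}={a.ike_version}, {b.name}={b.ike_version})")
    # The networks one side advertises as local must be what the other expects as remote.
    if a.local_prefixes != b.remote_prefixes:
        findings.append(f"{a.name} local prefixes do not match {b.name} remote prefixes")
    if b.local_prefixes != a.remote_prefixes:
        findings.append(f"{b.name} local prefixes do not match {a.name} remote prefixes")
    # Phase 1 and phase 2 proposals are compared field by field.
    for phase, pa, pb in (("phase 1", a.phase1, b.phase1), ("phase 2", a.phase2, b.phase2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                findings.append(f"{phase}: {key} differs ({a.name}={pa.get(key)}, {b.name}={pb.get(key)})")
    if a.sa_lifetime_seconds != b.sa_lifetime_seconds:
        findings.append("SA lifetime differs")
    return findings


def weak_choices(ep: VpnEndpoint) -> list[str]:
    """Return the proposal fields of one endpoint that use a weak algorithm or group."""
    return sorted(f"{k}={v}" for d in (ep.phase1, ep.phase2)
                  for k, v in d.items() if v in WEAK_CHOICES)


# Constructed sample endpoints (documentation address ranges, not real gateways).
ON_PREM = VpnEndpoint(
    name="on-prem", gateway_ip="203.0.113.10", peer_ip="198.51.100.20",
    ike_version="IKEv2",
    local_prefixes={"192.168.10.0/24"}, remote_prefixes={"10.1.0.0/16"},
    phase1={"ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14"},
    phase2={"ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS2"},
    sa_lifetime_seconds=27000,
)
AZURE = VpnEndpoint(
    name="azure", gateway_ip="198.51.100.20", peer_ip="203.0.113.10",
    ike_version="IKEv2",
    local_prefixes={"10.1.0.0/16"}, remote_prefixes={"192.168.10.0/24"},
    phase1={"ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14"},
    phase2={"ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS14"},
    sa_lifetime_seconds=27000,
)
# The same on-premises endpoint after aligning its PFS group with the Azure side.
ON_PREM_FIXED = VpnEndpoint(
    **{**ON_PREM.__dict__, "phase2": {**ON_PREM.phase2, "pfsGroup": "PFS14"}}
)

if __name__ == "__main__":
    for finding in check_pair(ON_PREM, AZURE):
        print("MISMATCH:", finding)
    for ep in (ON_PREM, AZURE):
        for weak in weak_choices(ep):
            print(f"WEAK ({ep.name}):", weak)
    print("after fix:", check_pair(ON_PREM_FIXED, AZURE) or "both ends agree")
```

In the sample data the only mismatch is the phase 2 PFS group, and the on-premises side additionally uses a weak group (PFS2), so the fix is to raise the on-premises value rather than lower the Azure side to match. On the Azure side these are the values you set with a custom IPsec/IKE policy on the connection; the on-premises values come from your own gateway's configuration.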
Unlike an IPsec VPN, express route connections do not transmit data through public channels, but through a backbone network of Microsoft and its partners. The partners perform the peering between your locations (your home worlds) and the partner locations (the partner planets), and from there to the Azure networks.
Express route connections include the following features:
- Layer 3 connections (BGP – dynamic routing)
- Private connections with low latencies
- High availability and guaranteed uptimes (SLA)
- Connection to Azure services across the entire geopolitical region
- Bandwidth up to 10 Gbps available
If the requirements demand a private connection, or a connection with very low latencies and unusually high bandwidths (up to 10 Gbps), an express route connection is recommended. VPN connections can also terminate on an express route gateway (the “stargate”).
Ancient gods
Author: Dominic Iselt, IT Security Engineering Expert