Networking in a Hybrid Cloud
A traditional multi-site on-premises network may require connecting several regional offices to headquarters. Similarly, networking in a hybrid cloud involves using appropriate technologies to seamlessly interconnect users, applications, and data on-premises with applications and data hosted in the cloud.
In our scenario, Tailwind Traders must be able to securely connect its on-premises locations to the resources it runs in Azure. For Tailwind Traders’ staff, there should be no real difference between accessing a workload running in a Tailwind Traders on-premises data center and one running in Azure.
In this unit, you will learn about the networking technologies that link on-premises and cloud resources into a single hybrid cloud.
What is an Azure VPN?
An Azure VPN gateway allows you to connect your on-premises network to Azure using a secure VPN tunnel over the public internet. Azure VPN connections are similar to traditional VPN connections that may exist between a regional office and headquarters.
Each virtual network can have a single VPN gateway, but each VPN gateway can support multiple connections.
The following image shows a connection between the edge gateway device of an on-premises network and a VPN gateway on an Azure virtual network. It illustrates the connection between an Azure Stack device and a VPN gateway.
Networking in a Hybrid Cloud
In the Tailwind Traders example, the company could use Azure VPN gateways to enable connections from small regional offices that do not require the type of dedicated link provided by an Azure ExpressRoute connection.
The main drawback of Azure VPN gateways is that they depend on your Internet Service Provider (ISP) connection. If your ISP experiences an outage, VPN connections cannot be established. Likewise, if your ISP is heavily congested, the speed of the VPN connection between an on-premises site and Azure may be degraded.
Organizations that already have VPN connections between their regional sites are already familiar with the challenges associated with dedicated VPN connections.
What is Azure ExpressRoute?
Microsoft Azure ExpressRoute allows an organization to have a dedicated, private, high-speed connection between its on-premises network and Azure. This connection does not traverse the public internet. Functionally, it is a dedicated fiber-optic line running directly from an on-premises site to the nearest Azure data center.
Unlike a VPN gateway, the ExpressRoute provider manages the equipment that provides this connection. Because the provider manages all the equipment, it can offer a Service Level Agreement (SLA) in terms of reliability and bandwidth, which is not possible with Azure VPN connections.
The following image shows the ExpressRoute connection between the on-premises environment and workloads running in Azure. The ExpressRoute provider manages the ExpressRoute circuit and the local edge routers.
Networking in a Hybrid Cloud
In the Tailwind Traders example, the company could use Azure VPN gateways to enable connections from small regional offices that do not require the type of dedicated link provided by an Azure ExpressRoute connection.
The main drawback of Azure VPN gateways is that they depend on your Internet Service Provider (ISP) connection. If your ISP experiences an outage, VPN connections cannot be established. Likewise, if your ISP is heavily congested, the speed of the VPN connection between an on-premises site and Azure may be degraded.
Organizations that already have VPN connections between their regional sites are already familiar with the challenges associated with dedicated VPN connections.
What is Azure ExpressRoute?
Microsoft Azure ExpressRoute allows an organization to have a dedicated, private, high-speed connection between its on-premises network and Azure. This connection does not traverse the public internet. Functionally, it is a dedicated fiber-optic line running directly from an on-premises site to the nearest Azure data center.
Unlike a VPN gateway, the ExpressRoute provider manages the equipment that provides this connection. Because the provider manages all the equipment, it can offer a Service Level Agreement (SLA) in terms of reliability and bandwidth, which is not possible with Azure VPN connections.
The following image shows the ExpressRoute connection between the on-premises environment and workloads running in Azure. The ExpressRoute provider manages the ExpressRoute circuit and the local edge routers.
Azure DNS Private Resolver
As an alternative, Azure DNS Private Resolver is a service that allows querying Azure private DNS zones from an on-premises environment, and vice versa, without having to deploy DNS servers based on virtual machines. This private resolution service is fully managed and includes built-in high availability features.
Tailwind Traders can use Azure DNS Private Resolver to ensure that all workloads running in Azure can resolve the DNS names of hosts on Tailwind Traders’ internal network. It would also ensure that all hosts on Tailwind Traders’ internal network can resolve the DNS names of workloads running in the cloud.
What is Azure Virtual WAN?
Azure Virtual WAN allows an organization to use the Azure network in a hub-and-spoke architecture. The Azure network acts as a hub for transitive connectivity between endpoints that function as spokes.
Traditionally, you might have a network topology where each regional office has a VPN connection to the headquarters site. If traffic needs to pass from one regional office to another, it routes through the central site (hub).
If the headquarters and regional offices are all connected to Azure, either via VPN or ExpressRoute, these connections can form the spokes. Azure Virtual WAN can then act as the routing hub for traffic between on-premises locations.
The following image shows an Azure Virtual WAN topology.
Azure Virtual WAN
Azure Virtual WAN allows Tailwind Traders to no longer rely on VPN connections to link its regional offices and data centers in Sydney, Melbourne, and Auckland.
It provides a topology in which each office and data center has a VPN or ExpressRoute connection to Azure. The Azure Virtual WAN service manages the routing of traffic between the different locations.
