Misunderstanding in Microsoft Learn, Describe Azure ExpressRoute module

Aleksandra Sergeeva 20 Reputation points
2024-04-02T08:27:20.5133333+00:00

https://learn.microsoft.com/en-us/training/modules/describe-azure-compute-networking-services/11-expressroute

In the article above, in the last paragraph, "Security considerations", you state: "With ExpressRoute, your data doesn't travel over the public internet, so it's not exposed to the potential risks associated with internet communications." But the last sentence says: "Even if you have an ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent over the public internet."

To me it looks like the information is mismatching; could you please clarify?

Or I misunderstood something?


Accepted answer
    TP 95,556 Reputation points
    2024-04-02T08:34:40.2133333+00:00

    Hi Aleksandra,

    At first glance it does seem to be conflicting, however, what they are doing is warning you that depending on the workload you are running on client PCs and/or the configuration of the client, there may be certain traffic that gets sent to public Internet and/or Azure CDN.

    Please see the explanation I gave to someone else who asked essentially the same question as you below:

    With ExpressRoute, does data travel over the public internet?

    A: If someone asks this without any context, the short answer would be No. The long answer is, it depends on the specific workload/app as well as the client network configuration.

    For example, if an on-premises office had ExpressRoute for Microsoft 365, it would be understandable to think (at first) that no Internet would be needed since the client PCs could communicate with Exchange Online, SharePoint, etc., using ExpressRoute; however, public Internet access to DNS and the Content Delivery Network (CDN) is required.

    Please see diagram from this documentation page:

    [Diagram: ExpressRoute for Microsoft 365]

    I believe the above case is the primary reason why the "Security Considerations" paragraph is there, even though it can be true for other apps as well. As an aside, Microsoft doesn't recommend ExpressRoute for Microsoft 365 for most people, and thus authorization is required to use it.

    A simple example where no data would travel over the public Internet would be connecting to an Azure VM from an on-premises network using SSH. In this example you could connect to the private Azure IP from an on-premises PC with no need to use public DNS, CDN, check for certificate revocation using a public endpoint, etc.

    I mentioned client network configuration in my long answer because you could have the on-premises network configured to send all traffic through the ExpressRoute to servers in Azure and then out to the Internet (if needed). Or you could have a mix whereby some traffic that might normally go to the Internet is routed through the ExpressRoute link and other traffic still routes to the Internet.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

    1 person found this answer helpful.
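A worked illustration of the routing point made in the accepted answer, added here as an example; it is not part of the Q&A thread or of Microsoft's documentation. It models an on-premises router with longest-prefix-match forwarding and shows that whether DNS, CRL and CDN flows touch the public Internet is decided purely by the routing table: with a default route to the Internet they are exposed, with forced tunneling (default route into ExpressRoute) they are not. All prefixes, addresses and path labels are constructed placeholders (RFC 5737 documentation ranges), not real Azure or Microsoft 365 ranges.

```python
import ipaddress

# Constructed on-premises routing table: prefix -> next-hop path.
# The prefixes are illustrative placeholders, not real Microsoft ranges.
DEFAULT_ONPREM_ROUTES = {
    "10.20.0.0/16": "ExpressRoute (private peering)",      # assumed Azure VNet range
    "203.0.113.0/24": "ExpressRoute (Microsoft peering)",  # assumed M365 endpoint range
    "0.0.0.0/0": "Public Internet",                        # default route via on-prem firewall
}

# Forced-tunneling variant: the default route now points into ExpressRoute,
# so Internet-bound traffic egresses from Azure instead of the local firewall.
FORCED_TUNNEL_ROUTES = {
    **DEFAULT_ONPREM_ROUTES,
    "0.0.0.0/0": "ExpressRoute (then Azure egress)",
}

# Constructed client flows: (destination IP, description). The DNS, CRL and
# CDN destinations live outside every ExpressRoute-advertised prefix.
SAMPLE_FLOWS = [
    ("10.20.1.5", "SSH to Azure VM private IP"),
    ("203.0.113.10", "HTTPS to Microsoft 365 service endpoint"),
    ("198.51.100.53", "DNS query to public resolver"),
    ("198.51.100.80", "CRL download from public PKI endpoint"),
    ("192.0.2.44", "Azure CDN asset fetch"),
]


def longest_prefix_match(dst, routes):
    """Return the path for dst, choosing the most specific matching prefix
    exactly as a router's forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_path = None, None
    for prefix, path in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_path = net, path
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return best_path


def classify_flows(flows, routes):
    """Map every sample flow to the path it takes under the given table."""
    return [(desc, longest_prefix_match(dst, routes)) for dst, desc in flows]


def internet_exposed(flows, routes):
    """Descriptions of flows that leave via the public Internet path."""
    return [desc for desc, path in classify_flows(flows, routes)
            if path == "Public Internet"]


if __name__ == "__main__":
    for label, table in (("default route to Internet", DEFAULT_ONPREM_ROUTES),
                         ("forced tunneling", FORCED_TUNNEL_ROUTES)):
        print(f"== {label} ==")
        for desc, path in classify_flows(SAMPLE_FLOWS, table):
            print(f"  {desc:45s} -> {path}")
        print("  exposed to public Internet:", internet_exposed(SAMPLE_FLOWS, table))
```

The SSH and Microsoft 365 flows ride ExpressRoute under both tables because their destinations fall inside an advertised prefix; only the default route changes where the DNS, CRL and CDN lookups go, which is the "client network configuration" dependency the answer describes.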
