Connectivity to Azure
This section expands on the network topology to consider recommended models for connecting on-premises locations to Azure.
Design considerations:
Azure ExpressRoute provides dedicated private connectivity to Azure infrastructure as a service (IaaS) and platform as a service (PaaS) functionality from on-premises locations.
Azure VPN (S2S) gateway provides Site-to-Site shared connectivity over the public internet to Azure infrastructure as a service (IaaS) virtual networks from on-premises locations.
Azure ExpressRoute and Azure VPN (S2S) have different capabilities, costs and performance, a table is available for comparison.
You can use private links to establish connectivity to PaaS services, over ExpressRoute with private peering or VPN s2s from on-premises connected locations.
When multiple virtual networks are connected to the same ExpressRoute circuit, they'll become part of the same routing domain, and all virtual networks will share the bandwidth.
You can use ExpressRoute Global Reach, where available, to connect on-premises locations together through ExpressRoute circuits to transit traffic over the Microsoft backbone network.
ExpressRoute Global Reach is available in many ExpressRoute peering locations.
ExpressRoute Direct allows creation of multiple ExpressRoute circuits at no additional cost, up to the ExpressRoute Direct port capacity (10 Gbps or 100 Gbps). It also allows you to connect directly to Microsoft's ExpressRoute routers. For the 100-Gbps SKU, the minimum circuit bandwidth is 5 Gbps. For the 10-Gbps SKU, the minimum circuit bandwidth is 1 Gbps.
When enabled on an ExpressRoute circuit, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway. FastPath is designed to improve the data path performance between your on-premises network and your virtual network without having a bottleneck on the gateway.
Design recommendations:
Use ExpressRoute as the primary connectivity channel for connecting an on-premises network to Azure. You can use VPNs as a source of backup connectivity to enhance connectivity resiliency.
Use dual ExpressRoute circuits from different peering locations when you're connecting an on-premises location to virtual networks in Azure. This setup will ensure redundant paths to Azure by removing single points of failure between on-premises and Azure.
When you use multiple ExpressRoute circuits, optimize ExpressRoute routing via BGP local preference and AS PATH prepending.
Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.
Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.
For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.
When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.
Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available).
Use ExpressRoute Global Reach to connect large offices, regional headquarters, or datacenters connected to Azure via ExpressRoute.
When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.
Use ExpressRoute network insights to monitor your ExpressRoute components (peerings, connections, gateways). ExpressRoute uses network insights to provide a detailed topology mapping of all ExpressRoute components (peerings, connections, gateways) and has preloaded metrics dashboard for availability, throughput, packet drops, and gateway metrics.
- Use Connection Monitor for ExpressRoute to monitor connectivity between Azure cloud deployments and on-premises locations (branch offices, and so on.), detect network issues, identify and eliminate connectivity problems.
Don't explicitly use ExpressRoute circuits from a single peering location. This creates a single point of failure and makes your organization susceptible to peering location outages.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for