Hybrid connectivity options

For hybrid connectivity, it's important to consider what kind of deployment you want to offer and where it will be deployed. You'll need to consider whether you need to isolate network traffic per tenant, and whether you'll have an intranet or internet deployment.

  • Single-tenant Azure Stack Hub: An Azure Stack Hub deployment that looks, at least from a networking perspective, as if it's one tenant. There can be many tenant subscriptions, but like any intranet service, all traffic travels over the same networks. Network traffic from one subscription travels over the same network connection as another subscription and doesn't need to be isolated via an encrypted tunnel.
  • Multi-tenant Azure Stack Hub: An Azure Stack Hub deployment where each tenant subscription's traffic that's bound for networks that are external to Azure Stack Hub must be isolated from other tenants' network traffic.
  • Intranet deployment: An Azure Stack Hub deployment that sits on a corporate intranet, typically on private IP address space and behind one or more firewalls. The public IP addresses aren't truly public because they can't be routed directly over the public internet.
  • Internet deployment: An Azure Stack Hub deployment that's connected to the public internet and uses internet-routable public IP addresses for the public VIP range. The deployment can still sit behind a firewall, but the public VIP range is directly reachable from the public internet and Azure.

The following summarizes each hybrid connectivity scenario with its connectivity method, pros, cons, and use cases.

  • Single-tenant Azure Stack Hub, intranet deployment
    Connectivity method: Outbound Network Address Translation (NAT)
    Pros: Better bandwidth for faster transfers. Simple to implement; no gateways required.
    Cons: Traffic not encrypted; no isolation or encryption outside the stack.
    Good for: Enterprise deployments where all tenants are equally trusted. Enterprises that have an Azure ExpressRoute circuit to Azure.
  • Multi-tenant Azure Stack Hub, intranet deployment
    Connectivity method: Site-to-site VPN
    Pros: Traffic from the tenant VNet to the destination is secure.
    Cons: Bandwidth is limited by the site-to-site VPN tunnel. Requires a gateway in the virtual network and a VPN device on the destination network.
    Good for: Enterprise deployments where some tenant traffic must be secured from other tenants.
  • Single-tenant Azure Stack Hub, internet deployment
    Connectivity method: Outbound NAT
    Pros: Better bandwidth for faster transfers.
    Cons: Traffic not encrypted; no isolation or encryption outside the stack.
    Good for: Hosting scenarios where the tenant gets their own Azure Stack Hub deployment and a dedicated circuit to the Azure Stack Hub environment, for example ExpressRoute or Multiprotocol Label Switching (MPLS).
  • Multi-tenant Azure Stack Hub, internet deployment
    Connectivity method: Site-to-site VPN
    Pros: Traffic from the tenant VNet to the destination is secure.
    Cons: Bandwidth is limited by the site-to-site VPN tunnel. Requires a gateway in the virtual network and a VPN device on the destination network.
    Good for: Hosting scenarios where the provider wants to offer a multi-tenant cloud, where the tenants don't trust each other and traffic must be encrypted.