At the heart of Microsoft’s Azure adoption strategy is the idea of the hybrid cloud, bridging on-premises datacenters and cloud computing. You don’t need to get rid of your old servers; instead, you connect them to the public cloud to take advantage of its scale and services, treating it as an extension of your existing datacenter.
There are two main ways of connecting to private virtual networks on Azure: you can use a VPN over the public internet, or you can set up a direct connection into Azure data centers with Microsoft’s ExpressRoute. For most use cases, the VPN option is the most economical because it uses your existing systems and so doesn’t require significant extra hardware or new leased lines.
Connecting to Azure over the public internet
Setting up a VPN to Azure is like setting up an IPSec VPN to any other network, much like configuring connections to branch offices or to a disaster recovery service. You need a VPN appliance from a Microsoft-approved vendor to provide the gateway to the VPN connection at your end, with an Azure VPN gateway set up in your Azure virtual network. Microsoft provides guidance on how to configure the network at both ends, with support for both policy- and route-based virtual network gateways.
If you’re using a relatively low bandwidth connection, there’s no need to buy any extra hardware because Azure is compatible with the VPN tools built into Windows Server’s Routing and Remote Access Service. That can make it easier to set up management networks for IaaS apps running on Azure, without having to build publicly accessible management web user interfaces.
At the Azure end of the connection, Azure VPN gateways are dedicated virtual machines that handle network connections for you, hosting IPSec tunnels for your network. They come in three versions:
- Basic version with up to 100Mbps throughput and 10 tunnels for VPN access
- Standard version with up to 100Mbps throughput and 10 tunnels for VPN access, plus support for ExpressRoute
- High Performance version with up to 200Mbps throughput and 30 tunnels for VPN access, plus support for ExpressRoute
If you need more bandwidth, Microsoft recommends using smaller virtual networks in Azure to add more VPN gateways.
Making a private connection to Azure with ExpressRoute
When a VPN isn’t enough, either due to network latency or demand for significant bandwidth, you can set up a private connection with ExpressRoute, which isn’t cheap. ExpressRoute is essentially an extension of an existing WAN, with its own dedicated lines into Microsoft’s Azure network—and ExpressRoute’s prices are comparable to a WAN’s.
But by avoiding the public internet, you get all the bandwidth you contract for, and you aren’t affected by other traffic. You’re also less likely to lose a link, because each ExpressRoute circuit has primary and secondary connections, reducing the risk of an outage.
ExpressRoute circuits support speeds from 50Mbps to 10Gbps. That makes it suitable for most cloud workloads, especially where there’s an expectation of low-latency connections. ExpressRoute also supports temporary bursts of up to twice the bandwidth you’ve bought, so you don’t have to worry about sudden spikes in traffic affecting a hybrid service that spans your datacenter and Azure.
Sending your data to Azure via physical storage
Even with 10Gbps ExpressRoute circuits, getting large amounts of data into services like Azure can be a problem. You can spend days uploading data, and the old adage “never underestimate the bandwidth of a pickup truck full of CD-ROMs” still applies. It’s far easier to put hundreds of terabytes of data onto physical media and send that to a cloud provider, ready to upload at network speeds. Sure, there’s latency in the transaction, but overnight FedEx Air plus the time to copy data often adds up to a lot less than uploading across the public internet.
Microsoft has long let you send hard drives to it for ingestion into Azure, but that’s not really a sustainable approach. For one thing, disks get lost or damaged en route. Then there’s the issue of buying all the disks needed, and they’re not cheap. A new 10TB drive costs at least $350, and Microsoft doesn’t recommend reusing drives because of the corruption risk.
That’s why Microsoft is developing the Azure Data Box, a portable NAS that can handle 100TB of raw storage and that, when it becomes available, you order from the Azure portal. Weighing about 45 pounds, it shouldn’t cost that much to send via courier services, and because it’s ruggedized it should survive shipping. Once it’s plugged in on your end, you load your data over standard SMB connections. Once back at an Azure data center, the data is offloaded into your Azure storage account.
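The upload-versus-shipping trade-off described above can be worked through with a short planner. This is an added example, not code from Microsoft or from the original article; the link speeds and the 100TB size come from the text, while the copy rate, ingest rate, 24-hour transit time and function names are constructed assumptions.

```python
# Added example: copy/ingest rates and transit time are constructed assumptions.
SECONDS_PER_HOUR = 3600
MEGABITS_PER_TB = 8_000_000  # 1 TB = 10**12 bytes = 8 * 10**6 megabits


def hours_per_tb(rate_mbps):
    """Hours needed to move one terabyte at a sustained rate in Mbps."""
    if rate_mbps <= 0:
        raise ValueError("rate must be positive")
    return MEGABITS_PER_TB / rate_mbps / SECONDS_PER_HOUR


def upload_hours(data_tb, link_mbps, efficiency=1.0):
    """Time to push data_tb over a VPN or ExpressRoute link.
    efficiency is the usable fraction of the nominal rate (assumed 1.0)."""
    return data_tb * hours_per_tb(link_mbps * efficiency)


def ship_hours(data_tb, copy_mbps, ingest_mbps, transit_hours):
    """Local copy onto the device, courier transit, then datacenter ingest."""
    per_tb = hours_per_tb(copy_mbps) + hours_per_tb(ingest_mbps)
    return data_tb * per_tb + transit_hours


def break_even_tb(link_mbps, copy_mbps, ingest_mbps, transit_hours,
                  efficiency=1.0):
    """Data size above which shipping finishes before the upload does.
    Returns None when the link outruns the two copies, so shipping never wins."""
    saved_per_tb = (hours_per_tb(link_mbps * efficiency)
                    - hours_per_tb(copy_mbps) - hours_per_tb(ingest_mbps))
    if saved_per_tb <= 0:
        return None
    return transit_hours / saved_per_tb


if __name__ == "__main__":
    # Link speeds taken from the article; 100 TB is the Data Box raw capacity.
    links = [("ExpressRoute 50Mbps", 50), ("Basic/Standard gateway", 100),
             ("High Performance gateway", 200), ("ExpressRoute 10Gbps", 10_000)]
    shipped = ship_hours(100, copy_mbps=1000, ingest_mbps=1000, transit_hours=24)
    print(f"ship 100 TB: {shipped / 24:.1f} days")
    for name, mbps in links:
        days = upload_hours(100, mbps) / 24
        even = break_even_tb(mbps, 1000, 1000, 24)
        verdict = "never" if even is None else f"above {even:.1f} TB"
        print(f"{name}: upload {days:.1f} days, shipping wins {verdict}")
```

With these assumed rates, shipping only loses when the network link is faster than the local copy onto the device, which is why the copy interface speed matters as much as the courier time.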