What is Azure ExpressRoute?
ExpressRoute is an Azure service that creates a private connection between a Microsoft data centre and infrastructure that resides on a customer's premises or in a colocation facility.
It enables a direct connection to Microsoft cloud services such as Azure, Office 365 and CRM Online, bypassing the public Internet.
ExpressRoute consists of a pair of circuits for high availability that are attached to a single customer subscription and cannot be shared by multiple customers. Each circuit should be terminated on a different router to maintain that high availability.
Let’s explore its benefits.
What is it good for?
Azure ExpressRoute is recommended for businesses that require high volumes of data to be moved at speed. The best use cases are data migration, replication and backup, and disaster recovery tasks.
It is also aimed at resource-hungry applications, such as those used for big data analytics or other high-performance computing jobs.
The dedicated bandwidth, predictable performance and low latency make fast workload migrations more feasible, such as moving virtual machines back and forth between Azure and the local data centre. Its fast connectivity can also benefit the performance of hybrid workloads that span the local data centre and the public cloud, such as those that use cloud bursting to increase compute capacity on demand.
All this makes it feel pretty secure. Doesn’t it?
Security and Encryption
As a service that creates a private connection, ExpressRoute deserves a close look from a security perspective. The key point to understand is that a private connection is not a complete security failsafe: ExpressRoute does not encrypt the network traffic on its circuits.
Network Security Group rules can be used to control the traffic entering the Azure network, but they filter traffic rather than encrypt it.
It is important to note that the privacy of any private circuit depends on the correct configuration of the equipment. Even though ExpressRoute circuits are dedicated to a specific customer, the network provider could be breached, allowing an intruder to examine packet traffic. To mitigate this risk, the customer or Cloud Service Provider can encrypt traffic over the connection using one of the following approaches:
- Application-level encryption: using the TLS/SSL protocol
- OS-level encryption: define IPsec tunnel-mode policies for all traffic flowing between the on-premises infrastructure and Azure resources (refer to the optional tunnel-mode step in the diagram below)
- Firewall appliance: this requires third-party VMs/appliances installed at both ends to encrypt traffic over the ExpressRoute circuit
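As an added example of the OS-level option above (not code from the original article), the following PowerShell defines a Windows IPsec tunnel-mode policy that requires protection for every packet between an on-premises address space and an Azure address space, using machine-certificate authentication and modern cipher suites. All addresses, set names and the CA subject are constructed placeholders.

```powershell
# Added example: IPsec tunnel-mode policy on a Windows host (constructed values throughout)
$OnPremSubnet  = "10.10.0.0/16"            # constructed: on-premises address space
$AzureSubnet   = "10.20.0.0/16"            # constructed: Azure VNet address space
$OnPremGateway = "10.10.0.1"               # constructed: on-premises tunnel endpoint
$AzureGateway  = "10.20.0.4"               # constructed: Azure-side tunnel endpoint (e.g. an NVA)
$RootCaSubject = "CN=Example Corp Root CA" # constructed: issuer of the machine certificates

# IKE main mode (phase 1): AES-256, SHA-256, DH group 14. Legacy proposals
# (DES, MD5, DH1/DH2) are deliberately not offered.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -DisplayName "ER-MainMode" -Proposal $mmProposal

# Quick mode (phase 2): ESP with AES-256 and SHA-256 integrity, PFS on DH14
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "ER-QuickMode" -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14

# Peer authentication: machine certificates chained to the corporate root CA.
# A pre-shared key is also possible but would be a shared secret on every host.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaSubject -AuthorityType Root
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName "ER-Phase1Auth" -Proposal $authProposal

# The tunnel-mode rule: traffic between the two address spaces must be protected
# in both directions (Require, not Request), so plaintext cannot silently fall
# through if negotiation fails. IKEv2 requires tunnel mode plus certificate auth.
New-NetIPsecRule -DisplayName "ExpressRoute-OnPrem-to-Azure" `
    -Mode Tunnel `
    -LocalAddress $OnPremSubnet -RemoteAddress $AzureSubnet `
    -LocalTunnelEndpoint $OnPremGateway -RemoteTunnelEndpoint $AzureGateway `
    -InboundSecurity Require -OutboundSecurity Require `
    -KeyModule IKEv2 `
    -Phase1AuthSet $phase1Auth.Name `
    -MainModeCryptoSet $mmSet.Name `
    -QuickModeCryptoSet $qmSet.Name

# Verification once traffic has flowed: an established SA pair shows the policy
# is actually negotiating, not merely present. Empty output means traffic is
# being dropped (Require) or the policy does not match the flows.
Get-NetIPsecRule -DisplayName "ExpressRoute-OnPrem-to-Azure" | Format-List DisplayName, Mode, Enabled
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

The same policy must be configured on the Azure-side endpoint with the addresses mirrored; a rule with Require on only one side results in dropped traffic rather than an unencrypted fallback.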
All traffic to and from the internal or Azure network should pass through the security gateway for inspection. The traffic flows need to be planned carefully, as they can be either optimised or degraded depending on the chosen pattern.
Ensure that the appliance used can provide all the required security functions, including application detection and prioritisation, an Intrusion Prevention System, malware protection, URL filtering and even DDoS protection.
Key considerations when choosing firewall appliances to secure ExpressRoute:
- Capability to enforce comprehensive access control on all inbound/outbound traffic
- Visibility into the specific traffic flowing through the ExpressRoute tunnel, supported by extensive logging and auditing tools
- A secure and reliable connection between the MPLS network and ExpressRoute, while retaining QoS
- Fallback to a baseline path if the MPLS router or line fails
High Availability and Performance
High availability and performance are key considerations for all enterprises planning to move their workloads onto the cloud.
Finally, Azure also allows a Site-to-Site Virtual Private Network (VPN) connection to coexist with an ExpressRoute connection. Since Site-to-Site VPN connectivity offers IPsec encryption by default, it can be used in the following cases:
- As a secure failover path for ExpressRoute
- To handle traffic directed to sites not connected through ExpressRoute
By AbdulKhader AbdulHanif, Cloud Solutions Consultant, SystemsUp