Notes from MS Learn AZ-700 Module 3: Design and Implement Azure ExpressRoute – Unit 2: Explore Azure ExpressRoute
ExpressRoute extends on-prem to the Microsoft cloud via a private connection with the assistance of a provider. Creates connections to MS Cloud Services like Azure and MS 365. It can be any-to-any (IP VPN), point-to-point Ethernet, or a virtual cross-connect through a provider colo. Since traffic doesn't go over the internet, ExpressRoute connections are more reliable, faster, have consistent latency, and offer higher security.
- ExpressRoute Capabilities
- Key benefits
- L3 connection between on-prem and MS Cloud via provider
- Can be any-to-any (IPVPN), Point-to-Point Ethernet, Virtual Cross-Connect through an Ethernet Exchange
- Connection to MS Cloud Services over all regions in a geopolitical region
- Global connectivity to MS across all regions (with ExpressRoute premium)
- Built-in redundancy in every peering location
- Used to create private connectivity between Azure DC/infrastructure on-prem or a colo
- Increased reliability, speed, and lower latency since it doesn’t go over the internet
- Understand Use Cases for Azure ExpressRoute
- Faster/Reliable connection to Azure
- Not reliant on internet
- Can be cheaper for on-prem or colo facility data transfer to Azure
- Storage/Backup/Recovery
- Fast, reliable connection to Azure
- Bandwidths up to 100 Gbps
- Great for periodic data migration/replication/DR/addition HA strategy
- Extend DC Capabilities
- Connect and add compute/storage capacity to existing DCs
- High throughput and low latencies feel like natural extension
- Predictable/reliable/high throughput connectivity
- Build apps that span on-prem and Azure without compromising privacy/performance
- Example run intranet app in Azure with auth against on-prem AD
- Corp customers don’t have to route over public internet
- ExpressRoute Connectivity Models
- Many models available for on-prem/colo to the cloud in Azure. Examples
- Co-location at Cloud Exchange
- Facility with a cloud exchange: virtual cross-connects to the MS cloud from the provider's Ethernet exchange
- Colo provider offers either L2 or managed L3 cross-connection between your infrastructure and the MS Cloud
- Point-to-Point Ethernet
- Provider can offer L2 or L3 between on-prem and MS Cloud
- Any-to-Any (IPVPN)
- Provider offers any-to-any connectivity between branch offices and DCs
- MS Cloud can be interconnected to your WAN so it looks like another branch office
- WAN provider typically offers managed L3
- Direct from ExpressRoute (ExpressRoute Direct)
- Dual 100 Gbps or 10 Gbps
- Active/Active at scale
- Design Consideration for ExpressRoute Deployments
- Choose model based on key considerations
- ExpressRoute Direct
- Connects direct to MS global network at peering location (distributed around world)
- Dual 100 or 10 Gbps
- Active/Active
- Can work with any SP for ExpressRoute Direct
- Features
- Massive Data Ingest into services E.g. Storage and Cosmos DB
- Physical isolation for regulated industries E.g. Bank, Gov, Retail
- Granular control of circuit distribution per business unit
- ExpressRoute Direct vs. Service Provider (Table from MS Learn)
- Design Redundancy for an ExpressRoute deployment
- Two ways to plan redundancy
- Configure ExpressRoute and Site-to-Site coexisting
- Advantages
- Secure failover path for ExpressRoute
- Connect to sites not connected through ExpressRoute
- Zero downtime when adding new gateway or gateway connection
- Network Limits and limitations
- Route-Based VPN gateways only
- ASN of Azure VPN Gateway must be 65515
- Gateway subnet must be /27 or larger (prefix length 27 or shorter)
- Dual stack VNet not supported
- Create zone redundant virtual network gateway in Azure Availability Zones
- VPN and ExpressRoute gateways can be deployed in Availability Zones
- This physically and logically separates gateways in a region
- Protects on-prem to Azure from zone-level failures
- Zone-redundant gateways
- Automatically deploy virtual network gateways across availability zones by using zone-redundant virtual gateways
- These benefit from zone-resiliency for mission critical services in Azure
- Zonal Gateways
- Used to deploy a gateway in a specific zone
- When deployed, all instances are deployed in the same Availability Zone
- Gateway SKUs
- SKUs similar to the corresponding existing SKUs for ExpressRoute and VPN Gateway
- Exception: they are specific SKUs identifiable by "AZ" in the SKU name
- Public IP SKUs
- Both zone-redundant and zonal gateways require a Standard SKU Azure Public IP resource
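Added example (my own, not code from the MS Learn module): the Azure PowerShell steps that put the redundancy design notes above together, a /27 GatewaySubnet, Standard SKU public IPs, a zone-redundant ExpressRoute gateway (AZ SKU) and a coexisting route-based VPN gateway with ASN 65515. Resource names, region and address ranges are assumptions.

```powershell
# Assumed names/region/addresses; replace with your own.
$rg       = 'rg-hub-example'
$location = 'westus2'

New-AzResourceGroup -Name $rg -Location $location

# Coexistence limit: the GatewaySubnet must be /27 or larger.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $gwSubnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Zone-redundant and zonal gateways both need Standard SKU public IPs.
# Omitting -Zone gives a zone-redundant IP; adding -Zone 1 would pin a zonal gateway to zone 1.
$erPip = New-AzPublicIpAddress -Name 'pip-ergw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$vpnPip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Zone-redundant ExpressRoute gateway: the "AZ" in ErGw1AZ marks the availability-zone SKU.
$erIpConf = New-AzVirtualNetworkGatewayIpConfig -Name 'ergw-ipconf' `
    -SubnetId $subnet.Id -PublicIpAddressId $erPip.Id
New-AzVirtualNetworkGateway -Name 'ergw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $erIpConf -GatewayType ExpressRoute -GatewaySku ErGw1AZ

# Coexisting VPN gateway for the Site-to-Site failover path: must be RouteBased,
# and its BGP ASN must be 65515 per the limits listed above.
$vpnIpConf = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconf' `
    -SubnetId $subnet.Id -PublicIpAddressId $vpnPip.Id
New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $vpnIpConf -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1AZ -EnableBgp $true -Asn 65515

# Check: both gateways live in the shared GatewaySubnet and report their AZ SKUs.
Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
    Select-Object Name, GatewayType, @{n='Sku'; e={ $_.Sku.Name }}
```

Gateway creation takes a long time (often 30 to 45 minutes each), so run this from a session that can wait, or add -AsJob to the New-AzVirtualNetworkGateway calls.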
- Configure a Site-to-Site VPN as a Failover Path for ExpressRoute
- Applies only to VNets linked to Azure private peering path
- No VPN-based failover for services reachable through Azure MS Peering
- ExpressRoute circuit always primary
- Data through Site-to-Site VPN only if ExpressRoute circuit failure
- To avoid asymmetric routing, the local (on-prem) config should also prefer the ExpressRoute path over the Site-to-Site path
- Set a higher local preference on routes received over ExpressRoute