There are multiple ways to access Microsoft Azure via a secure network connection, including Point-to-Site VPN, Site-to-Site VPN, and ExpressRoute (ExR), a less descriptive name for a private link that allows you to interconnect your Data Centers with Azure or Office 365 offerings. ExR is a great choice for customers looking to isolate their Azure traffic from the internet, increase bandwidth, and reduce latency. Other cloud providers have similar options.
But let’s focus on the reason we’re here today – to talk about a great feature that allows ExR customers to use Microsoft’s network backbone, one of the largest networks in the world, to interconnect dispersed regions.
Azure has several regions, and for discussion's sake, let's assume you have a workload in US West and another workload in North Europe, and for some reason they are required to connect to each other. Normally, you would use the internet to interconnect both environments, with or without a VPN. That option poses a few challenges, including latency and the fact that you are sending the traffic over the internet, which requires you to take additional measures to protect your information as it leaves one region for another.
But what if you could use Microsoft's backbone, with built-in security and better latency than the internet? If you have ExR, connecting VNets from different regions is possible: they become part of the same routing domain and use Microsoft's backbone for their traffic. That simplifies your setup, because every VNet sharing the same ExR circuit is part of the same routing domain. The following diagram illustrates what we're talking about:
In our example there are two regions, "US West" and "North Europe", and because we configured them to share the same ExR circuit, they are now part of the same routing domain, allowing networks 10.82.0.0/16 and 192.168.0.0/16 to reach each other without any added complexity in the configuration. There is a caveat for this example, though: both regions belong to what we call different ExR geopolitical regions, which requires you to have Premium ExR to benefit from this capability. If you want to interconnect VNets from different regions within the same geopolitical region, e.g. "US West" to "US East", you don't need Premium ExR.
One of the reasons I find this a great capability is that you don't need to order an ExR circuit for both regions. In our example, you may have a circuit connecting your Data Center to US West, and you are then entitled to use Microsoft's backbone everywhere else.
Note: Regions with data residency or sovereignty requirements such as Azure China, Azure Germany, and Azure Government, are not allowed to interconnect with other regions in that model.
To accomplish such a configuration, you can use the Azure Portal or PowerShell; the following example illustrates how to do it via PowerShell:

```powershell
# Stores the information from a circuit called "MyCircuit" into a variable named $circuit
$circuit = Get-AzureRmExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"

# Stores the information from a virtual network gateway called "ExpressRouteGw" into a variable named $gw
$gw = Get-AzureRmVirtualNetworkGateway -Name "ExpressRouteGw" -ResourceGroupName "MyRG"

# Connects the VNet gateway to the existing circuit; -PeerId points at the circuit's resource id
$connection = New-AzureRmVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName "MyRG" -Location "East US" -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute
```
The scenario above assumes that both VNets are in the same subscription, which is equivalent to having two VPCs in the same root account at AWS (yes, we speak Cloud with no religion!). But let's assume they are in different subscriptions; would that be supported? The answer is yes! There are some additional steps you should perform, e.g. authorizing a given subscription to access the ExR circuit, as explained here.
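As an added example (not the post's own code), here is the cross-subscription variant of the steps above: the circuit owner issues an authorization, and the VNet owner redeems it when creating the connection. It also performs the provisioning-state and Premium-tier checks a practitioner would want before attempting an inter-geo link. Subscription ids, resource names, resource groups, locations and the `$crossGeo` flag are placeholders or assumptions.

```powershell
# Added example, not from the original post: connect a second VNet that lives in a
# different subscription to an ExR circuit owned by the first subscription.
# Subscription ids, names, resource groups and locations below are placeholders.
$circuitOwnerSub = "<circuit-owner-subscription-id>"
$vnetOwnerSub    = "<vnet-owner-subscription-id>"
$crossGeo        = $true   # assumption: the remote VNet is in another ExR geopolitical region

# --- In the subscription that owns the circuit ---
Select-AzureRmSubscription -SubscriptionId $circuitOwnerSub | Out-Null
$circuit = Get-AzureRmExpressRouteCircuit -Name "MyCircuit" -ResourceGroupName "MyRG"

# Fail early instead of at connection time: a circuit the carrier has not yet
# provisioned, or a Standard-tier circuit used across geopolitical regions,
# cannot carry this connection.
if ($circuit.ServiceProviderProvisioningState -ne "Provisioned") {
    throw "Circuit '$($circuit.Name)' is not provisioned yet (state: $($circuit.ServiceProviderProvisioningState))."
}
if ($crossGeo -and $circuit.Sku.Tier -ne "Premium") {
    throw "Circuit '$($circuit.Name)' is $($circuit.Sku.Tier) tier; the Premium add-on is required for inter-geo VNet links."
}

# Issue an authorization the other subscription can redeem. The key is a secret:
# hand it over out of band rather than pasting it into tickets or chat.
Add-AzureRmExpressRouteCircuitAuthorization -Name "NorthEuropeAuth" -ExpressRouteCircuit $circuit | Out-Null
$circuit = Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $circuit
$auth    = Get-AzureRmExpressRouteCircuitAuthorization -Name "NorthEuropeAuth" -ExpressRouteCircuit $circuit

# --- In the subscription that owns the remote VNet ---
Select-AzureRmSubscription -SubscriptionId $vnetOwnerSub | Out-Null
$gw = Get-AzureRmVirtualNetworkGateway -Name "ExpressRouteGwNE" -ResourceGroupName "MyRG-NE"

# Same cmdlet as the single-subscription case, plus the redeemed authorization key.
$connection = New-AzureRmVirtualNetworkGatewayConnection -Name "ERConnection-NE" `
    -ResourceGroupName "MyRG-NE" -Location "North Europe" `
    -VirtualNetworkGateway1 $gw -PeerId $circuit.Id `
    -ConnectionType ExpressRoute -AuthorizationKey $auth.AuthorizationKey

# Confirm the link is up before routing production traffic over it.
Get-AzureRmVirtualNetworkGatewayConnection -Name $connection.Name -ResourceGroupName "MyRG-NE" |
    Select-Object Name, ConnectionType, ConnectionStatus, ProvisioningState
```

Once an authorization has been redeemed it is consumed, so each additional subscription needs its own authorization on the circuit.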
This is a cool feature that I realize not everyone is aware of, and if you already have ExR, I encourage you to try it out and see for yourself how Microsoft's backbone, one of the largest networks in the world, can be at your service!
Last but not least, as of 04/2017, the ExR pricing documentation states that there is no additional cost over the existing plan charges for interconnecting to other regions, with the caveat that you need the Premium add-on for inter-geo connections.