TechEd NA 2014–Extending Your Premises To Microsoft Azure With Virtual Networks And ExpressRoute

Speakers: Ganesh Srinivasan (Azure Networking), Jai Desai (StorSimple), Jon Ormond (MSIT).

Legacy Connections for Site-Site in Azure

  • Secure point-to-site VPN: for developers, POCs and small-scale deployments. VPN in from a single machine. Based on SSTP.
  • Secure site-to-site VPN: for SMBs and enterprises. Connects your business to Azure compute, IaaS and PaaS workloads. Configuration is generally done on an on-prem edge device. Based on IPsec.

Now added: Private site-to-site called ExpressRoute. For SMB (with WAN) and enterprises. Mission critical workloads. Backup/DR, Media, HPC. Based on services provided by WAN ISP that are Azure networking partners.

Virtual Network Recap

Software defined private network in Azure. You carve out your own IP space/subnets. Can punch holes through Azure firewall for public presence. VPN connects to the virtual network via an edge subnet.

In-Region VNet to VNet

You want security between tiers or services so you put them in different virtual networks. In the same region, there are no data transfer costs. You can punch holes through firewalls to let services communicate.

Cross-region VNet to VNet

Need local presence across the globe but with interconnectivity. Also for HA/DR. VNets can communicate securely using private IP addresses.

Multi-site VNet Connectivity

Up to 10 on-prem sites can connect into a single VNet in Azure. They may be geographically dispersed.

VPN Partners

WatchGuard, Openswan, Cisco, Fortinet, Brocade, SonicWall, Check Point, Juniper, F5, Allied Telesis, and Windows Server 2012 R2.


The other techs go via the public internet, so you have dependencies on many ISPs between you and Microsoft. Lots of chokepoints. It might be secure (IPsec), but you cannot build an SLA on it. ExpressRoute brings Azure VNets into your WAN. You now connect to Azure via a private, SLA-controlled WAN connection managed by your ISP, subject to your contract with them.

Enterprise Workloads

All Azure services are made available, not just VNets (VPN is limited to VNets). You also get controlled and predictable latency. This means there are many more workloads you can run over ExpressRoute:

  • Storage/backup/recovery
  • Dev/test lab
  • BI/big data
  • Media
  • Hybrid apps
  • Productivity apps

SharePoint has generated lots of interest as a service over ExpressRoute from customers.

Two Flavours

  • Deploy “on prem” at a colo facility such as those provided by Equinix. You route via the colo facility to Azure. Probably requires a lot of work on your side and additional h/w.
  • Use an Azure ExpressRoute partner as your WAN provider. Your sites then connect directly to Azure. Almost a light switch. Probably no additional h/w.


Equinix, TelecityGroup, BT, AT&T, Level3, Verizon, SingTel

BT important for UK/Ireland. Telecity are important for Europe. If you are not with any of these, “talk to us” according to the speaker, and “we will figure it out”.

ExpressRoute Tiers

Unlimited inbound data transfer. You get some outbound data for free and above that there is a charge.

  • 200 Mbps + 3 TB/month free
  • 500 Mbps + 7.5 TB/month free
  • 1 Gbps + 15 TB/month free
  • 10 Gbps + 250 TB/month free

Customer Connectivity

If you use VPN, you can only access compute that runs in VNets. If you use ExpressRoute, you can access any Azure service. And of course, if you punch holes in firewalls, you can make services available publicly.

Common misconception: stuff you place in Azure is public. No: it’s only public if you make it that way. Your Azure services can be completely private if you want.

Customer Sign Up Experience

Talk to MSFT and ask for partners in your location. You get a service key. Pass that on to the service provider. They query Microsoft and then create a cross connection between you and Azure. You then set up BGP routes between you and Azure, and you are connected.

In the case of a WAN provider, the routing is done for you.


The speaker creates an ExpressRoute connection via the web ONLY, using the MSFT WAN and AT&T. The whole process is orchestrated and should take no more than 5 minutes to complete after walking through the wizards.

He VPNs into Microsoft and can ping an Azure VM over the new WAN connection.

Another ping demo: 1-2 ms latency between an MSFT office in California and a SharePoint farm in Azure over ExpressRoute (I think he said US East region).

Fails over the SharePoint SQL database (guest OS install) from one region to another – takes about 3-4 seconds.

We now get Jon Ormond of MS IT to talk about how they are using ExpressRoute.


MS IT has LOTS of small internal apps that they have no interest in rewriting as PaaS apps. They use IaaS to run those VMs in Azure and are doing that lift & shift now. That needs a robust network connection, which is why they use ExpressRoute. They want to end up with 95% of VMs in “the cloud”, both private (WAP) and public (Azure).

He does a demo using PowerShell to create the connection. This can also be done using the REST API.
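A worked version of the sign-up sequence described under Customer Sign Up Experience (key issued, handed to the provider, cross connect provisioned, BGP set up, VNet linked) and of the PowerShell route the MS IT demo took. This is an added example, not the speaker's 2014 demo script or anything from the session: it uses the current Az PowerShell module rather than the 2014 service-management cmdlets, and every resource name, provider, peering location, prefix, VLAN and ASN in it is a hypothetical placeholder you would replace with values agreed with your provider.

```powershell
# Added example, not from the session. Assumes: Az module installed and Connect-AzAccount done,
# a resource group 'rg-net' in 'westus', and an existing VNet with an ExpressRoute gateway 'er-gw'.
# Provider name and peering location must match an entry from Get-AzExpressRouteServiceProvider.
$rg          = 'rg-net'                 # hypothetical
$location    = 'westus'                 # hypothetical
$circuitName = 'er-circuit-01'          # hypothetical

# 1. Create the circuit. Azure issues a service key for it; that key is what you hand
#    to the service provider so they can query Microsoft and build the cross connect.
$circuit = New-AzExpressRouteCircuit -Name $circuitName -ResourceGroupName $rg `
    -Location $location -SkuTier Standard -SkuFamily MeteredData `
    -ServiceProviderName 'Equinix' -PeeringLocation 'Silicon Valley' -BandwidthInMbps 200

# The service key identifies your circuit to the provider. Give it only to the provider;
# anyone holding it can ask that provider to connect their cross connect to your circuit.
Write-Host "Service key for the provider: $($circuit.ServiceKey)"

# 2. Nothing else can be configured until the provider has finished on their side,
#    so poll the provisioning state rather than assuming the cross connect exists.
do {
    Start-Sleep -Seconds 60
    $circuit = Get-AzExpressRouteCircuit -Name $circuitName -ResourceGroupName $rg
    Write-Host "Provider provisioning state: $($circuit.ServiceProviderProvisioningState)"
} while ($circuit.ServiceProviderProvisioningState -ne 'Provisioned')

# 3. Azure private peering: the BGP session that carries your VNet prefixes over the circuit.
#    The two /30 link subnets and the VLAN are agreed with the provider; the ASN is a private
#    one. The optional shared key enables BGP MD5 so spoofed route updates on the link are
#    rejected; it is read interactively so it is not stored in the script.
$bgpKey = Read-Host -Prompt 'BGP MD5 shared key (agreed with your provider)'
Add-AzExpressRouteCircuitPeeringConfig -Name 'AzurePrivatePeering' -ExpressRouteCircuit $circuit `
    -PeeringType AzurePrivatePeering -PeerASN 65010 `
    -PrimaryPeerAddressPrefix '192.168.100.0/30' -SecondaryPeerAddressPrefix '192.168.100.4/30' `
    -VlanId 200 -SharedKey $bgpKey
$circuit = Set-AzExpressRouteCircuit -ExpressRouteCircuit $circuit

# 4. Link the VNet's ExpressRoute gateway to the circuit. Only the prefixes exchanged over
#    private peering traverse the circuit; nothing in the VNet becomes publicly reachable.
$gw = Get-AzVirtualNetworkGateway -Name 'er-gw' -ResourceGroupName $rg
New-AzVirtualNetworkGatewayConnection -Name 'er-gw-to-circuit' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute

# 5. Check what Azure has actually learned over BGP on the primary path. The on-prem
#    prefixes you expect should be listed; anything unexpected here is a routing problem
#    to raise with the provider before workloads move onto the circuit.
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $circuitName `
    -PeeringType AzurePrivatePeering -DevicePath Primary
```

Step 3 is the part the notes say a WAN provider does for you: with a layer-3 provider, the private peering is configured on the provider's side and you skip straight from the provisioning check to linking the gateway. The route-table check at the end is worth keeping either way, since it is the only place you can see which prefixes are really being exchanged.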

Jai Desai, a TSP, takes over to talk StorSimple. I tune out here … a StorSimple talk.
