extending your on-premises network into azure using expressroute
TRANSCRIPT
Ganesh SrinivasanSenior Program Manager, Azure Networking
Extending your on-premises network into Azure using ExpressRoute
3-618
Review of Hybrid scenarios in AzureExpressRoute overview
Agenda slide
Windows Azure hybrid offeringsCloud Customer Segment and workloads
Secure point-to-site connectivity
Virtual Network (Point-to-Site)
• Developers• POC Efforts• Small scale
deployments• Connect from
anywhereSecure site-to-site VPN connectivityVirtual Network (Site-to-Site)
• SMB, Enterprises• Connect to Azure
Compute• IaaS and PaaS workloads
Private site-to-site connectivity
ExpressRoute
• SMB & Enterprises• Mission critical workloads• Backup/DR, Media, HPC• Connect to all hardware
Windows Azure Virtual NetworkExtend your infrastructureNetworking on-ramp for migrating apps and services
Your “virtual” branch office / datacenter in the cloud
Run “hybrid” apps that span cloud and your premises
Secure private networks fully contained in Windows Azure
Extend your trust boundary - IaaS and PaaS better together
Virtual Network
Your Datacenter
Internet
Active Directory
SharePoint SQL Server
Windows Azure
Virtual Networks & P2S Connectivity
Connect from anywhere securely No software installation
required! Easy to setup and use Ideal for prototyping,
development, demos P2S and S2S coexist
P2SVPNs
Active Directory
SharePoint SQL Server
Windows Azure
Existing Datacenter
S2S VPN
What’s newOn
-pre
mise
S2S VPN
Existing Datacenter
P2SVPNs
Active Directory
SharePoint SQL Server
Windows AzureExciting capabilities
Point-to-site Generally Available
Dynamic Routing Gateways generally available
More VPN devices options
ExpressRoute
Reluctance to adopt public cloud
60% Cited performanceas a key challenge for Cloud
66% Cited data and network securityas a key challenge for Cloud
Private network
Hoster
Private cloud
Private cloud
Performance
Predictability
Security
Expensive
Performance
Predictability
Security
Expensive
Internet
Azure
What Customers Want
PerformanceAssured bandwidth to Azure
SecurityAzure is connected to the customer’s WANNo internet in the path
AvailabilityNo single point of failure
Private network
Hoster
Private cloud
Private cloud
InternetAzure
WAN
Cloud on your WAN• Avoids risks from exposure to Internet• Avoids complexity and added costs• Provides lower latency, higher bandwidth
and greater availability
Public cloud
WAN
Customer DC
Customer site 1
Customer site 2
Public internet
Customers want Windows Azure on their network
IPsec VPN over Internet• Greater networking costs and latency since data is hair
pinned through a customer data center• Data travels over the open Internet to connect to cloud• Bandwidth is limited
Public cloud
WAN
Customer DC
Customer site 1
Customer site 2
Public internet
High throughput
Security
Lower cost
Predictable performance
What is ExpressRoute?ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Windows Azure datacenters and their on-premises IT environment.
Enable mission critical workloads Dev/test lab BI/big data
Media Productivity apps
Storage, backup, and recovery
Hybrid apps
ExpressRoute ConnectivityWindows AzurePublic services
Windows Azure Compute
Azure Edge
Connectivity Provider
Infrastructure
Customer’s network
Customer’s dedicated connection
Traffic to public IP addresses in Windows Azure
Traffic to Virtual Networks in Windows Azure
Public and Private peering
Contoso (10.0.0.0/16)
Exchange
AD/DNS
IIS ServersSQL Farm Proxy/Internet edge
Monitoring
Netbound–ExpressRoute Circuit
Windows Azure
Storage SQL Websites
Direct internet trafficCross PremisesInternet bound
Azure service access
Contoso virtual networks/Vms
Azure public services
AD/DNS
Internet
Virtual Network and ExpressRoute
Connect via an encrypted link over public internet
Peer at an ExpressRoute location, an Exchange Provider facility
Connection from a WAN provided by Network Service Provider. Azure becomes another site on the customer’s WAN network.
Scenario 1: IPSec VPN over internet
Scenario 2: Exchange Provider
Scenario 3: Network Service Provider
Windows AzureCustomer DC
Virtual Network - Compute only.
ExpressRoute - Provides customer choice and include access to compute, storage, and other Azure services.
Customer site ExpressRoutepartner location
Windows Azure
Customer site 1
Customer site 2
Customer site 3 Windows Azure
WAN
Publicinternet
Publicinternet
Publicinternet
Exchange Provider Network Service Provider scenario
Customer
Tiers/pricing
Customer already using co-location facility; or wants to meet Azure at Exchange Provider location for a simple point to point connection• Connect to Windows Azure directly through a virtual cross
connection• Higher flexibility• Control over routing• Place your hardware in the Exchange Provider’s datacenter• Throughput based tiers, data charges separate• Upto 10 GBps
Customer already getting managed WAN services (like MPLS VPN)• Connect to Windows Azure through VPN provider• Easy to onboard• Use your existing VPN to connect to Azure• Access from any site
• Throughput based tiers (with unlimited data)• Connection speeds of up to 1 GBps
Two flavors of ExpressRoute
Customer site ExpressRoutepartner location
Windows Azure
Customer site 1
Customer site 2
Customer site 3 Windows Azure
WAN
ExpressRoute PartnersExchange Provider Network Service Provider
scenario
Customer site ExpressRoutepartner location
Windows Azure
Customer site 1
Customer site 2
Customer site 3 Windows Azure
WAN
Publicinternet
Publicinternet
ExpressRoute and Exchange Providers
Equinix and ExpressRoute
• Secure and private• Consistent throughput• Flexible and dynamic• Reduced provisioning
times
equinixcloud exchange
1G Bandwidth1G Bandwidth10 G Bandwidth
Microsoft managed
ExpressRoute
Seamless automated provisioning
Customer cage
Customer cage
Customer cage
2. Customer requests
connectivity through Exchange
Provider
1. Customer signs up for ExpressRoute
3. Customer get s-key
IXP
Customer Experience : Exchange Provider Workflow
Customer
MicrosoftWindows Azure
Exchange Provider
4. Customer passes s-key & other details
5. Customer configures routing6. Customer links services
Customer signs up for ExpressRoute• Signs up for a Windows Azure
subscription• Signs up for ExpressRoute service
Customer requests connectivity through Exchange Provider• Customer provided with list of
connectivity providers, locations, and supported bandwidths
• Customer selects best option and makes a request
• Customer receives a service key (s-key) in response to the request
Customer configures routing between their premises and Azure• Customer sets up 2 pairs of BGP
sessions (one for public peering and one for private peering)
• Customer specifies IP subnets for BGP sessions, AS number and MD5 hash (optional)Customer links services
• Links virtual networks to private peering BGP sessions
• Connectivity to public peering services and NAT enabled as soon as BGP session has been configured
Configuration complete• Customer connects to all Azure
services via ExpressRoute circuitExchange Provider enables connection for customer• Customer passes service key (s-key) and
other details to Exchange Provider necessary to facilitate peering
• Exchange Provider enables a pair of virtual crossconnects for customers per circuit
• Exchange Provider sends confirmation to Microsoft (programmatically) and other customers
ExpressRoute and Network Service Providers
Extend your AT&T VPN to Windows Azure
*Storage will be supported upon service launch
AT&T NetBond and Windows Azure ExpressRoute seamlessly integrate to allow you to extend your MPLS VPN into Windows Azure isolating your traffic from other cloud traffic
Storage*
Compute
Users
Internal IT
VPN access – Today: fixed connectionsFuture: on demand, self service, consumptionbased connections
Private Cloud
VPN
VPN
Base or persistent loads
IT resources – on demand, self service, consumption based, dynamically scalable, logically isolated
Enterprise A
Enterprise B
Windows Azure
WAN
2. Customer requests
connectivity through Network
Service Provider
1. Customer signs up for ExpressRoute
3. Customer get s-key
IXP
Customer Experience : Network Service Provider Workflow
Customer
MicrosoftWindows Azure
Network Service Provider
4. Customer passes s-key & other details
5. Customer links services
Customer signs up for ExpressRoute• Signs up for a Windows Azure
subscription• Signs up for ExpressRoute service
Customer requests connectivity through NSP• Customer provided with list of
connectivity providers, locations, and supported bandwidths
• Customer selects best option and makes a request
• Customer receives a service key (s-key) in response to the request
Customer links services• Links virtual networks to private
peering BGP session• Connectivity to public peering
services and NAT enabled as soon as BGP session has been configured
Configuration complete• Customer connects to all Azure
services via ExpressRoute circuit from WAN
NSP enables connection for customer• Customer passes on service key (s-key) to
NSP along with other details necessary to facilitate peering and routing
• NSP enables connectivity and configures routes for both public and private peering sessions
• NSP sends confirmation to Microsoft (programmatically) and customer
MICROSOFT CONF IDENTIAL – INTERNAL ONLY
ExpressRoute PowerShell CommandletsExpressRoute commandlets Description
Get-AzureDedicatedCircuitServiceProvider
Lists all ExpressRoute service providers including carriers and internet exchange points offering connectivity across all regions in Windows Azure.
Get-AzureDedicatedCircuit Lists all ExpressRoute circuits and details of each circuit. Get-AzureDedicatedCircuitLink Lists the link state of a particular virtual network and an ExpressRoute circuit.New-AzureDedicatedCircuit Creates a new ExpressRoute circuit in a Windows Azure subscription. New-AzureDedicatedCircuitLink Creates a link between an ExpressRoute circuit and a virtual network in the
current Windows Azure subscription. Remove-AzureDedicatedCircuit Removes an ExpressRoute circuit.Remove-AzureDedicatedCircuitLink Removes the link between a Virtual Network and an ExpressRoute circuit.
BGP Configuration commandlets Description
Get-AzureBGPPeering Returns an object with bgp configuration information of an ExpressRoute circuit.New-AzureBGPPeering Creates a new BGP peering configuration for an ExpressRoute circuit.Remove-AzureBGPPeering Removes the routing configuration for an ExpressRoute circuit.Set-AzureBGPPeering Updates a BGP peering configuration for an ExpressRoute circuit.
During public preview• Washington D.C. • Silicon Valley, CA
Additional locations coming soon
Locations:ExpressRoute Locations
Global datacenters
ExpressRoute locationsPublic preview
ExpressRoute PricingExchange Provider Network Service Provider
Per month:
$12,000
Per month:
$7,200
Per month:
$1,800
Per month:
$1,200
Per month:
$6001 Gbps500
Mbps
100 Mbps
50 Mbps
10 Mbps
Tiers with hard caps on bandwidth + unlimited data transfer
Monthly fee with included data transfer1Gbps Port + 15 TB included egressPer month:$600
Free Ingress
Overage:$0.035/GB Zone 1 $0.07/GB Zone 2
10Gbps Port + 250 TB included egressPer month:$10,000
Free Ingress
Overage:$0.035/GB Zone 1 $0.07/GB Zone 2
Windows Azure page for Networking services Virtual Network ExpressRoute
Tutorials and How To guides Virtual networks and connectivity ExpressRoute with Exchange Providers
Whitepapers Windows Azure Network Security
Resources
Your Feedback is ImportantFill out an evaluation of this session and help shape future events. Scan the QR code to evaluate this session on your mobile device. You’ll also be entered into a daily prize drawing!
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.