ExpressRoute Overview
Microsoft provides two main ways to connect a datacenter to Microsoft Azure.
- Site-to-Site VPN using IPSEC encryption over the Interent
- ExpressRoute dedicated private WAN connection
ExpressRoute has a distinct advantage over the Site-to-Site VPN approach because it involves a dedicated private connection through a WAN provider, and does not involve using the public Internet for transferring data. For datacenter environments that require a high-performance network link to Microsoft Azure in addition to a higher level of data isolation and security, ExpressRoute provides a more stable and reliable connection, as well as increased speeds at lower latency.
For example, a Site-to-Site VPN used a dynamic routing gateway for its interface to Microsoft Azure networking. The fastest gateway available performs up to 200 Mbps. ExpressRoute leverages a BGP-based routing gateway that can achieve a performance of up to 10 Gbps.
ExpressRoute offers two different provider models:
- Network Service Provider – leverages Multiprotocol Label Switching (MPLS) technology to provide WAN connectivity between the customer network and Microsoft Azure.
- Exchange Provider – leverages direct Ethernet connections to extend the customer datacenter to Microsoft Azure.
In addition, ExpressRoute offers some desirable advantages for enterprise level applications in the areas of cost and privacy.
ExpressRoute provider models implement two different cost approaches. A Network Service Provider usually offers an “all you can use” model. In other words, you pay a flat fee and you are not charged for ingress or egress traffic. In contrast, an Exchange Provider charges you a base flat fee and sets a transfer quota that is based on circuit size. If you do not exceed the quota, there is no additional charge due. If you exceed the quota, then you pay additional charges for the data overage.
In terms of privacy, since ExpressRoute offers a private dedicated connection that does not use the Internet as a transport medium, your traffic never traverses the public Internet to flow from the on premise datacenter to the Microsoft Azure datacenter.
You should be aware that ExpressRoute entails two sides to the connectivity costs. Customers must pay for connectivity to the Microsoft Azure datacenter and the ExpressRoute provider for the connection and transport of the traffic across the dedicated private network.
ExpressRoute Connection Limitations
While using ExpressRoute which provides a high-speed dedicated circuit, there are limitations that should be taken into consideration when planning ExpressRoute connectivity. A single ExpressRoute circuit can only establish a maximum of 10 connections to vNets in Microsoft Azure. If you need to connect your datacenters to more than 10 vNets, then you must purchase additional ExpressRoute circuits.
If you need a single ExpressRoute circuit to connect to multiple subscriptions, then the maximum it can support is 10 subscriptions for each single circuit. Therefore, if you want to connect a single circuit to ten subscriptions, then the maximum number of vNets that can exist in each subscription is one vNet.
If you need a single vNet to connect to multiple circuits, then the limit is a maximum of one vNet for every four circuits.
ExpressRoute Region versus Microsoft Azure Region
Microsoft Azure is composed of multiple regions with one or more datacenters within each region. For example, in North America, the Microsoft Azure regions as East, West, North Central, and South Central. In contrast, ExpressRoute Regions are based on a larger continent model versus a smaller territory model. As such, the Microsoft Azure regions in North America (East, West, North Central, and South Central) are in a single ExpressRoute network region.
Network Service Provider Model
As shown in Figure 1, the Network Service Provider model is a MPLS cloud based provider model where the MPLS cloud is connected to the Microsoft Azure network at multiple locations. The connection to the Microsoft Azure datacenter is typically a high speed 10 Gbps connection that is shared between multiple customers. The Network Service Provider separates each customer traffic flow across the MPLS cloud using label switching. Once the traffic flows to the edge of the MPLS cloud at the Microsoft Azure datacenter, the traffic converts from the label switching approach to a VLAN approach. A VLAN is established for every ExpressRoute circuit that is created.
Figure 1: Network Service Provider Model
ExpressRoute circuits can be ordered from a Network Service Provider in the following speed increments: 10 Mbps, 50 Mbps, 100 Mbps, 500 Mbps, and 1 Gbps. Each speed has a monthly cost associated to it on the Microsoft Azure side as well as on the provider side. The advantage of a network service provider model is that no matter how much data you transfer per month, there are no additional ingress or egress costs.
The other advantage of the Network Service Provider model is the routing and the high-availability of the ExpressRoute circuit, as well as having the network managed by the provider. This reduces the customer overhead costs of managing a network extension from the customer datacenter to Microsoft Azure.
ExpressRoute and PowerShell
Configuring ExpressRoute requires Microsoft Azure PowerShell and the ExpressRoute cmdlet library. While the ExpressRoute library is installed with the latest Azure PowerShell SDK, it is not loaded by default in the Azure PowerShell command window. In order to load the ExpressRoute library, use can use the following command:
Import-Module ‘C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\ExpressRoute\ExpressRoute.psd1’
After the ExpressRoute library is loaded in the Azure PowerShell command window, you can get ExpressRoute provider information using the Get-AzureDedicatedCircuitServiceProvider cmdlet.
Running this cmdlet will retrieve the latest list of Network Service Providers and Exchange Providers, the locations that they have connections to Microsoft Azure datacenters, and the currently supported bandwidths. Figure 2 shows the current available service providers.
Figure 2: ExpressRoute Service Provider Information
Once you have identified the latest information for the Network Service Provider that will enable your connection to Microsoft Azure, you can proceed to establish the dedicated circuit connection.
The following steps are required:
- Create a dedicated circuit with the Network Service Provider at the desired bandwidth to the desired location using Azure PowerShell
- Configure the vNets, subnets, and gateway in Microsoft Azure
- Create the Virtual Network Connection (VNC) and the VLAN on the provider side
- Establish the dedicated circuit link from the VLAN to the Microsoft Azure vNet using Azure PowerShell
Create the Dedicated Circuit to the Network Service Provider
To create the dedicated circuit to the Network Service Provider, you need the following 4-tuple of information:
- Network service provider name
- Location for the Azure connection
- Bandwidth of the circuit
- Circuit name
All of this information, except for the circuit name, is available by using the Azure PowerShell Get-AzureDedicatedCircuitServiceProvider cmdlet. For this article example, we will use AT&T as the network service provider.
If you look at the information displayed in Figure 2 for AT&T, there are two locations to connect (Silicon Valley, Washington DC), and the following bandwidth circuits are available: 10Mbps, 50 Mbps, 100 Mbps, 500 Mbps, and 1 Gbps.
You can create the new dedicated circuit using the New-AzureDedicatedCircuit cmdlet and by providing the 4-tuple of information (service provider, location, bandwidth, circuit name). For example, to create a new dedicated circuit using AT&T, with a location of Silicon Valley, a bandwidth of 500 Mbps, and a circuit name of WestDedicatedCircuit, you could use the following commands:
$ServiceProvider = “at&t”
$Location = “Silicon Valley”
$Bandwidth = 500
$CircuitName = “WestDedicatedCircuit”
New-AzureDedicatedCircuit -CircuitName $CircuitName -ServiceProviderName $ServiceProvider -Bandwidth $Bandwidth -Location $Location
The output from running the New-AzureDedicatedCircuit cmdlet will be something similar to the following information:
Bandwidth : 500
CircuitName : WestDedicatedCircuit
Location : Silicon Valley
ServiceKey : 11111111-2222-3333-4444-555555555555
ServiceProviderName : at&t
ServiceProviderProvisioningState : NotProvisioned
Status : Enabled
You can also retrieve the information using the Get-AzureDedicatedCircuit cmdlet which will list every defined dedicated circuit.
Configure the vNets, Subnets, and Gateway for ExpressRoute
Before you can continue, you must determine the address space for each vNet that will be defined, how that address space will be broken up to make subnets (including a gateway subnet with a CIDR of /28), and create the gateway for the vNet. Completing these steps have been covered in previous articles and additional details can be found at Configure a Virtual Network and Gateway for ExpressRoute on the Microsoft MSDN site.
Create the Virtual Network Connection and VLAN
The next step is to create the Virtual Network Connection (VNC) that establishes a connection to the Microsoft Azure datacenter and establishes the bandwidth for the circuit. Once that is done, you must configure the VLAN that established the circuit on the provider side to the Microsoft Azure edge routers. To accomplish this step, you need a dedicated address CIDR for a /29 network that can be used by the provider to divide into two /30 networks to establish the redundant VLAN networks.
Most Network Service Providers have a self-service portal that customers can use to perform these steps. At TechEd North America 2014, AT&T demonstrated the self-service portal in session DCIM-B423. You can watch this session using the following link: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B423#fbid.
Establish the Dedicated Circuit Link from the VLAN to the Microsoft Azure vNet using Azure PowerShell
Once the Network Service Provider VLAN has been created and shows as provisioned in the self-service portal, you can proceed to establish the Microsoft Azure side of the dedicated circuit link. You use the New-AzureDedicatedCircuitLink cmdlet in Azure PowerShell to accomplish this step.
Before you proceed, you need to know the vNet that the circuit will connect to and the Service Key created when you executed the New-AzureDedicatedCircuit cmdlet. The Service Key will be in the format 11111111-2222-3333-4444-555555555555.
$Vnet = “MyTestVNet”
$ServiceKey = “11111111-2222-3333-4444-555555555555”
New-AzureDedicatedCircuitLink -ServiceKey $ServiceKey -VNetName $Vnet
If the dedicated circuit link is successful, then you will get a response that says Provisioned. If you receive an error, then you need to troubleshoot all the values to ensure that they are correct.
In order to verify that the circuit is provisioned, you can run the Get-AzureDedicatedCircuit cmdlet and verify that the ServiceProviderProvisioningStateshows as Provisioned.
Conclusion
ExpressRoute provides a high-speed, low latency, dedicated private network for connecting your datacenter to a virtual network in the Microsoft Azure datacenter. Leveraging ExpressRoute using the Network Service Provider model allows you to have a high-performance, high security network link from your datacenter to Microsoft Azure with a predictable monthly cost model while reducing your network management overhead for a dedicated connection to Microsoft Azure.
Do the network service providers charge separately for provisioning the dedicated circuit?