Recommend a connectivity solution that connects Azure resources to on-premises networks
5 minutes
5 Questions
When designing connectivity solutions between Azure resources and on-premises networks, Azure Solutions Architects have several options to consider based on requirements for bandwidth, security, and reliability.
**VPN Gateway** is the most common starting point. It establishes encrypted tunnels ov…When designing connectivity solutions between Azure resources and on-premises networks, Azure Solutions Architects have several options to consider based on requirements for bandwidth, security, and reliability.
**VPN Gateway** is the most common starting point. It establishes encrypted tunnels over the public internet using IPsec/IKE protocols. Site-to-Site VPN connects entire on-premises networks to Azure virtual networks, supporting up to 10 Gbps with VpnGw5 SKU. This solution is cost-effective and suitable for moderate bandwidth needs.
**Azure ExpressRoute** provides private, dedicated connections through connectivity providers. ExpressRoute bypasses the public internet entirely, offering consistent latency, higher throughput (up to 100 Gbps), and enhanced reliability with 99.95% SLA. This is ideal for enterprise workloads requiring predictable performance and handling sensitive data. ExpressRoute Global Reach extends this connectivity between on-premises sites through Microsoft's backbone.
**ExpressRoute with VPN failover** combines both solutions for maximum resilience. The VPN connection serves as a backup path when the ExpressRoute circuit experiences issues, ensuring business continuity.
**Azure Virtual WAN** simplifies large-scale connectivity by providing a unified hub for managing multiple VPN and ExpressRoute connections. It offers automated branch connectivity, optimized routing, and integrated security through Azure Firewall.
**Recommendations based on scenarios:**
- Development/testing environments: Site-to-Site VPN
- Production workloads with moderate requirements: VPN Gateway with zone redundancy
- Mission-critical applications: ExpressRoute with private peering
- Global enterprises with multiple branches: Azure Virtual WAN with ExpressRoute
- Hybrid scenarios requiring Microsoft 365 integration: ExpressRoute with Microsoft peering
**Key considerations include:**
- Bandwidth requirements and growth projections
- Latency sensitivity of applications
- Compliance and data sovereignty requirements
- Budget constraints
- Redundancy and failover needs
Architects should implement Network Security Groups, Azure Firewall, and proper route tables to secure traffic flowing through these connections.
Recommend a Connectivity Solution That Connects Azure Resources to On-Premises Networks
Why This Topic Is Important
As an Azure Solutions Architect, one of your primary responsibilities is designing hybrid connectivity solutions. Most enterprises have existing on-premises infrastructure that must communicate securely with Azure resources. Understanding the various connectivity options and when to recommend each one is critical for the AZ-305 exam and real-world implementations.
What Are Azure to On-Premises Connectivity Solutions?
Azure provides several methods to establish secure, reliable connections between your on-premises network and Azure virtual networks:
1. VPN Gateway (Site-to-Site VPN) A VPN Gateway creates an encrypted tunnel over the public internet between your on-premises network and Azure. It uses IPsec/IKE protocols to secure traffic.
2. Azure ExpressRoute ExpressRoute provides a private, dedicated connection through a connectivity provider. Traffic does not traverse the public internet, offering higher reliability, faster speeds, and lower latencies.
3. ExpressRoute with VPN Failover This hybrid approach uses ExpressRoute as the primary connection with Site-to-Site VPN as a backup for high availability scenarios.
4. Azure Virtual WAN A networking service that brings together VPN, ExpressRoute, and point-to-site connectivity into a single operational interface for large-scale branch connectivity.
How Each Solution Works
Site-to-Site VPN: - Requires a VPN device on-premises with a public-facing IP address - Supports up to 10 Gbps with VpnGw5 SKU - Uses IPsec tunnels encrypted over the internet - Suitable for dev/test workloads or smaller production environments
ExpressRoute: - Connects through Microsoft Enterprise Edge (MSEE) routers - Offers bandwidths from 50 Mbps to 100 Gbps - Provides private peering for Azure VNets and Microsoft peering for Microsoft 365 and Dynamics 365 - Supports Global Reach to connect on-premises sites through Microsoft backbone
Choosing the Right Solution
Consider these factors when recommending a solution:
- Bandwidth requirements: ExpressRoute for high bandwidth needs (over 1 Gbps consistently) - Latency sensitivity: ExpressRoute for latency-critical applications - Security requirements: Both are secure, but ExpressRoute traffic stays off public internet - Cost considerations: VPN is more cost-effective for lower bandwidth needs - Reliability requirements: ExpressRoute offers SLA-backed uptime; combine with VPN for maximum availability - Time to deploy: VPN can be set up in hours; ExpressRoute requires weeks for circuit provisioning
Exam Tips: Answering Questions on This Topic
Key Decision Points to Remember:
1. When to choose VPN Gateway: - Budget constraints are mentioned - Bandwidth requirements are under 1 Gbps - Quick deployment is needed - Internet connectivity is acceptable
2. When to choose ExpressRoute: - Large data transfers or migrations are required - Low latency is critical (real-time applications) - Consistent, predictable performance is needed - Compliance requires private connectivity - Bandwidth exceeds 1 Gbps regularly
3. When to combine both: - High availability is the top priority - Business continuity requirements exist - ExpressRoute is primary with VPN as failover
4. Watch for these keywords in questions: - "Mission-critical" or "production workload" often points to ExpressRoute - "Cost-effective" or "limited budget" suggests VPN - "Regulatory compliance" or "private connection" indicates ExpressRoute - "Failover" or "redundancy" suggests combining solutions
5. Remember SKU differences: - VPN Gateway SKUs determine throughput and features - ExpressRoute circuits have Local, Standard, and Premium tiers - Premium ExpressRoute enables global connectivity across regions
6. Common exam scenarios: - Migrating large databases: ExpressRoute - Connecting a small branch office: Site-to-Site VPN - Connecting multiple global offices: ExpressRoute with Global Reach or Virtual WAN - Hybrid application with strict latency requirements: ExpressRoute