Ganesh SrinivasanSenior Program Manager, Azure Networking

Extending your on-premises network into Azure using ExpressRoute

3-618

Review of Hybrid scenarios in AzureExpressRoute overview

Agenda slide

Windows Azure hybrid offerings

Cloud Customer Segment and workloads

Secure point-to-site connectivity

Virtual Network (Point-to-Site)

• Developers• POC Efforts• Small scale

deployments• Connect from

anywhereSecure site-to-site VPN connectivityVirtual Network (Site-to-Site)

• SMB, Enterprises• Connect to Azure

Compute• IaaS and PaaS workloads

Private site-to-site connectivity

ExpressRoute

• SMB & Enterprises• Mission critical workloads• Backup/DR, Media, HPC• Connect to all hardware

Windows Azure Virtual Network

Extend your infrastructureNetworking on-ramp for migrating apps and services

Your “virtual” branch office / datacenter in the cloud

Run “hybrid” apps that span cloud and your premises

Secure private networks fully contained in Windows Azure

Extend your trust boundary - IaaS and PaaS better together

Virtual Network

Your Datacenter

Internet

Active Directory

SharePointSQL Server

Windows Azure

Virtual Networks & P2S Connectivity

Connect from anywhere securely

No software installation required!

Easy to setup and use

Ideal for prototyping, development, demos

P2S and S2S coexist

P2SVPNs

Active Directory

SharePointSQL Server

Windows Azure

Existing Datacenter

S2S VPN

What’s newO

n-p

rem

ise

S2S VPN

Existing Datacenter

P2SVPNs

Active Directory

SharePointSQL Server

Windows Azure

Exciting capabilitiesPoint-to-site Generally Available

Dynamic Routing Gateways generally available

More VPN devices options

ExpressRoute

Reluctance to adopt public cloud

60% Cited performanceas a key challenge for Cloud

66% Cited data and network securityas a key challenge for Cloud

Private network

Hoster

Private cloud

Private cloud

Performance

Predictability

Security

Expensive

Performance

Predictability

Security

Expensive

Internet

Azure

What Customers Want

PerformanceAssured bandwidth to Azure

SecurityAzure is connected to the customer’s WANNo internet in the path

AvailabilityNo single point of failure

Private network

Hoster

Private cloud

Private cloud

InternetAzure

WAN

Cloud on your WAN• Avoids risks from exposure to Internet• Avoids complexity and added costs• Provides lower latency, higher bandwidth

and greater availability

Public cloud

WAN

Customer DC

Customer site 1

Customer site 2

Public internet

Customers want Windows Azure on their network

IPsec VPN over Internet• Greater networking costs and latency since data is hair

pinned through a customer data center• Data travels over the open Internet to connect to cloud• Bandwidth is limited

Public cloud

WAN

Customer DC

Customer site 1

Customer site 2

Public internet

High throughput

Security

Lower cost

Predictable performance

What is ExpressRoute?ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Windows Azure datacenters and their on-premises IT environment.

Enable mission critical workloads Dev/test lab BI/big data

Media Productivity apps

Storage, backup, and recovery

Hybrid apps

ExpressRoute ConnectivityWindows AzurePublic services

Windows Azure Compute

Azure Edge

Connectivity Provider

Infrastructure

Customer’s network

Customer’s dedicated connection

Traffic to public IP addresses in Windows Azure

Traffic to Virtual Networks in Windows Azure

Public and Private peering

Contoso (10.0.0.0/16)

Exchange

AD/DNS

IIS ServersSQL Farm Proxy/Internet edge

Monitoring

Netbound–ExpressRoute Circuit

Windows Azure

Storage SQL Websites

Direct internet trafficCross PremisesInternet bound

Azure service access

Contoso virtual networks/Vms

Azure public services

AD/DNS

Internet

Virtual Network and ExpressRoute

Connect via an encrypted link over public internet

Peer at an ExpressRoute location, an Exchange Provider facility

Connection from a WAN provided by Network Service Provider. Azure becomes another site on the customer’s WAN network.

Scenario 1: IPSec VPN over internet

Scenario 2: Exchange Provider

Scenario 3: Network Service Provider

Windows AzureCustomer DC

Virtual Network - Compute only.

ExpressRoute - Provides customer choice and include access to compute, storage, and other Azure services.

Customer site ExpressRoutepartner location

Windows Azure

Customer site 1

Customer site 2

Customer site 3 Windows Azure

WAN

Publicinternet

Publicinternet

Publicinternet

Exchange Provider Network Service Provider scenario

Customer

Tiers/pricing

Customer already using co-location facility; or wants to meet Azure at Exchange Provider location for a simple point to point connection• Connect to Windows Azure directly through a virtual cross

connection• Higher flexibility• Control over routing• Place your hardware in the Exchange Provider’s datacenter• Throughput based tiers, data charges separate• Upto 10 GBps

Customer already getting managed WAN services (like MPLS VPN)• Connect to Windows Azure through VPN provider• Easy to onboard• Use your existing VPN to connect to Azure• Access from any site

• Throughput based tiers (with unlimited data)• Connection speeds of up to 1 GBps

Two flavors of ExpressRoute

Customer site ExpressRoutepartner location

Windows Azure

Customer site 1

Customer site 2

Customer site 3 Windows Azure

WAN

ExpressRoute PartnersExchange Provider Network Service Provider

scenario

Customer site ExpressRoutepartner location

Windows Azure

Customer site 1

Customer site 2

Customer site 3 Windows Azure

WAN

Publicinternet

Publicinternet

ExpressRoute and Exchange Providers

Equinix and ExpressRoute

• Secure and private• Consistent throughput• Flexible and dynamic• Reduced provisioning

times

equinixcloud exchange

1G Bandwidth1G Bandwidth

10 G

BandwidthMicrosoft managed

ExpressRoute

Seamless automated provisioning

Customer cage

Customer cage

Customer cage

2. Customer requests

connectivity through Exchange

Provider

1. Customer signs up for ExpressRoute

3. Customer get s-key

IXP

Customer Experience : Exchange Provider Workflow

Customer

MicrosoftWindows Azure

Exchange Provider

4. Customer passes s-key & other details

5. Customer configures routing6. Customer links services

Customer signs up for ExpressRoute

• Signs up for a Windows Azure subscription

• Signs up for ExpressRoute service

Customer requests connectivity through Exchange Provider• Customer provided with list of

connectivity providers, locations, and supported bandwidths

• Customer selects best option and makes a request

• Customer receives a service key (s-key) in response to the request

Customer configures routing between their premises and Azure• Customer sets up 2 pairs of BGP

sessions (one for public peering and one for private peering)

• Customer specifies IP subnets for BGP sessions, AS number and MD5 hash (optional)

Customer links services• Links virtual networks to private

peering BGP sessions• Connectivity to public peering

services and NAT enabled as soon as BGP session has been configured

Configuration complete• Customer connects to all Azure

services via ExpressRoute circuit

Exchange Provider enables connection for customer• Customer passes service key (s-key) and

other details to Exchange Provider necessary to facilitate peering

• Exchange Provider enables a pair of virtual crossconnects for customers per circuit

• Exchange Provider sends confirmation to Microsoft (programmatically) and other customers

ExpressRoute and Network Service Providers

Extend your AT&T VPN to Windows Azure

*Storage will be supported upon service launch

AT&T NetBond and Windows Azure ExpressRoute seamlessly integrate to allow you to extend your MPLS VPN into Windows Azure isolating your traffic from other cloud traffic

Storage*

Compute

Users

Internal IT

VPN access – Today: fixed connectionsFuture: on demand, self service, consumptionbased connections

Private Cloud

VPN

VPN

Base or persistent loads

IT resources – on demand, self service, consumption based, dynamically scalable, logically isolated

Enterprise A

Enterprise B

Windows Azure

WAN

2. Customer requests

connectivity through Network

Service Provider

1. Customer signs up for ExpressRoute

3. Customer get s-key

IXP

Customer Experience : Network Service Provider Workflow

Customer

MicrosoftWindows Azure

Network Service Provider

4. Customer passes s-key & other details

5. Customer links services

Customer signs up for ExpressRoute

• Signs up for a Windows Azure subscription

• Signs up for ExpressRoute service

Customer requests connectivity through NSP• Customer provided with list of

connectivity providers, locations, and supported bandwidths

• Customer selects best option and makes a request

• Customer receives a service key (s-key) in response to the request

Customer links services• Links virtual networks to private

peering BGP session• Connectivity to public peering

services and NAT enabled as soon as BGP session has been configured

Configuration complete• Customer connects to all Azure

services via ExpressRoute circuit from WAN

NSP enables connection for customer• Customer passes on service key (s-key) to

NSP along with other details necessary to facilitate peering and routing

• NSP enables connectivity and configures routes for both public and private peering sessions

• NSP sends confirmation to Microsoft (programmatically) and customer

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

ExpressRoute PowerShell CommandletsExpressRoute commandlets Description

Get-AzureDedicatedCircuitServiceProvider

Lists all ExpressRoute service providers including carriers and internet exchange points offering connectivity across all regions in Windows Azure.

Get-AzureDedicatedCircuit Lists all ExpressRoute circuits and details of each circuit.

Get-AzureDedicatedCircuitLink Lists the link state of a particular virtual network and an ExpressRoute circuit.

New-AzureDedicatedCircuit Creates a new ExpressRoute circuit in a Windows Azure subscription.

New-AzureDedicatedCircuitLink Creates a link between an ExpressRoute circuit and a virtual network in the current Windows Azure subscription.

Remove-AzureDedicatedCircuit Removes an ExpressRoute circuit.

Remove-AzureDedicatedCircuitLink Removes the link between a Virtual Network and an ExpressRoute circuit.

BGP Configuration commandlets Description

Get-AzureBGPPeering Returns an object with bgp configuration information of an ExpressRoute circuit.

New-AzureBGPPeering Creates a new BGP peering configuration for an ExpressRoute circuit.

Remove-AzureBGPPeering Removes the routing configuration for an ExpressRoute circuit.

Set-AzureBGPPeering Updates a BGP peering configuration for an ExpressRoute circuit.

During public preview• Washington D.C. • Silicon Valley, CA

Additional locations coming soon

Locations:

ExpressRoute Locations

Global datacenters

ExpressRoute locationsPublic preview

ExpressRoute PricingExchange Provider Network Service Provider

Per month:

$12,000

Per month:

$7,200

Per month:

$1,800

Per month:

$1,200

Per month:

$6001 Gbps500

Mbps

100 Mbps

50 Mbps

10 Mbps

Tiers with hard caps on bandwidth + unlimited data transfer

Monthly fee with included data transfer

1Gbps Port + 15 TB included egress

Per month:

$600Free Ingress

Overage:$0.035/GB Zone 1 $0.07/GB Zone 2

10Gbps Port + 250 TB included egressPer month:

$10,000

Free Ingress

Overage:$0.035/GB Zone 1 $0.07/GB Zone 2

Windows Azure page for Networking services Virtual Network ExpressRoute

Tutorials and How To guides Virtual networks and connectivity ExpressRoute with Exchange Providers

Whitepapers Windows Azure Network Security

Resources

Your Feedback is Important

Fill out an evaluation of this session and help shape future events.

Scan the QR code to evaluate this session on your mobile device.

You’ll also be entered into a daily prize drawing!

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.