Express Route and VPN together

Suwarna S Kale 301 Reputation points
2023-10-17T12:02:02.0033333+00:00

Our scenario: We are planning to use Express Route, VWAN integrated with Azure Firewall in East US (primary site) and West US (secondary/DR site) and we will be connecting the on-premise data center with Express Route.

Questions:

  1. If we are using the express route, does that provide redundant connections to the on-premise data center from each Azure region? How can we make sure we have redundant connectivity? What are the best practices or recommendations?
  2. Do we still need to have a VPN connection along with the express route to have redundant connectivity to our on-prem data center? What are the best practices or recommendations?
  3. With our current connectivity components (VWAN, Express route, Azure Firewall), what happens if the entire region goes down, and are these components resilient to failure? What are the best practices or recommendations?

Please provide as much information as possible around the above components and scenarios so that we can review and make the best possible decision for the different scenarios.


2 answers

  1. msrini-MSFT 9,266 Reputation points Microsoft Employee
    2023-10-18T00:37:27.6566667+00:00

    Hi,

    With respect to the redundancy of ER, you can consider following:

    1. Having 2 circuits from different ISPs and preferring one over the other; during an ISP failure you will have a redundant link to reach On-Premises.
    2. If you think the #1 is costlier, you can go with the co-existing setup which you mentioned earlier with ER + VPN gateway.
    3. You can deploy another Hub in West US and have the same setup and in case of DR, you can reach West US via this path.

    Regards,

    Karthik Srinivas


  2. GitaraniSharma-MSFT 49,011 Reputation points Microsoft Employee
    2023-10-25T13:11:50.3333333+00:00

    Hello @Suwarna S Kale ,

    I understand that you are planning to use Azure ExpressRoute, Azure VWAN integrated with Azure Firewall in East US (primary site) and West US (secondary/DR site) and you will be connecting the on-premises data center with ExpressRoute and have some questions about this setup. Please find the answers below.

    If we are using the express route, does that provide redundant connections to the on-premises data center from each Azure region? How can we make sure we have redundant connectivity? What are the best practices or recommendations?

    When you say that you are planning to use Express Route, VWAN integrated with Azure Firewall in East US (primary site) and West US (secondary/DR site), does that mean you will configure 2 ExpressRoute circuits, one for each region, or will it be a single ExpressRoute circuit connecting to both regions?

    For disaster recovery, it is generally recommended to use multiple ExpressRoute circuits.

    Refer: https://video2.skills-academy.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering

    https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-faqs#how-is-redundancy-implemented-for-private-peering

    So, if you have multiple ExpressRoute circuits from different peering locations, it will provide high availability in case a single circuit becomes unavailable. You can then assign higher weights to one of the local connections to prefer a specific circuit. It's recommended that your setup has at least two ExpressRoute circuits to avoid single points of failure.

    If you have a single circuit, then make sure to operate both the primary and secondary connections of your ExpressRoute circuit in active-active mode.

    Refer: https://video2.skills-academy.com/en-us/azure/expressroute/designing-for-high-availability-with-expressroute

    Running the primary and secondary connections of an ExpressRoute circuit in active-passive mode faces the risk of both connections failing following a failure in the active path. The common causes for failure on switching over are lack of active management of the passive connection, and the passive connection advertising stale routes.

    Do we still need to have a VPN connection along with the express route to have redundant connectivity to our on-prem data center? What are the best practices or recommendations?

    It completely depends on your requirement and existing network architecture. If you need a failover path and don't want to go with multiple ExpressRoute circuits, then you can go with ExpressRoute and Site-to-Site coexisting connections.

    You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This connection applies only to virtual networks linked to the Azure private peering path. There's no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN. You can prefer the ExpressRoute path by setting a higher local preference for the routes received over the ExpressRoute circuit.

    Refer: https://video2.skills-academy.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal#configuration-designs

    With our current connectivity components (VWAN, Express route, Azure Firewall), what happens if the entire region goes down, and are these components resilient to failure? What are the best practices or recommendations?

    If you want resiliency across regions, you can connect to multiple Azure Virtual WAN hubs.

    While the concept of Virtual WAN is global, the actual Virtual WAN resource is Resource Manager-based and deployed regionally. If the virtual WAN region itself were to have an issue, all hubs in that virtual WAN will continue to function as is, but the user won't be able to create new hubs until the virtual WAN region is available.

    Refer: https://video2.skills-academy.com/en-us/azure/virtual-wan/virtual-wan-faq#how-are-availability-zones-and-resiliency-handled-in-virtual-wan

    https://video2.skills-academy.com/en-us/azure/virtual-wan/disaster-recovery-design

    https://video2.skills-academy.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology

    For ExpressRoute, as mentioned before, the recommendation is to use another ExpressRoute circuit in a different region for failover.

    Refer: https://video2.skills-academy.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution

    Same goes for Azure Firewall. The recommendation is to deploy one firewall per region.

    Refer: https://video2.skills-academy.com/en-us/azure/firewall/firewall-faq#what-is-the-typical-deployment-model-for-azure-firewall

    https://video2.skills-academy.com/en-us/azure/firewall/firewall-multi-hub-spoke

    Kindly let us know if the above helps or you need further assistance on this issue.


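The path-selection behaviour both answers describe (a single circuit run active-active versus active-passive, two circuits with one preferred by weight, and a Site-to-Site VPN kept as a backup by raising local preference on ExpressRoute-learned routes so that routing stays symmetric) is easier to reason about with a small model. The following Python script is an added example, not code from the thread or from Microsoft; the link names, prefixes, weights and local-preference values are constructed assumptions, and its decision order is a simplified BGP best-path rule (weight, local preference, AS path length, then the oldest route).

```python
"""BGP-style path selection for the ExpressRoute redundancy options discussed
in the thread. Everything is constructed for illustration: link names,
prefixes, weights and local-preference values are assumptions, not values
from the Q&A thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str             # destination prefix carried in the BGP update
    via: str                # link (circuit connection, VPN tunnel) it was learned over
    weight: int = 0         # receiver-local weight, higher wins (Azure-side connection weight)
    local_pref: int = 100   # local preference, higher wins (set on the on-prem router)
    as_path_len: int = 1    # AS path length, shorter wins


def _rank(r: Route) -> Tuple[int, int, int]:
    # Simplified BGP decision order: weight, local preference, AS path length.
    # Remaining tie-breakers (origin, MED, router-id, ...) are ignored; a full
    # tie goes to the route learned first, like BGP's "oldest route" rule.
    return (r.weight, r.local_pref, -r.as_path_len)


def best_path(routes: List[Route]) -> Optional[Route]:
    """Return the preferred route, or None when nothing is reachable."""
    if not routes:
        return None
    return max(routes, key=_rank)  # max() keeps the first of equal-ranked routes


class RouteTable:
    """Routes learned by one side (the Azure gateway or the on-prem edge)."""

    def __init__(self) -> None:
        self.rib: Dict[str, List[Route]] = {}

    def advertise(self, route: Route) -> None:
        self.rib.setdefault(route.prefix, []).append(route)

    def withdraw(self, via: str) -> None:
        """Model a link failure: every route learned over `via` disappears."""
        for prefix in self.rib:
            self.rib[prefix] = [r for r in self.rib[prefix] if r.via != via]

    def selected(self, prefix: str) -> Optional[str]:
        best = best_path(self.rib.get(prefix, []))
        return best.via if best else None

    def equal_cost(self, prefix: str) -> List[str]:
        """Links tied with the best path, i.e. what ECMP would spread flows across."""
        routes = self.rib.get(prefix, [])
        best = best_path(routes)
        return [r.via for r in routes if best and _rank(r) == _rank(best)]


ONPREM = "10.0.0.0/16"   # constructed on-premises prefix
AZURE = "10.1.0.0/16"    # constructed Azure VNet prefix


def scenario_active_active():
    """One circuit, primary and secondary connections both advertising: flows are
    spread over both, and the surviving connection keeps the prefix reachable."""
    rt = RouteTable()
    rt.advertise(Route(ONPREM, via="er-primary"))
    rt.advertise(Route(ONPREM, via="er-secondary"))
    before = rt.equal_cost(ONPREM)
    rt.withdraw("er-primary")
    return before, rt.selected(ONPREM)


def scenario_active_passive():
    """Same circuit run active-passive with an unmanaged passive connection that
    advertises nothing: losing the active path leaves no route at all."""
    rt = RouteTable()
    rt.advertise(Route(ONPREM, via="er-primary"))
    before = rt.selected(ONPREM)
    rt.withdraw("er-primary")
    return before, rt.selected(ONPREM)


def scenario_two_circuits():
    """Two circuits from different peering locations; a higher connection weight
    prefers circuit A, and circuit B takes over when A is withdrawn."""
    rt = RouteTable()
    rt.advertise(Route(ONPREM, via="er-circuit-A", weight=200))
    rt.advertise(Route(ONPREM, via="er-circuit-B", weight=100))
    first = rt.selected(ONPREM)
    rt.withdraw("er-circuit-A")
    return first, rt.selected(ONPREM)


def scenario_er_with_vpn_backup(onprem_sets_local_pref: bool):
    """ExpressRoute + Site-to-Site VPN coexistence. Azure always prefers the
    ExpressRoute connection for the return path (modelled as a higher weight).
    On premises the VPN route is learned first by construction, so unless the
    operator raises local preference on ExpressRoute-learned routes the forward
    path goes over the VPN: asymmetric routing. Returns (forward, return, failover)."""
    onprem = RouteTable()
    onprem.advertise(Route(AZURE, via="s2s-vpn"))
    onprem.advertise(Route(AZURE, via="expressroute",
                           local_pref=200 if onprem_sets_local_pref else 100))
    azure = RouteTable()
    azure.advertise(Route(ONPREM, via="expressroute", weight=200))
    azure.advertise(Route(ONPREM, via="s2s-vpn", weight=100))
    forward, back = onprem.selected(AZURE), azure.selected(ONPREM)
    onprem.withdraw("expressroute")   # circuit failure as seen from on premises
    return forward, back, onprem.selected(AZURE)


if __name__ == "__main__":
    print("active-active:", scenario_active_active())
    print("active-passive:", scenario_active_passive())
    print("two circuits:", scenario_two_circuits())
    print("ER + VPN, local-pref set:", scenario_er_with_vpn_backup(True))
    print("ER + VPN, local-pref not set:", scenario_er_with_vpn_backup(False))
```

Run it directly to see each scenario before and after the failure. The point of the last scenario is the one the second answer makes about asymmetric routing: Azure's preference for ExpressRoute is one-sided, so the on-premises router has to express the same preference (local preference on routes received over the circuit) or the forward and return paths diverge. In a real deployment the weights are set per connection on the Azure side and the local preference in the on-premises router's BGP policy; the model only shows how the decision falls out.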