Hub and spoke topology: expressroute MS peering with NVA

JohnKim 1 Reputation point
2020-07-13T06:05:54.667+00:00

Hi,

Sorry if this is a silly question.

If I have ER (MS peering) enabled with FW for hub and spoke topology, does the traffic from on-prem flow through the FW in hub like private peering? For example, let's say I use ASR and traffic replication flows through MS peering. This traffic would have to go through FW in hub or would it go out to Azure backbone to reach PaaS?

Thanks in advance for the help.

Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
340 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Mubarak Tanseer 1 Reputation point Microsoft Employee
    2020-07-13T19:48:03.673+00:00

    Hi,

    Please note the firewall has to be deployed in a Virtual Network. The Azure PaaS services are not pat of the VNET and they span across the MS network. An Express Route circuit with only MS Peering does not have to connect with VNET.

    So the traffic on MS peering would take the Microsoft network and communicates with PaaS service resources.

    Hope this clarifies !

    0 comments
  2. GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee
    2020-07-15T10:10:50.207+00:00

    Hello @JohnKim ,

    Azure PaaS services are multi-tenant shared services and they exist outside your Vnet and span across the Microsoft network but a Firewall or NVA is always deployed within your Vnet.

    Connectivity to Microsoft online services (Office 365 and Azure PaaS services) occurs through Microsoft peering. And this traffic goes through the Azure backbone and not through your Vnet.
    Please refer the diagram in the following article for clarity : https://video2.skills-academy.com/en-us/azure/expressroute/expressroute-circuit-peerings#routingdomains

    Hence, the traffic on Microsoft peering would take the Microsoft backbone network and communicate directly with PaaS service resources.

    However, if you would like to access the Azure PaaS Services from your on-premises privately, you may opt for Azure Private link/Endpoint. There's no need to set up public/Microsoft peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure.
    Please refer : https://video2.skills-academy.com/en-us/azure/private-link/private-link-overview
    https://video2.skills-academy.com/en-us/azure/private-link/private-endpoint-overview

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.