This reference architecture shows how to connect an on-premises network to an Azure virtual network by using Azure ExpressRoute, with a site-to-site virtual private network (VPN) as a failover connection.
Architecture
Workflow
The architecture consists of the following components.
- On-premises network. A private local-area network running within an organization.
- VPN appliance. A device or service that provides external connectivity to the on-premises network. The VPN appliance can be a hardware device, or it can be a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012. For a list of supported VPN appliances and information on configuring selected VPN appliances for connecting to Azure, see About VPN devices for Site-to-Site VPN Gateway connections.
- ExpressRoute circuit. A layer 2 or layer 3 circuit supplied by the connectivity provider that joins the on-premises network with Azure through the edge routers. The circuit uses the hardware infrastructure managed by the connectivity provider.
- ExpressRoute virtual network gateway. The ExpressRoute virtual network gateway enables the Azure virtual network to connect to the ExpressRoute circuit that's used for connectivity with your on-premises network.
- VPN virtual network gateway. The VPN virtual network gateway enables the Azure virtual network to connect to the VPN appliance in the on-premises network. The VPN virtual network gateway is configured to accept requests from the on-premises network only through the VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.
- VPN connection. The connection has properties that specify the connection type (IPsec) and the key shared with the on-premises VPN appliance, which is used to authenticate the tunnel and encrypt the traffic that crosses it.
- Azure virtual network. Each virtual network resides in a single Azure region, and can host multiple application tiers. Application tiers can be segmented using subnets in each virtual network.
- Gateway subnet. The virtual network gateways are held in the same subnet.
Scenario details
This reference architecture shows how to connect an on-premises network to an Azure virtual network by using ExpressRoute, with a site-to-site virtual private network (VPN) as a failover connection. Traffic flows between the on-premises network and the Azure virtual network through an ExpressRoute connection. If connectivity on the ExpressRoute circuit is lost, traffic is routed through an IPsec VPN tunnel instead.
Note that if the ExpressRoute circuit is unavailable, the VPN route carries only the traffic that used private peering. Public peering and Microsoft peering traffic passes over the Internet and is not protected by the VPN failover.
Recommendations
The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.
The virtual network and GatewaySubnet
Create the ExpressRoute virtual network gateway connection and the VPN virtual network gateway connection in the same virtual network with a Gateway object already in place. They'll both share the same subnet named GatewaySubnet.
If the virtual network already includes a subnet named GatewaySubnet, ensure that it has a /27 or larger address space. If the existing subnet is too small, use the following PowerShell command to remove the subnet:
```powershell
$vnet = Get-AzVirtualNetwork -Name <your-vnet-name> -ResourceGroupName <your-resource-group>
Remove-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
```
If the virtual network doesn't contain a subnet named GatewaySubnet, create a new one using the following PowerShell command:
```powershell
$vnet = Get-AzVirtualNetwork -Name <your-vnet-name> -ResourceGroupName <your-resource-group>
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.224/27"
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
```
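The two commands above cover the "too small" and "missing" cases separately. The following script is an added example, not part of the original article or a Microsoft-provided script: it checks the existing GatewaySubnet, leaves it alone if it is already /27 or larger, creates it if it is missing, and recreates it only when it is too small and no gateway is still attached to it. It assumes the Az.Network module is installed and Connect-AzAccount has completed; the resource group and virtual network names are placeholders, and the address prefix is the one from the article's own command.

```powershell
# Added example (not from the original article): ensure the virtual network
# has a GatewaySubnet of /27 or larger before creating the two gateways.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
$resourceGroup = "<your-resource-group>"   # placeholder
$vnetName      = "<your-vnet-name>"        # placeholder
$gatewayPrefix = "10.200.255.224/27"       # prefix used in the article; adjust to your address plan

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq "GatewaySubnet" }

if ($null -eq $subnet) {
    # No GatewaySubnet yet: add one with the desired prefix and save the VNet.
    Write-Host "GatewaySubnet not found; creating it with prefix $gatewayPrefix"
    Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix $gatewayPrefix | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
else {
    # AddressPrefix may be a single string or a list depending on the Az version;
    # take the first entry and read its prefix length. A larger prefix length
    # (/28, /29, ...) means a smaller subnet.
    $prefix       = @($subnet.AddressPrefix)[0]
    $prefixLength = [int]($prefix.Split('/')[1])

    if ($prefixLength -le 27) {
        Write-Host "GatewaySubnet $prefix is /27 or larger; nothing to do."
    }
    elseif ($subnet.IpConfigurations.Count -gt 0) {
        # A gateway is already using the subnet; it cannot be resized in place.
        throw "GatewaySubnet $prefix is too small but still has gateway IP configurations attached. Remove the existing gateway first."
    }
    else {
        # Too small and unused: remove it and re-add it with the larger prefix.
        Write-Host "GatewaySubnet $prefix is smaller than /27; recreating it as $gatewayPrefix"
        Remove-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet | Out-Null
        Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix $gatewayPrefix | Out-Null
        $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    }
}
```

The script refuses to delete a GatewaySubnet that still has gateway IP configurations attached, because the removal would fail anyway and the right fix is to remove the gateway first, as the next section describes.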
VPN and ExpressRoute gateways
Verify that your organization meets the ExpressRoute prerequisite requirements for connecting to Azure.
If you already have a VPN virtual network gateway in your Azure virtual network, use the following PowerShell command to remove it:
```powershell
Remove-AzVirtualNetworkGateway -Name <your-gateway-name> -ResourceGroupName <your-resource-group>
```
Follow the instructions in Configure a hybrid network architecture with Azure ExpressRoute to establish your ExpressRoute connection.
Follow the instructions in Configure a hybrid network architecture with Azure and On-premises VPN to establish your VPN virtual network gateway connection.
After you've established the virtual network gateway connections, test the environment as follows:
- Make sure you can connect from your on-premises network to your Azure virtual network.
- Contact your provider to stop ExpressRoute connectivity for testing.
- Verify that you can still connect from your on-premises network to your Azure virtual network using the VPN virtual network gateway connection.
- Contact your provider to reestablish ExpressRoute connectivity.
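The four test steps above are manual. The script below is an added example, not part of the original article or a Microsoft-provided tool: it records the state of both gateway connections, lists the routes the VPN gateway has learned, and performs a TCP probe from on-premises to a VM in the Azure virtual network. Run it once before asking the provider to stop the circuit (`-Phase baseline`) and again while the circuit is down (`-Phase failover`); in the second run the probe must still succeed over the VPN path. It assumes the Az.Network module is installed, Connect-AzAccount has completed, the script runs on a Windows machine inside the on-premises network, and that BGP is enabled on the VPN gateway (the learned-route listing is skipped with a warning otherwise). All names and the target address are placeholders.

```powershell
# Added example (not from the original article): snapshot both gateway
# connections and probe a VM across the link, once before and once during
# the ExpressRoute outage arranged with the provider.
param([string]$Phase = "baseline")   # "baseline" or "failover"

$resourceGroup  = "<your-resource-group>"             # placeholder
$erConnection   = "<expressroute-connection-name>"    # placeholder
$vpnConnection  = "<vpn-connection-name>"             # placeholder
$vpnGatewayName = "<vpn-gateway-name>"                # placeholder
$targetVm       = "10.200.1.4"   # constructed: a VM inside the Azure virtual network
$targetPort     = 22             # a port the VM is known to listen on

function Get-ConnectionSummary {
    param([string]$Name)
    $c = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $resourceGroup
    [pscustomobject]@{
        Connection   = $c.Name
        Type         = $c.ConnectionType      # ExpressRoute or IPsec
        Status       = $c.ConnectionStatus    # Connected, NotConnected, Connecting, Unknown
        IngressBytes = $c.IngressBytesTransferred
        EgressBytes  = $c.EgressBytesTransferred
    }
}

function Test-AzureReachability {
    # TCP handshake from on-premises to the VM; $true means the path carries traffic.
    $r = Test-NetConnection -ComputerName $targetVm -Port $targetPort -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

Write-Host "=== Phase: $Phase ==="

Write-Host "-- Gateway connections --"
$er  = Get-ConnectionSummary $erConnection
$vpn = Get-ConnectionSummary $vpnConnection
$er, $vpn | Format-Table -AutoSize

# Routes the VPN gateway has learned; only available when BGP is enabled on it.
Write-Host "-- Routes learned by the VPN gateway (BGP only) --"
try {
    Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $vpnGatewayName -ResourceGroupName $resourceGroup |
        Select-Object Network, NextHop, SourcePeer, Origin |
        Format-Table -AutoSize
}
catch {
    Write-Warning "Could not read learned routes: $($_.Exception.Message)"
}

Write-Host "-- Reachability from on-premises --"
$reachable = Test-AzureReachability
switch ($Phase) {
    "baseline" {
        if ($reachable) { Write-Host "Baseline OK: ${targetVm}:${targetPort} reachable over the primary path." }
        else { Write-Warning "${targetVm}:${targetPort} is not reachable; fix this before testing failover." }
    }
    "failover" {
        # ConnectionStatus is not always populated for ExpressRoute connections,
        # so the probe result, not the status field, is the authoritative check.
        if ($er.Status -eq "Connected") { Write-Warning "ExpressRoute connection still reports Connected; confirm with the provider that the circuit is down." }
        if ($vpn.Status -ne "Connected") { Write-Warning "VPN connection status is '$($vpn.Status)'; failover cannot carry traffic." }
        if ($reachable) { Write-Host "Failover OK: ${targetVm}:${targetPort} reachable while ExpressRoute is down." }
        else { Write-Warning "VM not reachable over the VPN path; check on-premises route advertisement and the VPN appliance." }
    }
}
```

Comparing the IngressBytes and EgressBytes columns between the two runs shows whether the VPN connection actually carried the test traffic rather than the probe succeeding over a path you did not expect.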
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
Security
Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.
For general Azure security considerations, see Microsoft cloud services and network security.
Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.
For ExpressRoute cost considerations, see these articles:
Operational excellence
Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.
For ExpressRoute DevOps considerations, see the Configure a Hybrid Network Architecture with Azure ExpressRoute guidance.
For site-to-site VPN DevOps considerations, see the Configure a Hybrid Network Architecture with Azure and On-premises VPN guidance.
Deploy this scenario
Prerequisites. You must have an existing on-premises infrastructure already configured with a suitable network appliance.
To deploy the solution, perform the following steps.
Select the link below.
Wait for the link to open in the Azure portal, then select the Resource group you would like to deploy these resources into or create a new resource group. The Region and Location will automatically change to match the resource group.
Update the remaining fields if you would like to change the resource names, providers, SKU, or network IP addresses for your environment.
Select Review + create and then Create to deploy these resources.
Wait for the deployment to complete.
Note
This template deployment only deploys the following resources:
- A resource group (if you create new)
- An ExpressRoute circuit
- An Azure virtual network
- An ExpressRoute virtual network gateway
In order for you to successfully establish private peering connectivity from on-premises to the ExpressRoute circuit, you'll need to engage your service provider with the circuit service key. The service key can be found on the overview page of the ExpressRoute circuit resource. For more information on configuring your ExpressRoute circuit, see Create or modify peering configuration. Once you have configured private peering successfully you can link the ExpressRoute virtual network gateway to the circuit. For more information, see Tutorial: Connect a virtual network to an ExpressRoute circuit using the Azure portal.
To complete the deployment of site-to-site VPN as a backup to ExpressRoute, see Create a site-to-site VPN connection.
Once you've successfully configured a VPN connection to the same on-premises network for which you configured ExpressRoute, the setup is complete: the VPN connection backs up the ExpressRoute connection if there's a total failure at the peering location.
Contributors
This article is maintained by Microsoft. It was originally written by the following contributors.
Principal author:
- Sarah Parkes | Senior Cloud Solution Architect
Next steps
- ExpressRoute Documentation
- Azure Security baseline for ExpressRoute
- How to create an ExpressRoute circuit
- Azure Networking Blog
- Configure ExpressRoute and Site-to-Site coexisting connections using PowerShell