Connecting on-premises to Azure
Posted by Matthew Bradley
As ClearCloud is part of the UKFast Group, I often have conversations with clients who want to make use of both cloud platforms and require secure communication between the two environments.
A lot of those clients want to continue using UKFast’s eCloud platform to have dedicated hardware for their VMs, rather than being on the shared Hyper-V environment that Azure runs on, and also to get the most out of the range of hardware that is available.
So even if your core infrastructure isn’t in Azure, there are times when you will need a connection to it so that you can make use of some of the cool features that Azure offers.
If you’re like me and get excited about secure communication, then hold on to your hats as you’re in for a real treat!
There are several ways to configure a secure connection between cloud providers and it depends on what products you’re using in each as to which is the most appropriate.
Site-to-Site (S2S) VPN
For most people, an S2S VPN is going to be the most common. S2S VPNs are used when you have multiple things at each location that need to communicate with each other. This type of VPN works by adding routes and ACLs to the firewall/VPN Gateway device, which control the traffic flow between sites.
An Azure VPN Gateway on the ‘Basic’ tier comes in at a low £20 per month in the UK, which is incredibly cheap! This allows you to have up to 10 S2S connections. However, it is limited to 100Mbps and this tier is not zone redundant. A zone redundant one (VpnGw1AZ) is around £200 a month but gives up to 30 S2S connections and up to 650Mbps. (This is typically the one I go for as it can sustain the loss of an entire data centre without you losing your connection.)
As the configuration for S2S VPNs is on a gateway device, they’re pretty reliable and aren’t affected by any machine reboots.
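To show what the S2S set-up looks like in practice, here is an added Az PowerShell example (not code from the original post or from UKFast/ClearCloud) that builds the zone-redundant VpnGw1AZ gateway described above, defines the on-prem side, pins an explicit IPsec/IKE policy so the tunnel does not fall back to weaker defaults, and then checks the connection status. All names, address ranges and the on-prem public IP (203.0.113.10, a documentation range) are assumptions; replace them with your own.

```powershell
# Added example: Site-to-Site VPN from on-prem to Azure with Az PowerShell.
# Assumed values: resource group, region, VNet/on-prem prefixes and the
# on-prem gateway public IP are all placeholders for illustration.
$rg       = 'rg-hybrid-example'      # assumed
$location = 'uksouth'                # assumed
$vnetCidr = '10.1.0.0/16'            # assumed Azure VNet range
$gwSubnet = '10.1.255.0/27'          # GatewaySubnet must use this exact name
$onPremIp = '203.0.113.10'           # assumed on-prem firewall public IP
$onPremNet = '192.168.0.0/16'        # assumed on-prem LAN range

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# VNet with the mandatory GatewaySubnet.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnet
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetCidr -Subnet $subnet

# AZ gateway SKUs need a Standard, static, zone-redundant public IP.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard -Zone 1,2,3

$gwSubnetObj = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnetObj.Id -PublicIpAddressId $pip.Id

# Route-based VPN gateway on the zone-redundant VpnGw1AZ tier (takes a while to deploy).
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ

# The "local network gateway" is Azure's description of the on-prem side:
# its public IP plus the prefixes that should be routed down the tunnel.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# Generate a strong pre-shared key rather than typing one by hand; the same
# value must be configured on the on-prem firewall and stored in a vault.
$keyBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

# Explicit IKEv2/IPsec policy so both ends negotiate AES-256/SHA-256 with
# 2048-bit DH and PFS instead of whatever the default proposal list allows.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name 'cx-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsecPolicy | Out-Null

# Check: the tunnel only shows 'Connected' once the on-prem side is configured
# with the matching PSK, peer IP (the $pip address) and the same policy.
$cx = Get-AzVirtualNetworkGatewayConnection -Name 'cx-onprem' -ResourceGroupName $rg
"Azure gateway public IP: $($pip.IpAddress)"
"Connection status      : $($cx.ConnectionStatus)"
```

Because the whole configuration lives on the gateway, nothing here runs on a VM, which is why the tunnel survives server reboots. The on-prem firewall needs the mirror image of this (Azure public IP as peer, the VNet prefix as the remote network, the same PSK and the same proposal), and the status check is the quickest way to spot a mismatch on either side.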
Point-to-Site (P2S) VPN
P2S VPNs are less common on server infrastructure and are more used by remote workers. They require a VPN client to be installed on the end machine (so this is only used for laptops or virtual machines). If you have one or two servers that you want secure communication between sites, and you don’t want to pay for a VPN Gateway or require a permanent connection, then this may be an option for you. But I would always suggest an S2S VPN over this for any server to server comms.
When you connect to the P2S VPN, the local machine downloads routes from the destination firewall, which are then used for the communication. But do note that if the client VPN software is installed and the server reboots, the VPN may not automatically connect again on startup, so this isn’t suitable in most cases.
Express Route
This one comes with a hefty price tag and is aimed at large enterprises (think an MPLS connection between multiple sites). You can get far more bandwidth with Express Route than any other connection between sites (up to 10Gbps), but you do pay for that link and for the peered connection too.
If you have multiple sites and the size of your wallet matches the size of the data link you require then this is something to consider.
Local Data Gateways
A Local Data Gateway is a tool offered by Azure for communication from on-premises to Azure. It is used for connectivity to databases or PaaS offerings on Azure. It’s easy to set up: just download the client and install it onto an on-prem server. This then allows you to securely connect to resources over HTTPS. For example, you may have a database on an on-prem server and want to allow Azure Logic Apps or Analysis Services to connect to that database.
Although this is limited in which resources it can be used for, it is a pretty nifty tool. Mainly because you don’t need to open ANY inbound ports on your on-prem firewall; it just needs a couple of outbound ports opening (data connection is over port 443, which is likely already open on your firewall if you’re able to browse the internet).
Routing and Remote Access (Windows Server)
Let’s not forget about the VPN capabilities that you get built into Windows Server, which uses the Routing and Remote Access Server Role. This is also a P2S offering but it integrates nicely with Active Directory and so you can grant access to users and groups to make the connection more secure.
I’ll be honest, this method won’t be used very often and it is more for smaller environments but it is built into Windows and so it is worth a mention.
Although there are many ways to connect on-premises infrastructure to Azure, you will probably only use Site-to-Site VPN and the Local Data Gateway (or Express Route if you have the cash). If you want to connect a bunch of servers from one site to a bunch of servers at another site, then Site-to-Site is the way to go. If you have multiple sites to connect and require a large dedicated connection, then take a look at Express Route. However, if you just want to use tools in Azure like Logic Apps or Analysis Services etc. to connect to an on-prem database, then Local Data Gateway is the tool you want.
There are so many use cases for having a multi-cloud environment like the above and so it is a good idea to familiarise yourself with the different ways that you can connect between them.