Detangling the Many Ways of Plugging into Azure
Azure networking VP Yousef Khalidi explains the cloud provider’s network strategy.
December 19, 2019
ExpressRoute. A new peering service for enterprise-grade connections over the public internet. A Virtual WAN. A Private Link service that connects to Azure data and storage services on your own private IP address over Microsoft’s backbone network. An Application Gateway Ingress Controller for Azure Kubernetes Service. Why are there so many ways to connect to Azure, and how do you choose between them?
Think of this wealth of connectivity options as “version one” of the Azure networking strategy, which is to let you build your own networks virtually, using the physical Azure infrastructure, corporate VP for Azure Networking Yousef Khalidi told Data Center Knowledge. “This version-one strategy is what we’re going to coalesce all these concepts around. It’s basically an abstraction for our wide area network, and we’ve turned the crank on this v1 implementation and feature set around integrating this plethora of features within the VWAN. Now we have the ability to have all traffic terminate or come into the VWAN and then exit the VWAN to go anywhere else, including to go over the internet.”
These integrations deliver what Khalidi calls the version-two approach, where the Azure VWAN becomes more of a core service with different options. “Architecturally, the locus going forward will be centered around the VWAN as a concept and a resource to tie everything together. You can now talk branch to branch, branch to VWAN, branch to the internet, VWAN to VWAN, and the traffic can be brought either through the internet through VPN services or any internet connectivity like peering, or can be brought in privately through ExpressRoute. It's like a jigsaw puzzle of all possible ways [to connect] and we've completed the puzzle.”
There will still be a lot of different features that can be used independently, because they’re all needed for specific scenarios. Private Link is there because organizations want to access Azure services privately. It connects to a small number of services initially, but Khalidi indicated that in the longer term all Azure services would be available through private connections.
Regulated customers will also welcome support for point-to-point encryption on ExpressRoute Direct using MACsec and commodity routers, managing their own encryption keys through Azure Key Vault. MACsec is link-layer encryption, so it protects the physical cross-connect between the customer's router and Microsoft's router at the peering location rather than the end-to-end path. MACsec was already supported in the Azure backbone, but customers like banks can now encrypt traffic between two cages at the exchange point for their ExpressRoute endpoint.
The new AKS ingress controller for managing traffic is another of these special-purpose features. It’s something you could always do by hand, but the service has been warmly received because, as Khalidi admitted, “it was hard to do by hand.”
“It’s the same thing throughout our portfolio of networking services. Yes, we have the plumbing and you can always do it by hand. You can do your own firewall or ingress controller and the like, but if I can get you something as a service that’s available from the Azure portal, that’s fully managed with the Azure Resource Manager model, that can have RBAC and Azure policy controls, I'm going to do that.”
Removing Cost and Complexity with Higher-Order Services
More customer requests are for sophisticated high-end features rather than the networking basics, Khalidi said, and customers want more services that sit at the intersection of connectivity and security.
The new peering service for Azure and Office 365 is a reflection of the shift Microsoft is seeing among customers from MPLS to cloud and internet connectivity (although Khalidi doesn't expect MPLS to disappear any time soon).
That matches what HPE’s Aruba Networks is seeing in the MPLS market, according to Conrad Menezes, a VP at Aruba. “I think MPLS is dying and I think what’s killing it is the cost. For a 100 Mbps access circuit with 20 Mbps bandwidth speed, the average cost in the US is around $2,000. Compare that with the broadband circuit that’s 100 Mbps down speed and 20 Mbps up, that’s $200.”
Typically, organizations replace their second MPLS circuit with broadband, and once they’ve found that reliable, they move to dual broadband connections – but they don’t use consumer broadband. “A lot of the large enterprises are relying on dedicated internet access from a service provider, because they want someone to provide some level of SLA, and because you get what you pay for. 100 Mbps, $100 internet access at home is not necessarily what an enterprise is going to rely on for their primary business.”
The Azure Peering Service is effectively a catalog of ISPs that offer the guaranteed connectivity, redundancy, and latency enterprises want, where the ISP hands traffic directly to Microsoft's network over a single hop rather than sending it along cheaper routes through intermediate transit providers, and there’s no charge on the Azure side to use one of these peering connections. But if you want extra monitoring and protection from BGP issues, that’s available as an extra service.
“We can check for BGP problems and route hijacking and ensure the connection stays with your ISP even if the route has been hijacked,” Khalidi explained. That covers both deliberate BGP hijacking and innocent mistakes by ISPs. “If they advertise a network range, they can redirect traffic the wrong way, whether it’s done on purpose or not. There are some that are malicious, but there are many [BGP issues] that happen because the protocol is frankly insecure and error-prone.”
With proposed improvements to BGP still under development and likely beyond the capabilities of many lower-tier ISPs, defensive measures are required, he said. “We know the relationship between us and the ISP, we monitor all of these routes, millions of them, every few seconds. We have a complete history, so we know a route will change approximately this way and if we find an anomaly, we quarantine the routes.”
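The monitoring Khalidi describes (learn from route history, flag announcements that deviate from it, and quarantine the anomaly while keeping the last-known-good route) can be illustrated in a small baseline-driven detector. The Python below is an added example written for this article; it is not Microsoft's code and says nothing about how the Azure Peering Service is actually implemented. The baseline, the update stream, the three anomaly classes (origin hijack, more-specific hijack, unexpected upstream next to the origin) and the policy of accepting never-seen prefixes are all constructed assumptions; ASNs are from the documentation range (RFC 5398) and prefixes from RFC 5737.

```python
"""Baseline-driven BGP route anomaly detection with quarantine (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Announcement:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # ASNs as received: as_path[0] is our neighbor, as_path[-1] the origin

    @property
    def origin(self):
        return self.as_path[-1]

    @property
    def origin_upstream(self):
        # The AS the origin handed the route to; None when the origin is our direct neighbor.
        return self.as_path[-2] if len(self.as_path) > 1 else None

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


ANOMALIES = ("origin-hijack", "subprefix-hijack", "path-anomaly")


class RouteMonitor:
    def __init__(self):
        self.origins = defaultdict(set)    # network -> origin ASNs seen in history
        self.adjacency = defaultdict(set)  # origin ASN -> ASNs seen directly upstream of it
        self.rib = {}                      # network -> currently accepted Announcement
        self.quarantine = []               # (reason, Announcement) held out of the RIB

    def learn(self, history):
        """Build the baseline from announcements already vetted as legitimate."""
        for ann in history:
            self._remember(ann)
            self.rib[ann.network] = ann

    def _remember(self, ann):
        self.origins[ann.network].add(ann.origin)
        if ann.origin_upstream is not None:
            self.adjacency[ann.origin].add(ann.origin_upstream)

    def covering_prefix(self, net):
        """Most specific baseline prefix that strictly contains net, or None."""
        best = None
        for known in self.origins:
            if known.version == net.version and net != known and net.subnet_of(known):
                if best is None or known.prefixlen > best.prefixlen:
                    best = known
        return best

    def classify(self, ann):
        net = ann.network
        if net in self.origins:
            if ann.origin not in self.origins[net]:
                return "origin-hijack"   # another AS claims to originate a known prefix
            if ann.origin_upstream is not None and ann.origin_upstream not in self.adjacency[ann.origin]:
                return "path-anomaly"    # right origin, but reached via a never-seen adjacency
            return "ok"
        cover = self.covering_prefix(net)
        if cover is None:
            return "new-prefix"          # assumed policy: accept and start learning it
        if ann.origin not in self.origins[cover]:
            return "subprefix-hijack"    # would win longest-prefix match if accepted
        return "ok"                      # legitimate origin de-aggregating its own block

    def observe(self, ann):
        """Classify one update; anomalies are quarantined and the last-known-good route stays."""
        reason = self.classify(ann)
        if reason in ANOMALIES:
            self.quarantine.append((reason, ann))
        else:
            self.rib[ann.network] = ann
            self._remember(ann)
        return reason

    def active_route(self, prefix):
        return self.rib.get(ipaddress.ip_network(prefix))


# Constructed history: AS64500 originates 203.0.113.0/24 and reaches us via AS64499 and our
# neighbor AS64496; AS64501 originates 198.51.100.0/24 with AS64496 as its direct upstream.
HISTORY = [
    Announcement("203.0.113.0/24", (64496, 64499, 64500)),
    Announcement("198.51.100.0/24", (64496, 64501)),
]

# Constructed update stream: refreshes, three anomalies, a new prefix and a legitimate de-aggregation.
UPDATES = [
    Announcement("203.0.113.0/24", (64496, 64499, 64500)),  # unchanged
    Announcement("203.0.113.0/24", (64497, 64511)),         # AS64511 claims the whole block
    Announcement("203.0.113.128/25", (64497, 64511)),       # more-specific of the same block
    Announcement("203.0.113.0/24", (64498, 64500)),         # real origin, never-seen upstream AS64498
    Announcement("198.51.100.0/24", (64496, 64501)),        # unchanged
    Announcement("192.0.2.0/24", (64496, 64502)),           # never seen before
    Announcement("198.51.100.0/25", (64496, 64501)),        # AS64501 splitting its own block
]


def run_demo():
    monitor = RouteMonitor()
    monitor.learn(HISTORY)
    reasons = [monitor.observe(ann) for ann in UPDATES]
    return monitor, reasons


if __name__ == "__main__":
    monitor, reasons = run_demo()
    for ann, reason in zip(UPDATES, reasons):
        print(f"{reason:17} {ann.prefix:18} path={ann.as_path}")
```

The point of the quarantine list, rather than simply dropping the update, is that an operator can review what was held back and promote it to the baseline when a change turns out to be a genuine renumbering rather than a hijack; a real deployment would also want RPKI origin validation alongside the history check, since history alone cannot distinguish a first-time legitimate announcement from an attack.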
That BGP protection is how Microsoft has been protecting Azure’s own networking for a long time. Now it’s available to customers. This is the kind of easy-to-use and highly scalable solution that Azure networking will continue to introduce now that it’s unified the patchwork quilt of connectivity options, Khalidi said.
“Our job in Azure networking is to connect you and your customers to the cloud reliably and securely, in a performant fashion. We’re about connecting and extending your network to the cloud, protecting your traffic, delivering your applications and monitoring, and knowing what’s going on in the cloud.”