As hybrid cloud and multicloud architectures become the norm for enterprise networks, we examine three ways to connect workloads in AWS VPCs to Microsoft Azure VNets.
Hybrid cloud and multicloud architectures have become common for enterprise IT departments seeking greater network reliability, security, and cost-efficiency in support of optimal application performance. As more and more enterprise workloads migrate to the cloud, it’s only natural that organizations seek ways to connect AWS and Microsoft Azure, the top two hyperscalers, to future-proof their network and ensure the lowest latency between workloads.
Let’s say you’re like one of our customers, a global retail brand that hosts its eCommerce presence on both AWS and Azure, deploying mirrored applications in each cloud. To comply with your security policy, you backhaul some of your traffic to your data centre, where that policy is enforced, but not all of your traffic needs to pass through that enforcement point. To save network resources in your data centre, you want to keep the remaining traffic at the edge of each cloud, which also decreases latency between AWS and Azure.
In this case, there are three ways to connect an AWS environment to a Microsoft Azure one, each with its pros and cons. One method, the VPN tunnel, is far and away the most common, but as you might have guessed if you read this blog regularly, it’s not the best one.
1. Set up VPN tunnels
There are plenty of resources online about how you can set up a VPN tunnel over a public internet connection between AWS and Microsoft Azure. It’s a tried and true traditional method of connecting between clouds, but there are many disadvantages to connecting your cloud environments this way. Here are a few:
Con: limited throughput
Each VPN tunnel is capped by the cloud provider’s gateway, so for higher-throughput workloads you’ll have to build numerous tunnels in parallel. You’ll also spend a lot of time managing ECMP (Equal-Cost Multi-Path routing) or load balancing to keep that aggregate bandwidth available and to stop individual tunnels from congesting and failing. Keep in mind that ECMP distributes flows, not packets, across tunnels: a single large flow (a database replication stream, for example) is still limited to the throughput of the one tunnel it hashes to, no matter how many tunnels you add.
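To make the per-flow point concrete, here is an added Python example (not code from the original post or from Megaport) that models ECMP over parallel tunnels: it hashes each flow’s 5-tuple to a tunnel, sizes the tunnel count for an aggregate throughput target, and shows that one large flow saturates its tunnel however many tunnels exist. The 1.25 Gbps per-tunnel cap, the tunnel count and the traffic mix are assumed values; check them against your gateway’s published limits.

```python
"""Per-flow ECMP across parallel VPN tunnels (added example, not from the post).

Assumptions: a 1.25 Gbps per-tunnel cap (AWS's documented Site-to-Site VPN
tunnel limit at the time of writing) and a constructed traffic mix.
"""
import hashlib
import math
from typing import Dict, List, Tuple

# (src_ip, dst_ip, src_port, dst_port, ip_proto): the 5-tuple ECMP hashes on.
Flow = Tuple[str, str, int, int, int]

PER_TUNNEL_GBPS = 1.25  # assumed per-tunnel cap


def tunnels_needed(aggregate_gbps: float, per_tunnel_gbps: float = PER_TUNNEL_GBPS) -> int:
    """Minimum number of parallel tunnels whose caps add up to the target."""
    return math.ceil(aggregate_gbps / per_tunnel_gbps)


def ecmp_tunnel(flow: Flow, n_tunnels: int) -> int:
    """Choose a tunnel by hashing the 5-tuple.

    Every packet of a flow hashes identically, so a flow is pinned to one
    tunnel (which avoids reordering) and can never use more than that
    tunnel's bandwidth.
    """
    key = "|".join(str(field) for field in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_tunnels


def tunnel_load(flows: Dict[Flow, float], n_tunnels: int) -> List[float]:
    """Sum each tunnel's offered load (Gbps) under per-flow ECMP."""
    load = [0.0] * n_tunnels
    for flow, gbps in flows.items():
        load[ecmp_tunnel(flow, n_tunnels)] += gbps
    return load


def saturated_tunnels(load: List[float], per_tunnel_gbps: float = PER_TUNNEL_GBPS) -> List[int]:
    """Indices of tunnels whose offered load exceeds their cap."""
    return [i for i, gbps in enumerate(load) if gbps > per_tunnel_gbps]


# Constructed traffic mix: 200 web flows of 20 Mbps (4 Gbps total) plus one
# 2 Gbps replication stream between a primary and a replica database.
ELEPHANT: Flow = ("10.0.9.9", "10.1.0.20", 50000, 5432, 6)


def build_sample_flows() -> Dict[Flow, float]:
    flows: Dict[Flow, float] = {
        (f"10.0.{i // 250}.{i % 250 + 1}", "10.1.0.10", 40000 + i, 443, 6): 0.02
        for i in range(200)
    }
    flows[ELEPHANT] = 2.0
    return flows


def main() -> None:
    flows = build_sample_flows()
    total = sum(flows.values())
    n = tunnels_needed(total)
    load = tunnel_load(flows, n)
    print(f"aggregate {total:.2f} Gbps -> {n} tunnels of {PER_TUNNEL_GBPS} Gbps")
    for i, gbps in enumerate(load):
        print(f"  tunnel {i}: {gbps:.2f} Gbps")
    print("saturated:", saturated_tunnels(load),
          "elephant on tunnel", ecmp_tunnel(ELEPHANT, n))


if __name__ == "__main__":
    main()
```

Running it shows five tunnels sized for 6 Gbps, yet the tunnel carrying the 2 Gbps replication flow is over its cap while the web flows spread evenly. The only fixes within a VPN design are to split the elephant into parallel streams or to accept the cap; this is the "numerous tunnels" overhead the paragraph above describes.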
Con: unpredictable routing via the public internet
Anyone who’s ever logged onto their workstation with a VPN token knows firsthand that data transfer through the public internet, through a VPN tunnel, can be balky. That’s because the path your packets take is chosen hop by hop by each intermediate network’s BGP routing policy, and it can change without notice; you control only the first and last hop. Unpredictable routing means variable, often higher latency, which means poorer application performance.
I’ve written about this before for ONUG, discussing virtual routing on the edge.
Con: compromised security due to BGP route hijacking
Year on year, the incidence of cyberattacks continues to grow. Now more than ever, CIOs are being kept up at night by cybersecurity concerns.
The same trusting nature of Border Gateway Protocol (BGP) that makes the internet so scalable is exactly what makes it vulnerable to route hijacking by threat actors. BGP relies on Autonomous Systems such as ISPs to announce routes to blocks of IP addresses, and by default neighbours accept those announcements without verifying that the announcer is entitled to them. An attacker who announces someone else’s prefix (or a more specific slice of it) can redirect traffic into a “black hole” or, as in the 2018 attack on the cryptocurrency wallet service MyEtherWallet, to a phishing site: in that case the hijacked prefixes belonged to Amazon’s Route 53 DNS service, so users resolving the wallet’s domain were sent to an impostor site that gathered account information and stole roughly $152,000 USD. Two practical notes for VPN designs: an authenticated IPsec tunnel won’t leak plaintext to a hijacker (a hijack of your VPN endpoint’s prefix causes an outage rather than disclosure), and the standard countermeasure on the routing side is Route Origin Validation against RPKI, which is only as good as the ROAs published for the prefixes you depend on.
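The check that rejects such announcements is route origin validation. As an added example (not code from the original post or from Megaport), here is a small Python implementation of the RFC 6811 rule against a set of ROAs: a route is valid if some ROA covering the prefix names its origin AS and allows that prefix length, invalid if ROAs cover the prefix but none match, and not-found if none covers it. The ROAs and announcements are constructed sample data using documentation prefixes and private ASNs, not real registry contents.

```python
"""RFC 6811 route origin validation against ROAs (added example, not from the post).

The ROAs and announcements below are constructed sample data built from
documentation prefixes (RFC 5737, RFC 3849) and private ASNs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it no longer than `max_length`."""
    prefix: IPNetwork
    max_length: int
    origin_as: int


def make_roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    max_len = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_len} out of range for {net}")
    return ROA(net, max_len, origin_as)


def validate_origin(announced: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced, strict=True)
    # A ROA covers the route when the route equals, or is more specific than, the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        # Origin must match and the route must not be more specific than maxLength.
        # An AS0 ROA never matches a real origin, so it makes every covered route invalid.
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def filter_routes(routes: Iterable[Tuple[str, int]], roas: Iterable[ROA],
                  accept_not_found: bool = True) -> Dict[str, List[Tuple[str, int]]]:
    """Apply the usual router policy: drop invalid, accept valid, and accept
    not-found unless the operator has chosen to be strict about it."""
    roas = list(roas)
    result: Dict[str, List[Tuple[str, int]]] = {"accepted": [], "rejected": []}
    for prefix, asn in routes:
        state = validate_origin(prefix, asn, roas)
        ok = state == "valid" or (state == "not-found" and accept_not_found)
        result["accepted" if ok else "rejected"].append((prefix, asn))
    return result


SAMPLE_ROAS = [
    make_roa("203.0.113.0/24", 64500),                # maxLength defaults to /24
    make_roa("2001:db8::/32", 64500, max_length=48),  # may be de-aggregated down to /48
    make_roa("192.0.2.0/24", 0),                      # AS0: nobody may originate this prefix
]

SAMPLE_ROUTES = [
    ("203.0.113.0/24", 64500),   # legitimate announcement
    ("203.0.113.0/25", 64500),   # right origin, but more specific than maxLength allows
    ("203.0.113.0/24", 64666),   # wrong origin: the classic hijack
    ("2001:db8:1::/48", 64500),  # within maxLength
    ("2001:db8:1::/64", 64500),  # too specific
    ("192.0.2.0/24", 64500),     # covered only by the AS0 ROA
    ("198.51.100.0/24", 64500),  # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(f"{prefix:<18} AS{asn:<6} {validate_origin(prefix, asn, SAMPLE_ROAS)}")
    print(filter_routes(SAMPLE_ROUTES, SAMPLE_ROAS))
```

Note what this does and does not catch: a hijacker announcing your prefix from their own AS, or a more specific than your maxLength permits, is rejected by every network that validates; a hijacker who forges the AS path so that your AS still appears as the origin is not, since origin validation looks at the origin only. Most operators accept not-found routes because large parts of the routing table still have no ROA, which is why publishing ROAs for the prefixes you depend on matters as much as validating.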
Con: AWS and Azure data transfer fees
Perhaps the biggest downside to connecting cloud environments over VPN tunnels is the cost of data leaving each environment over the public internet, whether it’s heading back to your servers in a data centre or on-premises, or flowing directly from one cloud to the other. Both providers bill this per GB on egress; data entering a cloud is generally free, data leaving it is not.
Both AWS and Azure publish their data transfer pricing on their respective pricing pages, and AWS Cost Explorer lets you break down the data transfer charges you’re already paying.
These fees can be prohibitive – in the case of one of our customers, potential egress fees totaled $43,000 USD per month before Megaport!

2. Build private lines
The second way you can connect your AWS and Azure environments is to build private lines to the two hyperscalers by buying dedicated circuits from your telco provider. These circuits will give you a private connection to the cloud providers with traffic that isn’t routed over the unpredictable, vulnerable public internet.
But there are also many disadvantages to this approach:
Con: more costly with long-term contracts
Your telco will likely lock you into 18-24 month contracts for your dedicated circuits, with 45-90 day installation windows. So if you’re looking to increase bandwidth capacity, it might take you months. If you’re looking to decrease bandwidth capacity, you’ll have to live with unused circuits because of those long-term contracts.
In the end, building private lines is likely the most costly option to connect between AWS and Microsoft Azure.
Con: latency still an issue due to backhaul traffic
Even with private circuits to each cloud, you’ll still need to backhaul traffic to your data centre or on-premises routing equipment. If workloads in the two clouds need to exchange data, that data leaves AWS over one private connection, lands in your on-premises or colocation environment, and is then sent straight back out over the other private connection to Azure. The private circuits will likely be more reliable than a VPN tunnel, but this hairpin means latency is still an issue.
Con: additional capex for WAN capacity
Even with your own private connections to the hyperscalers, you’ll continue to need on-premises infrastructure or a significant colocation presence. And this, of course, means more capex to account for in your annual budget.

3. Set up private connectivity with a virtual router (like Megaport Cloud Router)
While the most common way to connect workloads to different cloud environments is to use a VPN tunnel, a way that’s becoming increasingly common is to set up private connectivity with a virtual router like Megaport Cloud Router (MCR).
With MCR, you can get private connectivity and the security, reliability, and lower costs that come with not having to send data through the public internet. Plus, you won’t have to:
- hairpin your traffic back to your on-premises environment
- sign on to long-term contracts with your telco provider
- add any extra equipment to turn up connectivity
- pay high AWS and Azure data transfer fees for egress data going through the internet.
If you want to scale your bandwidth needs, you can do it with a few clicks on Megaport’s global, on-demand Software Defined Network (SDN) or you can even automate changes to your capacity needs through our API. The MCR is set up in the physical location where the AWS and Microsoft Azure edges reside. In some cases, MCR and both cloud service providers are available on the same data centre campus.
Let’s say you’re our customer again, that global retail brand. Your eCommerce store is hosted in AWS US East (Northern Virginia), with the mirrored applications in Azure East US. You want to route directly between the two clouds but also retain a primary and a secondary BGP peering (for redundancy) back to your data centre in the Washington DC area, so that the traffic subject to your security policy is still inspected there.
MCR simplifies this routing back to the data centre for the security check: you maintain one redundant pair of peerings between your data centre and the MCR, and it is the MCR that peers with each cloud. As additional cloud links are added, no additional peerings are required at the data centre, because those peerings are managed on your MCRs.
Furthermore, the latency between the two cloud environments, privately connected via our virtual router, is just a three-to-four-millisecond round trip. This lowest-latency path between AWS and Azure, enabled by the MCR’s direct connection, means optimal application performance.

Learn More
To learn more about how Megaport Cloud Router can help you connect between AWS and Azure, click here.