At last week’s Ignite conference, Microsoft announced a set of new networking capabilities for its Azure cloud, described as being ‘for a consistent, connected and hybrid cloud’. The new capabilities include improvements to ExpressRoute (Azure’s Internet bypass offering), availability of ExpressRoute for SaaS offerings such as Office 365 and Skype for Business, additional VPN capabilities and enhancements to virtual networks in Azure’s IaaS.
Azure has had virtual networks (VNETs) for some time, providing network containment around a group of VMs and control over IP addressing (where it’s worth noting that users aren’t limited to RFC1918 addresses as they are in many other clouds). Although VNETs may have multiple subnets, there hasn’t been any way to control the routing table or use virtual appliances as routers/gateways, things that have been possible in Amazon’s and Google’s competing offerings. Microsoft have now addressed those deficiencies with custom routing tables and the ability to enable IP forwarding through virtual appliances. The new capabilities are initially only available in a limited number of regions, but they will be rolled out to the entire Azure estate in due course.
Now that virtual appliances can be used for routing, Microsoft has also announced an Azure network virtual appliance ecosystem that includes many brand name networking providers for firewalls, intrusion prevention systems (IPS), WAN optimisation, load balancing and application delivery controllers (ADC). Whilst some of those capabilities overlap with services built into Azure itself, the partner ecosystem offers end users greater control over application network service configuration, and the possibility of integrating aspects of cloud network management with existing tools and skills used for on-premises deployments.
Since the launch of its IaaS, Azure has offered ‘cloud services’ that map user-defined DNS names and ports to underlying virtual machines. Reserved IP addresses (the Azure equivalent to Amazon’s elastic IPs) were added more recently, and these are now more flexible, with the ability to move IPs between services (a set of one or more VMs) and to associate IPs directly with specific VMs (known as an instance level public IP). Control over the new features for reserved IPs, routes and forwarding hasn’t yet been incorporated into the Azure portal or cross-platform CLI, meaning that these new features can only be managed from Azure PowerShell.
Internet bypass services, where cloud customers connect directly between their own data center and the cloud service provider, have become commonplace. Azure call theirs ExpressRoute, whilst Amazon’s brand of ‘Direct Connect’ is often used as an industry generic term. ExpressRoute Premium adds the ability to fan out from one connection into all of Azure’s other locations, which should be much simpler and cheaper from a customer perspective than setting up numerous dedicated point-to-point connections. This in essence allows customers to exploit Microsoft’s investment in its back end WAN rather than having to build their own. The Premium cost is $3000/month regardless of the bandwidth of the underlying connection, so it’s a relatively small addition to an $8700/month 1Gbps connection (and a large premium for users paying $872/month for 50Mbps).
ExpressRoute has also been extended to Microsoft’s SaaS offerings such as Office 365 and Skype for Business. This means that the same dedicated connection may now be used to connect to IaaS, SaaS and public IP addresses with consistent bandwidth and latency, and the expectation of improved privacy. Microsoft have partnered with AT&T, British Telecom and Equinix to launch the improved Internet bypass services.
Whilst large customers will be happy to pay for Internet bypass from their primary sites, it’s less practical and cost effective for smaller offices and remote data centers, where a virtual private network (VPN) over the Internet is often preferred. Microsoft are addressing those needs with the introduction of a new site-to-site (S2S) VPN service. S2S connections may be used as a backup for ExpressRoute, or combined with ExpressRoute connections into Azure services.
Many of the new capabilities announced by Azure are necessary for it to catch up with competing services from Amazon, Google and others. There are, however, some areas where Microsoft are taking the lead, and its ability to bundle services and connectivity to those services will make it easier for customers to adopt Azure.