Overview
Azure Virtual Network Connectivity options
Why do you need Hybrid Cloud?
What is Azure VPN Gateway?
Monitoring Azure Virtual Network Gateways

Overview

Azure Virtual Network (Azure VNet) is likely one of the most important components in your Azure Infrastructure deployment. Azure VNet uses Software-defined Networking solution that connects most of your virtual resources via a primary virtual container. Azure VNet enables you to Scale, Control and Secure your virtual network with agility. By default, Azure VNets are isolated and secured, so much so that even resources within a single Azure subscription will not be able to connect with each other through the VNet unless specifically allowed. You have total control over specifically allowed connections. Using VNets, Azure administrators can multi-tier networks in the cloud.

Azure VNet can also extend your on-premises private network to the cloud. Azure VNet enables you to create a hybrid network between your on-premises network, various regions in the Azure cloud or even another cloud service provider. It allows you to control network traffic segmentation and virtual appliance support with features such as Network Security Groups and User defined routes. You can deploy resources such as Virtual Machines, Cloud Services or App Services in this virtual container.

Microsoft Azure provides numerous mechanisms to deploy your infrastructure resources using ARM (Azure Resource Management), REST-based API, Azure SDK, Azure PowerShell, Azure CLI and Azure Portal.

Azure Virtual Network Connectivity options

There is a number of different connectivity options available in Azure.

Cloud-Only VNet

It is the default connectivity option for resources in Azure. In this model, you can deploy multiple VM’s, Cloud services or App Services that can communicate with each other. By default, all resources can connect to each other in a VNet even if they may be part of different subnets. This is possible due to “Default Route” which is created by default in Azure.

Azure Cloud-Only VNet

Hybrid connectivity

Hybrid connectivity is the ability to connect your on-premises datacenter to your resources running in a datacenter in Microsoft Azure or to other cloud service providers. To enable Hybrid connection, you need to deploy an Azure VPN Gateway. It exposes an endpoint over IPSec tunnel for other VPN connectivity. Azure provides 3 different options for hybrid connectivity.

Point-to-Site (P2S)

This option allows you to create a secure VPN connection from a single source like a laptop or a computer to resources in Azure. You do not need a VPN device for this type of deployment. The ideal use scenario of P2S connectivity is to allow access to a handful of client computers from a remote location.

Point-to-Site VNet

Site-to-Site (S2S)

This option allows you to use secure IPSec VPN to connect one or more networks from on-premises directly to Azure or from Azure to Azure. You would need a VPN device in your on-premises location to connect to Azure VPN Gateway. This type of connection enables a secure connection between resources on-premises and in the cloud. You do not need to create separate connections for different client computers on your local network to access resources in the cloud. The S2S connection further enables connectivity options like Site-to Multi-Site and VNet-to-VNet.

  • In Multi-Site connection, you can connect multiple on-premises sites to a single virtual network in Azure.
  • VNet-to-VNet enables connecting cross-regional Azure VNets with each other. This connection is over IPSec tunnel and you do not need a VPN device.

Site-to-Site VNet

Express Route

It provides organizations a Private, Dedicated, High-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment. It is a much more scalable solution for hybrid connectivity. It is basically an extension of your on-premises network in the cloud. It also involves third-party express route partner. It comes in two flavors:

  • Exchange Provider or an ISP where you can have a connection from your data center directly into Azure. The bandwidth ranges from 200 Mbps to 10 Gbps per circuit.
  • Network Service Provider, performs similar functionality like Exchange Provider except that this model is basically for companies who would want to establish new or extend their existing WAN. With Network Service Provider, you are extending WAN with Azure. The bandwidth ranges from 10 Mbps to 1 Gbps per circuit.

ExpressRoute

Why do you need Hybrid Cloud?

Pointers provided by research study:

  • According to a research study conducted by Avanade, 74% of enterprise believe hybrid cloud will enable their business growth.
  • IDC predicts more than 65% of enterprise IT organizations will commit to hybrid cloud technologies before 2016.
  • IDC press release predicts 6x growth of IT spending on public cloud services.

Now that you know what the IT trends looks like what are the benefits of deploying a Hybrid Cloud.

  • Deploy VM’s in Azure directly joined to an on-premises Active Directory.
  • Implement Backup and Disaster Recovery for on-premises applications in the cloud.
  • Lift and Shift packaged apps directly in the cloud.
  • Creating Dev/Test Infrastructure in the cloud enables KTLO savings by automating resource de-allocation or switch-off VM’s during non-working hours.
  • Enables you to create Cloud-native applications development.
  • Ability to dynamically scale your infrastructure as needed.

What is Azure VPN Gateway?

Azure VPN Gateway enables Azure VNet to connect to your network on-premises or between virtual networks in Azure or with another cloud service provider. Your Azure VPN Gateway connectivity with your on-premises network will depend on the compatibility of your VPN device as per Microsoft recommendations. Check out the list of compatible VPN devices as per Microsoft.

NOTE

It is very important to plan and design your Virtual Network before deploying any other resources in Azure. You still do not have the ability to move your existing Azure resources from one VNet to another.

There are two types of Azure VPN Gateways, static route, and dynamic route. A static route is policy-based VPN that directs packets through IPSec tunnel whereas dynamic route is route-based VPN configuration.

NOTE

The routing option you select will depend on the type of route your VPN device supports.

Monitoring Azure Virtual Network Gateways

Using Native Azure Monitoring

There is no UI to monitor Azure VNet Gateway. The only way you can check the status of your Azure VNet Gateway is by using the portal which shows Data-In (Ingress), Data-Out (Egress) and Connection Status. While this seems very limited information, the goal of these metrics is to ensure that different sites are connected to each other and the data is flowing between them.

Name Description Metrics type
Data In (Ingress) Data flowing in the VNet Kb
Data Out (Egress) Data going out of the VNet Kb
State Status of the VNet connectivity Succeeded, Suspended, Disconnected, Connecting

The figure below shows what Azure Portal would show.

Native Azure VNet status and metrics

Using CloudMonix to monitor Azure Virtual Network Gateway?

Now that the default monitoring data shows enough information, it is important to have some sort of alert mechanism, comparison method to check if the VNet Gateway is working as expected.

Expression based analysis

CloudMonix uses expression based analysis to check the resource state. Expression based monitoring are comparison statements which can be used to evaluate the condition of the resources. The figure shows you an alert from CloudMonix of an VNet Gateway going down or disconnected.

The figure below shows the “Alert from CloudMonix” when VNets get disconnected.

VNet disconnected alert from CloudMonix

Custom Monitoring in CloudMonix

CloudMonix enables you to create custom metrics. More often than not Azure Portal would show the connection state of VPN Gateway as “Connected” but you also need to know the working condition of the VNets. The figure below shows how to configure Aggregate expression that compares Data In (Ingress) in a VNet Gateway in a time span of every 5 minutes. You can also configure alerts if the Ingress has stayed constant for 5 minutes which means there is no data transfer between VNets for 5 minutes. Such comparison metrics can be of great use. Some of the great examples of such back date monitoring is when you want to check what was the last time a particular event fired or when a particular error occurred etc.

Aggregrate Expression sample

For more information about how CloudMonix can help with monitoring Azure Virtual Networks, refer to CloudMonix Azure Virtual Network Monitoring.