ExpressRoute or Virtual Network VPN – What’s right for me?
Several people have asked about the capabilities of the connectivity options Azure currently supports, and for guidance on when to pick which one. We currently have three hybrid connectivity solutions for connecting a customer’s premises to Azure.
Virtual Network Point-to-site
A point-to-site VPN allows you to create a secure connection from your Windows-based computer to your virtual network without having to deploy any special software. We provide you with VPN policies that you can download to your computer and use with Windows’ built-in VPN client. You can securely connect to the virtual network just the way you use VPN clients to connect to your company’s corporate network. Since we use the standard Secure Socket Tunneling Protocol (SSTP), you will be able to securely connect to Azure from anywhere. This capability enables you to quickly set up connectivity to Azure for prototyping, development, testing and simulation purposes. You can use the same setup and configuration to work with some site-to-site connectivity options.
Virtual Network Site-to-site
A site-to-site VPN allows you to create a secure connection between your on-premises site and your virtual network. We use industry-standard IPsec VPN in Azure, so we are interoperable with most VPN devices. You can refer to a list of known compatible devices and sample configurations on the Azure website. You can use this service to connect up to 10 on-premises sites and virtual networks to each other securely. Once a site-to-site VPN is set up, you have IP-level connectivity between your premises and virtual networks in Azure. This enables you to build truly hybrid applications in Azure. Use this service in cases where your cross-premises connectivity throughput is nominal (~100 Mbps).
ExpressRoute
ExpressRoute lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. With ExpressRoute, you can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) or directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider. You can learn more about ExpressRoute from my previous blog post.
I have attempted to put together a small table to summarize the capabilities, features and use cases for each of these services.
| | Virtual Network (Point-to-site) | Virtual Network (Site-to-site) | ExpressRoute – Exchange Provider | ExpressRoute – Network Service Provider |
|---|---|---|---|---|
| Azure services supported | Cloud Services, Virtual Machines | Cloud Services, Virtual Machines | Refer to validated list. | Refer to validated list. |
| Typical Bandwidths | Typically < 100 Mbps aggregate | Typically < 100 Mbps aggregate | 200 Mbps, 500 Mbps, 1 Gbps and 10 Gbps | 10 Mbps, 50 Mbps, 100 Mbps, 500 Mbps, 1 Gbps |
| Protocols Supported | Secure Socket Tunneling Protocol (SSTP) | IPsec (Refer to VPN page for more details) | Direct connection over VLANs | NSP’s VPN technologies (MPLS, VPLS, …) |
| Routing | Static | Static: we support policy-based (static routing) and route-based (dynamic routing) VPN | BGP | BGP |
| Typical use cases | Prototyping, dev / test / lab scenarios for cloud services and virtual machines | Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list); Enterprise-class and mission critical workloads; Backup; Big Data; Azure as a DR site | Access to all Azure services (validated list); Enterprise-class and mission critical workloads; Backup; Big Data; Azure as a DR site |
| Technical Documentation | Overview, How-to guide | Overview, How-to guide | Overview, How-to guide | Overview, How-to guide |