Question: HA routing to Microsoft Azure remote servers ?

20 July 2015 at 10:50am
  • Like
    0Likes
  • Unlike
    0Likes

Hi all.

We are looking to dip our toe in the water of hosting some servers remotely in MS Azure.

My part would be the network connectivity.
I took a look at MS's guide ( https://azure.microsoft.com/en-gb/documentation/articles/virtual-network... ) on how to create a L2L ipsec tunnel between us and them and quickly spotted the obvious flaw which is that there is no dynamic routing at the MS end.

I'm completely unsurprised by this as MS are a software house and not a network house.

Without a dynamic routing protocol in play at both the A & B ends, or at a minimum some type of IPSLA/Tracking/Floating-Route strategy it would not be possible for dynamic reaction to breaks in the path between the A & B end networks.
For example in our case we have two campuses each with a JANET link. We might terminate a IPSEC tunnel to Azure at one of our edge DMZ's for the purpose of enabling client networks to talk to server networks in Azure.

In the case of other systems we have resilient routing in our design to use our other campus JANET link (via private cross-campus links). In the case of this potential Azure server connectivity I can see that a tunnel to each site, one as a backup, would not work without some form of dynamic routing in place at the Azure end.

The only solution I can see would be to only use a single IPSEC tunnel and cover the HA by placing the VPN gateway inside our network and thus ensure it is always reachable via our infrastructure design.

But this then means that it has to be placed at either campus 1 or campus 2 and then clients NOT on its base campus would need to use our private cross-site links to reach it.

Extending the data-centre outside but degrading the level of control/flexibility of the local/AS networking seems less than great.

Just opening a hopeful discussion thread around this area to see if anyone else has any views on this ?

Azure
  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo

Answers

0
+1 -1

Just a little follow -up. This document from MS goes on a little from the basic L2L offering to detail how multi-site can be achieved:

https://msdn.microsoft.com/en-us/library/azure/dn690124.aspx

However this is just 'A' (azure) end talking to B-Z (service consumer) end, so one- to-many with the consumer subnets known to the server end.

Not what I would want to see which is the the concept of their being alternate paths in between the consumer end sites and traditional dynamic use of those paths.

Submitted by Simon Daniels on Mon, 2015-07-20 11:51
0
+1 -1

hi Simon,
I'm thinking that you'll probably get more responses on either O365 or the Azure jiscmail lists because they have more members that participate. Are you a member if either of those lists? If not, and if you wish, I can copy your messages above to the Azure list and see how that goes.

kind regards,
Phyllis
cloud services manager
cloud@jisc.ac.uk

Submitted by Phyllis Callinan on Thu, 2015-07-23 12:32
0
+1 -1

Hi Phyllis, yes, thanks that would be great if you can copy it to a better location. Many thanks.

Submitted by Simon Daniels on Thu, 2015-07-23 12:34
+1
+1 -1

Simon

These is a Dynamic Routing VPN gateway available on Azureā€¦ https://azure.microsoft.com/en-gb/documentation/articles/vpn-gateway-abo...

Create a dynamic gateway with two connections, one to site A and one to site B? See https://azure.microsoft.com/en-gb/documentation/articles/vpn-gateway-top... .

A good contact at Microsoft the UKs IT Pro Technical Evangelist Marcus Robinson marrobi@microsoft.com https://twitter.com/techdiction he is the best person to ask specifics around this

Submitted by Lee Stott on Mon, 2016-04-11 12:33