Blog ENG - MS Azure - Post 9 2024
In today’s interconnected world, seamless connectivity between virtual networks is crucial for businesses to maintain efficient operations. One of the robust solutions provided by Microsoft Azure is ExpressRoute, which offers private connections between Azure data centers and on-premises infrastructure or colocation environments. Let’s delve into how connectivity between virtual networks over ExpressRoute works and why VNet peering is often recommended for optimal performance.
ExpressRoute Private Peering and Virtual Network Connectivity
ExpressRoute private peering supports connectivity between multiple virtual networks. To achieve this, an ExpressRoute virtual network gateway is deployed into each virtual network. This gateway establishes a connection to the ExpressRoute circuit, enabling connectivity to virtual machines (VMs) and private endpoints from on-premises. When multiple virtual networks are linked to an ExpressRoute circuit, VNet to VNet connectivity is enabled by default. However, Microsoft advises against relying solely on this default behavior for inter-VNet connectivity due to potential performance issues.
The Role of Virtual Network Gateways
Virtual networks connected to an ExpressRoute circuit utilize a virtual network gateway, which facilitates both the management plane and data path connectivity to VMs and private endpoints within the virtual network. These gateways, however, come with limitations in terms of bandwidth, connections-per-second, and packets-per-second. When VNet to VNet connectivity is routed through ExpressRoute, the virtual network gateway can become a bottleneck, affecting both bandwidth and data path performance.
Advantages of VNet Peering
To circumvent the limitations imposed by virtual network gateways, configuring VNet peering is recommended. Unlike ExpressRoute, VNet peering does not place the virtual network gateway in the data path, thereby eliminating the associated bandwidth and control plane limitations. This results in more efficient and direct connectivity between virtual networks.
ExpressRoute Connectivity Management
ExpressRoute connectivity is managed by a pair of Microsoft Enterprise Edge (MSEE) devices located at ExpressRoute peering locations, which are physically separate from Azure regions. When VNet to VNet connectivity is enabled via ExpressRoute, traffic from the virtual network exits the origin Azure region, passes through the MSEE devices at the peering location, and then traverses Microsoft’s global network to reach the destination Azure region. This additional hop through the MSEE devices can introduce latency.
In contrast, VNet peering allows traffic to flow directly from the origin Azure region to the destination Azure region using Microsoft’s global network, bypassing the MSEE devices. This direct path reduces latency and enhances the overall performance of applications and network traffic.
Enabling VNet to VNet and VNet to Virtual WAN Connectivity
By default, VNet to VNet and VNet to Virtual WAN connectivity is disabled through an ExpressRoute circuit. To enable this connectivity, you must configure the ExpressRoute virtual network gateway to allow such traffic. This configuration ensures that your network architecture can support the necessary connectivity requirements while maintaining optimal performance.
Conclusion
While ExpressRoute provides a robust solution for connecting virtual networks, leveraging VNet peering can significantly enhance performance by reducing latency and avoiding the limitations of virtual network gateways. By understanding the intricacies of these connectivity options, businesses can make informed decisions to optimize their network infrastructure and ensure seamless operations.