Network Architecture between your Institution premises or data center to your Azure subscription
There are 2 key elements of the network architecture, however, it is imperative to understand that private peering is primarily required for IaaS based services and for strict compliance reasons around data security. Most PaaS and SaaS services provide data access over RESTful interface where data is encrypted over Https/TLS protocols.
- Connection between university premises and Cloud subscription: At a high level, there are 3 options to connect between your premises/data center and your Azure subscription, consider these as good-better-best (in that sequence) for bandwidth and performance aspects.
- Site to Site VPN (Good): An IPSec encrypted S2S VPN is a good starter option to establish secure connectivity between university premises or Data Center to Azure and several options are available to deploy and build secure encrypted tunnel (Basic, Standard and High performance). For a select few institutions (e.g. an R1 institution) this tunnel is built through Internet2 (which is more protected than public internet but still shared with other schools) hence the network performance is subjected to fluctuations depending upon the Internet2 usage/bandwidth. There is no QoS SLA provided by Microsoft. Key challenge here is the network capacity is capped at 100 Mbps for Basic and Standard and 200 Mbps for High performance gateway hence works well as a starter option. You can have upto 10 Basic and Standard and upto 30 High performance tunnels under one Azure subscription, few universities have deployed as many as 12-15 tunnels before consider more advanced options.
- Third-party network appliance in Azure Market place (Better): Azure Market Place offerings such as Barracuda, Cisco, Palo Alto (and many others..) network appliances and these go beyond 200 Mbps Azure gateway limits depending on specific models you chose to deploy (some can go upto 1.4 Gbps). These appliances provide several additional features like firewall, redundant connection etc. however comes at a premium charge payable to the market place vendors. The connection is still an encrypted VPN tunnel built over Internet2 or public internet and primarily used by customers that have out-grown S2S VPN Capabilities or need larger bandwidth but not ready to go for ExpressRoute, just yet. There is no QoS SLA provided by Microsoft on this option either.
- ExpressRoute (Best): Azure ExpressRoute is a private connection between Azure data centers and infrastructure on your premises or in a colocation environment. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider serving a range of bandwidth options from 50 Mbps to 10 Gbps. With ExpressRoute you can establish connections to all Azure services, , Office 365 and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute is like a toll road where you pay additional cost and get a reliable , predictable performance for your Enterprise level applications that are latency sensitive and provides a secure passage of data without traversing through shared Internet. This is an add-on to Internet2/Public Internet and does not use any of these resources. This is supported by a QoS SLA from Microsoft and is highly recommended for VOIP (Skype), Video streaming and Research use cases. Read more details here , FAQs here and pricing.
- Network design of the Cloud subscription (considering security, policies, firewalls, resiliency and performance): This is a very important element of your Cloud architecture and Microsoft has provided various reference architectures that can be readily deployed using JSON templates or Power Shell with little or no modification. These range from single VM, Multiple VMs, N-tier, Reliable N-tier and High availability (multiple region) architectures. Read all the reference architecture and detailed considerations here.
How are other institutions setting up their cloud connectivity? How it has been accomplished?
It differs from case to case and the purpose of leveraging Azure in short to medium term. Institutions leveraging Azure from a research focus (and other services) and advance their ongoing research OR institutions that have a large infrastructure footprint and plan to run their operations in Hybrid mode (on-premise and cloud) have decided to upfront install ExpressRoute and scale it up and down based on their needs/patterns to manage their cost. Other institutions have commenced their cloud journey using Site to Site VPN and have added additional gateways as their demands grow, they have self-architected their VPN connections to be resilient by building a full-mesh topology or redundant connections between their cloud subscriptions (multiple regions) and data centers (multiple locations). One such example of Express Route usage is here and other S2S options of Full-mesh, Daisy Chain and Hub-spoke model are here.
In almost all cases, the network design (both aspects above) is a team exercise between institution’s infrastructure team and Microsoft Azure specialist team white-boarding several scenarios, discussing pros and cons and then finalizing an architecture. In certain cases, customers have requested Azure network specialists to help perform an independent review of the end state architecture.
Please read more specific details on these services, limits and prices on Azure documentation.