It is common for an organization to place most of its cloud infrastructure, such as virtual machines, databases and Redis caches, in a single region to serve local users. Users elsewhere still need access, and the traditional approach is to serve them over the public internet. That deployment is easy and avoids having to keep data consistent across several regions, but the internet path can add latency that is unacceptable for latency-sensitive workloads.
Azure Application Gateway helps here, because its backend pool can contain instances outside the virtual network the gateway sits in, as long as there is IP connectivity to them. That means we can keep most of the infrastructure in a major region while deploying an application gateway in each of several other regions. What we need is for every application gateway to reach the major region's virtual network over private IP addresses, which can be achieved with global VNet peering or a VPN gateway. This post covers global VNet peering.
Virtual network peering connects two Azure virtual networks so that, for connectivity purposes, they behave as one. Traffic between peered virtual networks is private and stays on the Microsoft backbone network: it does not traverse the public internet, needs no gateway, and requires no extra encryption to stay off the internet, which gives much better throughput and latency than the internet path. Note that "private" means the traffic never leaves the backbone; peering itself adds no encryption, so keep end-to-end TLS between the gateway and the backend when the payload requires it.
When this was written, peering virtual networks in different regions was still in preview, available in US West Central, Canada Central, US West 2, Korea South, UK South, UK West, Canada East, India South, India Central and India West. Before peering virtual networks in different regions you had to register your subscription for the preview; otherwise creating a peering between virtual networks in different regions failed with an error. Global VNet peering has since become generally available (March 2018). Check the Azure Roadmap and Azure Updates for the latest release news.
The diagram below shows a practical layout using global VNet peering across multiple Azure regions to achieve low-latency cross-region access. Its components are:
- Azure Traffic Manager. Traffic Manager is DNS based and directs each client to one of the regional application gateways. To meet the latency goal, use the Performance routing method, which answers each client with the gateway that has the lowest network latency to it. If that region's endpoint becomes unhealthy, Traffic Manager stops returning it and clients fail over to the next closest region.
- VNets. Create a separate VNet in each region and make sure their address spaces do not overlap; peering is refused between overlapping address spaces.
- Load Balancer. An internal load balancer in the major region distributes incoming requests to the backend VM instances. Use the Standard SKU: the frontend IP of a Basic load balancer is not reachable across a global peering.
- Application Gateway. One application gateway per region; each gateway's backend pool points at the private IP address of the major region's internal load balancer.
In the diagram above, the internal load balancer is the backend pool target of each application gateway. You can certainly add virtual machines directly instead. Note that when editing a backend pool, the Azure portal only lists virtual machines located in the same region as the application gateway, so for cross-region targets you add the virtual machine's (or load balancer's) private IP address rather than its network interface. The same can be done in PowerShell with Set-AzureRmApplicationGatewayBackendAddressPool followed by Set-AzureRmApplicationGateway. Because the gateway sits outside the backend's VNet, also make sure the backend subnet's network security group admits traffic from the gateway subnets, otherwise the gateway's health probe fails and the pool is marked unhealthy.
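As an added example (not code from the original post), the following PowerShell script carries out the steps above for one major region and two gateway regions: it creates the global peerings in both directions and verifies they reach the Connected state, restricts the backend subnet's network security group to the gateway subnets, and points each gateway's existing backend pool at the internal load balancer's private IP address. All resource names, resource groups, address ranges and the backend pool name are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Assumed layout:
#   rg-major  vnet-major  10.0.0.0/16  ILB frontend 10.0.1.10, NSG 'nsg-backend' on the backend subnet
#   rg-west   vnet-west   10.1.0.0/16  application gateway 'agw-west' in subnet 10.1.0.0/24
#   rg-east   vnet-east   10.2.0.0/16  application gateway 'agw-east' in subnet 10.2.0.0/24
$ErrorActionPreference = 'Stop'

$major        = Get-AzureRmVirtualNetwork -Name 'vnet-major' -ResourceGroupName 'rg-major'
$ilbPrivateIp = '10.0.1.10'          # frontend IP of the Standard SKU internal load balancer
$poolName     = 'pool-major-ilb'     # backend pool assumed to exist on each gateway already
$remotes = @(
    @{ Vnet = Get-AzureRmVirtualNetwork -Name 'vnet-west' -ResourceGroupName 'rg-west'
       GatewayName = 'agw-west'; GatewaySubnet = '10.1.0.0/24' },
    @{ Vnet = Get-AzureRmVirtualNetwork -Name 'vnet-east' -ResourceGroupName 'rg-east'
       GatewayName = 'agw-east'; GatewaySubnet = '10.2.0.0/24' }
)

foreach ($r in $remotes) {
    $remote = $r.Vnet
    $toRemote = "$($major.Name)-to-$($remote.Name)"
    $toMajor  = "$($remote.Name)-to-$($major.Name)"

    # A peering is created from both sides; only then does PeeringState become 'Connected'.
    # Forwarded traffic and gateway transit stay off: the gateways only need direct
    # VNet-to-VNet reachability to the load balancer.
    Add-AzureRmVirtualNetworkPeering -Name $toRemote -VirtualNetwork $major `
        -RemoteVirtualNetworkId $remote.Id | Out-Null
    Add-AzureRmVirtualNetworkPeering -Name $toMajor -VirtualNetwork $remote `
        -RemoteVirtualNetworkId $major.Id | Out-Null

    $state = (Get-AzureRmVirtualNetworkPeering -ResourceGroupName $major.ResourceGroupName `
        -VirtualNetworkName $major.Name -Name $toRemote).PeeringState
    if ($state -ne 'Connected') {
        throw "Peering $toRemote is '$state', expected 'Connected'"
    }

    # The portal only lists same-region NICs for a backend pool, so the cross-region
    # target is added as an IP address (reachable over the peering), as the post says.
    $gw = Get-AzureRmApplicationGateway -Name $r.GatewayName -ResourceGroupName $remote.ResourceGroupName
    $gw = Set-AzureRmApplicationGatewayBackendAddressPool -ApplicationGateway $gw `
        -Name $poolName -BackendIPAddresses $ilbPrivateIp
    Set-AzureRmApplicationGateway -ApplicationGateway $gw | Out-Null
}

# Restrict the backend subnet to the gateway subnets. The default AllowVnetInBound rule
# (priority 65000, source tag VirtualNetwork) also matches peered VNets, so the Allow for
# the gateway ranges only means something together with a Deny that sits above 65000.
# AzureLoadBalancer is allowed explicitly first, because the VirtualNetwork tag also covers
# the platform probe address and the Deny would otherwise break the ILB health probes.
$gatewaySubnets = @($remotes | ForEach-Object { $_.GatewaySubnet })
$nsg = Get-AzureRmNetworkSecurityGroup -Name 'nsg-backend' -ResourceGroupName 'rg-major'
$nsg = $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'allow-appgw-http' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $gatewaySubnets -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80
$nsg = $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'allow-lb-probe' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name 'deny-other-vnet-http' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
```

The script uses the AzureRm cmdlets named in the post; that module is deprecated, and with the Az module the same cmdlets exist under the Az prefix (Add-AzVirtualNetworkPeering, Set-AzApplicationGatewayBackendAddressPool, Set-AzApplicationGateway, and so on) with the same parameters. If the backend pool does not exist yet, create it with Add-AzureRmApplicationGatewayBackendAddressPool instead of Set-.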