Public cloud connectivity: which highway to the Microsoft cloud?

A few months ago, I was a speaker at an ICT event where I presented the major challenges of the public cloud. Connectivity, then still embryonic, was one of those. Recent developments by cloud and telecom operators have clarified the different options open to prospective customers who want high-speed access to the Microsoft cloud.


As is mostly the case with our customers, site-to-site VPN connectivity is the norm. The reason is simple: it is an option fully integrated with Microsoft's core offering, and its standard form is offered free to all customers. These tunnels connect Azure resources with "on-prem" resources by establishing an encrypted tunnel over the Internet.

This solution is very easy to set up, since the Azure gateway is configured in a few clicks. The only complexity you may encounter, if you are new to firewalls, is configuring the tunnel on your side.

While this connectivity is simple, it also has its limitations:

  • Limited bandwidth in the free version (100 Mbps)
  • No SLA for stability or performance
  • No guarantee of throughput, latency or performance when connecting through the tunnel, because the traffic between both ends of the tunnel is carried over the Internet

According to Microsoft, this type of connectivity should be limited to dev/test scenarios.

To address some of these limitations and to support production scenarios, Microsoft recently introduced more capable VPN solutions in the Azure console, at increased cost. The VPNGW1, VPNGW2 and VPNGW3 gateways raise throughput from 600 Mb/s to 1.25 Gb/s while increasing the number of authorized site-to-site (s2s) sessions or guaranteeing better availability SLAs (up to 99.95%).

These tunnels nevertheless remain dependent on the vagaries of your Internet provider or the overall latency of the "network of networks".


Fortunately, through Express Route subscriptions, the collaboration between Microsoft and telecom operators allows customers to set up secure, redundant and, of course, guaranteed connections between customer sites and the public cloud.

This type of connection is divided into 4 major parts.

  • #1 The Express Route
    It corresponds purely to the Microsoft part of the connection. It could be represented by a port on a switch in your public cloud on Azure, and like any port, it is limited to a certain bandwidth that you define according to your need and budget. Let us remember that in the field of connectivity, the rule stating "the bigger, the more expensive" is the one that always prevails!
  • #2 The peering partner
    The second part is provided by a peering partner chosen by Microsoft and established in one of the data centres of the Microsoft network. In our case, the partner is Equinix and the point of entry is Amsterdam. This partner will, in a sense, patch the router of your operator (or yours, if you have the resources) to your Express Route.
  • #3 The international connectivity
    The international connectivity is the third component you must subscribe to reach this peering partner. For POST Luxembourg, this is a TERALINK International type connectivity. Again, our connectivity offering will depend on the bandwidth, SLA and latency you need.
  • #4 The router on your site
    This is the router through which you establish BGP routing to the Microsoft computing centre. As Express Route connections are considered 100% pro, they are always provided as a minimum of 2 circuits and thus 2 active-active BGP sessions, guaranteeing a high level of SLA even in case of a minor failure (router, circuit, ...). On your side, you will ideally need two routers in HA mode. They may also be provided to you in the form of a service contract.


In the case of Express Route Standard subscriptions, your subscription gives you access, ideally in high availability, to a circuit in a region (Europe, for instance). Through this circuit, you can access all services and data centres in this region (Europe North, Europe West, UK West, UK South and soon France Central and France South).

For the global enterprise, Microsoft also offers Express Route Premium subscriptions, which use Microsoft's backbone to pass traffic between regions. This solution is particularly interesting for the media industry, for example, since it allows pushing data to different CDNs distributed around the world.


If you think that the VPN is the best option because you have a small budget, the costs of outbound traffic must be considered. This traffic makes costs harder to predict, because the volume of traffic consumed (in Gb or Tb) is often unknown or poorly managed.

For the Microsoft subscription, the cost of an Express Route connection may be agreed as a flat fee or on a metered model. It is important to compare these two options, whose financial differences are somewhat more complex to evaluate.

VPN, Express Route, basic, standard, premium, flat fee, metered… New connectivity options are now available for the Microsoft Cloud (Azure Private, Azure Public and Office 365).

We can now create simple or complex WANs, expensive or cheap, powerful and redundant in order to build the optimal solution for each project; you just have to enter the highway to the cloud!

Do you want my expert advice on which solution is the best fit for your business? Book a call directly with me and I'll be glad to help!
