| 1 | +--- |
| 2 | +title: 'Interoperability of ExpressRoute, Site-to-site VPN, and VNet Peering - Control Plane Analysis: Backend Connectivity Features Interoperability | Microsoft Docs' |
| 3 | +description: This page provides the control plane analysis of the test setup created to analyze the interoperability of ExpressRoute, Site-to-site VPN, and VNet Peering features. |
| 4 | +documentationcenter: na |
| 5 | +services: networking |
| 6 | +author: rambk |
| 7 | +manager: tracsman |
| 8 | + |
| 9 | +ms.service: expressroute,vpn-gateway,virtual-network |
| 10 | +ms.topic: article |
| 11 | +ms.workload: infrastructure-services |
| 12 | +ms.date: 10/18/2018 |
| 13 | +ms.author: rambala |
| 14 | + |
| 15 | +--- |
| 16 | + |
| 17 | +# Interoperability of ExpressRoute, Site-to-site VPN, and VNet-Peering - Control Plane Analysis |
| 18 | + |
| 19 | +In this article let's go through the control plane analysis of the test setup. If you want to review the Test Setup, see the [Test Setup][Setup]. If you want to review the Test Setup configuration detail, see [Test Setup Configuration][Configuration]. |
| 20 | + |
| 21 | +Control plane analysis essentially examines routes exchanged between networks within a topology and thereby how different network view the topology. |
| 22 | + |
| 23 | +##Hub and Spoke VNet perspective |
| 24 | + |
| 25 | +The following diagram illustrates the network from Hub VNet and Spoke VNet (highlighted in blue) perspective. The diagram also shows the Autonomous System Number (ASN) of different network and routes exchanged between different networks. |
| 26 | + |
| 27 | +[![1]][1] |
| 28 | + |
| 29 | +Note that the ASN of VNet's ExpressRoute gateway is different from the ASN of Microsoft Enterprise Edge Routers (MSEEs). ExpressRoute gateway uses a private ASN (65515) and MSEEs use public ASN (12076) globally. When you configure ExpressRoute peering, because MSEE is the peer, you use 12076 as the peer ASN. On the Azure side, MSEE establishes eBGP peering with ExpressRoute GW. The dual eBGP peering that the MSEE establishes for each ExpressRoute peering is transparent at the control-plane level. Therefore, when an ExpressRoute route table is viewed, you see the VNet’s ExpressRoute GW ASN for the VNet’s prefixes. A sample ExpressRoute route table screenshot is shown below: |
| 30 | + |
| 31 | +[![5]][5] |
| 32 | + |
| 33 | +Within Azure, the ASN is only significant from a peering perspective. So if you configure both ExpressRoute GW and VPN GW within a VNet (as in the case of Hub VNet in the test setup), they don’t necessarily need to be configured with the same ASN number (by default they both share the same ASN – 65515). |
| 34 | + |
| 35 | +##On-Premises Location-1 and Remote VNet perspective via ExpressRoute 1 |
| 36 | + |
| 37 | +On-Premises Location-1 and Remote VNet are both connected to Hub VNet via ExpressRoute 1 and therefore they share the same perspective of the network, as shown in the below diagram. |
| 38 | + |
| 39 | +[![2]][2] |
| 40 | + |
| 41 | +##On-Premises Location-1 and Branch VNet perspective via Site-to-Site VPN |
| 42 | + |
| 43 | +On-Premises Location-1 and Branch VNet are both connected to Hub VNet’s VPN GW via Site-to-Site VPN connections and therefore they share the same perspective of the network, as shown in the below diagram. |
| 44 | + |
| 45 | +[![3]][3] |
| 46 | + |
| 47 | +##On-Premises Location-2 perspective |
| 48 | + |
| 49 | +On-Premises Location-2 is connected to Hub VNet via private peering of ExpressRoute 2. |
| 50 | + |
| 51 | +[![4]][4] |
| 52 | + |
| 53 | +## Next Steps |
| 54 | + |
| 55 | +For data plane analysis of the test setup and for Azure network monitoring features view of the different data-paths of the test setup, see [Data-Plane Analysis][Data-Analysis]. |
| 56 | + |
| 57 | +To learn how many ExpressRoute circuits you can connect to an ExpressRoute Gateway, or alternatively how many ExpressRoute Gateways you can connect to an ExpressRoute circuit, or to learn other scale limits of ExpressRoute, see [ExpressRoute FAQ][ExR-FAQ] |
| 58 | + |
| 59 | +## Further Reading |
| 60 | + |
| 61 | +### Using ExpressRoute and Site-to-Site VPN connectivity in Tandem |
| 62 | + |
| 63 | +#### Site-to-Site VPN over ExpressRoute Microsoft Peering |
| 64 | + |
| 65 | +Site-to-Site VPN can be configured over ExpressRoute Microsoft peering to privately exchange data between your on-premises network and your Azure VNets with confidentiality, anti-replay, authenticity, and integrity. For further details regarding how to configure Site-to-Site IPSec VPN in tunnel mode over ExpressRoute Microsoft peering, see [Site-to-site VPN over ExpressRoute Microsoft-peering][S2S-Over-ExR]. |
| 66 | + |
| 67 | +The major limitation of configuring S2S VPN over Microsoft peering is the throughput over the IPSec tunnel is limited by the VPN GW capacity, which is typically limited compared to ExpressRoute throughput. In such scenarios, leveraging the IPSec tunnel for high secure traffic and private peering for all other traffic would help optimize the ExpressRoute bandwidth utilization. |
| 68 | + |
| 69 | +#### Site-to-Site VPN as a secure failover path for ExpressRoute |
| 70 | +ExpressRoute is offered as redundant circuit pair to ensure high availability. You can configure geo-redundant ExpressRoute connectivity in different Azure regions. As done in our test setup, within a given Azure region, if you want a failover path for your ExpressRoute connectivity, you can do so using Site-to-Site VPN. When the same prefixes were advertised over both ExpressRoute and S2S VPN, Azure prefers ExpressRoute over S2S VPN. To avoid asymmetrical routing between ExpressRoute and S2S VPN, particularly if stateful network entities such as NAT and/or Firewall exists in the path, on-premises network configuration should also reciprocate preferring ExpressRoute over S2S VPN connectivity. |
| 71 | + |
| 72 | +For further details regarding how to configure ExpressRoute and Site-to-Site VPN coexisting connections, see [ExpressRoute and Site-to-Site Coexistence][ExR-S2S-CoEx]. |
| 73 | + |
| 74 | +### Extending Backend Connectivity to Spoke VNets and Branch Locations |
| 75 | + |
| 76 | +#### Spoke VNet connectivity using VNet peering |
| 77 | + |
| 78 | +Hub-and-spoke Vnet architecture is widely used. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity between your spoke VNets and to your on-premises network. The spokes are VNets that peer with the hub and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection. For further details regarding the architecture, see [Hub-and-Spoke Architecture][Hub-n-Spoke] |
| 79 | + |
| 80 | +VNet peering within a region allows spoke VNets to use hub VNet gateways (both VPN and ExpressRoute gateways) to communicate with remote networks. |
| 81 | + |
| 82 | +#### Branch VNet connectivity using Site-to-Site VPN |
| 83 | + |
| 84 | +If you want branch Vnets (in different regions) and on-premises networks communicate with each other via a hub vnet, the native Azure solution is site-to-site VPN connectivity using VPN gateways (alternative option is to use an NVA for routing in the hub). |
| 85 | + |
| 86 | +For configuring VPN gateways, see [Configuring VPN Gateway][VPN]. For deploying highly available NVA, see [Deploy highly available NVA][Deploy-NVA]. |
| 87 | + |
| 88 | + |
| 89 | +<!--Image References--> |
| 90 | +[1]: ./media/backend-interoperability/HubView.png "Hub and Spoke VNet Perspective of the Topology" |
| 91 | +[2]: ./media/backend-interoperability/Loc1ExRView.png "Location-1 and Remote VNet Perspective via ExpressRoute 1 of the Topology" |
| 92 | +[3]: ./media/backend-interoperability/Loc1VPNView.png "Location-1 and Branch VNet Perspective via S2S VPN of the Topology" |
| 93 | +[4]: ./media/backend-interoperability/Loc2View.png "Location-2 Perspective of the Topology" |
| 94 | +[5]: ./media/backend-interoperability/ExR1-RouteTable.png "ExpressRoute 1 RouteTable" |
| 95 | + |
| 96 | +<!--Link References--> |
| 97 | +[Setup]: https://docs.microsoft.com/en-us/azure/networking/connectivty-interoperability-preface |
| 98 | +[Configuration]: https://docs.microsoft.com/en-us/azure/networking/connectivty-interoperability-config |
| 99 | +[ExpressRoute]: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction |
| 100 | +[VPN]: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways |
| 101 | +[VNet]: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal |
| 102 | +[Configuration]: https://docs.microsoft.com/en-us/azure/networking/connectivty-interoperability-config |
| 103 | +[Control-Analysis]:https://docs.microsoft.com/en-us/azure/networking/connectivty-interoperability-CtrlPln |
| 104 | +[Data-Analysis]: https://docs.microsoft.com/en-us/azure/networking/connectivty-interoperability-DataPln |
| 105 | +[ExR-FAQ]: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-faqs |
| 106 | +[S2S-Over-ExR]: https://docs.microsoft.com/en-us/azure/expressroute/site-to-site-vpn-over-microsoft-peering |
| 107 | +[ExR-S2S-CoEx]: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager |
| 108 | +[Hub-n-Spoke]: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke |
| 109 | +[Deploy-NVA]: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha |
| 110 | +[VNet-Config]: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering |
| 111 | + |
| 112 | + |
| 113 | + |
| 114 | + |
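Review bot: the four section headings written as `##Hub and Spoke VNet perspective`, `##On-Premises Location-1 and Remote VNet perspective via ExpressRoute 1`, `##On-Premises Location-1 and Branch VNet perspective via Site-to-Site VPN` and `##On-Premises Location-2 perspective` have no space after the `##`, so CommonMark renderers will emit them as plain paragraph text instead of `<h2>` headings; add the space to match `## Next Steps` and `## Further Reading` later in the same file. In the link reference block, `[Configuration]` is defined twice with the same URL, and `[ExpressRoute]`, `[VNet]`, `[Control-Analysis]` and `[VNet-Config]` are defined but never referenced in the body, so drop the duplicate and the unused definitions (or leave a comment saying they are shared with the sibling pages). Minor wording in the prose: "how different network view the topology" should be "how different networks view the topology", "When the same prefixes were advertised over both ExpressRoute and S2S VPN, Azure prefers" should use the present tense "are advertised", and the sentences ending in `[ExR-FAQ]` and `[Hub-n-Spoke]` are missing their terminating periods. The failover paragraph correctly calls out that on-premises must also prefer ExpressRoute over S2S VPN to avoid asymmetric routing through stateful NAT or firewall devices; consider linking the sentence to the coexistence article already referenced as `[ExR-S2S-CoEx]`, since that is where the route-preference configuration is described.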