Azure for Architects

Connecting to on-premises data centers

Virtual networks can be connected to on-premises data centers so that Azure and the on-premises data center together form a single Wide Area Network (WAN). Connecting an on-premises network requires deploying gateways on both sides of the connection and, for the VPN options, a VPN tunnel between them. There are three different technologies available for this purpose:

  • Site-to-site VPN: This should be used when the Azure network and the on-premises network are to be joined into one WAN, where any resource on either network can reach any resource on the other regardless of whether it sits in Azure or on premises. A VPN gateway is required on both sides to terminate the tunnel; traffic between the two gateways crosses the public internet inside an IPsec/IKE tunnel. The Azure VPN gateway must be deployed in its own subnet of the virtual network, which Azure requires to be named GatewaySubnet. A public IP address must be assigned to the on-premises gateway so that Azure can reach it over the public network, and the address spaces on the two sides must not overlap, or routing between them is ambiguous.
  • Point-to-site VPN: This is similar to site-to-site connectivity, but instead of joining two networks it connects an individual client computer to the virtual network over an encrypted tunnel. It should be used when only a few users or clients need to connect to Azure securely from remote locations. No public IP address or VPN gateway is needed on the client side: the client authenticates to the Azure VPN gateway (with a client certificate or another supported authentication method) and receives an address from a client address pool, which must not overlap with the virtual network or the on-premises address spaces.
  • ExpressRoute: Both site-to-site and point-to-site VPN run over the public internet; the IPsec/IKE tunnel encrypts the traffic and the endpoints authenticate with pre-shared keys or certificates. Some applications are deployed in hybrid mode, with some resources hosted in Azure and others in the on-premises data center, and even though those resources are hosted in Azure they are not permitted to use the public internet to reach the on-premises side. Azure ExpressRoute is the best solution for them, although it is a costlier option than site-to-site or point-to-site VPN. It provides reliable connectivity with much higher bandwidth and lower latency than the VPN options because the traffic never traverses the public internet: it extends the on-premises network into Azure over a dedicated private connection facilitated by a connectivity provider. One caveat: an ExpressRoute circuit is private but not encrypted by default, so workloads that require encryption in transit must add it themselves (for example with an IPsec tunnel over the circuit) rather than assuming the private path provides it.

The following figure shows all three types of hybrid networks:

It is good practice for a virtual network to have a separate subnet for each logically distinct component that is deployed separately, both for security and for isolation; the dedicated gateway subnet described above is one such subnet.
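As an added example (not code from the book, and not an Azure tool), the following pre-flight check turns the site-to-site and point-to-site requirements listed above, and the dedicated-subnet practice, into something a practitioner can run against a proposed design before creating any gateways. The design dictionary, its addresses and the function names are constructed for illustration; the rules it enforces (the reserved GatewaySubnet name, a /27 or larger for that subnet, an internet-routable on-premises gateway address, and disjoint VNet, on-premises and client-pool address spaces) are Azure requirements, not assumptions.

```python
import ipaddress

# Address ranges Azure cannot reach over the public internet; an on-premises
# VPN device addressed from one of these cannot terminate a site-to-site tunnel.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]

# Constructed example design: illustrative addresses, not a real deployment.
EXAMPLE_DESIGN = {
    "vnet_address_spaces": ["10.10.0.0/16"],
    "subnets": {
        "GatewaySubnet": "10.10.255.0/27",   # dedicated subnet for the Azure gateway
        "web": "10.10.1.0/24",
        "data": "10.10.2.0/24",
    },
    "onprem_address_spaces": ["192.168.0.0/16"],
    "onprem_gateway_public_ip": "203.0.113.10",   # public address of the on-premises VPN device
    "p2s_client_pool": "172.16.200.0/24",          # pool handed out to point-to-site clients
}


def is_internet_routable(ip):
    """True if Azure could reach this IPv4 address over the public internet."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in _NON_ROUTABLE)


def check_hybrid_design(design):
    """Return a list of problems; an empty list means the design passes.

    Azure requires the gateway subnet to be named exactly 'GatewaySubnet' and
    recommends /27 or larger; every address space joined into the WAN (VNet,
    on-premises, point-to-site client pool) must be disjoint or routes become
    ambiguous; the on-premises VPN device must be reachable from the internet.
    """
    problems = []
    vnet = [ipaddress.ip_network(s) for s in design["vnet_address_spaces"]]
    onprem = [ipaddress.ip_network(s) for s in design["onprem_address_spaces"]]
    subnets = {n: ipaddress.ip_network(p) for n, p in design["subnets"].items()}

    # 1. The Azure gateway needs its own subnet with the reserved name.
    gw = subnets.get("GatewaySubnet")
    if gw is None:
        problems.append("missing 'GatewaySubnet' for the Azure gateway")
    elif gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than the recommended /27")

    # 2. Every subnet must sit inside the VNet address space.
    for name, net in subnets.items():
        if not any(net.subnet_of(space) for space in vnet):
            problems.append(f"subnet {name} ({net}) is outside the VNet address space")

    # 3. Azure reaches the on-premises VPN device over the public internet.
    gw_ip = design["onprem_gateway_public_ip"]
    if not is_internet_routable(gw_ip):
        problems.append(f"on-premises gateway address {gw_ip} is not internet-routable")

    # 4. Address spaces joined into one WAN must not overlap each other.
    spaces = [("VNet", n) for n in vnet] + [("on-premises", n) for n in onprem]
    if "p2s_client_pool" in design:
        spaces.append(("point-to-site client pool",
                       ipaddress.ip_network(design["p2s_client_pool"])))
    for i, (label_a, a) in enumerate(spaces):
        for label_b, b in spaces[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{label_a} {a} overlaps {label_b} {b}")
    return problems


if __name__ == "__main__":
    found = check_hybrid_design(EXAMPLE_DESIGN)
    for p in found:
        print("FAIL:", p)
    print("design passes" if not found else "design needs changes")
```

Run it before creating the gateways: an overlap or a misnamed gateway subnet found here costs seconds, whereas the same mistake discovered after the Azure gateway has been provisioned means deleting and recreating it.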