Back to all videos

Connect Clouds in Azure, AWS, GCP and More Together with Hybrid Cloud Networking

By John Savill's Technical Training

Cloud ComputingNetworking
Share:

Key Concepts

  • Multicloud Connectivity: Connecting resources and services across multiple cloud providers (e.g., Azure, AWS, GCP, OCI).
  • Azure Virtual Network (VNet): The fundamental building block for private networks in Azure, defined by IPv4/IPv6 address ranges, bound to a specific subscription and region.
  • Delegated Subnet: A subnet within an Azure VNet where specific Azure services (e.g., databases) can deploy their components, allowing private IP connectivity.
  • Private Endpoint: A special network interface that takes an IP address from a VNet subnet, enabling private and secure access to specific instances of Azure services.
  • Azure Private DNS Zones: Used for private DNS resolution within and across Azure VNets, crucial for TLS-encrypted connections.
  • Microsoft Global Network: Microsoft's extensive private network infrastructure connecting all Azure regions (60+), spanning over 165,000 miles of fiber optic and undersea cables.
  • Points of Presence (PoPs): Global network locations (over 185) where the Microsoft Global Network connects to other networks, including the internet and private interconnects, often in carrier-neutral facilities.
  • Public Connectivity: Network connections over the public internet.
  • Private Connectivity: Dedicated, private network connections that bypass the public internet.
  • Site-to-Site VPN: An encrypted tunnel over the public internet connecting an on-premises network or another cloud network to an Azure VNet, typically limited to ~1 Gbps and subject to internet latency/jitter.
  • ExpressRoute: Azure's private connectivity service, providing a dedicated, high-bandwidth, low-latency connection from on-premises networks or other clouds to Azure.
  • ExpressRoute Gateway: A specific gateway deployed within an Azure VNet to terminate ExpressRoute circuits.
  • ExpressRoute Circuit: Represents the physical connection(s) to the Microsoft Global Network, typically comprising two connections for resiliency.
  • ExpressRoute Metro: An ExpressRoute option using two different buildings within the same city for enhanced resiliency against single-building failures.
  • Hub-Spoke Architecture: A common network topology in Azure where a central "hub" VNet provides shared services and connectivity (e.g., to on-premises or other clouds), and "spoke" VNets peer with the hub for connectivity.
  • VNet Peering: Connects two Azure VNets, allowing resources in each VNet to communicate using private IP addresses, requiring non-overlapping IP spaces.
  • Azure Virtual WAN: A managed networking service providing a hub-spoke architecture, managed connectivity, and routing services.
  • Azure Virtual Network Manager (Connected Group): A service for centrally managing network configurations at scale, enabling direct spoke-to-spoke communication without hair-pinning through the hub.
  • AWS Virtual Private Cloud (VPC), GCP Virtual Private Cloud (VPC), OCI Virtual Cloud Network (VCN): The equivalent private network constructs in other major cloud providers.
  • AWS Direct Connect, GCP Cloud Interconnect, OCI FastConnect: Private connectivity services offered by AWS, GCP, and OCI, respectively, conceptually similar to Azure ExpressRoute.
  • ExpressRoute Direct / Dedicated (other clouds): Options for customers to manage their own routers and BGP peering for direct, high-capacity (up to 100 Gbps) private connections.
  • Cloud Exchange Providers (Equinix, Megaport): Third-party providers that simplify multicloud private connectivity by managing the physical cross-connects and routing.
  • DNS Conditional Forwarding: A DNS configuration where requests for specific domains are forwarded to a different DNS server, essential for cross-cloud DNS resolution.
  • ExpressRoute Fast Path: An optimization that allows traffic to bypass the ExpressRoute Gateway for lower latency when communicating with resources in the VNet or peered VNets.
  • BGP (Border Gateway Protocol): The routing protocol used for exchanging routing information between networks, including cloud private connections.
  • Azure Arc: A service that extends Azure management and governance capabilities to resources located outside of Azure, including other clouds and on-premises.

Comprehensive Summary of Multicloud Connectivity

This video focuses specifically on the network connectivity aspects of multicloud environments, acknowledging that organizations increasingly leverage multiple cloud providers like Azure, AWS, GCP, and OCI. While network connectivity is critical, the presenter emphasizes the equal importance of other aspects such as governance, security, identity, application architecture, data placement, operations, and DevOps, advocating for consistency in monitoring and management across these domains.

1. Azure Network Connectivity Fundamentals

The foundational building block in Azure is the Virtual Network (VNet).

  • Scope: A VNet is confined to a single Azure subscription and a single Azure region; it cannot span across either.
  • Addressing: It is defined by one or more IPv4 address ranges, with optional IPv6 support. Resources like virtual machines and containers are deployed directly into VNets.
  • Service Integration: To enable private interaction with Azure services that are not native to a VNet (e.g., databases), two primary methods are used:
    • Delegated Subnet: The Azure service essentially deploys its components into a specific subnet within the VNet, allowing VNet resources to communicate with it via its assigned IP addresses.
    • Private Endpoint: A special network interface is created within a VNet subnet, taking an IP address from that subnet. When VNet resources communicate with this private endpoint, they are directly accessing a specific instance of the Azure service privately.
  • DNS Resolution: Correct DNS resolution is crucial for encrypted TLS connections. Azure Private DNS zones are used within VNets, and conditional forwarding can be configured to resolve names across different VNets or networks.

2. Hybrid Cloud Connectivity (Azure to On-premises)

Organizations often have existing on-premises data centers, necessitating hybrid cloud connectivity.

  • Microsoft Global Network: Microsoft operates a vast global network, connecting over 60 Azure regions with more than 165,000 miles of fiber optic and undersea cables. This network has over 185 Points of Presence (PoPs) globally, which are carrier-neutral facilities where Microsoft's network connects to other networks, including the internet.
  • Connectivity Options to Azure:
    • Public Connectivity (Site-to-Site VPN): This method uses an encrypted tunnel over the public internet. An on-premises gateway device connects to an Azure VPN Gateway in a VNet. While encrypted, it's subject to internet latency, jitter, and typically maxes out at around 1 Gigabit per second (Gbps). Larger organizations often use it only for backup.
    • Private Connectivity (ExpressRoute): This provides a dedicated, private connection to the Microsoft Global Network, bypassing the internet.
      • Mechanism: A carrier provides connectivity from the on-premises data center to an Azure PoP, where a cross-connect is established to Microsoft's network. An ExpressRoute Gateway is deployed in the Azure VNet to terminate this connection.
      • Resiliency: An ExpressRoute circuit consists of two connections for redundancy (different routers, same building). For higher resiliency, ExpressRoute Metro uses two different buildings in the same city, or multiple circuits can be used across different PoPs hundreds of miles apart to protect against geographic failures.
      • ExpressRoute Direct: For customers comfortable managing their own routers and BGP, this option allows direct connections to Microsoft's enterprise edge routers, supporting speeds up to 100 Gbps.
      • Cloud Exchange Providers: Services like Equinix or Megaport simplify ExpressRoute deployment by managing the physical connectivity and cross-connects.

3. Connecting Multiple Azure Virtual Networks (Hub-Spoke)

As organizations grow, they often have many VNets across multiple subscriptions and regions.

  • Hub-Spoke Architecture: To avoid each VNet needing its own ExpressRoute or VPN gateways, a hub VNet is established. This hub contains core resources and connectivity options (e.g., ExpressRoute gateways) to on-premises or other networks. Other VNets, called spokes, peer with this hub.
  • VNet Peering: Connects VNets, allowing resources to communicate directly using private IPs. Crucially, the IP address spaces of peered VNets cannot overlap (though subnet-level peering or Private Link Services with NAT can address some overlap scenarios, adding complexity).
  • Managed Services:
    • Azure Virtual WAN: Provides a managed hub network and services, simplifying global connectivity.
    • Azure Virtual Network Manager: Offers centralized management for large-scale VNet deployments. It can enable direct spoke-to-spoke communication via "connected groups" without hair-pinning through the hub, improving latency and simplifying routing.
  • Regional Hubs: For multi-region deployments, it's common to have a hub VNet in each Azure region, each with its own ExpressRoute circuits for resiliency.

4. Multicloud Connectivity (Azure to Other Clouds)

Connecting Azure to other cloud providers (e.g., AWS VPC, GCP VPC, OCI VCN) uses the same fundamental connectivity options as hybrid cloud.

  • Connectivity Options:
    • Site-to-Site VPN: An encrypted tunnel over the internet can connect an Azure VNet to another cloud's network. This is simple but inherits the latency, jitter, and speed limitations of the internet.
    • Private Connectivity: Each major cloud provider offers its own private connectivity service:
      • AWS Direct Connect
      • GCP Cloud Interconnect
      • OCI FastConnect These are conceptually identical to Azure ExpressRoute, providing dedicated, private connections.
  • Optimizing Latency: To minimize latency between clouds, it's critical to:
    • Select regions that are geographically very close (e.g., Azure London to AWS London).
    • Utilize a shared Point of Presence (PoP) in that same geographical area where both cloud providers have interconnects. Traffic will always flow via this PoP, so proximity is key.
  • Connection Methods for Private Connectivity:
    • Direct/Dedicated: Similar to ExpressRoute Direct, customers can manage their own routers and BGP peering for high-bandwidth (up to 100 Gbps) connections.
    • Cloud Exchange Providers: Services like Equinix or Megaport simplify the process by managing the cross-connects between cloud providers at the PoP.
  • Azure to OCI Interconnect: A specific offering that optimizes connectivity between Azure and OCI by selecting super close regions and PoPs, effectively combining ExpressRoute and FastConnect for ultra-low latency.
  • Optimizations:
    • ExpressRoute Fast Path: Should be enabled to bypass the ExpressRoute Gateway for lower latency to VNet resources and peered VNets.
    • DNS Consistency: Implement DNS conditional forwarding to ensure consistent name resolution for services across different clouds, enabling TLS connections.
  • Resiliency: Just like hybrid connectivity, multicloud connections require robust resiliency. This means having multiple private connections to different PoPs, potentially in different geographic locations, and configuring active-active or active-passive routing to avoid single points of failure. If a facility hosting a PoP goes down, having a backup connection through another facility or a Site-to-Site VPN is crucial.

5. Broader Multicloud Considerations

Beyond network connectivity, the presenter reiterates the importance of other architectural aspects in a multicloud strategy:

  • Security: Centralizing security signals for comprehensive visibility.
  • Governance: Applying consistent policies and controls across all cloud environments. Azure Arc can extend Azure's governance and visibility capabilities to resources in other clouds.
  • Identity, Operations, DevOps, Data Placement, App Architecture: These all require careful planning and consistent approaches across multiple clouds.

Conclusion

Multicloud connectivity fundamentally leverages the same principles and technologies as hybrid cloud connectivity. Organizations can choose between internet-based Site-to-Site VPNs (offering flexibility but with latency/speed limitations) or dedicated private connections (ExpressRoute, Direct Connect, Cloud Interconnect, FastConnect) for high-performance, low-latency links. Key considerations for successful multicloud networking include careful planning of IP address spaces, optimizing for regional proximity and shared PoPs, ensuring robust DNS resolution, and building in comprehensive resiliency. Crucially, network connectivity is just one piece of the puzzle; broader architectural concerns like security, governance, and identity must also be addressed consistently across all cloud environments, potentially using tools like Azure Arc for unified management.

Chat with this Video

AI-Powered

Hi! I can answer questions about this video "Connect Clouds in Azure, AWS, GCP and More Together with Hybrid Cloud Networking". What would you like to know?

Chat is based on the transcript of this video and may not be 100% accurate.

Related Videos

Ready to summarize another video?

Summarize YouTube Video