How to Connect SAS Viya in Azure to On-Prem with ExpressRoute – Part 1
Ever dreamt of driving to work on your own private express lane, instead of using a jammed, potentially dangerous highway? Your dream is real, in the cloud.
Azure ExpressRoute allows to physically connect on-premises networks into Azure, over private connections. ExpressRoute connections completely bypass the public Internet. ExpressRoute connections are more reliable, faster, with consistent lower latencies, and have higher security than typical connections over the Internet.
Read this post to learn how you can connect a SAS Viya on Azure deployment to an on-premises network by using ExpressRoute. When the connection is in place, you can access from SAS Viya data from a database in your on-premises data centre, from the same or different geopolitical region.
Stephen Foerster mentioned in Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro): “Microsoft recommends two different mechanisms for connecting SAS Viya in Azure to on-premises resources […] Both methods require Azure Virtual Network (VNET) gateways to facilitate communication. ExpressRoute offers added security and performance by sending traffic over a dedicated private line.”
Context and Objectives
We want to realize two scenarios, with SAS Viya deployed in the Azure East US region. We want to access through Azure ExpressRoute:
- Data from a database in a data centre deployed in West US.
- Data from a database in a data centre deployed in Australia Southeast.
The first scenario requires connectivity across the same Azure geopolitical region (West US and East US are in North America).
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
The second scenario requires connectivity across different geopolitical region (Australia Southeast is in Oceania).
If you haven’t yet explored the Microsoft Datacenters Globe, do it, it’s pretty cool!
Simulated Data Centre
In this post we are going to simulate the on-premises data centres as Azure networks. Why we chose to simulate the data centre? There are many types of on-premises VPN devices, connectivity providers and it is not possible to describe their configuration in a simple post series.
What you need to remember is the logic and the configuration steps.
Architecture Diagram
By the end of the post series, we want to realize the following architecture diagram:
Where:
Azure side - $PREFIX-vnet, the SAS Viya virtual network deployed in the East US region:
- $PREFIX-aks-subnet is the sub-network of the SAS Viya Azure Kubernetes Service (AKS) cluster and its resources.
- $PREFIX-misc-subnet is the sub-network of the several virtual machines, including $PREFIX-jump-VM.
- A separate gateway subnet is needed for the Azure Virtual Network Gateway (VNG).
- A VNG with type ExpressRoute.
The On-premises side is composed of:
HQ-Network is the on-premises network in a West US data centre.
- It has an Applications subnet. This subnet hosts a database server and a private endpoint. We created a private endpoint, to force the database traffic, network-to-network. We want to avoid SAS Viya connections directly to the database over the Public Internet.
- A separate gateway subnet is required for the on-premises VNG.
- The VNG type is ExpressRoute.
AP-AUS-Network is another on-premises network, in a data centre in Melbourne, in Australia Southeast:
- It has a Databases subnet. This subnet hosts a database server and a private endpoint .
- A separate gateway subnet required for the on-premises VNG.
- The VNG type is also ExpressRoute.
First, $PREFIX-vnet, where SAS Viya sits, will connect to the ExpressRoute Direct Circuit via the VNG. Then, HQ-Network and finally, AP-AUS-Network.
ExpressRoute Connectivity Models
According to Microsoft, ExpressRoute allows you to create a connection between your on-premises network and the Microsoft cloud in four different ways, CloudExchange Co-location, Point-to-point Ethernet Connection, Any-to-any (IPVPN) Connection, and ExpressRoute Direct. Connectivity providers may offer more than one connectivity models. You can work with your connectivity provider to pick the model that works best for you.
ExpressRoute Direct Model
Because I am simulating the on-premises data centres and because I am not hosting my data centre with a connectivity provider, I chose the ExpressRoute Direct model.
There are particularly good reasons and potential cost savings to work with a connectivity provider. I encourage you to do your own research.
According to About ExpressRoute Direct: “You can connect directly into the Microsoft global network at a peering location strategically distributed across the world. ExpressRoute Direct provides dual 100-Gbps or 10-Gbps connectivity that supports Active/Active connectivity at scale.”
Compared to VPN Gateways, where the tunnel throughput is typically 100 Mbps, ExpressRoute Direct throughput is just… massive.
100-Gbps or 10-Gbps is just mind-blowing fast. Faster than many wired connections in your local office.
What scenarios should customers consider with ExpressRoute Direct?
According to ExpressRoute FAQs: “ExpressRoute Direct provides customers with direct 100 Gbps or 10-Gbps port pairs into the Microsoft global backbone. The scenarios that provide customers with the greatest benefits include: Massive data ingestion, physical isolation for regulated markets [or government], and dedicated capacity for burst scenario, like rendering.”
Azure Side Resources
SAS Viya Virtual Network
To connect the SAS Viya virtual network (VNET), $PREFIX-VNET, using ExpressRoute, you need to create a Virtual Network Gateway (VNG) in $PREFIX-VNET. The VNG must be of type ExpressRoute. For more information, read VNGs – ExpressRoute type.
Add a Gateway Subnet
The VNG requires a dedicated GatewaySubnet. Therefore, in $PREFIX-vnet create a GatewaySubnet to host the VNG. As $PREFIX-vnet has an address space of 192.168.0.0/16 the gateway subnet has an address space: 192.168.3.0/27.
Create the Virtual Network Gateway
- VNG Type: ExpressRoute
- Name: VNG-$PREFIX
- Select the gateway subnet created.
Simulated On-premises Resources
For the sake of simplicity, we are going to assume the on-premises resources, have already been created. You can find a deployment example in How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 3.
You will also need an ExpressRoute VNG in each of the networks.
Conclusions
In this post we introduced Azure ExpressRoute, the connectivity models, including ExpressRoute Direct and scenarios customers might consider for ExpressRoute Direct.
We proposed a topology and two scenarios to connect from SAS Viya deployed in Azure in East US to data from databases in "on-premises" data centres in the same or in a different geopolitical region.
In Part 2
Read the next post How to Connect SAS Viya in Azure to On-Prem with ExpressRoute - Part 2, where you will learn how to:
- Create the ExpressRoute Direct Resource.
- Discuss briefly peering locations and ExpressRoute peering.
- Create the ExpressRoute Circuit.
- Configure Azure Private Peering in an ExpressRoute Circuit.
Useful Resources
- Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro)
- Azure geopolitical regions.
- Microsoft Datacenters Globe.
- Azure ExpressRoute Connectivity Models.
- About ExpressRoute Direct.
- ExpressRoute FAQs.
Related Post Series
- How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 1
- How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 2
- How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 3
Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about access to on-premises datacentres using VPN gateways. If you wish to get more information, please write me an email.
Find more articles from SAS Global Enablement and Learning here.
