Ever dreamt of driving to work on your private express lane, instead of using a jammed, potentially dangerous highway? Your dream is real, in the cloud.

Azure ExpressRoute allows you to physically connect on-premises networks into Azure, over private connections, completely bypassing the public Internet. ExpressRoute connections are more reliable, faster, with consistent lower latencies, and have higher security than typical connections over the Internet.

Read this post to learn how you can connect a SAS Viya on Azure deployment to an "on-premises" network, from a different geopolitical region.

Previously

In Part 1, we introduced Azure ExpressRoute, the connectivity models, including ExpressRoute Direct and a few scenarios customers might consider for ExpressRoute Direct.

In Part 2, we created an Azure ExpressRoute Direct, an ExpressRoute Circuit, configured Azure Private Peering, added to the circuit two networks from the same geopolitical region (US) and tested the connection from SAS Viya.

In Part 3, we will connect the data centre from Australia to the same ExpressRoute Direct Circuit.

In a graphical way, the question we want to answer is:

How do we access, privately, over Azure and a connectivity provider's backbone, from SAS Viya...

Select any image to see a larger version.
Mobile users: If you do not see this image, scroll to the bottom of the page and select the "Full" version of this post.

data stored in a data centre down-there?

Topology

As a reminder, we proposed a topology and two scenarios to access from SAS Viya data from simulated "on-premises" databases. SAS Viya is deployed in Azure in the East US region. The databases sit in two different "on-premises" data centres, one in US, the other in Australia.

Connect the Australian Network to the ExpressRoute Circuit

At this point, the simulated “on-premises” West US data centre is connected to the ExpressRoute circuit.

If you would try to connect the AP-AUS-Network based in Australia, in the exact same way, you would get an error message:

The error message would say: "The creation of the virtual network gateway connection failed because your circuit in Equinix-Ashburn-DC6 cannot be connected to Australia Southeast on a standard circuit. Virtual network gateway connections on a standard ExpressRoute circuit are only allowed within the same geopolitical region. Please upgrade to a premium SKU."

At this point, first, delete the failed connection.

Second, weigh your options. According to ExpressRoute FAQs, you can update your ExpressRoute circuit to Premium. A diagram in the FAQ shows how the SKUs are designed to allow connectivity across regions.

Avoid Bill Shock

Now it is a good moment to tell you what the cost of this setup is. According to the Azure Pricing Calculator :

• ExpressRoute Direct with a minimum port pair speed of 10 Gbps +
• Premium ExpressRoute circuit of 1 Gbps +
• 10 TB of data transfer

= USD 6956 / month

You see, your private 10 Gbps lane does not come cheap.

You must know the volumes and the speeds you need before "paying the toll on the ExpressRoute". And the use case must justify the cost.

Alternatives:

• Unless you absolutely need a 10 Gbps port pair speed, to fill with 10 circuits of 1 Gbps or one circuit of 10 Gbps, you don't really need ExpressRoute Direct.
• The classic ExpressRoute (not the ExpressRoute Direct) from 50MBps will cost you from USD 130 / month. The connectivity provider costs as well as the data transfer will add to this bill.
• There are options, it is up to you to decide how fast you want to transfer data.

Private Does Not Mean Encrypted

Another item I wanted to highlight: by default traffic over an ExpressRoute connection is not encrypted. Therefore, private does not mean encrypted. See ExpressRoute encryption for more details. There are other options: use a Azure Virtual WAN or Configure a Site-to-Site VPN connection over ExpressRoute private peering.

Upgrade the Existing ExpressCircuit to Premium

Coming back to our scenario. You decided to upgrade from SKU Standard to Premium.

While this is a quick win, this might be very costly. Some connectivity providers, such as NextDC or MegaPort claim they can save you costs by allowing you to connect two Local or Standard circuits, through their infrastructure, at a fraction of a cost for Premium.

The connectivity bill optimization is out of the scope of this post series. But know there are alternatives you can research.

Connect the Australian Network to the ExpressRoute Circuit

Connect the simulated “on-premises” Australia Southeast data centre’s vnet, to the same ExpressRoute circuit.

We chose the connection to sit in Australia Southeast. I don’t think it matters where the connection sits. The connection is using the SASViyaHQNetworkERCircuit, provisioned through Equinix-Ashburn-DC6. Therefore, the connection is initiated from the US to Australia, through the Azure and provider's private network.

In Settings, you will have to choose the VNG of type ExpressRoute you created in the Australian network:

Connection Success Looks Like This

In the ExpressRoute circuit’s connections, you will see three connections, just like in the topology diagram, at the beginning of the post.

The AP-AUS-Network Virtual Network Gateway (VNG), VNG-AP-AUS, will also show a connected status.

As you can see, the same VNG can be connected to multiple ExpressRoute circuits, in the same or in different geopolitical regions.

Test SAS Viya Connection to the PostgreSQL Server

To test the connection from SAS Viya, deployed in East US to the "on-premises" PostgreSQL server in Australia Southeast, retrieve the server's private IP, for example 11.0.1.4.

Using the example provided in How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 3, in SAS Studio, write the following SAS code. The PostgreSQL Server is represented by the private IP address of the server in AP-AUS-Network (private endpoint). Connect to the default postgres database:

libname GELDBHQ clear;
libname GELDBHQ postgres server='11.0.1.4' port=5432
   user='viyadep@ausnetworksrv' password='fill_in_here'
   database=postgres SSLMODE='prefer';

Connection is successful, and you can access the database inside the PostgreSQL Server, deployed "on-premises", in Australia South East:

Conclusions

SAS Viya deployed in Azure East US can now connect to a database, hosted "on-premises" in Australia Southeast, through the ExpressRoute Direct Circuit.

In this post we:

• Upgraded an existing ExpressRoute Circuit SKU to Premium to allow us to connect across geopolitical regions.
• Added a new network to the circuit from the simulated "on-premises" data centre.
• Tested the connection from SAS Viya to a database to the overseas data centre.

Useful Resources

• How to Connect SAS Viya in Azure to On-Prem with ExpressRoute - Part 1.
• How to Connect SAS Viya in Azure to On-Prem with ExpressRoute - Part 2.
• Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro).
• Azure geopolitical regions.
• Microsoft Datacenters Globe.
• Azure ExpressRoute Connectivity Models.
• About ExpressRoute Direct.
• ExpressRoute FAQs.
• Tutorial: Create ExpressRoute Direct using the Azure portal.
• Tutorial: Create and modify peering for an ExpressRoute circuit using the Azure portal.
• Tutorial: Configure a virtual network gateway for ExpressRoute using the Azure portal.

Related Post Series

• How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 1
• How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 2
• How to Connect SAS Viya in Azure to On-Prem with VPN Gateways – Part 3

Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about access to on-premises datacentres using VPN gateways.  If you wish to get more information, please write me an email.

Find more articles from SAS Global Enablement and Learning here.