That’s a fair question. After all, unlike connecting via the Internet, Azure ExpressRoute is a dedicated high-speed circuit between your Azure subscription and your on-premises data center or colocation facility, (refer to Figure 1). However, now that you’ve effectively extended the datacenter up to the Azure cloud you may have a desire, (or requirement) to further isolate specific data traffic. For example, with regards to the graphic below, you may need to isolate and encrypt data as is flows between an on-premises database farm and an Azure-hosted application tier. What can you do? Unfortunately, there is no native way to isolate traffic with inside an Azure ExpressRoute connection. While it is possible for an ExpressRoute and an Azure site-to-site VPN to coexist side-by-side within a subscription, (mainly for failover), it is not possible to place an Azure VPN gateway within an ExpressRoute circuit. But hey, that’s okay. We have a solution.
Site-to-Site VPN Inside ExpressRoute
In previous articles we have talked about the ability for the F5 BIG-IP to be used a site-to-to site VPN endpoint for connecting on-premises environments to Azure. Great news! The same basic principle and processes apply in this case. The only difference is rather than establishing the tunnel between an on-premises BIG-IP and the Azure Gateway, we will create the tunnel between an on-premises BIG-IP and a BIG-IP deployed in the Azure subscription, (refer to Figure 2).
As the below example illustrates, we have inserted BIG-IP device in our datacenter and made use our our existing Azure-hosted BIG-IP, (currently used to publish the application) to establish a route-based IPsec tunnel. With the tunnel established, we configure Azure User-defined routing to direct all traffic sourced from the application subnet destined for the database farm, (and vice-versa) to travel through the IPsec tunnel. Pretty cool huh?
Deploying the BIG-IP IPsec Azure Endpoint
Okay, so now you may be asking, “While that sounds all well and good, how do I implement this; sounds complicated?”
Once again, fair question. But don’t worry dear reader; I have you covered. Here is a link to a community-supported iApp template that can be used to deploy either a policy or route-based IPsec endpoint. Additionally, the iApp can be used for both the on-premises BIG-IP as well as the Azure-hosted BIG-IP endpoint. For a detailed walkthrough of the configuration process refer to my previous article on configuring a dynamic IPsec tunnel to Azure.
* The template provided is community-supported and offered “as is”. In other words, it works, is free, and you get what you pay for .
A Note on User-defined Routing
To successfully pass traffic through the tunnel Azure User-defined routing must be configured. An entry specifying the on-premises/co-location destination network, next hop set to ‘Virtual Appliance’ and the BIG-IP’s private IP address, (see example below).