Choosing between Azure VNet Peering and VNet Gateways

As customers adopt Azure and the cloud, they need fast, private, and secure connectivity across regions and Azure Virtual Networks (VNets). Based on the type of workload, customer needs vary. For example, if you want to ensure data replication across geographies you need a high bandwidth, low latency connection. Azure offers connectivity options for VNet that cater to varying customer needs, and you can connect VNets via VNet peering or VPN gateways.

It is not surprising that VNet is the fundamental building block for any customer network. VNet lets you create your own private space in Azure, or as I call it your own network bubble. VNets are crucial to your cloud network as they offer isolation, segmentation, and other key benefits. Read more about VNet’s key benefits in our documentation “What is Azure Virtual Network?”

VNet peering

VNet peering enables you to seamlessly connect Azure virtual networks. Once peered, the VNets appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same VNet, through private IP addresses only. No public internet is involved. You can peer VNets across Azure regions, too – all with a single click in the Azure Portal.

VNet peering – connecting VNets within the same Azure region
Global VNet peering – connecting VNets across Azure regions

To learn more, look at our documentation overview "Virtual network peering" and "Create, change, or delete a virtual network peering."

VPN gateways

A VPN gateway is a specific type of VNet gateway that is used to send traffic between an Azure virtual network and an on-premises location over the public internet. You can also use a VPN gateway to send traffic between VNets. Each VNet can have only one VPN gateway.

To learn more, look at our documentation overview "What is VPN Gateway?" and "Configure a VNet-to-VNet VPN gateway connection by using the Azure portal."

Which is best for you?

While we offer two ways to connect VNets, based on your specific scenario and needs, you might want to pick one over the other.

VNet Peering provides a low latency, high bandwidth connection useful in scenarios such as cross-region data replication and database failover scenarios. Since traffic is completely private and remains on the Microsoft backbone, customers with strict data policies prefer to use VNet Peering as public internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low latency connections.

VPN Gateways provide a limited-bandwidth connection and are useful in scenarios where encryption is needed but bandwidth restrictions are tolerable. In these scenarios, customers are also not as latency-sensitive.

VNet Peering and VPN Gateways can also co-exist via gateway transit

Gateway transit enables you to use a peered VNet’s gateway for connecting to on-premises instead of creating a new gateway for connectivity. As you increase your workloads in Azure, you need to scale your networks across regions and VNets to keep up with the growth. Gateway transit allows you to share an ExpressRoute or VPN gateway with all peered VNets and lets you manage the connectivity in one place. Sharing enables cost-savings and reduction in management overhead.

With gateway transit enabled on VNet peering, you can create a transit VNet that contains your VPN gateway, Network Virtual Appliance, and other shared services. As your organization grows with new applications or business units and as you spin up new VNets, you can connect to your transit VNet with VNet peering. This prevents adding complexity to your network and reduces management overhead of managing multiple gateways and other appliances.

To learn more about the powerful and unique functionality of gateway transit, refer to our blog post "Create a transit VNet using VNet peering."
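The hub-and-spoke arrangement described above, written out as Azure CLI calls. This is an added example, not code from the Azure post or its linked documentation; the resource group and VNet names are placeholders, and setting AZ=echo prints the calls instead of running them. The detail worth noticing is that the two peering flags are asymmetric: only the hub side (the VNet that owns the VPN or ExpressRoute gateway) sets --allow-gateway-transit, and only the spoke side sets --use-remote-gateways, which is rejected on a VNet that has a gateway of its own.

```shell
#!/bin/sh
# Hub-and-spoke VNet peering with gateway transit via the Azure CLI.
# Added example; resource names below are placeholders, not from the post.
set -eu

AZ=${AZ:-az}                  # set AZ=echo to dry-run the calls
RG=${RG:-my-network-rg}       # resource group holding both VNets (assumed)
HUB=${HUB:-hub-vnet}          # VNet that owns the VPN/ExpressRoute gateway
SPOKE=${SPOKE:-spoke-vnet}    # VNet that will borrow the hub's gateway

# Hub side: let the peered spoke use this VNet's gateway.
# Note what is NOT set here: --use-remote-gateways, since the hub has its own gateway.
peer_hub_to_spoke() {
  "$AZ" network vnet peering create \
    --name "$HUB-to-$SPOKE" \
    --resource-group "$RG" \
    --vnet-name "$HUB" \
    --remote-vnet "$SPOKE" \
    --allow-vnet-access \
    --allow-forwarded-traffic \
    --allow-gateway-transit
}

# Spoke side: send on-premises-bound traffic through the hub's gateway.
# --use-remote-gateways only works because the hub granted --allow-gateway-transit
# and the spoke itself has no gateway.
peer_spoke_to_hub() {
  "$AZ" network vnet peering create \
    --name "$SPOKE-to-$HUB" \
    --resource-group "$RG" \
    --vnet-name "$SPOKE" \
    --remote-vnet "$HUB" \
    --allow-vnet-access \
    --allow-forwarded-traffic \
    --use-remote-gateways
}

# Both directions should report "Connected"; "Initiated" means the
# matching peering on the other VNet has not been created yet.
peering_state() {
  "$AZ" network vnet peering show \
    --name "$1" --resource-group "$RG" --vnet-name "$2" \
    --query peeringState --output tsv
}

main() {
  peer_hub_to_spoke
  peer_spoke_to_hub
  echo "hub side:   $(peering_state "$HUB-to-$SPOKE" "$HUB")"
  echo "spoke side: $(peering_state "$SPOKE-to-$HUB" "$SPOKE")"
}

# Only apply changes when asked explicitly, so the file can also be sourced.
if [ "${1:-}" = apply ]; then
  main
fi
```

Run it as `RG=<your-rg> ./peer.sh apply`; with `AZ=echo` it only prints the two peering calls, which is a quick way to review the flag pairing before touching a subscription.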

Differences between VNet Peering and VPN Gateways

Cross-region support?
  VNet Peering: Yes – via Global VNet Peering
  VPN Gateways: Yes

Cross-Azure Active Directory tenant support?
  VNet Peering: Yes; learn how to set it up in our documentation "Create a virtual network peering."
  VPN Gateways: Yes; see our documentation on VNet-to-VNet connections.

Cross-subscription support?
  VNet Peering: Yes; see our documentation "Resource Manager, different subscriptions."
  VPN Gateways: Yes; see our documentation "Configure a VNet-to-VNet VPN gateway connection by using the Azure portal."

Cross-deployment model support?
  VNet Peering: Yes; see our documentation "different deployment models, same subscription."
  VPN Gateways: Yes; see our documentation "Connect virtual networks from different deployment models using the portal."

Limits
  VNet Peering: You can peer up to 500 VNets with a single VNet, as described in the documentation on networking limits.
  VPN Gateways: Each VNet can have only one VPN gateway, and the number of tunnels a VPN gateway supports depends on its SKU.

Pricing
  VNet Peering: Ingress and egress charged.
  VPN Gateways: Gateway plus egress charged.

Encrypted?
  VNet Peering: Software-level encryption is recommended.
  VPN Gateways: Yes; a custom IPsec/IKE policy can be created and applied to new or existing connections.

Bandwidth limitations?
  VNet Peering: No bandwidth limitations.
  VPN Gateways: Varies with the type of gateway, from 100 Mbps to 1.25 Gbps.

Private?
  VNet Peering: Yes, no public IP endpoints. Routed through the Microsoft backbone and completely private; no public internet involved.
  VPN Gateways: Public IP involved.

Transitive relationship
  VNet Peering: If VNet A is peered to VNet B, and VNet B is peered to VNet C, VNet A and VNet C cannot currently communicate. Spoke-to-spoke communication can be achieved via NVAs or gateways in the hub VNet. See an example in our documentation.
  VPN Gateways: If VNet A, VNet B, and VNet C are connected via VPN gateways and BGP is enabled on the VNet connections, transitivity works.

Typical customer scenarios
  VNet Peering: Data replication, database failover, and other scenarios needing frequent backups of large data.
  VPN Gateways: Encryption-specific scenarios that are not latency-sensitive and do not need high throughput.

Initial setup time
  VNet Peering: It took me 24.38 seconds, but you should give it a shot!
  VPN Gateways: 30 minutes to set it up.

FAQ link
  VNet Peering: VNet peering FAQ
  VPN Gateways: VPN gateway FAQ

Conclusion

Azure offers VNet peering and VNet gateways to connect VNets. Based on your unique scenario, you might want to pick one over the other. We recommend VNet peering for both within-region and cross-region scenarios.

We always love to hear from you, so please feel free to provide any feedback via our forums.
Source: Azure

A sound investment: How Monex is building a fintech ecosystem with APIs

Editor’s note: Today’s post comes from Daisuke Houki of Monex, Inc., a Japanese online securities firm specializing in individual investors. Monex uses Apigee to improve security and speed when sharing its APIs with fintech partners.

At Monex, our aim is to provide our investors with the best financial services and liberal access to capital markets. That means continually providing reliable and up-to-date services for our customers. But recently we’ve experienced issues updating our back-end system when installing new services or modifying existing ones. This led us to look into using an API, to save time and simplify the processes related to the development of new products and services. Using an API allows us to develop new investment services and smartphone apps more rapidly, reducing the time to market. These new opportunities encouraged us to publish our API for everyone in the fintech business that’s developing new apps—with the aim to create even more opportunities for the industry.

Security and performance upgrades

Before we made our API available, our partner fintech firms relied on a method called “scraping” in order to display their customers’ portfolio balances in apps. Unfortunately, this method couldn’t provide the standard of performance and quality sought by fintech businesses. In essence, when we developed and published our API, we made a resource available that improves security and performance for our business partners, and also simplifies the creation of new services by FinTech businesses. By placing Monex at the center of this fintech ecosystem and increasing the use of our API, we hope to enable users to access a variety of third-party services directly from their Monex accounts.

While we initially had a small development team of four members passionately working on the API program, continuing to develop and manage an on-premises API gateway was not the best way forward. That’s because even though the Monex API is compatible with OAuth 2.0, developing this compatibility from scratch would be time-consuming and expensive. Plus, operating an API gateway on premises would require significant manpower. To address this, we settled on the Apigee API management platform for development, publication, and management, to maximize functionality and reduce costs. This platform makes it simple to issue access tokens, and its authentication mechanisms can use our existing back-end without the need for changes.

Becoming a hub for FinTech apps

We also discovered that the Apigee monitoring and analysis functions are extremely effective for diagnosing errors in our back-end. For us, the greatest benefit of the Apigee platform is that we have achieved major reductions in development times by leaving the API service management to Apigee. With so many functions embedded into Apigee, our API and app development have accelerated. We have currently published about 15 APIs for internal and external developers to support a more effective display of share and investment portfolio balance data for the end user. We are also progressing with the internal development of products that use our API, while supporting partner app development within our company’s ecosystem. Going forward, we will continue our efforts to become an integrated hub for financial services that meet our customers’ needs, and to expand our ecosystem with participation from FinTech developers.

To learn more about API management on Google Cloud, visit the Apigee page.
Source: Google Cloud Platform

Brick by brick: Learn GCP by setting up a kid-controllable Minecraft server

Learning a new cloud can be intimidating. In the past six years as a solution architect, I’ve had to learn AWS, Azure, and most recently Google Cloud Platform (GCP), and the incredible array of technologies, products, and vendors can make it seem like an impossible mountain to climb. Even moving between major cloud providers can be difficult due to subtle, but meaningful, differences in products, acronyms, and company cultures. Each time I learn a new cloud platform, I do it the same way: by hyper-over-engineering a Minecraft server for my kids.

As a parent of two kids who are crazy about the block building game, I do my fair share of playing along with them, building castles, gathering resources, and defending my home from zombies. Behind the scenes, I also help my kids run servers, install mods, and generally tweak the game to their liking. And sometimes, a real-life creeper explodes, something happens to their laptop or to the game files, and we have to start all over. If you’ve ever experienced the pain of losing a Minecraft world with diamond armor, a house in the clouds, and a functional roller coaster…well then, you know true sadness!

In this post, I’m going to show you how I used GCP to build a kid-controllable, cloud-ready Minecraft server—one that’s easy to set up and begin playing with friends, and automatically backs itself up. Best of all, it’s 100% controllable by elementary-school-aged children—so they don’t have to wake you on a Saturday morning to reboot the system. Spoiler Alert: the final product is awesome, and it was surprisingly easy to build! Needless to say, I’ve played a lot more Minecraft with my kids since building this solution.

The final architecture looked something like this:

Don’t be intimidated by all of those lines—in fact, here’s a simplified one you can show your kids:

The plan to survive your first night, and hitting your requirements

Creating a basic Minecraft server on GCP is actually pretty straightforward:

Create a virtual machine
Install the Minecraft server software
Configure some Minecraft software start-up scripts

The GCP Solutions Architects have published an awesome guide, Setting Up a Minecraft Server on Google Compute Engine, and built a Qwiklab that will walk you through the basic setup. Please make sure you have read and completed this solution before you continue, as this post will expand upon it further.

If you want to level-up your Minecraft server to be kid-controllable, there are three additional requirements that your server needs to meet:

It should be easy for kids to turn the entire server on and off.
It should be easy for kids to invite their friends to play.
It should automatically back up game files to prevent disaster.

Let’s look at these one by one.

Requirement #1: Easy on and off

As a parent, you have enough distractions. If your kids must find you to turn on the server, that’s a problem. They don’t have to do that for smartphone apps, and they don’t have to do that for console games. You want them to be able to simply push the power button. You also don’t want to give them access to the Google Cloud Console, as getting them to understand IAM roles or on-demand billing would be a lot of work. Ideally, you want an event-driven action that executes code in a secure way. This sounds like a job for Google Cloud Functions!

With Cloud Functions you can create two serverless functions: start-minecraft-server and stop-minecraft-server. Both of these functions can use HTTP triggers, so you can run them simply by opening a URL! Just bookmark the URLs on your kids’ browser, and they can run the function instantly—without being able to change the code. For example, the following node.js code, run via an HTTP trigger in Cloud Functions, will start a server named “my-minecraft-server” in the us-west2-a zone. Under the hood, these functions have code blocks written in Node.js, although you could also rewrite them to use Python or Go.

NOTE: To build the stop function, simply swap the startInstance() function with the stopInstance() function, and change the status.send response text. This code is intentionally very basic and designed to keep this example simple. Feel free to experiment and add features; that’s the entire point of this series!

To break down the functionality:

start-minecraft-server begins by starting the Minecraft server’s VM. Next, it records the requestor’s IPv4 address, and automatically creates a VPC firewall rule to allow external access to the Minecraft server from there. This means that the person who starts the server automatically has access to connect to it. Then, it displays a few messages back to the browser window. Specifically, it gives a message that the server started successfully and that you’re spending real money to run it. It also returns the exact IP address and port of the Minecraft server. This lets your kids know what to type into their Minecraft client to join and play on the server.

stop-minecraft-server is more straightforward. It simply tells the virtual machine to stop. Since the VM’s shutdown-script logic backs up the game files on shutdown, this is all you need to cleanly stop the server. You can also have it send a message back to the browser, letting the kids know that the server is now shutting down.

Requirement #2: Easily invite new friends

Playing Minecraft is just more fun with friends. Ideally, it should be easy to let other players join the game, without granting access to the public. Whether it’s hackers, griefers, denial of service (DoS) attacks, or malicious code in general, there’s just too much risk involved in running a publicly accessible server. Firewalls exist for a reason, and we want to take advantage of them on GCP. You also need a way to automatically remove access permissions after a certain amount of time. If a friendship ends or a kid gets grounded, you don’t want to be in the business of regularly pruning firewall rules.

The basic “add a friend” functionality is easy to build and use. First, you need to build a cloud function called add-a-friend, which is triggered by clicking on a URL. When this happens, it captures the user’s IPv4 address and creates a firewall rule in the VPC to allow access to the Minecraft server from that user’s IP. It then displays the IP address and port of the server back to the browser that friends can use to connect. Now, when your kids want to play with friends, they can simply start the server, share the add-a-friend URL with their friends, and start playing! The following gcloud commands will create the cloud function to add friends to the firewall.

Requirement #3: Regular backups

Following the above tutorial not only gets the server up and running, but also sets up regular backups of the game-world files so you can recover from a crashed server. This works by configuring the server’s VM permissions to allow it to write to Cloud Storage, writing a simple bash script that executes the backup, and setting up crontab to run it regularly. As the parent, though, you are the CTO and CFO of your household, so you’ll want to lower costs and improve this backup solution with a few enhancements.

To start, know that these backups are relatively small—just a few dozen megabytes for a medium-sized world—so it won’t be expensive to store them on Cloud Storage. However, you still want to be smart with your spending. Since you’ll only need these files in the event of a crash or emergency, they require very infrequent access. This is a perfect condition for two Cloud Storage features: Coldline storage and object lifecycle management. With Coldline storage, you pay less to store data but more to retrieve it, making it a perfect fit for our use case, disaster recovery. When setting up your Minecraft server, make the default storage class on your bucket “coldline” to lower your cost-per-GB.

Cloud Storage lifecycle rules also allow you to set a limit on how long to keep data in a storage bucket. Since you’ll perform regular backups, and older backups have limited use, you don’t need a long retention period. In Cloud Storage, build a lifecycle rule to delete any files older than 90 days. 90 days adds another safety net: in the event you have to have a long-term “product outage” (i.e., your kid gets grounded or goes away to summer camp), you can still restore from a disaster. The following gcloud commands will create a new Minecraft storage bucket named “my-project-minecraft-backup” using Coldline storage and establish a lifecycle policy to delete any files older than 90 days.

What’s all this going to cost?

GCP offers a wonderful suite of Always-Free products, and since you are the CTO and CFO of your household, you’ve taken advantage of many Always-Free products already, including GCS, Cloud Functions, and Pub/Sub to control your spending. At the scale you’ve set up with this guide, your costs should end up like the following:

Compute Engine: The n1-standard-1 costs just under $0.05/hour to run. Having a static IP address costs just over $7/month.
Cloud Storage: Your Google Cloud Storage is covered by the GCP Free Tier.
Cloud Functions: Your Google Cloud Functions are covered by the GCP Free Tier.

Thus, if your kids play Minecraft for an average of two hours per day, hosting your own Minecraft server will cost about $10/month. Whether you pay or they do depends on how generous you are feeling.

What to build next

At this point you’ve got all of the requirements met—awesome work! The server runs and automatically backs up the game data, can be turned on and off by a URL, and makes it easy to add friends to the game. But this barely scratches the surface of what you can do with GCP! Here is a not-so-short list of things you could do to increase the capability and lower the cost of your Minecraft server.

Make it easier to connect

Register a domain with Google Cloud DNS and convert all IP connection information to DNS. Have the server register itself with the CNAME record as part of the startup script so you have a consistent URL for connecting to the game. See if you can expand this idea to the URLs for controlling the server and adding friends.

Get smarter with your spending

Switch your server to a Preemptible VM, create a custom machine image, and expand the startup script to grab the latest backup when the server turns on. Now you’ve cut your hourly server costs by about 80%. Change the startup scripts to use an ephemeral IP address on the server, thus eliminating any cost for using a static IP address.

Automatically clean up friends’ firewall entries

Use Google Cloud Pub/Sub and modify your serverless function to put all add-a-friend firewall entries into a Pub/Sub topic, and create another function that cleans them up every night.

Make sure your kids don’t stay up playing!

Set up a “curfew” script that automatically shuts off the server at a certain time, and prevents it from being started during those “you should be asleep” hours.

Learn about monitoring, alerting, and logging upgrades

Use Stackdriver logging to export the Minecraft server logs so you can troubleshoot any in-game problems in real time. Use Stackdriver monitoring and alerting to send a parent a text message when your kids turn the server on or off, and to monitor system CPU or server connections to tell when the server is idle and automatically power it down. Your kids WILL forget to shut this server off. Bonus: have the server text your kids first, and only involve you after a certain amount of time.

Explore some data science upgrades

Analyze the server logs to identify how often each of your kids or their friends play, and develop a chargeback report mapped to household chores! Export your logging data to BigQuery and generate reports on how much time the server runs, how many users are online, and other basic metrics. Want more data? Install a server mod that exports detailed game data to a local log file, then export that to BigQuery and see if you can query how many blocks have been mined in the server by day. Go even farther and create a dashboard with Google Cloud Datalab that takes that information in real time and creates intelligence around the players.

Play with containers

Move the Minecraft server to a Docker container running on Google Kubernetes Engine (GKE). Use persistent storage, or autoloading scripts to manage and launch the game. Discover what changes are needed to make all of the previous functionality work in the same way when using containers.

Wrapping up

You are now on your way to becoming the coolest parent ever—not to mention a GCP rockstar! Have fun with this project and see how many other tools and products you can link to your architecture to make your users, er, kids, happy. Plus, gain insight into your data, and maximize uptime while lowering costs. Now it’s time to go build!
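Requirements #2 and #3 above, plus the nightly firewall clean-up suggested under “What to build next”, expressed as one gcloud/gsutil script. This is an added example and not the post’s own Cloud Functions code: the network tag (minecraft-server), the VPC network (default), the bucket region (us-west2), and the world directory path are assumptions, and setting GCLOUD=echo or GSUTIL=echo prints the calls instead of running them. The part to notice is is_ipv4: the address that becomes a /32 firewall rule arrives from a request header in the add-a-friend function, so it is validated as a strict dotted quad before it is placed into any command, and each rule is named after the address so the prune step can find and delete it later.

```shell
#!/bin/sh
# Added example (not from the original post): add-a-friend firewall rule with
# input validation, nightly clean-up, and the Coldline backup bucket.
set -eu

GCLOUD=${GCLOUD:-gcloud}                      # set to "echo" to dry-run
GSUTIL=${GSUTIL:-gsutil}
NETWORK=${NETWORK:-default}                   # VPC network of the server (assumed)
TARGET_TAG=${TARGET_TAG:-minecraft-server}    # network tag on the server VM (assumed)
BUCKET=${BUCKET:-gs://my-project-minecraft-backup}
RETENTION_DAYS=${RETENTION_DAYS:-90}
WORLD_DIR=${WORLD_DIR:-/home/minecraft/world} # path of the world save (assumed)

# --- Requirement #2: open the Minecraft port to exactly one address ---------

# Accept only four dot-separated decimal octets in 0-255. The address the
# function receives comes from a request header, so it is untrusted input
# until it passes this check.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# One rule per friend, named after the address so it can be found and pruned.
rule_name_for_ip() {
  printf 'minecraft-friend-%s\n' "$(printf '%s' "$1" | tr . -)"
}

add_friend_rule() {
  ip=$1
  if ! is_ipv4 "$ip"; then
    echo "refusing to create a rule for invalid address: $ip" >&2
    return 1
  fi
  "$GCLOUD" compute firewall-rules create "$(rule_name_for_ip "$ip")" \
    --network="$NETWORK" --direction=INGRESS \
    --allow=tcp:25565 --source-ranges="$ip/32" \
    --target-tags="$TARGET_TAG"
}

# Nightly clean-up: delete friend rules created more than one day ago.
prune_friend_rules() {
  "$GCLOUD" compute firewall-rules list \
    --filter="name~^minecraft-friend- AND creationTimestamp<-P1D" \
    --format='value(name)' |
  while read -r name; do
    "$GCLOUD" compute firewall-rules delete "$name" --quiet
  done
}

# --- Requirement #3: Coldline bucket with a retention rule -------------------

# Cloud Storage lifecycle policy: delete objects older than $1 days.
lifecycle_policy() {
  printf '{"lifecycle":{"rule":[{"action":{"type":"Delete"},"condition":{"age":%d}}]}}\n' "$1"
}

create_backup_bucket() {
  "$GSUTIL" mb -c coldline -l us-west2 "$BUCKET"
  policy=$(mktemp)
  lifecycle_policy "$RETENTION_DAYS" > "$policy"
  "$GSUTIL" lifecycle set "$policy" "$BUCKET"
  rm -f "$policy"
}

# Timestamped object name so the newest backup sorts last in a listing.
backup_object_name() {
  printf 'world-%s.tar.gz\n' "$1"
}

# Cron job body: archive the world directory and upload a single object.
backup_world() {
  stamp=$(date -u +%Y%m%d-%H%M%S)
  workdir=$(mktemp -d)
  archive=$workdir/$(backup_object_name "$stamp")
  tar -czf "$archive" -C "$(dirname "$WORLD_DIR")" "$(basename "$WORLD_DIR")"
  "$GSUTIL" cp "$archive" "$BUCKET/$(backup_object_name "$stamp")"
  rm -rf "$workdir"
}

case "${1:-}" in
  add-friend) add_friend_rule "$2" ;;
  prune)      prune_friend_rules ;;
  init)       create_backup_bucket ;;
  backup)     backup_world ;;
  *)          echo "usage: $0 add-friend <ipv4> | prune | init | backup" >&2 ;;
esac
```

Typical use is `./minecraft-admin.sh init` once, `backup` from crontab on the server VM, `add-friend <address>` when a friend wants in, and `prune` from a nightly scheduled job; the gcloud filter on creationTimestamp does the age comparison server-side, so the clean-up needs no local bookkeeping of which rules were created when.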
Source: Google Cloud Platform