On-Premise Network Connection
🚧 This capability reference page is a draft.
A common approach to address on-prem connectivity is applying the Hub & Spoke design. You define a central hub in your cloud platform that actually connects to the On-Premise network. All managed tenants then connect via a Spoke network to this Hub to get access to On-Prem. Setting up the spoke must be done in a scalable way, as the number of spokes grows with the number of tenants who need this access. This can be achieved by, for example, integrating the On-Prem connectivity via a Virtual Network Service.
TODO: describe IPAM integration
A key challenge with On-Premise network connections is to make them scale. Draft notes on possible approaches:
- Shared VM and VM-based NAT system; load balancer inside VPC
  - cloud foundation maintains NAT
- Multiple shared VPCs with VPC peering
  - cloud foundation maintains subnets and VPC for customer projects
- Completely isolated VPCs and projects
  - private service connect/virtual private connect; consume them even if you do not
- Don't do on-prem; use internet with API gateway
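The scaling and IPAM points above come down to one routine task: every new tenant spoke needs a prefix that overlaps neither the hub nor any on-prem range, plus a route set that reaches on-prem through the hub only. The following is an added example (not code from this page or from any cloud vendor or landing zone project) that shows that allocation with Python's standard `ipaddress` module; the supernet, hub range, on-prem prefixes, tenant names and the hub gateway address are all constructed for the example.

```python
"""Spoke address allocation for a hub-and-spoke on-prem design (constructed example)."""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


class SpokeIpam:
    """Hands out non-overlapping spoke prefixes from one cloud supernet.

    A spoke that overlaps an on-prem prefix or the hub would black-hole
    traffic once routes propagate, so overlaps are refused up front.
    """

    def __init__(self, supernet: str, hub: str, onprem: List[str],
                 spoke_prefix: int = 24) -> None:
        self.supernet, self.hub = Net(supernet), Net(hub)
        self.onprem = [Net(p) for p in onprem]
        self.spoke_prefix = spoke_prefix
        self.spokes: Dict[str, Net] = {}  # tenant -> spoke CIDR
        if not self.hub.subnet_of(self.supernet):
            raise ValueError("hub must be carved out of the supernet")
        for p in self.onprem:
            if p.overlaps(self.supernet):
                raise ValueError(f"on-prem {p} overlaps supernet {self.supernet}")

    def allocate(self, tenant: str) -> Net:
        """Return the tenant's spoke, allocating the first free prefix if new."""
        if tenant in self.spokes:
            return self.spokes[tenant]
        taken = [self.hub, *self.spokes.values()]
        for cand in self.supernet.subnets(new_prefix=self.spoke_prefix):
            if not any(cand.overlaps(t) for t in taken):
                self.spokes[tenant] = cand
                return cand
        raise RuntimeError("supernet exhausted: grow it before onboarding more tenants")

    def spoke_routes(self, tenant: str) -> List[dict]:
        """Routes a spoke needs: on-prem prefixes via the hub and nothing else,
        so tenants reach on-prem but not each other's spokes."""
        spoke = self.allocate(tenant)
        hub_gw = str(next(self.hub.hosts()))  # assumption: hub gateway is first host
        return [{"spoke": str(spoke), "destination": str(p), "next_hop": hub_gw}
                for p in self.onprem]

    def hub_return_routes(self) -> List[dict]:
        """Per-spoke prefixes the hub must announce towards on-prem."""
        return [{"destination": str(n), "tenant": t} for t, n in self.spokes.items()]


if __name__ == "__main__":
    ipam = SpokeIpam("10.100.0.0/16", "10.100.0.0/22",
                     onprem=["10.0.0.0/13", "192.168.0.0/16"])
    for t in ("tenant-a", "tenant-b"):
        print(t, ipam.allocate(t), ipam.spoke_routes(t))
```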
How to Implement an on-Premise Network Connection
Azure
There are 3 options for connecting an on-premise network to an Azure Virtual Network:
A VPN Gateway sends encrypted traffic in a Hybrid network over the public internet. This option adds some latency and is best suited for applications with minimal traffic between the Azure Virtual Network and the on-premise servers. You can find more information on how to establish a VPN Gateway here, and here is a guide on how to implement a secure Hybrid network.
An Azure ExpressRoute sends traffic between on-premise and cloud resources using a dedicated, private connection. This option is suitable for large-scale, mission-critical workloads that require scalability. This option can be more complex to set up and requires working with a third party to establish the connection between the on-premise and Azure resources but is faster than a VPN Gateway connection and supports dynamic scaling of bandwidth. You can find an example of a Hybrid network utilising an ExpressRoute connection here.
ExpressRoute with VPN Failover combines the previous two options. Using this design, you get the high bandwidth and availability of an ExpressRoute connection with a backup VPN Gateway connection if there are any issues with the ExpressRoute connection. This option is the most complex and requires a VPN Gateway and ExpressRoute connection but is the most reliable and ensures the most availability. You can find more information about how to design and connect ExpressRoute with VPN Failover here.
AWS
There are 2 options for connecting your on-premise resources to your resources in the AWS cloud: AWS Site-to-Site VPN or AWS Direct Connect.
AWS Site-to-Site VPN is a fully managed service that creates a secure connection between your data centre or branch office and your AWS resources using IP Security (IPsec) tunnels. Site-to-Site VPN is a private, secure, and highly available connection between your resources and allows for increased performance and monitoring of your applications. This connection is very useful for migrating your service to AWS and creating secure connections between remote locations. A Site-to-Site VPN can be created using the AWS Management Console, AWS Command Line Interface, AWS SDKs, or the Query API. You can find more detailed information about AWS Site-to-Site VPN and how to create a connection here.
AWS Direct Connect allows you to securely connect your on-premise data centre to your AWS VPC via an AWS Direct Connect Router. To set up this connection you have to take the following steps:
- Request an AWS Direct Connect dedicated connection
- Create a Virtual Interface
- Download the router configuration
- Verify the Virtual Interface
- Configure redundant connections (optional)
You can find more detailed information about creating different types of Direct Connect connections here.
GCP
GCP utilises Cloud VPN to create secure connections between your on-premise network and your GCP-hosted resources through an IPsec VPN connection. GCP provides 2 options for connecting your resources: High-Availability (HA) VPN or Classic VPN.
HA VPN is the preferred connection type for connecting your on-premise and VPC networks. It supports site-to-site connections and utilizes an IPsec VPN connection in a single region with an SLA of 99.99% service availability.
One option for using HA VPN is to deploy HA VPN over Cloud Interconnect. Cloud Interconnect connects your on-premise data centre to your Google Cloud resources with low latency and high availability. Dedicated Interconnect creates a physical direct connection between your on-premise network and Google's network, while Partner Interconnect provides connectivity through a supported service provider. You can find more information about HA VPN here.
Classic VPN allows your on-premise hosts to communicate through one or more IPsec VPN tunnels to Compute Engine virtual machines (VMs). Classic VPN supports both policy-based and route-based VPN configurations, providing flexibility in designing the network topology. While Classic VPN offers secure connectivity, it does not provide the same level of high availability and automatic failover capabilities as HA VPN. Therefore, it is recommended to consider HA VPN for scenarios that require continuous and resilient connectivity. You can find more information about Classic VPN here.
Related Tools
- GCP CFT - Example Foundation
On-Prem connectivity is provided in 3 different ways for all network setups mentioned above.
Learn More - Azure LZ accelerator - ES
You can choose to deploy the on-premises connectivity using the Virtual WAN or Azure Hub and Spoke. Here we can define a subscription specific to this connectivity appliance.
Learn More - Azure LZ Terraform module - ES
You can connect to your on-premise networks by choosing the matching option and configuration. You have the option of using Virtual WAN, and then you are able to make the connection to your on-premises network via VPN or ExpressRoute. If you deploy the Terraform module using Collie's KitBundle functionality, on-premise network functionality will not be deployed automatically.
Learn More - Azure CAF Terraform Modules
You can connect to your on-premise networks by choosing the matching option and configuration. You have the option of using Virtual WAN, and then you are able to make the connection to your on-premises network via VPN or ExpressRoute.
Learn More - AWS Landing Zone Accelerator
It provides a TransitGateway in the network config to connect easily to a hub that provides the on-prem connection. Since directConnectGateways can also be defined in the network config, everything needed to establish an on-prem connection is available.
Learn More