With the growth of popular public cloud options like Microsoft Azure and the off-site movement of services that are typically hosted on premises, like Active Directory, establishing a reliable, secure connection to off-premises services has become increasingly important.
There are three primary ways to establish secure connections to Azure. Below, I’ll outline the differences, strengths and weaknesses of each.
Point-to-Site is the simplest option for connecting to Azure, and it typically is used to connect a single client to your Azure Virtual Network.
Creating a Point-to-Site VPN is pretty easy; you just need to create a virtual network and pick a name and address space. Each virtual network allows you to customize the connection types and integrations. From there, you will need to add a gateway to your virtual network in order to terminate your VPN sessions and generate a self-signed certificate to secure your traffic.
The biggest strength of Point-to-Site VPN is that it is very quick and easy to set up, giving remote and on-the-go employees like sales reps the flexibility to connect to your Azure Web Apps or infrastructure from anywhere.
The drawback, however, is that there is no permanent connection and no two-way communication.
The Site-to-Site VPN allows you to connect entire networks to each other. For example, you could use it to connect your on-premises network to your Azure Virtual Networks. With a Site-to-Site VPN, you do not need VPN client software on local desktops or servers. Rather, the connections are made at the gateway, usually by way of a router.
The process for creating the Site-to-Site VPN on Azure is very similar to the Point-to-Site: you will need to create a virtual network and address space and assign a gateway. The difference comes in configuring the local end of the connection. Site-to-Site VPN uses the standard IPsec protocol, but each gateway/router manufacturer will have its own configuration process.
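The two procedures above (Point-to-Site on the virtual network, then Site-to-Site on the same gateway) as one worked Azure PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes the Az PowerShell module is installed and you are already signed in, and every name, address range and the on-premises public IP below is a constructed placeholder to replace with your own. The IPsec policy parameters are a hardening choice of this example, not a requirement of the procedure described above.

```powershell
# ---- Assumed / constructed values (replace with your own) ----
$rg       = "rg-hybrid-demo"
$location = "eastus"
$vnetName = "vnet-hub"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. Virtual network with an address space. Azure requires a subnet literally named
#    "GatewaySubnet" for the VPN gateway; /27 leaves room for larger gateway SKUs.
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-app"      -AddressPrefix "10.10.1.0/24"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet, $appSubnet

# 2. Public IP and IP configuration for the gateway.
$gwPip = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIpConfig  = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id

# 3. Point-to-Site: a self-signed root certificate generated on the admin workstation.
#    Only its public data is uploaded to Azure; the private key never leaves the workstation.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
$rootCertB64 = [Convert]::ToBase64String($rootCert.RawData)
$azRootCert  = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootCertB64

#    One client certificate per device, signed by the root (EKU = client authentication).
#    Revoking a single device later means revoking this certificate, not the root.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName "P2SClient" -KeySpec Signature `
    -Subject "CN=P2SClient" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $rootCert `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 4. Route-based VPN gateway. The P2S address pool must not overlap the VNet or on-premises ranges.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientRootCertificates $azRootCert `
    -VpnClientProtocol IkeV2, OpenVPN

# 5. Site-to-Site: describe the on-premises side (router public IP and the networks behind it).
$lng = New-AzLocalNetworkGateway -Name "lng-hq" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.0.0/16"

#    Pre-shared key from a cryptographic RNG; the same value is configured on the local router.
$pskBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = [Convert]::ToBase64String($pskBytes)

#    Explicit IKE/IPsec policy so both ends negotiate strong, known cipher suites
#    instead of whatever the vendor default happens to be.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name "cxn-hq" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsecPolicy

# 6. Verify: status should move from "Connecting" to "Connected" once the local router is configured.
(Get-AzVirtualNetworkGatewayConnection -Name "cxn-hq" -ResourceGroupName $rg).ConnectionStatus
```

Gateway creation can take tens of minutes, so run step 4 interactively rather than in a timed pipeline. Treat `$psk` like any other secret: store it in a vault, do not echo it to a log, and rotate it if the router configuration is ever shared.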
The strength of this configuration is the persistent back-end connection with no need to configure the individual hosts to connect to the VPN.
The only real drawback here is that there can be some degree of latency due to the overhead of encrypting all traffic across the tunnel. Site-to-Site does, of course, travel over the same public Internet connection your company most likely uses for everything else, and is therefore exposed to a slight security risk despite its encryption. But this risk isn’t applicable to our final option.
ExpressRoute from Microsoft Azure lets you create private connections between the Microsoft Azure data center and your on-premises infrastructure; these connections do not traverse the public Internet. This setup naturally provides the highest-possible degree of security, as well as lower and more consistent latency than you will experience on a Site-to-Site VPN.
Configuring ExpressRoute requires you to work with a Microsoft partner (such as Level 3) for the private connection to the data center and a vendor to provide the “last mile” of the connection.
Cost is potentially the only real drawback to ExpressRoute. Depending on your needs and budget, you may prefer to use ExpressRoute’s premium tier. This is especially useful if you have services in multiple regions, but due to the expense, it is a route you would only take when a Site-to-Site VPN just won’t do for your organization.
As you can see, there are a variety of options for connecting your on-premises infrastructure to Microsoft Azure. In many scenarios, a mixture of the above configurations is likely best. For example, you could use a Site-to-Site VPN for the office, but also provide Point-to-Site VPNs for your remote and on-the-go sales staff.