A decision to make when building a hybrid cloud, or just providing access to Azure (it might as well be AWS or GCP), is whether a VPN connection will suffice or whether you need a dedicated circuit such as ExpressRoute (AWS: Direct Connect, GCP: Dedicated Interconnect).
According to the Microsoft documentation on ExpressRoute, they promise a 99.9 % uptime SLA on the connection. There is no SLA on a VPN connection. This is because Microsoft provisions redundant circuits to the provider edge in the ExpressRoute scenario and can therefore give an SLA.
Make sure the provider matches that SLA all the way to your customer edge. This may differ.
There is a lot to be said about what you can and cannot achieve with ExpressRoute or VPN (or a combination of the two). To start somewhere, a simple test was conducted. Two similar Azure environments were set up, one with ExpressRoute and one with VPN, both connected to the same on-premises datacentre.
The test is one ping message sent every 5 seconds to each Azure environment over 24 hours. The tests were run at the same time. We want two things out of the tests: what is the delay, and do we have any packet drops?
These were the results:
ExpressRoute
- 17280 of 17280 requests succeeded (100 %)
- 22.2 ms average response time
- 21 ms minimum response time
- 187 ms maximum response time
VPN
- 17271 of 17280 requests succeeded (99.9479 %)
- 27.7 ms average response time
- 25 ms minimum response time
- 404 ms maximum response time
So what are the differences?
- 0.0521 % packet loss on VPN vs. 0 % on ExpressRoute
- Average response time is 19.8 % faster on ExpressRoute than on VPN
- Minimum response time is 16 % faster on ExpressRoute than on VPN
- Maximum response time is 53.7 % faster on ExpressRoute
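The figures above can be derived from raw ping logs. The following is an added example, not the script used for the test: it assumes Linux iputils `ping` reply lines, uses constructed sample data, and also reports which sequence numbers were lost so you can see whether drops were isolated or clustered.

```python
import re
from statistics import mean

# Matches a reply line from Linux iputils ping (assumed log format), e.g.
# "64 bytes from 10.0.0.4: icmp_seq=3 ttl=64 time=21.4 ms"
REPLY = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")

def summarize(log_text, sent):
    """Summarize one link's probe log; `sent` is the number of probes issued."""
    rtts = {}
    for line in log_text.splitlines():
        m = REPLY.search(line)
        if m:
            # Keep the first reply per sequence number, ignore duplicates.
            rtts.setdefault(int(m.group(1)), float(m.group(2)))
    if not rtts:
        raise ValueError("no replies in log")
    lost = [seq for seq in range(1, sent + 1) if seq not in rtts]
    values = list(rtts.values())
    return {
        "sent": sent,
        "received": len(values),
        "loss_pct": round(100 * len(lost) / sent, 4),
        "avg_ms": round(mean(values), 1),
        "min_ms": min(values),
        "max_ms": max(values),
        "lost_seqs": lost,  # consecutive numbers here indicate an outage, not random loss
    }

def percent_lower(a, b):
    """How much lower (in %) each latency figure of link a is compared with link b."""
    keys = ("avg_ms", "min_ms", "max_ms")
    return {k: round(100 * (b[k] - a[k]) / b[k], 1) for k in keys}

def _log(samples):
    # Builds constructed sample log lines; these are not measurements from the article.
    line = "64 bytes from 10.0.0.4: icmp_seq={} ttl=64 time={} ms"
    return "\n".join(line.format(seq, rtt) for seq, rtt in samples)

ER_LOG = _log([(1, 21.0), (2, 22.0), (3, 21.5), (4, 23.0), (5, 22.5), (6, 22.0)])
VPN_LOG = _log([(1, 25.0), (2, 27.0), (3, 26.0), (5, 40.0), (6, 27.0)])  # seq 4 lost

if __name__ == "__main__":
    er, vpn = summarize(ER_LOG, sent=6), summarize(VPN_LOG, sent=6)
    print(er, vpn, percent_lower(er, vpn), sep="\n")
```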
Summary
The biggest advantage of ExpressRoute seems to be that it mitigates the worst-case scenarios and gives a more predictable response time, as advertised by Microsoft. In terms of average latency ExpressRoute also has an advantage; measured in pure milliseconds, however, the difference is not that large, depending on your application's needs.