ISV network connectivity pattern for data exchange over public IP address between Azure and onPrem

ISV network connectivity pattern for data exchange over public IP address between Azure and onPrem

This blog discusses  ISV connectivity patterns for a customer who wants to exchange data with an Azure SaaS provider.


Contoso Corporation (Customer)

Contoso Corporation  wants to access a SaaS application hosted on Azure from his on-premises data centres. The customer  wants to be able to securely send and receive data.


Fabrikam Technologies(SaaS Solution Provider on Azure)

The SaaS solution provider has a fixed architecture where the incoming connections can only come in via a public IP which would be shared with all their customers. This public IP belongs to the NVA hosted in it's hub subscription. The SaaS provider would in turn whitelist customers public IP address on their NVA  to allow exchange of data.  It will not accept any incoming connections via VNET peering as it wants to follow a uniform method  of connectivity for all it's customers.


Possible Solutions

Provided below are some connectivity patterns that can be used for data exchange in this scenario. 


1> Connection over Express route Private Peering

In this connectivity pattern Contoso will need to have a hub and spoke architecture with key components such Express Route Gateway, Azure Route Server and NVA deployed in the hub network. Customer will need to have a Express Route circuit provisioned.  Express route gateway will be used to send and receive traffic from on-premises over the express route circuit. Azure route server will be used to exchange traffic using  BGP between ER Gateway and NVA as NVA and ER gateway are not capable of exchanging traffic directly between themselves. A secure VPN tunnel between Fabrikam and Contoso NVAs will be used to securely exchange traffic over public IP addresses.  In order to further secure this architecture both Fabrikam and Contoso can deploy Azure DDoS per IP protection to secure public IP addresses from DDoS attacks. 






2> IP Sec overlay on MS Peering connection

Microsoft Peering is the interconnection between Microsoft’s global network (AS8075) and customer/ISP network for the purpose of exchanging internet traffic from/to Microsoft online services and Microsoft Azure Services  or connections to/from public IP address range on Azure. Carriers or Service Providers can request to connect with Microsoft at any of the available Edge locations. 


Contoso can request a Microsoft Peering circuit. The connectivity provider will then provision a MS peering connection between the providers location and Microsoft Edge routers. Both Fabrikam and Contoso will be required to announce their public IP addresses over this connection. Fabrikam and Contoso can setup a VPN tunnel over the MS Peering connection  to provide a secure encrypted channel for data exchange. Azure DDoS per IP protection to be leveraged for protecting the public IP from DDoS attacks. Contoso does not need to have a subscription on Azure for this end to end connectivity. 




Published on:

Learn more
Azure Infrastructure Blog articles
Azure Infrastructure Blog articles

Azure Infrastructure Blog articles

Share post:

Related posts

Generative AI with Azure Cosmos DB

Leverage Azure Cosmos DB for generative AI workloads for automatic scalability, low latency, and global distribution to handle massive data vo...

4 hours ago

Enhancing Document Extraction with Azure AI Document Intelligence and LangChain for RAG Workflows.

Overview. The broadening of conventional data engineering pipelines and applications to include document extraction and preprocessing for ...

5 hours ago

Azure Capacity Reservations with Automatic Consumption

Solving the ask – Automatic Capacity Reservations Historically, the setting to use a Capacity Reservations Groups must be defined while the vi...

16 hours ago

Announcing Preview of New Azure Dlsv6, Dsv6, Esv6 VMs with new CPU, Azure Boost, and NVMe Support

Co-authored by Andy Jia, Principal Product Manager, and Misha Bansal, Technical Program Manager, Azure Compute   We are thrilled to annou...

1 day ago

Comparing feature sets for AKS enabled by Azure Arc deployment options

This article shows a comparison of features available for the different deployment options under AKS enabled by Azure Arc.    ...

2 days ago

Azure Fluid Relay: Leveraging Azure Blob Storage to scale Git

Learn how to leverage Git as a storage mechanism behind the globally available Azure Fluid Relay (AFR) service. The post Azure Fluid Relay: Le...

2 days ago

Verify the integrity of Azure Confidential Ledger transactions with receipts and application claims

In today's digital landscape, the integrity and confidentiality of transactional data are paramount. Microsoft’s Azure Confidential Ledger off...

2 days ago

HTTP Trigger Azure Function Authorization Types simplified

Here' how you can quickly understand what are the different Authorization Levels to be set while working with HTTP Azure Functions.

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy