Cisco ASA to Azure VPN Risks

Clthompson03
Level 1

Hello,

I just want to say that I'm more on the Microsoft side. Working with a client, we set up a Site-to-Site VPN from Azure to their on-prem, and it's working.

The Cisco networking individual provided some concerns/risks for running production loads over the S2S VPN instead of a dedicated ExpressRoute.

I'm going to paste them below...

  • Risks of VPNs over the internet vs. dedicated ExpressRoute connection
    • S2S VPNs rely on the internet, there are no SLAs for those connections end to end – if they drop, so does your traffic (e.g. production and non-production) – whereas ExpressRoute does have SLAs for the connection (similar to an MPLS leg) – so if there is a service interruption you can hold the carrier responsible for the outage and potential service credits.
  • Risks of force tunneling Azure services to use same internet connection
    • Potential load on ASA cluster (realizing we cannot “guess” consumption, as there is nothing built yet)
    • Potential bandwidth load
    • Potential impact on existing services connecting through that ASA cluster (listed below), which we rely on both internally and with clients (potential SLA impacts)

My immediate thought is that there does not appear to be a valid concern unless there was an issue with overloading the CPU/memory utilization of the appliance? I'm not sure what the risk of a VPN tunnel really is, but I imagine lots of people are using them for production.

3 Replies

If you look hard enough you will find risks in any setup you implement.  But some solutions have less risk than others.

Depending on the ASA model and how many VPNs, and how much traffic actually passes through the ASA, CPU/memory utilization may or may not be a valid risk.

What you are using Azure for (whether it is mission critical or not) will really determine the risk of setting it up over a VPN tunnel.  A client of mine uses Azure for a lot of things over a S2S VPN, including 2-factor authentication for guest wireless and AnyConnect for external consultants. So if this tunnel drops then guests and consultants will no longer be able to access the network.  This, combined with them implementing more of what Azure has to offer, has been a deciding factor in that they will be moving to ExpressRoute / secure cloud connect (SCC).

But in the end, only you and/or your company can determine if the risk of the link going down is worth the cost of going over to Express route.

--

Please remember to select a correct answer and rate helpful posts


Hey Marius,

Thanks for the response. What's the probability of the connection going down? Also, what is usually the root cause of it going down?

We are planning to implement high-SLA production services in Azure that must communicate with on-prem APIs.

Thanks,

Chris

This can depend on a lot of factors, but mainly I would narrow it down to being link stability between you and the ISP, possible hardware failure and if you have this setup in HA, and finally misconfiguration.

In addition to this you need to also take into consideration the VPN throughput which your VPN device supports: how much traffic is passing over the VPN now and how much is expected in the near future.

Now, if you have it in your budget to go for an MPLS VPN provided by your ISP, then this is a better solution for high-SLA services as you will have better visibility into the traffic flow if you need to troubleshoot, and it is a more secure way of transporting your data (you should also encrypt over the MPLS VPN).  But that being said, the risk with both is the same; it is just that with the MPLS VPN solution you can contact your ISP to help troubleshoot the complete path to the remote site, while with a site-to-site VPN you will only have access to the local and remote site with no visibility into what is happening between the two (i.e. traffic drop).

--

Please remember to select a correct answer and rate helpful posts
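The question of how often the tunnel actually drops, and why, is best answered from your own device logs rather than guessed. The following Python script is an added example, not code from this thread or from Cisco: it pairs tunnel-down and tunnel-up events from syslog-style lines, totals downtime per recorded cause (DPD timeout, ISP link, and so on), and checks the measured availability against a target such as 99.9%. The line format, the peer address (a documentation-range IP), the event names and the reason codes are all constructed assumptions; a real ASA emits different syslog messages, so the regex must be adapted to the messages your appliance logs.

```python
"""Measure site-to-site tunnel availability from syslog-style events.

Added example with constructed data. The record format below is hypothetical
and is NOT real ASA syslog output; adapt LINE_RE to your device's messages.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample events covering one week for a single peer.
SAMPLE_EVENTS = """\
2024-03-01T00:00:00 peer=203.0.113.10 event=TUNNEL_UP
2024-03-03T14:05:00 peer=203.0.113.10 event=TUNNEL_DOWN reason=DPD_TIMEOUT
2024-03-03T14:07:30 peer=203.0.113.10 event=TUNNEL_UP
unrelated log line that the parser must ignore
2024-03-07T02:00:00 peer=203.0.113.10 event=TUNNEL_DOWN reason=ISP_LINK
2024-03-07T03:00:00 peer=203.0.113.10 event=TUNNEL_UP
"""

# Hypothetical record format: "<iso-timestamp> peer=<ip> event=<UP|DOWN> [reason=<code>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer=(?P<peer>\S+) event=(?P<event>TUNNEL_UP|TUNNEL_DOWN)"
    r"(?: reason=(?P<reason>\S+))?$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, peer, event, reason)


@dataclass
class Outage:
    peer: str
    start: datetime
    end: Optional[datetime]  # None means still down at the end of the window
    reason: str

    def seconds(self, window_end: datetime) -> float:
        """Duration of the outage, clipped to the observation window."""
        return ((self.end or window_end) - self.start).total_seconds()


def parse_events(text: str) -> List[Event]:
    """Extract tunnel state changes; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["peer"],
                       m["event"], m["reason"] or "UNKNOWN"))
    events.sort(key=lambda e: e[0])
    return events


def outages_from_events(events: List[Event], window_end: datetime) -> List[Outage]:
    """Pair each TUNNEL_DOWN with the next TUNNEL_UP for the same peer."""
    open_outage: Dict[str, Outage] = {}
    result: List[Outage] = []
    for ts, peer, event, reason in events:
        if event == "TUNNEL_DOWN" and peer not in open_outage:
            open_outage[peer] = Outage(peer, ts, None, reason)
        elif event == "TUNNEL_UP" and peer in open_outage:
            outage = open_outage.pop(peer)
            outage.end = ts
            result.append(outage)
    # A tunnel still down when the window closes counts until window_end.
    result.extend(open_outage.values())
    return result


def availability_report(text: str, window_start: datetime, window_end: datetime,
                        target: float = 0.999) -> dict:
    """Summarise flaps, downtime per cause and availability against a target."""
    outages = outages_from_events(parse_events(text), window_end)
    window_s = (window_end - window_start).total_seconds()
    downtime = sum(o.seconds(window_end) for o in outages)
    by_reason: Dict[str, float] = {}
    for o in outages:
        by_reason[o.reason] = by_reason.get(o.reason, 0.0) + o.seconds(window_end)
    availability = 1.0 - downtime / window_s
    return {
        "flaps": len(outages),
        "downtime_seconds": downtime,
        "availability": availability,
        "meets_target": availability >= target,
        "downtime_by_reason": by_reason,
    }


def sample_report() -> dict:
    """Run the report over the constructed week of sample events."""
    return availability_report(SAMPLE_EVENTS,
                               datetime(2024, 3, 1), datetime(2024, 3, 8))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

With the constructed data the week shows two flaps and 3750 seconds of downtime, about 99.38% availability, which misses a 99.9% target; the per-reason breakdown separates the short DPD timeout from the hour-long ISP link failure, which is the kind of evidence that decides between tuning the tunnel (DPD timers, HA failover) and escalating to the carrier or moving to ExpressRoute.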
