Optimized connections to a cloud provider offer advantages in availability, latency and bandwidth compared to traditional connections over the Internet. To what extent security can benefit depends on the exact type of cloud connection.
Even though Azure and Office 365 are generally available from the new German Microsoft cloud regions with local data storage, special cloud connections can make sense, especially from the point of view of cloud security. But what cloud connections are there, and what do they mean for security? We provide an overview using the example of Azure Peering Service, Azure ExpressRoute and a cloud security solution.
What peering services can and cannot do
Azure Peering Service is a network service that improves customer connectivity to Microsoft cloud services such as Office 365, Dynamics 365, SaaS (Software-as-a-Service) services, Azure or Microsoft services that can be accessed over the public Internet, according to Microsoft. Microsoft has partnered with Internet Service Providers (ISPs), Internet Exchange Partners (IXPs) and Software Defined Cloud Interconnect (SDCI) providers worldwide to provide public connectivity with routing from the customer to the Microsoft network. The peering service allows customers to select a partner service provider in a specific region.
- Customers can also choose peering service telemetry, such as user latency on the Microsoft network, border gateway protocol (BGP) route monitoring, and leak and hijack alerts.
- Routing is done via a preferred path, which is defined when the customer registers with the peering service.
- Microsoft emphasizes that traffic is always routed over preferred paths, even when malicious activity is detected.
This means that a peering service such as this one can also provide security functions, for example by warning of attacks on routing. But Microsoft also makes it clear that a peering service is an IP service that uses the public Internet, delivered together with partner service providers, and a value-added service that routes customers to the Microsoft Cloud via those partners over the public network.
However, a peering service is explicitly not a private connectivity product like Azure ExpressRoute or a VPN product.
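The BGP route monitoring and the leak and hijack alerts mentioned above are easiest to understand as a comparison of what is actually announced against what is expected: which AS should originate each monitored prefix, and which partner ASes are allowed on the preferred path. The following is an added, simplified illustration of that comparison; it is not Microsoft's Peering Service telemetry or any Zscaler code. All ASNs (private-use range) and prefixes (RFC 5737 documentation space) are constructed, as are the sample announcements.

```python
"""Toy BGP route-monitoring check (added example, not Microsoft's implementation).

Flags three conditions for a set of monitored prefixes:
  - origin-hijack:        the exact monitored prefix is announced by the wrong origin AS
  - more-specific-hijack: a more specific sub-prefix is announced by the wrong origin AS
  - route-leak:           an AS outside the allowed transit partners appears on the path
"""
import ipaddress
from dataclasses import dataclass

# Constructed: monitored prefixes and the AS expected to originate each of them.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/23"): 64500,
}
# Constructed: partner ASes allowed as transit on the preferred path.
ALLOWED_TRANSIT = {64501, 64502}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # nearest peer first, originating AS last


def check_announcement(ann):
    """Return the list of alert kinds raised by one announcement (empty = clean)."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    # Monitored prefixes that cover the announced prefix (same IP version only).
    covering = [p for p in EXPECTED_ORIGIN
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return []  # not a prefix we monitor
    monitored = max(covering, key=lambda p: p.prefixlen)  # longest match wins
    alerts = []
    if origin != EXPECTED_ORIGIN[monitored]:
        alerts.append("more-specific-hijack" if net != monitored else "origin-hijack")
    # Every AS between us and the origin must be an allowed transit partner.
    if any(asn not in ALLOWED_TRANSIT for asn in ann.as_path[:-1]):
        alerts.append("route-leak")
    return alerts


def monitor(announcements):
    """Map each announced prefix to its alerts, keeping only prefixes with findings."""
    findings = {}
    for ann in announcements:
        alerts = check_announcement(ann)
        if alerts:
            findings[ann.prefix] = alerts
    return findings


if __name__ == "__main__":
    # Constructed sample feed: one clean route, one hijacked sub-prefix, one leaked path.
    feed = [
        Announcement("203.0.113.0/24", (64501, 64500)),
        Announcement("203.0.113.0/25", (64501, 64507)),
        Announcement("198.51.100.0/23", (64501, 64508, 64500)),
    ]
    for prefix, alerts in monitor(feed).items():
        print(f"{prefix}: {', '.join(alerts)}")
```

A real monitoring service would feed this comparison from live BGP data (route collectors or the provider's own routers) and would also consult RPKI validation state; the point here is only that "hijack" and "leak" alerts are deterministic checks against a declared expectation, which is why registering the preferred path up front matters.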
Private Connectivity to the Cloud Service
With Azure ExpressRoute, local networks can be connected to the Microsoft cloud via a private connection provided by a connectivity provider. ExpressRoute can therefore be used to connect to Microsoft cloud services such as Microsoft Azure and Office 365. Connectivity can be provided over any IP network (IP VPN), a point-to-point Ethernet network, or a virtual connection through a connectivity provider in a co-location facility.
ExpressRoute connections are not made over the public Internet. As a result, ExpressRoute connections offer greater reliability, faster speeds, consistent latency, and higher security than typical connections over the Internet, Microsoft explains. There is also ExpressRoute Direct, which provides physical isolation for regulated industries such as banks that may require dedicated and isolated connectivity.
What cloud security providers do
Microsoft recommends direct Internet connections instead of ExpressRoute, as the security provider Zscaler explains. However, in most companies, traffic is still routed centrally through hub-and-spoke networks and ExpressRoute. Zscaler simplifies connectivity to Office 365 while securing all traffic through its cloud-first security architecture, according to Microsoft.
Zscaler Internet Access, for example, is an Internet and Web gateway delivered from the cloud. Using Zscaler Internet Access, companies can route Office 365 traffic from branch offices to Microsoft servers while securing their direct Internet connections to the branch offices. Security services such as cloud firewall/IPS (intrusion prevention service), sandboxing, URL filtering, DLP (data loss prevention), CASB (cloud access security broker), browser isolation and CSPM (cloud security posture management) can be used.
Another solution is Zscaler Private Access (ZPA) for Microsoft Azure. Zscaler’s ZPA platform runs in the Azure cloud to provide direct access to Azure applications. With Zscaler Private Access for Azure, Zscaler Enforcement Nodes (ZEN), which link a remote user and an internal application, run in the Azure cloud. This allows administrators to leverage the Azure network and its many data centers.
Users have direct cloud access without having to log on to the remote access VPN every time, access is policy-based, and the service uses dynamic, application-specific TLS (end-to-end) encryption.