
Azure ExpressRoute Security


I often see Azure ExpressRoute assumed to provide VPN-level security. However, my understanding is that it uses MPLS and thus only provides faster routing - there is no additional security (like encryption) there - it's just like a toll lane. The fiber channels (physical network) are shared with multiple companies, and sometimes the fiber channel can also be used by the Internet. Can someone please provide some insight into how security is addressed in ExpressRoute?

Thanks!


Solution

  • As you said, Azure ExpressRoute has no encryption. If you need encryption, you could do it as you usually do, in a number of ways, referring to this:

    • Application level encryption
    • OS level encryption using technologies such as IPSec
    • Third-party appliance that performs encryption

    However, as for security, compare this with a VPN connection over the public Internet, which exposes these connections to potential security issues involved with moving data over a public network. ExpressRoute traffic is going over a fast, reliable, and private connection between Azure datacenters and infrastructure on your premises or in a colocation environment. With ExpressRoute, Azure provides you the ability to use a dedicated WAN link that you can use to connect your on-premises network to an Azure virtual network, which is more secure than directly moving data over a public network.

    Because this is a telco connection, your data doesn’t travel over the internet and therefore is not exposed to the potential risks of internet communications.

    Read the details about best practices to avoid exposure to the Internet with dedicated WAN links.