With the release of Microsoft Private Access earlier this month, I wanted to test it a bit further to verify what kind of performance/bandwidth it can handle. Therefore I decided to set up a test environment in Microsoft Azure consisting of multiple virtual networks within the same region, close to the PoP (Point of Presence) in Sweden Central.
Global Secure Access points of presence and IP addresses – Global Secure Access | Microsoft Learn
Then I set up the following environment to verify performance in the following scenarios:
- VNET peering between VNET1, where the Windows client resides, and VNET2, where the Windows Server with the Private Access Connector and file share resides.
- P2S VPN from the Windows client to VNET2, where the server resides.
- Entra ID Private Access from the Windows Client to the Private Access Connector.
A simple overview of what I set up would look like this.
What I wanted to simulate was a simple file transfer using the SMB client, copying a VHD file from one server to another. The first test involved Private Access; note the egress IP that is used in the Wireshark dump. Note that the screenshots below are each one screenshot from one of the tests; however, I ran each test 10 times to ensure that the performance numbers were good indications of the traffic.
After running this 10 times, this was the average bandwidth I got (between 4 – 8 MB/s) using Private Access.
Repeating the same with VNET peering, it often spiked to over 300 MB/s before QoS kicked in, but averaged 70 – 90 MB/s. Since this is within the same region, this is the expected bandwidth.
Repeating it with point-to-site VPN, I got an average between 55 – 80 MB/s. This VPN Gateway was placed in the same region as the virtual machines and connected to the VNET where the Windows Server was placed.
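The repeated-copy measurement described above (copy a VHD-sized file, time it, repeat 10 times, report the range and average in MB/s) as an added harness; this is example code written for this article, not something from the original post. It assumes the destination path is one you choose, e.g. a UNC share such as \\SERVER\share reached over Private Access, P2S VPN or VNET peering; the local self-test only exercises the logic against a temporary directory.

```python
import os
import shutil
import statistics
import tempfile
import time
from dataclasses import dataclass


@dataclass
class CopyStats:
    runs: int
    min_mbps: float      # slowest run, MB/s (10^6 bytes per second)
    max_mbps: float      # fastest run
    mean_mbps: float
    median_mbps: float


def summarize(rates: list[float]) -> CopyStats:
    """Collapse per-run throughput figures into the range/average form used in the post."""
    return CopyStats(len(rates), min(rates), max(rates),
                     statistics.mean(rates), statistics.median(rates))


def copy_throughput_mbps(src: str, dst: str) -> float:
    """Copy src to dst once (the same operation the SMB client performs when dst is a
    UNC path) and return the throughput of that single run in MB/s."""
    size = os.path.getsize(src)
    start = time.perf_counter()
    shutil.copyfile(src, dst)
    elapsed = max(time.perf_counter() - start, 1e-9)   # guard against a zero interval
    os.remove(dst)                   # next run writes fresh data instead of overwriting
    return size / elapsed / 1_000_000


def benchmark(src: str, dst: str, runs: int = 10) -> CopyStats:
    """Repeat the copy `runs` times (the post used 10) and summarise the results."""
    return summarize([copy_throughput_mbps(src, dst) for _ in range(runs)])


def local_selftest(size_mb: int = 8, runs: int = 3) -> CopyStats:
    """Run the harness in a temp directory with a random-filled file (hypothetical
    stand-in for the VHD) so the logic can be checked without any share."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "test.vhd")
        with open(src, "wb") as f:
            f.write(os.urandom(size_mb * 1_000_000))   # random bytes defeat compression/dedup
        return benchmark(src, os.path.join(tmp, "copy.vhd"), runs)


if __name__ == "__main__":
    s = local_selftest()
    print(f"{s.runs} runs: {s.min_mbps:.1f} - {s.max_mbps:.1f} MB/s, mean {s.mean_mbps:.1f} MB/s")
```

For a real comparison, call `benchmark(local_vhd_path, r"\\SERVER\share\copy.vhd")` once per connectivity scenario from the same client and compare the returned `CopyStats`.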
When we look at the raw numbers, Private Access has between 5 – 8 MB/s and point-to-site is 55 – 80 MB/s, meaning that P2S VPN is close to 10x faster. However, it should be noted that with Private Access the traffic is going through an R-TCP tunnel that uses RPC underneath to tunnel the traffic. Secondly, the service is not directly exposed to the Internet and provides MFA across the traffic.
However, you should take performance into consideration when designing services to use this service.
I also hope that in the future Microsoft starts to look at other protocols like MASQUE to try to optimize the traffic. I would never expect the service to reach the same level of performance as a VPN, where the client has a direct connection to the virtual network, but some improvements would be great.
Very interested in knowing where your Entra tenant is located and which region the Azure subscription is in.
Entra Private Access uses the closest PoP. The services (infrastructure) were set up in Sweden Central.