I'm looking for suggestions on doing multi-site networking and Internet connections.

We have 5 locations and are looking to add more locations soon. Sites are a mix of intra- and extra-state, and can be 1000 miles apart.
We have a mix of resources: on-premise servers at the HQ site and some Azure services (Office 365, SharePoint, intranet web).

We currently have a mix of point-to-point Ethernet to HQ and, for the smaller offices, site-to-site VPN.
The point-to-point Ethernet remote sites connect to the HQ site to get to the Internet and also to the Azure services.

Having the larger locations all go through HQ for Internet is nice, as it is one firewall to manage. Though if HQ Internet goes down, all of the larger remote sites can't get to the Azure services. We could do redundant Internet connections to HQ, but if the fiber to the building has issues, all of it goes down.

We thought about having each site have its own Internet connection and a site-to-site VPN into HQ, so they only need HQ for local HQ resources. Though that seems like a lot of firewalls and attack surface?

How do other people connect up multiple sites?
Scott Townsend, IT Director, asked:


If reaching Azure resources directly from all locations is your intention, you need a firewall/VPN device which supports a dynamic routing gateway.
Else you can have a Microsoft RRAS server, one at every location, and it can directly connect to Azure resources (normally IT security teams are against using Windows Server as a VPN device).
Currently, connectivity to Azure via a single location could be a single point of failure.
Scott Townsend, IT Director (author), commented:
We have Office 365, SharePoint and web that are all currently publicly facing and can be accessed with a regular Internet connection.
At some point we will have servers in a private Azure network, though those would only be accessible from HQ, and I have an Azure site-to-site VPN connection to my HQ ASA.

If remote sites needed access to those resources and they had their own Internet connections/firewalls, I could do the same thing and create an Azure site-to-site VPN connection to the site's firewall.

Managing the attack footprint on the one ASA we have now and the few remote ASA 5506 units is a bugger already. Seems like adding more would make for a larger attack footprint or more to manage? Or am I being too paranoid?
It's more to manage rather than more to attack.
There is nothing to get paranoid about; it depends on company security policy. If company policy states that all traffic to Azure should pass through a single opening, then you would not be able to create multiple tunnels.
However, as the Azure server load increases, all other networks need to land at the central place first and then go to Azure, which can be a point of issue in the future.
atlas_shuddered, Sr. Network Engineer, commented:
Scott - there are couple of things that I would suggest from the circuit side.

The first is you make mention of a concern over fiber issues into your HQ facility. Have you considered requesting diverse carriers and diverse pathing into your facility? If you divide your connections across separate footprints, it mitigates your concern of the inbound path being damaged.

Second, there are numerous ways that you can skin the remote site issue.
1. Continue as is, managing point-to-points and VPNs.
2. Move to an MPLS-type solution; this will remove the need to manage the VPNs and cull some of the cost from the point-to-points.
3. Go all Internet with VPN. Doing this should reduce total circuit cost but will increase the number of firewalls you manage, the number of VPNs managed, maintenance costs, etc.

If it were me, and being blind to all of the factors impacting the solution, I would go MPLS for the WAN, with a dual Internet connection out of the HQ facility in an active/standby (ACT/SBY) configuration (two routers, HSRP).
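As an added illustration of the active/standby HSRP pair suggested above (this is not configuration from the thread or from any participant; interface names, group number and the RFC 5737 documentation addresses are assumptions), here is the piece that is easy to forget: without an interface track, the active router keeps the virtual gateway even after its own Internet circuit drops, and LAN traffic black-holes instead of failing over to the standby router. Each router tracks its upstream WAN interface and decrements its HSRP priority below the peer's when that link goes down; preempt lets the primary take the gateway back once its circuit recovers.

```cisco
! ===== Router A (primary, ISP-A on Gi0/0, inside LAN on Gi0/1) =====
! Assumed addressing: ISP-A hands us 198.51.100.0/30, inside LAN is 192.0.2.0/24
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP-A (diverse carrier / diverse path from ISP-B)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN - HSRP group 1, virtual gateway 192.0.2.1
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 standby 1 authentication md5 key-string REPLACE_WITH_SHARED_SECRET
 ! Losing the ISP-A circuit drops priority to 90, below Router B's 100,
 ! so Router B becomes active instead of traffic dying on a router with no uplink.
 standby 1 track 10 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! ===== Router B (standby, ISP-B on Gi0/0, inside LAN on Gi0/1) =====
! Assumed addressing: ISP-B hands us 203.0.113.0/30
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP-B
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN - HSRP group 1, virtual gateway 192.0.2.1
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 standby 1 authentication md5 key-string REPLACE_WITH_SHARED_SECRET
 ! Symmetric track: if ISP-B also fails, Router B drops to 80 and
 ! Router A (if still up) wins the election again.
 standby 1 track 10 decrement 20
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two caveats a practitioner would check before trusting this design. First, `line-protocol` tracking only detects the circuit going down at the router's own interface; a failure further upstream at the carrier leaves the interface up, so a reachability track (for example an IP SLA probe to a host on the far side of the ISP, referenced by `track ... ip sla ... reachability`) is the more robust trigger. Second, HSRP authentication on the LAN stops a rogue host from injecting a higher-priority HSRP hello and hijacking the gateway, which is the attack surface this pair adds; use the MD5 form, not the cleartext `authentication text` form, and treat the key like any other shared secret. The failover also does nothing for the single-building fiber concern raised above: both uplinks must enter the facility on physically diverse paths from different carriers for the ACT/SBY pair to buy real resilience.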

atlas_shuddered, Sr. Network Engineer, commented:
Need further input from asker or request question be closed and points distributed.