Who was the customer and why was public internet access insufficient?
The customer — an operator of an e-commerce platform for B2B customers in the construction materials and industrial components segment — operates a hybrid cloud architecture: part of the infrastructure (database servers, warehouse system, internal ERP) runs in its own colocation data center in Prague, while the application layer, CDN origin, and analytics environment are in Microsoft Azure West Europe. Both environments exchange tens of GB of data daily — warehouse stock synchronization, customer data, transaction logs, and media content for product catalogs. The existing architecture — accessing Azure via a standard B2B internet connection — worked without major issues until the platform grew to approximately 120,000 active B2B customers and the volume of transferred data exceeded 180 TB per month. At that point, three problems appeared simultaneously. Cost problem: Standard Azure egress rates for the West Europe region (outbound data from Azure to the internet) generated monthly costs in the range of €6,000–8,000 — the single largest line item on the cloud bill, with data volume growing every quarter. Performance problem: Data transfer between the Prague data center and Azure over the public internet showed noticeable degradation during afternoon hours and campaign periods (seasonal sales) — latency rose to 40–80 ms and throughput dropped below levels that caused delays in warehouse data synchronization. Platform customers saw outdated stock levels. Security problem: Transferring customer data — including business terms, pricing, and purchasing history of B2B customers — over the public internet without a dedicated transport path was increasingly difficult to justify to corporate customers requiring documentation of security architecture as part of their own ISO/IEC 27001 audits.How did New Telekom design the solution?
CloudConnect as a dedicated private cloud link to Azure
New Telekom proposed replacing access to Azure over the public internet with a dedicated private CloudConnect link — a direct MPLS VPN circuit from the customer's Prague data center to the Microsoft Azure ExpressRoute peering location in Prague, from where it continues over Microsoft's private backbone to the Azure West Europe region. The key principle: data between the customer's Prague data center and Azure stops traversing the public internet entirely. The entire path — from the server in the Prague colocation data center to the application environment in Azure West Europe — is a dedicated physical route operated by the New Telekom network and Microsoft's backbone infrastructure. No third-party transit nodes, no capacity sharing with other public internet users.Capacity and redundancy
For the customer's data volume (180 TB monthly, peaks during campaigns up to 3× average), a primary capacity of 2 Gbit/s symmetrical was designed — with the option for immediate scaling to 5 Gbit/s via the CloudConnect SDN platform without physical intervention in the infrastructure. For seasonal campaigns like Black Friday or spring sales, capacity can be temporarily increased and then reduced after the event ends. Redundancy of the last mile between the customer's Prague data center and the New Telekom distribution node is provided by two physically separate fiber routes running along different streets — a dig or failure on one route does not affect the other. Switching to the backup route occurs automatically within 8 seconds.What was physically implemented?
Fiber connection to the Prague data center
The customer operates colocation in a data center in the Prague — Vinohrady area. New Telekom delivered a dedicated OS2 Single-Mode fiber pair from the New Telekom distribution node in Prague 2 to the customer's rack space — a route of 680 meters through existing building cable infrastructure, terminated with LC/APC connectors on the patch panel in the customer's rack space. Measured route attenuation: 2.1 dB.Active equipment
- Juniper MX204 — customer's backbone router with dedicated VRF instance for the CloudConnect circuit, BGP session to the New Telekom network, hardware support for MPLS, IPv4/IPv6 dual-stack, and QoS DiffServ with three traffic classes: priority (stock synchronization), standard (transactional data), and best-effort (media content, logs)
- Juniper EX4300 — access switch for connecting the customer's server infrastructure to the router, 10GbE uplinks, LACP bonding for capacity aggregation
- Fortinet FortiGate 400F — NGFW firewall at the boundary between the private CloudConnect link and the customer's internal server network; on the CloudConnect layer without SSL inspection (unnecessary latency on a private link), with IPS and anomaly detection active
- APC Smart-UPS 2200VA — backup power for active equipment for 50 minutes
Azure ExpressRoute configuration
On the Microsoft Azure side, an ExpressRoute Circuit was configured within the project at the Prague (CE Colo Prague) peering location with 2 Gbit/s throughput and both Microsoft Peering activated for access to Azure PaaS services (Azure Blob Storage, Azure SQL, Azure CDN Origin) and Private Peering for access to the customer's virtual networks in Azure West Europe. The BGP configuration on the Azure side ensures that customer traffic always prefers the ExpressRoute path over the backup internet path.What parameters does the connection achieve in operation?
| Parameter | After implementation (CloudConnect) | Previous state (internet) |
|---|---|---|
| Latency Prague DC ↔ Azure West Europe | < 9 ms consistent | 18–80 ms, highly variable |
| Throughput at peak | 2 Gbit/s guaranteed | Actually 300–800 Mbit/s (shared capacity) |
| Packet loss | < 0.01% | 0.1–2% at peaks |
| SLA availability | 99.9% contractual | No guarantee |
| Last mile redundancy | Dual fiber, auto-failover < 8 s | Single route |
| Azure egress costs | Reduction of 47% | Full standard rates |
| Data over public internet | Zero for cloud traffic | 100% |
| Capacity scaling | Instant via SDN, no physical intervention | Limited by ISP, weeks |
How does a dedicated private cloud link change the economics of Azure egress?
This is the aspect that surprises customers most during initial analysis. Azure egress traffic — data leaving Azure to the internet — is billed at Microsoft's standard rates (currently in the West Europe region approximately €0.05–0.08/GB depending on volume). For a customer transferring 180 TB monthly, this represented a monthly egress bill in the range of €6,000–8,000. Via CloudConnect and Azure ExpressRoute, egress rates are significantly lower — Microsoft applies preferential rates for traffic over ExpressRoute compared to standard internet egress. The resulting saving for the customer: 47% of total monthly egress costs — with increasing data volume, the absolute savings grow every month. An important detail: ingress traffic (data coming into Azure) is always free — CloudConnect and ExpressRoute do not change this fact, but they are part of the overall economic calculation. A detailed calculation of savings for a specific data volume and Azure region can be found at cloudconnect.cz (Czech language).What does a dedicated private cloud link mean for GDPR and security audits?
For an e-commerce platform processing B2B customer data — business terms, price levels, purchasing history — the data transport path is part of the security architecture that must be demonstrable during GDPR audits or during security checks by corporate customers. The CloudConnect private link allows a clear statement: customer data between our Prague data center and Azure does not traverse the public internet. This fact can be technically documented — with a network topology diagram, a BGP routing table printout, and New Telekom's confirmation of the link architecture. For records of personal data processing according to Art. 30 GDPR (EU Regulation 2016/679), this is a specific technical measure for transport security, not an abstract claim. For customers subject to NIS2 (Act No. 264/2025 Coll.) or DORA (EU Regulation 2022/2554), a private transport path for critical cloud operations is directly part of the required technical measures. Comprehensive IT security solutions — including NIS2 compliance consulting and technical implementation — are offered by New Telekom as an additional service.Frequently asked questions about dedicated private cloud links
What is the difference between CloudConnect and standard internet access to Azure?
Over standard internet, data travels through dozens of third-party operator transit nodes — capacity is shared, latency is variable, and the transport path is uncontrollable. CloudConnect is a dedicated private link: data travels exclusively over the New Telekom network and Microsoft's backbone infrastructure without traversing the public internet. The result is guaranteed throughput, consistent latency, and an auditable transport architecture. In addition, lower Azure egress rates compared to standard internet egress.Is CloudConnect available for AWS and Google Cloud as well, or only for Azure?
CloudConnect from New Telekom connects corporate networks to Microsoft Azure (ExpressRoute), Amazon Web Services (AWS Direct Connect), and Google Cloud Platform (Cloud Interconnect) — all under one contract and from a single port. The customer does not need to arrange separate private circuits for each cloud provider. More information at cloudconnect.cz (Czech language).How quickly can a private CloudConnect link be deployed?
For customers in locations with available New Telekom backbone routes (Prague and surrounding areas, major Czech cities), the standard time from contract signing to activation is 3–5 weeks for the CloudConnect circuit alone. The project described in this case study was completed in 6 weeks — including the fiber connection to the data center, configuration of Azure ExpressRoute on the Microsoft side, and testing of BGP failover scenarios.Can the capacity of a CloudConnect link be changed without a technician dispatch?
Yes. CloudConnect is built on New Telekom's own SDN platform — capacity changes (increase or decrease) are performed software-wise in real time without physical intervention in the infrastructure. For customers with seasonal peaks (sales, campaigns), this means the ability to temporarily increase capacity for the duration of an event and return to the standard level after it ends — without a monthly commitment to higher capacity.Is CloudConnect suitable for companies outside Prague?
Yes. New Telekom delivers CloudConnect private cloud links for corporate customers across the Czech Republic — via its own backbone network and a partner network of 120+ operators for coverage outside the capital. Availability for a specific location and conditions depend on the distance from the nearest New Telekom distribution node. Contact us to verify availability at your address.Conclusion
The dedicated private cloud link via CloudConnect brought the e-commerce platform operator three measurable results: consistent latency below 9 ms eliminating performance fluctuations in synchronization, 47% savings on Azure egress costs, and an auditable security architecture for data transport that can be demonstrated to customers and regulators. For companies transferring tens or hundreds of TB of data monthly between their own infrastructure and the cloud, the question is not whether a dedicated private link makes sense — the question is when the right time is to implement it. For the customer described in this case study, the right moment was exceeding 100 TB of monthly volume, when egress costs became the dominant item on the cloud bill. If your company is looking for a dedicated private cloud link, is interested in New Telekom data services, or wants to compare the costs of existing internet access to Azure or AWS with a CloudConnect solution, contact our team via the contact page or directly at cloudconnect.cz (Czech language).This case study was prepared by the expert team of New Telekom s.r.o. Technical parameters correspond to the state on the project handover date. The customer's industry is disclosed with customer consent; the exact business name and address are not disclosed for commercial reasons. Information corresponds to the technological state as of May 2026.
Technologies and standards used
- CloudConnect / cloudconnect.cz — private MPLS VPN circuit to Microsoft Azure ExpressRoute
- Microsoft Azure ExpressRoute — private circuit to Azure West Europe, Microsoft Peering + Private Peering
- Juniper MX204 — backbone router, BGP, MPLS, VRF, QoS DiffServ
- Juniper EX4300 — access switch, 10GbE, LACP
- Fortinet FortiGate 400F — NGFW firewall with IPS and anomaly detection
- OS2 Single-Mode LC/APC — fiber connection to Prague data center
- New Telekom SDN platform — instant scaling of CloudConnect circuit capacity
- BGP, MPLS, IPv4/IPv6 dual-stack — network protocols
- NIX.CZ — Neutral Internet eXchange Prague, New Telekom direct peering
- EU Regulation 2016/679 (GDPR) — personal data protection during transfer, Art. 30
- Act No. 264/2025 Coll. (NIS2) — technical measures for transport security
- EU Regulation 2022/2554 (DORA) — digital operational resilience