This chapter covers two critical hybrid connectivity solutions in Azure: VPN Gateway and ExpressRoute. You'll learn how to design, implement, and troubleshoot site-to-site VPNs, point-to-site VPNs, and ExpressRoute circuits. Understanding these options is essential for the AZ-104 exam, as hybrid networking is a core competency for Azure Administrators.
Jump to a section
Imagine you need to connect two office buildings securely. One option is to dig a tunnel through the public ground—it's encrypted, secure, but shared with other tunnels and subject to traffic jams. That's a VPN Gateway: a secure, encrypted connection over the public internet. Now imagine you build a private, dedicated highway that only your two buildings can use—no traffic, guaranteed speed, but expensive and requires long-term planning. That's ExpressRoute: a private, dedicated connection from your on-premises network to Azure, bypassing the internet entirely. In the AZ-104 exam, you'll need to decide which 'road' to build based on requirements like latency, bandwidth, security, and cost. VPN is quick to set up and cheap but can be slow and unreliable. ExpressRoute is fast and reliable but takes weeks to provision and costs more. Knowing when to pick each is crucial—just like choosing between a tunnel and a highway for your daily commute.
What are VPN Gateway and ExpressRoute?
VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic across the public internet to connect Azure virtual networks to on-premises locations or other Azure VNets. ExpressRoute, on the other hand, is a dedicated private connection to Azure that does not traverse the internet, offering higher reliability, faster speeds, and lower latency. Both are used to extend on-premises networks into Azure, but they serve different use cases based on performance, security, and cost requirements.
Key Components of VPN Gateway
Virtual Network Gateway: The Azure-side endpoint for VPN connections. It is deployed in a dedicated subnet called GatewaySubnet.
Local Network Gateway: Represents your on-premises VPN device and its public IP address.
Connection: Links the virtual network gateway and local network gateway, with shared key authentication.
VPN Types: Policy-based (static routing) or route-based (dynamic routing). AZ-104 focuses on route-based VPNs, which support IKEv2, point-to-site, and VNet-to-VNet.
SKUs: Basic, VpnGw1, VpnGw2, VpnGw3, etc. Higher SKUs support more tunnels, higher throughput, and features like BGP.
How VPN Gateway Works
Create a GatewaySubnet (minimum /27) in your VNet.
Deploy a virtual network gateway with the desired SKU and VPN type.
Create a local network gateway with your on-premises VPN device's public IP and address spaces.
Create a connection using a pre-shared key.
Configure your on-premises VPN device with the Azure gateway's public IP and matching key.
Traffic is encrypted via IPsec/IKE and sent over the internet.
Key Components of ExpressRoute
ExpressRoute Circuit: A logical connection between on-premises and Azure via a connectivity provider (e.g., Equinix, Level 3).
Redundancy: Each circuit has two redundant connections from two Microsoft Enterprise Edge (MSEE) routers.
Peering: Private peering (for VNets) and Microsoft peering (for Azure public services like Office 365).
Gateway: An ExpressRoute gateway in the VNet (different SKU than VPN gateway) connects the circuit to the VNet.
BGP: Used to exchange routes between on-premises and Azure.
How ExpressRoute Works
Order an ExpressRoute circuit from a connectivity provider (or directly from Microsoft via ExpressRoute Direct).
The provider provisions two cross-connections to Microsoft.
Configure BGP peering: private peering for VNet connectivity, Microsoft peering for Azure PaaS services.
Create an ExpressRoute gateway in your VNet and link it to the circuit.
Traffic flows through the private connection, bypassing the internet.
AZ-104 Specific Details
GatewaySubnet: Must be named 'GatewaySubnet' exactly. Cannot be associated with a network security group (NSG) or route table.
Active-Active VPN: For high availability, deploy two active VPN instances. Supported on route-based VPN gateways (VpnGw1 and above).
ExpressRoute Global Reach: Connects on-premises sites across different ExpressRoute circuits.
ExpressRoute Direct: Provides 10/100 Gbps connections directly from your on-premises to Microsoft.
Forced Tunneling: Route all internet-bound traffic from Azure VMs through the VPN/ExpressRoute to on-premises for inspection. Requires a default route (0.0.0.0/0) on the gateway subnet.
BGP: On VPN gateways, BGP is used for dynamic routing. On ExpressRoute, BGP is mandatory.
Pricing: VPN Gateway charges per hour + data transfer out. ExpressRoute charges per circuit (monthly) + data transfer (metered or unlimited).
Exam Tip: Know the differences in SLA: VPN Gateway offers 99.95% (zone-redundant) or 99.9% (non-zone), ExpressRoute offers 99.95%.
In enterprise environments, VPN Gateway is often used for small branch offices or temporary connections, while ExpressRoute is preferred for mission-critical workloads requiring consistent performance. For example, a company might use ExpressRoute for their primary data center connection to Azure, but set up a site-to-site VPN as a backup. Another common scenario is using point-to-site VPN for remote employees accessing Azure resources. Azure Administrators must also manage routing, monitor connection health, and troubleshoot issues like misconfigured BGP or mismatched shared keys. Understanding the trade-offs between cost, performance, and deployment time is key to making the right recommendation.
The AZ-104 exam tests your ability to choose between VPN Gateway and ExpressRoute based on requirements. Common traps include: thinking VPN Gateway is always cheaper (it's not for high bandwidth), forgetting that ExpressRoute requires a provider, or assuming ExpressRoute is faster in all cases (it is, but only if properly provisioned). Memorize: GatewaySubnet naming, SKU capabilities (Basic does not support BGP, point-to-site, or active-active), and that ExpressRoute uses BGP exclusively. Also know that you can combine both (ExpressRoute + VPN as backup) and that forced tunneling is configured on the gateway subnet. Key terms: GatewaySubnet, Local Network Gateway, Virtual Network Gateway, ExpressRoute circuit, private peering, Microsoft peering, BGP, SKU, active-active.
VPN Gateway provides encrypted connectivity over the internet; ExpressRoute provides private connectivity via a provider.
GatewaySubnet must be named exactly 'GatewaySubnet' and cannot have NSGs or route tables.
Route-based VPNs are preferred and support IKEv2, point-to-site, and VNet-to-VNet.
ExpressRoute requires BGP for routing and offers two types of peering: private and Microsoft.
Know the SKU differences: Basic VPN does not support BGP, point-to-site, or active-active; higher SKUs do.
Mistake
VPN Gateway is always more secure than ExpressRoute because it encrypts traffic.
Correct
ExpressRoute is private and does not traverse the internet, so it is inherently more secure. VPN adds encryption but is still over the public internet.
Mistake
ExpressRoute provides a dedicated physical connection from on-premises to Azure.
Correct
ExpressRoute is a logical connection through a provider's network, not a direct physical cable from your data center to Microsoft.
Mistake
You can use a VPN gateway as an ExpressRoute gateway.
Correct
They are different gateway types with different SKUs. You need an ExpressRoute gateway to connect a VNet to an ExpressRoute circuit.
Yes, you can have both connections to the same VNet. This is common for redundancy (ExpressRoute primary, VPN backup). Just ensure proper routing.
/27. For some configurations, /26 may be recommended.
By default, no. But you can enable encryption over ExpressRoute using MACsec (for ExpressRoute Direct) or IPsec over ExpressRoute.
Yes, you can resize the SKU (e.g., from VpnGw1 to VpnGw2) without downtime, but not from Basic to standard or vice versa.
You've just covered VPN Gateway and ExpressRoute — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?