AZ-305 | Chapter 24 of 103 | Objective 4.2

Hybrid Connectivity: VPN Gateway vs ExpressRoute

This chapter covers hybrid connectivity options between on-premises networks and Azure, specifically comparing VPN Gateway and ExpressRoute. For the AZ-305 exam, this topic appears in approximately 10-15% of questions under objective 4.2 'Design a hybrid networking solution'. Understanding the differences in performance, reliability, security, and cost is critical for designing solutions that meet business requirements. You will learn the underlying mechanisms, configuration steps, and exam traps to avoid.

25 min read
Intermediate
Updated May 31, 2026

VPN Gateway vs ExpressRoute: Two Lanes to Azure

Imagine your on-premises office needs a reliable connection to a remote Azure data center. You have two options: a public internet VPN (like a secure tunnel through a busy highway) or a private dedicated line (like a private rail track). The VPN is like a company van that drives through public roads, encrypted with a lockbox. It's cheap, flexible, and easy to set up, but traffic can be delayed by congestion or weather. ExpressRoute is like a dedicated railway line built just for your company: no traffic, no stops, guaranteed speed, but it costs more and takes weeks to construct. Inside the van, your data packets are wrapped in IPsec encryption; the lockbox is the VPN tunnel. On the railway, your data travels in private frames over fiber, never touching the internet. If the van breaks down, you can reroute via another road (active-passive VPN). If the railway has a fault, you need a second parallel track (ExpressRoute with redundant circuits). The exam tests when to choose each lane based on cost, speed, reliability, and compliance needs.

How It Actually Works

What is Hybrid Connectivity in Azure?

Hybrid connectivity refers to the ability to extend an on-premises network into Azure, allowing resources in both locations to communicate as if they were on the same LAN. Azure provides two primary services for this: VPN Gateway and ExpressRoute. VPN Gateway uses the public internet with encrypted tunnels (IPsec/IKE), while ExpressRoute uses private dedicated circuits provided by network partners.

VPN Gateway: Mechanism and Components

Azure VPN Gateway is a virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet. It supports site-to-site (S2S), point-to-site (P2S), and VNet-to-VNet connections. The gateway is deployed in a dedicated subnet called GatewaySubnet with a minimum size of /27 (recommended /26 for larger deployments).

How it works:

1. An IPsec tunnel is established between the on-premises VPN device and the Azure VPN Gateway.
2. Traffic is encrypted using IKEv1 or IKEv2 with pre-shared key or certificate authentication.
3. The gateway routes traffic based on routes learned via BGP (if enabled) or static routes.
4. The gateway is deployed in active-active or active-standby mode. In active-standby, one instance handles traffic; if it fails, the standby takes over with a brief interruption.

Key components:

- GatewaySubnet: Must be named exactly 'GatewaySubnet'. Size /27 at minimum.
- Public IP address: Assigned to the gateway for internet-facing traffic.
- Local network gateway: Represents the on-premises VPN device's public IP and address spaces.
- Connection: Links the virtual network gateway and local network gateway with a shared key.
- SKU: Determines throughput and features. Options: Basic (100 Mbps, no BGP), VpnGw1-5 (up to 10 Gbps aggregated, BGP support).

Default values and timers:

- IKE phase 1 lifetime: 28,800 seconds (8 hours) for main mode.
- IKE phase 2 lifetime: 27,000 seconds (7.5 hours) for quick mode.
- Dead Peer Detection (DPD): 5 seconds interval, 3 retries.
- BGP keepalive: 60 seconds, hold time 180 seconds.

Configuration example (PowerShell):

# The GatewaySubnet and public IP are bound to the gateway through an IP configuration object
$ipconfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' `
  -SubnetId $subnet.Id -PublicIpAddressId $publicIp.Id
New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName 'RG1' `
  -Location 'EastUS' -GatewayType 'Vpn' -VpnType 'RouteBased' `
  -GatewaySku 'VpnGw1' -IpConfigurations $ipconfig `
  -EnableBgp $true -Asn 65515

ExpressRoute: Mechanism and Components

ExpressRoute creates a private connection between on-premises and Azure datacenters, bypassing the public internet. It uses a Layer 3 (BGP) or Layer 2 (VLAN) connection provided by an Exchange Provider or Network Service Provider.

How it works:

1. A physical fiber connection is established from your on-premises router to the provider's edge (PE) router.
2. The provider extends connectivity to Azure's edge routers via MPLS or other technologies.
3. Two BGP sessions are established: one for private peering (Azure virtual networks) and optionally one for Microsoft peering (Office 365, Dynamics 365, Azure PaaS public endpoints).
4. Traffic is not encrypted by default, but you can use IPsec over ExpressRoute for additional security.

Key components:

- ExpressRoute circuit: The physical or logical connection. Has a bandwidth (50 Mbps to 10 Gbps) and a provider.
- Peering locations: Physical locations where you connect to Microsoft's network (e.g., Equinix, Level(3)).
- Virtual network gateway: Must be of type 'ExpressRoute' and in a GatewaySubnet.
- Connection: Links the virtual network gateway to the ExpressRoute circuit.
- Authorization key: Used to link multiple subscriptions to a single circuit.

Default values and timers:

- BGP keepalive: 60 seconds, hold time 180 seconds.
- VLAN ID: 0-4095, must match between on-premises and Azure.
- MD5 hash: Optional for BGP authentication.

Configuration example (PowerShell):

New-AzExpressRouteCircuit -Name 'ERCircuit1' -ResourceGroupName 'RG1' `
  -Location 'EastUS' -SkuTier 'Standard' -SkuFamily 'MeteredData' `
  -ServiceProviderName 'Equinix' -PeeringLocation 'Silicon Valley' `
  -BandwidthInMbps 1000

Performance and SLA Comparison

VPN Gateway:

Throughput: Up to 10 Gbps (aggregated across all tunnels) with VpnGw5.

SLA: 99.95% for active-active deployments, 99.9% for active-standby.

Latency: Variable due to internet routing.

ExpressRoute:

Throughput: Up to 10 Gbps per circuit, multiple circuits can be aggregated.

SLA: 99.95% availability for circuits with redundant connections.

Latency: Consistent, typically <10 ms within a region.

Security Considerations

VPN Gateway uses IPsec encryption (AES-256, SHA-256) by default. ExpressRoute traffic does not traverse the internet, but it is not encrypted by default. For compliance, you can add IPsec over ExpressRoute using a VPN gateway behind ExpressRoute.

Integration with Other Services

Both can be combined with Azure Firewall, Network Virtual Appliances (NVAs), and Azure Virtual WAN. Virtual WAN can manage both VPN and ExpressRoute connections centrally.

Exam Focus: Key Differences

Cost: VPN is pay-as-you-go (hourly + data egress). ExpressRoute has recurring circuit costs plus data transfer fees (metered or unlimited).

Reliability: ExpressRoute is not inherently more reliable than VPN if both use redundant connections. The SLA difference is small.

Latency: ExpressRoute is deterministic; VPN is not.

Bandwidth: ExpressRoute offers higher bandwidth options.

Encryption: VPN encrypts by default; ExpressRoute does not.

Setup time: VPN can be set up in hours; ExpressRoute takes weeks.

Common Configuration Mistakes

Using a GatewaySubnet smaller than /27.

Not enabling BGP on VPN Gateway when on-premises uses dynamic routing.

Using incorrect IKE parameters (e.g., mismatch of phase 2 lifetimes).

Not ordering redundant ExpressRoute circuits for high availability.

Verification Commands

# Check VPN connection status
Get-AzVirtualNetworkGatewayConnection -Name 'Connection1' -ResourceGroupName 'RG1' | fl

# Check ExpressRoute circuit status
Get-AzExpressRouteCircuit -Name 'ERCircuit1' -ResourceGroupName 'RG1'

# Check BGP status (on VPN gateway)
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName 'VNet1GW' -ResourceGroupName 'RG1'
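The verification cmdlets above only print objects; the script below is an added example (not from the original chapter) that turns them into pass/fail checks covering the common mistakes listed earlier: GatewaySubnet name and size, a connection that is defined but not up, BGP peers that never establish, and a circuit the provider has not yet provisioned. It assumes the chapter's resource names (RG1, VNet1GW, Connection1, ERCircuit1) plus a virtual network called VNet1 (assumed name).

```powershell
# Added example, not from the original chapter. Assumed names: VNet1 (the VNet);
# the rest are the names used throughout this chapter.
$rg       = 'RG1'
$vnetName = 'VNet1'
$gwName   = 'VNet1GW'
$connName = 'Connection1'
$erName   = 'ERCircuit1'

function Write-Check([string]$Label, [bool]$Ok, [string]$Detail) {
    $mark = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ('[{0}] {1}: {2}' -f $mark, $Label, $Detail)
}

# 1. A subnet named exactly GatewaySubnet (case-sensitive match) that is /27 or larger.
#    A larger prefix length is a smaller subnet, so the test is "prefix length <= 27".
$vnet  = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSub = $vnet.Subnets | Where-Object { $_.Name -ceq 'GatewaySubnet' }
if ($null -eq $gwSub) {
    Write-Check 'GatewaySubnet' $false 'no subnet named exactly GatewaySubnet'
} else {
    $prefixLen = [int]((@($gwSub.AddressPrefix)[0]) -split '/')[1]
    Write-Check 'GatewaySubnet' ($prefixLen -le 27) ("prefix length /{0}" -f $prefixLen)
}

# 2. The S2S connection is actually up, not merely defined (ConnectionStatus = Connected).
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Write-Check 'VPN connection' ($conn.ConnectionStatus -eq 'Connected') $conn.ConnectionStatus

# 3. Every BGP peer is Connected and has received at least one route. A peer that stays
#    in Connecting or Idle is the usual sign of an ASN or peering-IP mismatch.
$peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg
foreach ($p in $peers) {
    $ok = ($p.State -eq 'Connected') -and ($p.RoutesReceived -gt 0)
    Write-Check ("BGP peer {0} AS{1}" -f $p.Neighbor, $p.Asn) $ok ("state={0} routes={1}" -f $p.State, $p.RoutesReceived)
}

# 4. The ExpressRoute circuit is Enabled on the Azure side AND Provisioned by the provider.
#    Enabled alone means the order exists but the carrier has not completed it yet.
$er   = Get-AzExpressRouteCircuit -Name $erName -ResourceGroupName $rg
$erOk = ($er.CircuitProvisioningState -eq 'Enabled') -and ($er.ServiceProviderProvisioningState -eq 'Provisioned')
Write-Check 'ExpressRoute circuit' $erOk ("azure={0} provider={1}" -f $er.CircuitProvisioningState, $er.ServiceProviderProvisioningState)
```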

Walk-Through

1. Plan the connectivity architecture

Assess business requirements: bandwidth, latency, SLA, security, and cost. For latency-sensitive or high-volume workloads, choose ExpressRoute. For cost-sensitive or temporary connections, choose VPN. Consider redundancy: active-passive VPN or dual ExpressRoute circuits. Document IP address spaces, BGP AS numbers, and authentication methods.

2. Create the virtual network and gateway subnet

In Azure, create a virtual network with a subnet named 'GatewaySubnet' (mandatory). Size it /26 or larger to accommodate future growth. The subnet must not have any NSGs or UDRs associated initially. For ExpressRoute, the gateway type is 'ExpressRoute'; for VPN, it's 'Vpn'. Allocate a dynamic or static public IP address for VPN.

3. Deploy the virtual network gateway

Use Azure portal, CLI, or PowerShell to create the gateway. For VPN, select the SKU (e.g., VpnGw1 for 650 Mbps). Enable BGP if required. For ExpressRoute, select the SKU (Standard or High Performance). The gateway deployment takes 30-45 minutes. During this time, the gateway is provisioned in two instances (active-standby by default).

4. Configure the on-premises device or provider

For VPN, configure your on-premises VPN device with the Azure gateway's public IP, pre-shared key, and IPsec parameters (IKEv1 or IKEv2, AES-256, SHA-256). For ExpressRoute, work with your provider to establish physical connectivity and configure BGP peering with Microsoft's edge routers. Provide your AS number, VLAN ID, and IP addresses for the BGP session.

5. Create and validate the connection

For VPN, create a 'Connection' resource linking the virtual network gateway and local network gateway. Use the same pre-shared key. For ExpressRoute, authorize the circuit and link it to the virtual network gateway. Validate by pinging an Azure VM from on-premises. Check BGP routes with `Get-AzVirtualNetworkGatewayLearnedRoute`. Monitor logs for errors like 'IKE authentication failed' or 'BGP neighbor down'.
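Steps 4 and 5 above, written out in Az PowerShell as an added example (not code from the original chapter). The IKE/IPsec parameters are pinned explicitly so the "mismatched phase 2 lifetime" mistake from the Common Configuration Mistakes list cannot creep in unnoticed. It assumes VNet1GW from step 3 and, for the ExpressRoute variant, an ExpressRoute-type gateway named VNet1ERGW (assumed name) in RG1; the on-premises public IP, ASN, BGP peer IP and DH/PFS groups are constructed placeholders.

```powershell
# Added example, not from the original chapter. Assumed: VNet1GW exists (step 3);
# VNet1ERGW is an assumed ExpressRoute-type gateway; on-prem values are placeholders.
$rg       = 'RG1'
$location = 'EastUS'
$gw       = Get-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg

# Step 4 (Azure side): the local network gateway is the on-premises VPN device as Azure
# sees it. With BGP, AddressPrefix only needs the peer's /32; everything else is learned.
# 203.0.113.10 is a documentation (TEST-NET-3) placeholder for the device's public IP.
$lng = New-AzLocalNetworkGateway -Name 'OnPremGW' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.10.255.1/32' `
    -Asn 65010 -BgpPeeringAddress '10.10.255.1'

# Pin the policy to what the device is configured with. SALifeTimeSeconds is the phase 2
# (quick mode) lifetime the chapter lists as 27,000 s; both ends must agree or rekeys
# drift and the tunnel flaps. The DH and PFS groups are assumptions for this example.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Pre-shared key: draw it from a CSPRNG instead of typing one, keep it out of the
# script, and deliver it to the device out of band.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Step 5: the Connection resource ties gateway, local network gateway, key and policy.
New-AzVirtualNetworkGatewayConnection -Name 'Connection1' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -EnableBgp $true -IpsecPolicies $ipsecPolicy

# Validate before you ping: the tunnel must be Connected and the BGP peer up, otherwise
# a ping test is exercising the wrong path. Give IKE and BGP a minute to come up.
Start-Sleep -Seconds 60
(Get-AzVirtualNetworkGatewayConnection -Name 'Connection1' -ResourceGroupName $rg).ConnectionStatus
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName 'VNet1GW' -ResourceGroupName $rg |
    Select-Object Neighbor, Asn, State, RoutesReceived

# ExpressRoute variant of step 5 (circuit in the same subscription, so no authorization
# key is needed): link the ExpressRoute-type gateway to the circuit by its resource id.
$erGw    = Get-AzVirtualNetworkGateway -Name 'VNet1ERGW' -ResourceGroupName $rg
$circuit = Get-AzExpressRouteCircuit -Name 'ERCircuit1' -ResourceGroupName $rg
New-AzVirtualNetworkGatewayConnection -Name 'ERConnection1' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $erGw -PeerId $circuit.Id -ConnectionType ExpressRoute
```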

What This Looks Like on the Job

Scenario 1: Enterprise Migration with Latency Sensitivity

A financial services company is migrating a trading application to Azure. The application requires sub-10ms latency between on-premises and Azure. They choose ExpressRoute with a 1 Gbps circuit from Equinix, using Microsoft peering for Office 365 and Azure PaaS services. The circuit is configured with BGP and a private ASN. They deploy two circuits from different providers for redundancy. During a failure test, one circuit fails; BGP converges in under 10 seconds. The cost is approximately $5,000/month per circuit plus data transfer. The setup took 4 weeks due to physical fiber provisioning.

Scenario 2: Branch Office Connectivity with VPN

A retail chain with 200 branch offices needs to connect each to Azure for centralized inventory management. Each branch has a DSL connection. They deploy Azure VPN Gateway with VpnGw1 SKU in active-standby mode. Each branch uses a low-cost router with IPsec. The total cost is $0.30/hour per gateway plus egress data. Setup takes a few hours per branch. However, during peak hours, some branches experience packet loss due to internet congestion. They mitigate by enabling BGP with multiple tunnels per branch.

Scenario 3: Hybrid Backup Solution

A healthcare provider uses Azure Backup for on-premises servers. They need secure, reliable, and encrypted connectivity. They use both ExpressRoute for bulk backup (low latency) and a VPN Gateway as a backup link. During normal operation, backup traffic flows over ExpressRoute. If ExpressRoute fails, the VPN takes over. They configure the VPN with IPsec and force tunnel all traffic through the VPN. The dual connectivity ensures 99.99% availability for backup operations.

How AZ-305 Actually Tests This

Exam Objective 4.2: Design a Hybrid Networking Solution

The AZ-305 exam tests your ability to choose between VPN Gateway and ExpressRoute based on requirements. Key areas:

- Performance: ExpressRoute provides consistent low latency; VPN latency is unpredictable. The exam may ask which to use for real-time data replication.
- Cost: VPN is cheaper for low bandwidth; ExpressRoute is cost-effective for high bandwidth. Know the pricing models: VPN charges per hour + egress; ExpressRoute charges per circuit + data (metered or unlimited).
- Security: VPN encrypts by default; ExpressRoute does not. If encryption is required over ExpressRoute, you must add IPsec.
- Reliability: Both can achieve 99.95% SLA with redundancy. The exam often tests that ExpressRoute is not inherently more reliable than VPN.
- Compliance: Some regulations require data not to traverse the public internet. ExpressRoute meets this; VPN does not.

Common Wrong Answers

1. "ExpressRoute is faster than VPN." Wrong. Latency depends on distance; ExpressRoute provides consistent latency, not necessarily lower.
2. "VPN Gateway cannot support BGP." Wrong. Route-based VPN gateways support BGP; policy-based do not.
3. "ExpressRoute requires encryption." Wrong. It is not encrypted by default; you can add IPsec.
4. "VPN Gateway is always active-passive." Wrong. You can deploy active-active VPN gateways for higher throughput and resilience.

Numbers to Memorize

Minimum GatewaySubnet size: /27

VPN Gateway SKU throughput: Basic 100 Mbps, VpnGw1 650 Mbps, VpnGw5 10 Gbps

ExpressRoute bandwidth: 50 Mbps to 10 Gbps

IKE phase 1 lifetime: 28,800 seconds

BGP keepalive: 60 seconds

ExpressRoute SLA: 99.95%

VPN Gateway SLA: 99.95% (active-active)

Edge Cases

Forced tunneling: Override default route to send internet traffic through VPN to on-premises for inspection.

Policy-based VPN: Supports only static routing, limited to 1 tunnel.

ExpressRoute with VPN failover: Use a VPN gateway as backup to ExpressRoute.

Virtual WAN: Centralized hub for managing multiple VPN and ExpressRoute connections.
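Forced tunneling from the edge cases above, as an added example (not from the original chapter): a default route for a workload subnet that points at the VPN gateway, plus the gateway default site without which 0.0.0.0/0 has no tunnel to follow. It assumes VNet1 with a subnet named Workload, the gateway VNet1GW and a local network gateway OnPremGW in RG1 (all assumed names except VNet1GW and RG1).

```powershell
# Added example, not from the original chapter. Assumed names: VNet1, Workload, OnPremGW.
$rg       = 'RG1'
$location = 'EastUS'
$vnet     = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg

# 1. Route table with a default route whose next hop is the virtual network gateway.
$rt = New-AzRouteTable -Name 'ForcedTunnelRT' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'DefaultToOnPrem' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualNetworkGateway -RouteTable $rt | Set-AzRouteTable | Out-Null

# 2. Associate it with the workload subnet only. Do not attach it to GatewaySubnet:
#    the chapter's rule that GatewaySubnet carries no UDRs applies here too.
$sub = Get-AzVirtualNetworkSubnetConfig -Name 'Workload' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload' `
    -AddressPrefix $sub.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 3. Tell the gateway which site (the local network gateway representing the on-premises
#    device) receives the default route; this is what makes the 0.0.0.0/0 route usable.
$gw  = Get-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway -Name 'OnPremGW' -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $lng -VirtualNetworkGateway $gw
```

After this, internet-bound traffic from the Workload subnet leaves via the on-premises device, so its egress capacity and inspection policy now sit in the path for those VMs.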

Eliminating Wrong Answers

If a question mentions "consistent latency" or "bypass internet", choose ExpressRoute. If it mentions "low cost" or "quick setup", choose VPN. If it mentions "encryption", choose VPN or note that ExpressRoute needs additional IPsec. If it mentions "SLA", both can achieve similar SLAs with proper design.

Key Takeaways

VPN Gateway is suitable for cost-sensitive, temporary, or low-bandwidth connections; ExpressRoute for high-bandwidth, latency-sensitive, or compliance-driven scenarios.

GatewaySubnet must be exactly named 'GatewaySubnet' and be at least /27.

VPN Gateway supports BGP on route-based SKUs (VpnGw1 and above).

ExpressRoute is not encrypted by default; add IPsec for encryption.

Both services can achieve 99.95% SLA with redundant configurations.

Active-active VPN Gateway doubles throughput and improves failover.

ExpressRoute requires a provider and physical connection at a peering location.

Forced tunneling can be configured with VPN Gateway to route internet traffic on-premises.

Azure Virtual WAN simplifies management of multiple VPN and ExpressRoute connections.

The exam will test trade-offs between cost, latency, reliability, and security.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

VPN Gateway

Uses public internet with IPsec encryption.

Lower cost: hourly fee + data egress.

Quick setup: hours to days.

Variable latency due to internet routing.

Throughput up to 10 Gbps (aggregated).

ExpressRoute

Uses private dedicated circuits, bypassing internet.

Higher cost: circuit fee + data transfer (metered or unlimited).

Setup takes weeks (physical provisioning).

Consistent low latency (typically <10 ms within region).

Throughput up to 10 Gbps per circuit, multiple circuits possible.

Watch Out for These

Mistake

ExpressRoute is always faster than VPN Gateway.

Correct

ExpressRoute provides consistent, predictable latency but is not necessarily lower. VPN latency varies with internet conditions. Both can achieve similar throughput if bandwidth is sufficient.

Mistake

VPN Gateway does not support BGP.

Correct

Route-based VPN gateways support BGP. Policy-based VPNs do not. The exam expects you to know that BGP is available on VpnGw1 and higher SKUs.

Mistake

ExpressRoute traffic is encrypted by default.

Correct

ExpressRoute traffic is not encrypted. It is private but not encrypted. For encryption, you must implement IPsec over ExpressRoute or use application-level encryption.

Mistake

VPN Gateway is always active-passive.

Correct

You can configure VPN Gateway in active-active mode, where both instances handle traffic, increasing throughput and providing faster failover.

Mistake

ExpressRoute provides 100% uptime SLA.

Correct

ExpressRoute SLA is 99.95% for circuits with redundant connections. It does not guarantee 100% uptime. Proper redundancy design is required.

Frequently Asked Questions

What is the difference between VPN Gateway and ExpressRoute?

VPN Gateway uses encrypted tunnels over the public internet, while ExpressRoute uses private dedicated circuits. VPN is cheaper and faster to set up, but has variable latency. ExpressRoute provides consistent low latency and higher bandwidth, but costs more and takes longer to provision.

Can I use both VPN Gateway and ExpressRoute together?

Yes, you can use both for redundancy. For example, use ExpressRoute as primary and VPN as backup. You can also use VPN to encrypt traffic over ExpressRoute for added security.

What is the minimum size for GatewaySubnet?

The minimum size is /27 (32 IP addresses). However, /26 is recommended to accommodate future growth and multiple gateway instances.

Does ExpressRoute automatically encrypt traffic?

No, ExpressRoute traffic is not encrypted by default. It is private but not encrypted. To encrypt, you must implement IPsec over ExpressRoute or use application-level encryption.

What SLA does ExpressRoute offer?

ExpressRoute offers a 99.95% SLA for circuits with redundant connections. This is the same as VPN Gateway when configured in active-active mode.

Can I use BGP with VPN Gateway?

Yes, route-based VPN gateways support BGP. Policy-based VPNs do not. BGP is available on VpnGw1 and higher SKUs.

How do I choose between VPN Gateway and ExpressRoute?

Choose VPN Gateway for low cost, quick setup, and when latency is not critical. Choose ExpressRoute for consistent low latency, high bandwidth, and compliance requirements that mandate data not traverse the internet.
