AZ-900 | Chapter 21 of 127 | Objective 2.3

Azure VPN Gateway and ExpressRoute

This chapter covers Azure VPN Gateway and ExpressRoute, two core services for establishing secure, private connectivity between on-premises networks and Azure. These services fall under the 'Azure Architecture Services' objective area, which typically accounts for 20-25% of the AZ-900 exam. Understanding the differences between site-to-site VPN, point-to-site VPN, and ExpressRoute is crucial, as the exam frequently tests scenarios where you must choose the appropriate connectivity solution based on bandwidth, latency, security, and cost requirements.

25 min read
Intermediate
Updated May 31, 2026

The Private Express Lane for Your Data

Imagine your company is a busy warehouse that needs to send daily shipments to a major retail distribution center (your Azure data center). The public internet is like a public highway—anyone can use it, traffic jams happen, and there's a risk of packages being tampered with. For routine, non-sensitive shipments, the public highway works fine. But for high-value, time-sensitive cargo—like payroll data or customer financial records—you need a dedicated, private express lane. Azure VPN Gateway is like a secure, encrypted tunnel that runs alongside the public highway. It's private and encrypted, but it still shares the same road infrastructure, so speeds can vary based on overall traffic. Azure ExpressRoute, on the other hand, is a completely separate, private highway that bypasses the public internet entirely. You lease a dedicated fiber connection from a carrier, so your data travels on a route that no other traffic uses. This means consistent low latency, higher reliability, and guaranteed bandwidth. The trade-off: setting up ExpressRoute requires more planning and cost, just like building a private road requires permits and construction. For most businesses, a VPN tunnel is sufficient for secure connectivity, but for mission-critical, high-volume data transfer, the private highway of ExpressRoute is worth the investment.

How It Actually Works

What Are Azure VPN Gateway and ExpressRoute?

Azure VPN Gateway and ExpressRoute are both services that enable secure, private connections between your on-premises network and Azure virtual networks (VNets). They solve the fundamental business problem of extending your corporate network into the cloud securely and reliably. Without these services, you would have to rely on the public internet, which introduces risks like data interception, variable latency, and unreliable connections.

How VPN Gateway Works

Azure VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic across the public internet. It uses industry-standard protocols like IPsec and IKE to establish secure tunnels. There are two main deployment models:

Site-to-Site (S2S) VPN: Connects your entire on-premises network to an Azure VNet. Requires a VPN device on-premises with a public IP address. The connection is always-on and encrypted.

Point-to-Site (P2S) VPN: Connects individual client computers (like remote employees) to an Azure VNet. Uses SSTP, OpenVPN, or IKEv2. No VPN device needed—just client software.

Key Components of VPN Gateway

Virtual Network Gateway: The Azure resource that acts as the endpoint for VPN tunnels. It is deployed in a dedicated subnet called GatewaySubnet.

Local Network Gateway: Represents your on-premises VPN device and its public IP address. You define the address ranges of your on-premises network here.

Connection: The logical link between the virtual network gateway and the local network gateway.

Gateway SKUs: Basic, VpnGw1, VpnGw2, VpnGw3, etc. Higher SKUs support more tunnels, higher throughput, and more features like active-active mode.

How ExpressRoute Works

ExpressRoute creates a private, dedicated connection between your on-premises network and Azure, bypassing the public internet entirely. This connection is established through a connectivity provider (e.g., AT&T, Verizon, Equinix). The data travels over a private fiber link, providing lower latency, higher reliability, and up to 100 Gbps bandwidth.

ExpressRoute Models

CloudExchange Colocation: You co-locate your equipment in a provider facility and connect directly to Azure.

Point-to-Point Ethernet: A dedicated fiber link from your on-premises data center to Azure.

Any-to-Any (IPVPN): You integrate Azure with your existing MPLS-based WAN.

ExpressRoute Components

ExpressRoute Circuit: The physical connection ordered from a provider.

Peering: Two types—Azure Private Peering (connects to Azure VNets) and Microsoft Peering (connects to Microsoft 365, Dynamics 365, etc.).

Gateway: You still need a virtual network gateway (ExpressRoute-specific SKU) attached to your VNet.

Pricing and Billing

VPN Gateway: Charged per hour based on SKU. Data transfer out is additional.

ExpressRoute: Charged monthly based on bandwidth (50 Mbps to 10 Gbps) and model (metered or unlimited data). Metered data incurs per-GB charges for outbound data.

Comparison to On-Premises Equivalents

In a traditional on-premises environment, connecting two remote sites might involve leased lines or MPLS circuits. Azure VPN Gateway is analogous to an IPsec VPN appliance, while ExpressRoute is like a dedicated leased line. The key difference is that Azure manages the gateway infrastructure, so you don't need to maintain hardware.

Azure Portal and CLI Touchpoints

In the Azure portal, you create VPN Gateways under "Virtual network gateways." For ExpressRoute, you create circuits under "ExpressRoute circuits." Common CLI commands:

# Create a VPN Gateway
az network vnet-gateway create --name VNet1GW --resource-group RG1 --location eastus --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --public-ip-address PIP1

# Create an ExpressRoute circuit
az network express-route create --name ERCircuit --resource-group RG1 --bandwidth 100 --provider "Equinix" --peering-location "Silicon Valley" --sku-family MeteredData --sku-tier Standard

Walk-Through

1. Plan your connectivity requirements

Assess your business needs: required bandwidth (e.g., 100 Mbps vs 10 Gbps), latency sensitivity (real-time apps vs batch transfers), security level (encrypted internet vs private fiber), and budget. For AZ-900, remember that ExpressRoute is recommended for high bandwidth, low latency, and regulatory compliance, while VPN is suitable for smaller, less critical connections. Also consider if you need site-to-site (whole network) or point-to-site (individual users). This step determines which service to use.

2. Create the Azure virtual network and gateway subnet

In the Azure portal, create a VNet with a dedicated subnet named 'GatewaySubnet' (mandatory). The gateway subnet must be at least /27 to accommodate the gateway. This subnet cannot be used for other resources. The VNet should have address space that doesn't overlap with your on-premises network. For ExpressRoute, the gateway subnet is the same, but you'll later attach an ExpressRoute gateway instead of a VPN gateway.

3. Create the virtual network gateway

For VPN Gateway, create a 'Virtual network gateway' resource. Choose 'VPN' as the gateway type and 'Route-based' (recommended for modern scenarios). Select a SKU based on your throughput and feature needs (e.g., VpnGw1 for 650 Mbps). For ExpressRoute, choose 'ExpressRoute' as the gateway type and select an ExpressRoute-compatible SKU (e.g., Standard for 1 Gbps). The gateway will be deployed to the GatewaySubnet and assigned a public IP (for VPN) or a private IP (for ExpressRoute).

4. Configure the on-premises connection endpoint

For VPN Gateway, create a 'Local network gateway' resource that represents your on-premises VPN device. Enter its public IP address and the IP address ranges of your on-premises network (e.g., 10.0.0.0/16). For ExpressRoute, you don't create a local network gateway; instead, you work with a connectivity provider to provision the ExpressRoute circuit. The provider will provide a service key that you use to link the circuit to your Azure subscription.

5. Establish the connection and verify

For VPN, create a 'Connection' resource linking the virtual network gateway and local network gateway. Use shared key (pre-shared key) authentication. Once connected, verify by pinging an Azure VM from on-premises. For ExpressRoute, after the provider provisions the circuit, you create a connection from the circuit to your virtual network gateway. You can verify by checking the circuit status in the portal (should show 'Provisioned'). Test connectivity by accessing Azure resources using private IPs.
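Steps 2 and 4 above both hinge on address planning: the GatewaySubnet must be named exactly, be /27 or larger, sit inside the VNet, and the on-premises ranges declared on the local network gateway must not overlap the VNet. The following is an added example (not code from this page or from Azure's tooling) that checks a planned layout with Python's standard ipaddress module before any gateway is created; the function name and the sample CIDRs are constructed for illustration.

```python
import ipaddress

# Added example, not part of the original chapter: validate a hybrid address plan
# before creating the gateway, catching the failures the walk-through warns about.
GATEWAY_SUBNET_NAME = "GatewaySubnet"   # mandatory name for any virtual network gateway
MIN_GATEWAY_PREFIX = 27                 # /27 or larger is required for the gateway subnet


def check_hybrid_plan(vnet_spaces, subnets, onprem_ranges):
    """Return a list of problems; an empty list means the plan is consistent.

    vnet_spaces   -- VNet address space CIDRs, e.g. ["10.1.0.0/16"]
    subnets       -- {subnet name: CIDR} inside the VNet, must include GatewaySubnet
    onprem_ranges -- address ranges declared on the local network gateway
    """
    problems = []
    vnets = [ipaddress.ip_network(s) for s in vnet_spaces]
    onprem = [ipaddress.ip_network(r) for r in onprem_ranges]

    # 1. GatewaySubnet must exist, be /27 or larger, and lie inside the VNet space.
    gw = subnets.get(GATEWAY_SUBNET_NAME)
    if gw is None:
        problems.append(f"no subnet named {GATEWAY_SUBNET_NAME}")
    else:
        gw_net = ipaddress.ip_network(gw)
        if gw_net.prefixlen > MIN_GATEWAY_PREFIX:
            problems.append(f"{GATEWAY_SUBNET_NAME} {gw} is smaller than /{MIN_GATEWAY_PREFIX}")
        if not any(gw_net.subnet_of(v) for v in vnets):
            problems.append(f"{GATEWAY_SUBNET_NAME} {gw} is outside the VNet address space")

    # 2. Subnets must not overlap each other (the GatewaySubnet is reserved for the gateway).
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(subnets[a]).overlaps(ipaddress.ip_network(subnets[b])):
                problems.append(f"subnets {a} and {b} overlap")

    # 3. On-premises ranges must not overlap the VNet; otherwise routing is ambiguous
    #    and the site-to-site connection never comes up (see scenario 1 below).
    for r in onprem:
        for v in vnets:
            if r.overlaps(v):
                problems.append(f"on-premises range {r} overlaps VNet space {v}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a /16 VNet with a valid /27 GatewaySubnet and a
    # non-overlapping on-premises /16, as a local network gateway would declare it.
    plan = check_hybrid_plan(
        ["10.1.0.0/16"],
        {"GatewaySubnet": "10.1.255.0/27", "workload": "10.1.0.0/24"},
        ["10.0.0.0/16"],
    )
    print("OK" if not plan else "\n".join(plan))
```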

What This Looks Like on the Job

Scenario 1: Multi-Site Enterprise with Hybrid Cloud

A global manufacturing company with offices in New York, London, and Tokyo needs to migrate its ERP system to Azure while keeping sensitive financial data on-premises. They require low-latency access to Azure VMs hosting the ERP. The IT team sets up an ExpressRoute circuit from each office to its nearest Azure region (East US, UK South, Japan East). They choose 1 Gbps bandwidth with an unlimited data plan to avoid per-GB charges for high-volume transactions. The connection is configured with Azure Private Peering, so the ERP VMs in Azure are reachable via private IPs. The team uses Azure Route Server to propagate on-premises routes. Cost is approximately $5,000/month per circuit, but the consistent 5ms latency enables real-time inventory updates. Without ExpressRoute, the public internet would introduce 50-100ms latency, causing timeouts. When set up incorrectly (e.g., overlapping IP ranges), the connection fails to establish, requiring reconfiguration of address spaces.

Scenario 2: Remote Workforce with Point-to-Site VPN

A mid-sized consulting firm with 200 remote employees needs secure access to Azure-hosted applications. They deploy a Point-to-Site VPN using Azure VPN Gateway. Each employee installs the Azure VPN Client on their laptop and authenticates using Azure AD. The gateway uses OpenVPN protocol with certificate-based authentication. The firm chooses a VpnGw1 SKU supporting up to 250 concurrent connections. Monthly cost is ~$150 for the gateway plus data transfer. During a peak period, 300 employees try to connect simultaneously, exceeding the limit and causing connection failures. The team upgrades to VpnGw2 (supports 500 connections). This scenario highlights the importance of matching SKU to user count.

Scenario 3: Retail Chain with Site-to-Site VPN for POS

A retail chain with 500 stores uses Azure for centralized inventory management. Each store has a DSL line and a low-cost VPN router. They set up a Site-to-Site VPN from each store to a central Azure VNet using policy-based VPN (Basic SKU). The aggregate bandwidth is low (each store < 10 Mbps). The total monthly cost is ~$250 for the gateway plus minimal data transfer. However, during Black Friday, the central gateway becomes a bottleneck because all stores send data simultaneously. The team upgrades to a higher SKU (VpnGw3) for higher throughput. This demonstrates that VPN Gateway is cost-effective for many low-bandwidth branches, but scaling requires SKU upgrades.

How AZ-900 Actually Tests This

What AZ-900 Tests on This Objective

Objective 2.3: 'Describe Azure networking services.' Specifically, the exam expects you to compare and contrast Azure VPN Gateway and ExpressRoute. You will not be asked to configure them, but you must know their characteristics, use cases, and how they differ.

Common Wrong Answers and Why Candidates Choose Them

1. 'ExpressRoute is cheaper than VPN Gateway' – Candidates assume 'private' means 'cheaper' because it's direct. In reality, ExpressRoute is significantly more expensive due to carrier fees and monthly circuit costs. VPN Gateway uses the public internet, so it's cheaper.

2. 'VPN Gateway provides dedicated bandwidth' – Some think encryption equals dedicated. Actually, VPN traffic shares internet bandwidth and is subject to congestion. Only ExpressRoute provides dedicated, guaranteed bandwidth.

3. 'ExpressRoute requires a VPN device on-premises' – Candidates confuse the two. VPN Gateway needs a VPN device; ExpressRoute does not—it uses a provider-managed connection.

4. 'Point-to-Site VPN is for connecting entire networks' – This is a classic mix-up. Point-to-Site is for individual devices; Site-to-Site is for networks.

Specific Terms and Values That Appear on the Exam

GatewaySubnet: The required subnet for any virtual network gateway.

SKUs: Basic, VpnGw1-3 for VPN; Standard, High Performance for ExpressRoute.

Protocols: IPsec/IKE for VPN; BGP for dynamic routing (supported by both).

ExpressRoute bandwidths: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps.

SLA: VPN Gateway 99.9% uptime; ExpressRoute 99.95% uptime.

Edge Cases and Tricky Distinctions

Active-Active VPN: The exam may ask about active-active mode for higher availability. This requires two public IPs and two tunnels.

ExpressRoute with VPN failover: A common design is to use ExpressRoute as primary and VPN as backup. The exam may test this redundancy scenario.

BGP: Both services support BGP for dynamic routing. The exam might ask which one supports it (both do).

Microsoft Peering: ExpressRoute can connect to Microsoft 365 via Microsoft Peering (not just Azure VNets).

Memory Trick for Choosing Between VPN and ExpressRoute

Use the acronym CLIP:

Cost: VPN is cheaper.

Latency: ExpressRoute offers lower, consistent latency.

Internet: VPN uses the public internet; ExpressRoute does not.

Private: ExpressRoute is private; VPN is encrypted but runs over the public internet.

When you see a scenario asking for 'dedicated, low-latency, high-bandwidth' connection, choose ExpressRoute. If 'cost-effective, encrypted, over the internet' is described, choose VPN Gateway.

Key Takeaways

Azure VPN Gateway connects on-premises networks to Azure via encrypted IPsec tunnels over the public internet.

ExpressRoute provides a private, dedicated connection to Azure that does not traverse the internet, offering lower latency and higher reliability.

VPN Gateway requires a VPN device on-premises with a public IP; ExpressRoute requires a connectivity provider.

VPN Gateway SKUs include Basic, VpnGw1-3; ExpressRoute SKUs include Standard and High Performance.

Point-to-Site VPN connects individual clients; Site-to-Site VPN connects entire networks.

ExpressRoute supports Azure Private Peering (VNet) and Microsoft Peering (Microsoft 365, Dynamics 365).

Both services support BGP for dynamic routing.

For AZ-900, remember that ExpressRoute is for high bandwidth, low latency, and regulatory compliance; VPN Gateway is for cost-effective, secure connectivity.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure VPN Gateway

Uses public internet with IPsec encryption

Lower cost, pay per hour + data transfer

Bandwidth up to ~10 Gbps (multiple tunnels)

Supports Site-to-Site and Point-to-Site

SLA: 99.9% uptime

Azure ExpressRoute

Private, dedicated connection bypassing internet

Higher cost, monthly circuit fee + data (metered/unlimited)

Bandwidth up to 100 Gbps

Connects entire networks (no Point-to-Site)

SLA: 99.95% uptime

Watch Out for These

Mistake

VPN Gateway provides a dedicated private connection like ExpressRoute.

Correct

VPN Gateway encrypts traffic over the public internet. The connection is not dedicated; it shares internet bandwidth. ExpressRoute provides a dedicated private connection that bypasses the internet entirely.

Mistake

ExpressRoute is a type of VPN.

Correct

ExpressRoute is not a VPN. It is a private, dedicated connection using MPLS or Ethernet. It does not use IPsec encryption by default (though you can add it). VPN Gateway uses IPsec tunnels over the internet.

Mistake

You need a VPN device on-premises for both VPN Gateway and ExpressRoute.

Correct

Only VPN Gateway requires a VPN device on-premises. ExpressRoute uses a connectivity provider's infrastructure; you do not need a VPN device.

Mistake

Point-to-Site VPN connects your entire on-premises network.

Correct

Point-to-Site (P2S) connects individual client computers, not entire networks. Site-to-Site (S2S) connects networks.

Mistake

ExpressRoute automatically provides higher security than VPN Gateway.

Correct

ExpressRoute is private and not exposed to the internet, but it does not inherently encrypt data. VPN Gateway encrypts all traffic with IPsec. For compliance requiring encryption, you can add encryption over ExpressRoute.

Frequently Asked Questions

What is the difference between Azure VPN Gateway and ExpressRoute?

Azure VPN Gateway sends encrypted traffic over the public internet, while ExpressRoute uses a private, dedicated connection that bypasses the internet. VPN Gateway is cheaper but has variable latency; ExpressRoute offers consistent low latency and higher bandwidth but at a higher cost. For AZ-900, remember that ExpressRoute is for dedicated, high-performance needs.

Do I need a VPN device for ExpressRoute?

No, ExpressRoute does not require a VPN device on-premises. It uses a connectivity provider (e.g., AT&T, Equinix) to provision a dedicated circuit. You only need a router that supports BGP if you want dynamic routing. This is a common exam trick—candidates often assume both require a VPN device.

Can I use both VPN Gateway and ExpressRoute together?

Yes, you can configure a Site-to-Site VPN as a failover for ExpressRoute. This is a common hybrid design for high availability. The VPN provides a backup if the ExpressRoute circuit goes down. The exam may test this redundancy scenario.

What is the SLA for Azure VPN Gateway and ExpressRoute?

Azure VPN Gateway has an SLA of 99.9% uptime. ExpressRoute has an SLA of 99.95% uptime. These numbers appear on the exam—know them exactly.

Can ExpressRoute connect to Microsoft 365?

Yes, via Microsoft Peering. ExpressRoute can connect to Microsoft 365, Dynamics 365, and Azure public services. However, Microsoft recommends using ExpressRoute only for specific scenarios due to cost and complexity. For AZ-900, know that Microsoft Peering enables this.

What is the difference between Site-to-Site and Point-to-Site VPN?

Site-to-Site (S2S) connects your entire on-premises network to an Azure VNet. Point-to-Site (P2S) connects individual client computers (like remote employees) to a VNet. S2S requires a VPN device; P2S only needs client software. The exam often asks which to use for remote workers (P2S).

What is a GatewaySubnet?

A GatewaySubnet is a dedicated subnet that must be created in your Azure VNet to host a virtual network gateway. It must be named 'GatewaySubnet' and have a minimum size of /27. No other resources can be deployed in this subnet. This is a mandatory step for both VPN and ExpressRoute gateways.
