Azure ExpressRoute Vs Azure VPN Gateway

Introduction

To eliminate common confusion, let’s first distinguish between three related Azure networking components: Virtual Network Gateway, VPN Gateway, and ExpressRoute Gateway.

Virtual Network Gateway represents the category of gateways that reside inside a virtual network and are used to connect virtual networks or on-premises networks to virtual networks.
VPN Gateway is a specific type of Virtual Network Gateway. It is used to send encrypted traffic across the public Internet. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.
ExpressRoute Gateway is also a specific type of Virtual Network Gateway. It sends network traffic on a dedicated private connection when configuring Azure ExpressRoute.

When you create a Virtual Network Gateway, you need to specify several settings. One required setting -GatewayTypespecifies whether the gateway is used for ExpressRoute or VPN traffic. Each virtual network can have only one Virtual Network Gateway of each type. For example, you can have only one Virtual Network Gateway that uses -GatewayType VPN, and one that uses -GatewayType ExpressRoute.

Want to save money on IT costs?

Migrate to cloud without hassles
Save up to 60%

Get Started with Free AWS Credits

VPN Gateway

A virtual network gateway is composed of two or more Azure-managed VMs automatically configured and deployed to a specific subnet you create called the GatewaySubnet. When you create a VPN gateway, gateway VMs are deployed to the gateway subnet and configured with your specified settings. This process can take 45 minutes or more to complete, depending on your selected gateway SKU.

Connectivity designs

You can create multiple connection configurations using VPN Gateway, so you must determine which configuration best fits your needs. Point-to-Site (P2S), Site-to-Site (S2S), and VNet-to-VNet (V2V) connections all have different instructions and configuration requirements. See all details about the VPN Gateway designs here.

Point-to-Site (P2S)

Site-to-Site (S2S)

VNet-to-VNet (V2V)

ExpressRoute Gateway

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365.

You must first create a virtual network gateway to connect your Azure virtual network and your on-premises network using ExpressRoute. A virtual network gateway serves two purposes: exchanging IP routes between the networks and routing traffic.

Benefits of using Azure ExpressRoute

Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
Connectivity to Microsoft cloud services across all regions in the geopolitical region.
Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
Dynamic routing between your network and Microsoft via BGP.
Built-in redundancy in every peering location for higher reliability.
Connection uptime SLA.
QoS support for Skype for Business.

Image Ref: https://learn.microsoft.com/

Connectivity models

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don’t go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet. For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.

Image Ref: https://learn.microsoft.com/

Key differences

The following table shows the main differences between Point-to-Site, Site-to-Site, and ExpressRoute at the time of this writing.

	Point-to-Site	Site-to-Site	ExpressRoute
Azure Supported Services	Cloud Services and Virtual Machines	Cloud Services and Virtual Machines	Services list
Typical Bandwidths	Based on the gateway SKU	Typically < 10 Gbps aggregate	50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, 100 Gbps
Gateway SKU	Gateway SKUs by tunnel, connection, and throughput	Gateway SKUs by tunnel, connection, and throughput	Gateway SKUs
Protocols Supported	Secure Sockets Tunneling Protocol (SSTP), OpenVPN, and IPsec	IPsec/ IKE	Direct connection over VLANs, NSP’s VPN technologies (MPLS, VPLS,…)
Encryption	About Azure Point-to-Site VPN connections	Cryptographic requirements for VPN gateways	Azure ExpressRoute: About Encryption
Routing	RouteBased (dynamic) About P2S routing	We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)	BGP
Connection resiliency	active-passive	active-passive or active-active	active-active
High Availability	–	Highly Available cross-premises and VNet-to-VNet connectivity Multiple on-premises VPN devices Active-active VPN gateways Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks Highly Available VNet-to-VNet	Designing for high availability with ExpressRoute First-mile physical layer design considerations Active-active connections NAT for Microsoft peering Fine-tuning features for private peering Availability Zone aware ExpressRoute virtual network gateways Improving failure detection time
Typical use case	Secure access to Azure virtual networks for remote users Reference architectures: Remote work and Point-to-Site VPN gateways	Dev/test / lab scenarios and small to medium-scale production workloads for cloud services and virtual machines Reference architectures: Hub-spoke network topology in Azure	Access to all Azure services (validated list), Enterprise-class and mission-critical workloads, Backup, Big Data, Azure as a DR site Reference architectures: Extend an on-premises network using ExpressRoute Connect an on-premises network to Azure using ExpressRoute with VPN failover
SLA	SLA 99.9% availability for each Basic Gateway for VPN 99.95% availability for all Gateway for VPN SKUs, excluding Basic.	SLA 99.9% availability for each Basic Gateway for VPN 99.95% availability for all Gateway for VPN SKUs, excluding Basic.	SLA 99.9% availability for Basic Gateway for ExpressRoute. 99.95% availability for all Gateway for ExpressRoute SKUs, excluding Basic.
Pricing	Pricing A combination of VPN Gateway type and data transfer. Each type supports different bandwidth and number of tunnels.	Pricing A combination of VPN Gateway type and data transfer. Each type supports different bandwidth and number of tunnels.	Pricing A combination of the metered data plan for the outbound transfers and the gateway type.
Technical Documentation	VPN Gateway	VPN Gateway	ExpressRoute
FAQ	VPN Gateway FAQ	VPN Gateway FAQ	ExpressRoute FAQ

Train your workforce to leverage the cloud

Contemplating Migrating Workload to Cloud?
Here is a Hassle Free Solution

Get Started Now

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.