cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Azure VPN Gateway vs. ExpressRoute - Quick comparison
By
laghim
Published Jan 26 2023 08:20 AM 22.5K Views
laghim
Microsoft
‎Jan 26 2023 08:20 AM

Azure VPN Gateway vs. ExpressRoute - Quick comparison

‎Jan 26 2023 08:20 AM

Table Of Contents

 

 

Introduction

Let's start by clearing the confusion around the terms Virtual Network Gateway, VPN Gateway, and ExpressRoute Gateway.  

 

  • Virtual Network Gateway represents the category of gateways that reside inside a virtual network and are used to connect virtual networks or on-premises networks to virtual networks. 

  • VPN Gateway is a specific type of Virtual Network Gateway. It is used to send encrypted traffic across the public Internet. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.

  • ExpressRoute Gateway is also a specific type of Virtual Network Gateway. It sends network traffic on a dedicated private connection when configuring Azure ExpressRoute.

laghim_0-1674743412581.png

 

When you create a Virtual Network Gateway, you need to specify several settings. One required setting -GatewayTypespecifies whether the gateway is used for ExpressRoute or VPN traffic.  Each virtual network can have only one Virtual Network Gateway of each type. For example, you can have only one Virtual Network Gateway that uses -GatewayType VPN, and one that uses -GatewayType ExpressRoute.

 

VPN Gateway

A virtual network gateway is composed of two or more Azure-managed VMs automatically configured and deployed to a specific subnet you create called the GatewaySubnet. When you create a VPN gateway, gateway VMs are deployed to the gateway subnet and configured with your specified settings. This process can take 45 minutes or more to complete, depending on your selected gateway SKU.

 

Connectivity designs

You can create multiple connection configurations using VPN Gateway, so you must determine which configuration best fits your needs. Point-to-Site (P2S), Site-to-Site (S2S), and VNet-to-VNet (V2V) connections all have different instructions and configuration requirements. See all details about the VPN Gateway designs here.

 

Point-to-Site (P2S)

laghim_0-1674745907358.png

Site-to-Site (S2S)

laghim_1-1674745920972.png

VNet-to-VNet (V2V)

 

laghim_2-1674745932951.png

 

ExpressRoute Gateway

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365.

 

You must first create a virtual network gateway to connect your Azure virtual network and your on-premises network using ExpressRoute. A virtual network gateway serves two purposes: exchanging IP routes between the networks and routing traffic.

 

Benefits of using Azure ExpressRoute

  • Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
  • Connectivity to Microsoft cloud services across all regions in the geopolitical region.
  • Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
  • Dynamic routing between your network and Microsoft via BGP.
  • Built-in redundancy in every peering location for higher reliability.
  • Connection uptime SLA.
  • QoS support for Skype for Business.

laghim_3-1674746954687.png

 

Connectivity models

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don't go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet. For information on how to connect your network to Microsoft using ExpressRoute, see ExpressRoute connectivity models.

 

laghim_4-1674747125771.png

 

Key differences

The following table shows the main differences between Point-to-Site, Site-to-Site, and ExpressRoute at the time of this writing.

 

 

 

Point-to-Site

Site-to-Site

ExpressRoute

Azure Supported Services

Cloud Services and Virtual Machines

Cloud Services and Virtual Machines

Services list

Typical Bandwidths

Based on the gateway SKU

Typically < 10 Gbps aggregate

50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, 100 Gbps

Gateway SKU

Gateway SKUs by tunnel, connection, and throughput

Gateway SKUs by tunnel, connection, and throughput 

Gateway SKUs

Protocols Supported

Secure Sockets Tunneling Protocol (SSTP), OpenVPN, and IPsec

IPsec/ IKE

Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS,...)

Encryption

About Azure Point-to-Site VPN connections

Cryptographic requirements for VPN gateways

Azure ExpressRoute: About Encryption

Routing

RouteBased (dynamic)

About P2S routing

We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)

BGP

Connection resiliency

active-passive

active-passive or active-active

active-active

High Availability

-

Highly Available cross-premises and VNet-to-VNet connectivity

  • Multiple on-premises VPN devices 
  • Active-active VPN gateways
  • Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
  • Highly Available VNet-to-VNet

Designing for high availability with ExpressRoute

  • First-mile physical layer design considerations
  • Active-active connections
  • NAT for Microsoft peering
  • Fine-tuning features for private peering
  • Availability Zone aware ExpressRoute virtual network gateways
  • Improving failure detection time

Typical use case

Secure access to Azure virtual networks for remote users

 

 

Reference architectures:

Remote work and Point-to-Site VPN gateways

Dev/test / lab scenarios and small to medium-scale production workloads for cloud services and virtual machines

 

Reference architectures:

Hub-spoke network topology in Azure

 

Access to all Azure services (validated list), Enterprise-class and mission-critical workloads, Backup, Big Data, Azure as a DR site

 

Reference architectures:

Extend an on-premises network using ExpressRoute

Connect an on-premises network to Azure using ExpressRoute with VPN failover

SLA

SLA

99.9% availability for each Basic Gateway for VPN

99.95% availability for all Gateway for VPN SKUs, excluding Basic.

SLA

99.9% availability for each Basic Gateway for VPN

99.95% availability for all Gateway for VPN SKUs, excluding Basic.

SLA

99.9% availability for Basic Gateway for ExpressRoute.

99.95% availability for all Gateway for ExpressRoute SKUs, excluding Basic.

Pricing

Pricing

A combination of VPN Gateway type and data transfer. Each type supports different bandwidth and number of tunnels.

Pricing

A combination of VPN Gateway type and data transfer. Each type supports different bandwidth and number of tunnels.

Pricing

A combination of the metered data plan for the outbound transfers and the gateway type.

Technical Documentation

VPN Gateway

VPN Gateway

ExpressRoute

FAQ

VPN Gateway FAQ

VPN Gateway FAQ

ExpressRoute FAQ
Co-Authors
Version history
Last update:
‎Feb 06 2023 02:09 AM
Updated by:
Labels