Forum Discussion
Duncan_Baillie
Feb 12, 2023 (Copper Contributor)
VPN over ExpressRoute with backup VPN
Hi. I have a requirement to design an ExpressRoute connection to Azure (Azure private peering only). We also want to encrypt ExpressRoute traffic with a VPN. This is documented.
We also currently have a standard VPN (over the internet) connected to Azure and again there is documentation on how to set up ExpressRoute with an internet VPN as a backup.
However, has anyone configured a VPN over ExpressRoute with an internet VPN as a backup? My gut feel is that it is possible via some clever routing advertising but I can't find any documentation on such an architecture. Any pointers appreciated.
1 Reply
Yes, this is possible and supported by Microsoft, please consider the following as well:
- Routing Preference
  - Azure prefers ExpressRoute over VPN when both advertise the same prefixes.
  - You’ll need to use BGP route weight or AS path prepending to control failover behavior.
- Active-Passive Design
  - Microsoft recommends active-passive for ExpressRoute + VPN backup.
  - Your VPN over ExpressRoute would be “active” and encrypted.
  - Internet VPN would be “passive” and only used if ExpressRoute fails.
- Encryption Layer
  - IPsec VPN over ExpressRoute is supported but must be manually configured.
  - You’ll terminate the VPN on your edge device (firewall/router) and route through ExpressRoute.
- Failover Logic
  - Use Azure Route Server or custom BGP logic to detect ExpressRoute failure and switch to internet VPN.
  - Consider Bidirectional Forwarding Detection (BFD) to speed up convergence.
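The routing-preference and failover-logic points in the reply above, worked through as an added example that is not part of the thread and is not Microsoft's or Azure's own code: a small model of the BGP decision process on the Azure side of the two IPsec tunnels (one riding ExpressRoute private peering, one over the internet). The on-premises router advertises the same prefix on both sessions but prepends its own ASN on the internet tunnel, so the internet path only wins once the ExpressRoute-borne session is withdrawn, and BFD (detection time = interval × multiplier, as in RFC 5880) is what triggers that withdrawal. The ASNs, the prefix `10.50.0.0/16`, the peer names, the timers and the `Route`/`Rib`/`BfdSession` classes are all assumptions made for the illustration; the model compares only BGP attributes and does not reproduce Azure's platform-level preference for ExpressRoute-learned routes over VPN-learned ones.

```python
# Added example: simplified BGP best-path selection plus BFD-driven
# withdrawal, modelling an Azure-side BGP speaker that learns the same
# on-premises prefix over an IPsec tunnel carried by ExpressRoute (primary)
# and an IPsec tunnel over the internet (backup). All identifiers and
# timers below are illustrative assumptions, not values from Azure docs.
from dataclasses import dataclass
from typing import Optional

ONPREM_ASN = 65010          # assumed customer ASN
AZURE_VPN_GW_ASN = 65515    # default ASN of an Azure VPN gateway (unused in selection)


@dataclass(frozen=True)
class Route:
    prefix: str
    peer: str                 # BGP session the route was learned on
    as_path: tuple            # leftmost AS is the neighbour that sent it
    local_pref: int = 100     # higher wins
    med: int = 0              # lower wins


def best_path(candidates) -> Optional[Route]:
    """Subset of the BGP decision process: LOCAL_PREF desc, AS_PATH length asc,
    MED asc, then peer name as a deterministic tie-break."""
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.local_pref, len(r.as_path), r.med, r.peer))


class BfdSession:
    """Liveness check on one tunnel; detection time = rx interval * multiplier."""

    def __init__(self, peer: str, interval_ms: int = 300, multiplier: int = 3):
        self.peer = peer
        self.detect_ms = interval_ms * multiplier
        self.last_rx_ms = 0

    def receive(self, now_ms: int) -> None:
        self.last_rx_ms = now_ms

    def is_up(self, now_ms: int) -> bool:
        return now_ms - self.last_rx_ms < self.detect_ms


class Rib:
    def __init__(self):
        self.adj_rib_in = {}   # peer -> {prefix: Route}
        self.bfd = {}          # peer -> BfdSession

    def add_peer(self, peer: str, session: BfdSession) -> None:
        self.adj_rib_in[peer] = {}
        self.bfd[peer] = session

    def learn(self, route: Route) -> None:
        self.adj_rib_in[route.peer][route.prefix] = route

    def withdraw_peer(self, peer: str) -> None:
        self.adj_rib_in[peer].clear()

    def tick(self, now_ms: int) -> None:
        """Drop every route from a peer whose BFD session has expired."""
        for peer, session in self.bfd.items():
            if not session.is_up(now_ms):
                self.withdraw_peer(peer)

    def select(self, prefix: str) -> Optional[Route]:
        cands = [t[prefix] for t in self.adj_rib_in.values() if prefix in t]
        return best_path(cands)


def build_gateway():
    """Constructed scenario: one on-prem prefix learned over both tunnels."""
    gw = Rib()
    gw.add_peer("ipsec-over-er", BfdSession("ipsec-over-er"))
    gw.add_peer("ipsec-over-internet", BfdSession("ipsec-over-internet"))
    prefix = "10.50.0.0/16"
    # Same prefix on both sessions; the internet tunnel carries the ASN
    # prepended twice, so it loses on AS_PATH length while the ER path exists.
    gw.learn(Route(prefix, "ipsec-over-er", (ONPREM_ASN,)))
    gw.learn(Route(prefix, "ipsec-over-internet", (ONPREM_ASN,) * 3))
    return gw, prefix


def failover_scenario():
    """Return (time_ms, chosen peer) samples; the ER tunnel goes silent at t=1200."""
    gw, prefix = build_gateway()
    timeline = []
    for t in range(0, 3000, 300):
        gw.bfd["ipsec-over-internet"].receive(t)
        if t < 1200:                      # ER-borne tunnel stops answering BFD
            gw.bfd["ipsec-over-er"].receive(t)
        gw.tick(t)
        timeline.append((t, gw.select(prefix).peer))
    return timeline


def recovery_scenario():
    """Preemption: once the ER session re-forms and re-advertises, it wins again."""
    gw, prefix = build_gateway()
    gw.withdraw_peer("ipsec-over-er")           # outage already detected
    during = gw.select(prefix).peer
    gw.learn(Route(prefix, "ipsec-over-er", (ONPREM_ASN,)))
    return during, gw.select(prefix).peer


if __name__ == "__main__":
    for t, peer in failover_scenario():
        print(f"t={t:5d} ms  best path via {peer}")
```

With a 300 ms interval and multiplier 3 the ER-borne tunnel is declared down 900 ms after its last BFD packet, so the sample flips to the internet tunnel at t=1800 ms; without BFD the same switch would wait for the BGP hold timer, which is why the reply suggests BFD for convergence. The recovery case shows the design is preemptive: as soon as the ExpressRoute path is re-learned, its shorter AS path wins again, so traffic returns to the encrypted-over-ExpressRoute tunnel without manual intervention.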