Forum Discussion

Duncan_Baillie's avatar
Duncan_Baillie
Copper Contributor
Feb 12, 2023

VPN over ExpressRoute with backup VPN

Hi. I have a requirement to design an ExpressRoute connection to Azure (Azure private peering only). We also want to encrypt ExpressRoute traffic with a VPN. This is documented. We also currently ha...
Kidd_Ip's avatar
Kidd_Ip
MVP
Oct 03, 2025

Yes, this is possible and supported by Microsoft, please consider the following as well:

 

  1. Routing Preference
  • Azure prefers ExpressRoute over VPN when both advertise the same prefixes.
  • You’ll need to use BGP route weight or AS path prepending to control failover behavior.
  1. Active-Passive Design
  • Microsoft recommends active-passive for ExpressRoute + VPN backup.
  • Your VPN over ExpressRoute would be “active” and encrypted.
  • Internet VPN would be “passive” and only used if ExpressRoute fails.
  1. Encryption Layer
  • IPsec VPN over ExpressRoute is supported but must be manually configured.
  • You’ll terminate the VPN on your edge device (firewall/router) and route through ExpressRoute.
  1. Failover Logic
  • Use Azure Route Server or custom BGP logic to detect ExpressRoute failure and switch to internet VPN.
  • Consider Bidirectional Forwarding Detection (BFD) to speed up convergence.

Resources