ExpressRoute IPsec termination

Hello all,

We will be building an ExpressRoute for our traffic from on-prem to Azure VNets.

We want all this traffic to be encrypted. We have a FW on-prem.

On the Azure side, do we have to rely on the Azure VPN GW, or can we use another vendor's device, like a Palo Alto FW, inside the Azure VNet?

Also, if the Azure VGW is the only option, how many tunnels can be terminated on it? Is there any limit?

1 Reply

Microsoft describes this exact scenario in the documentation: "VPN tunnels over Microsoft peering can be terminated either using VPN gateway, or using an appropriate Network Virtual Appliance (NVA) available through Azure Marketplace". I have successfully used a Cisco NVA for terminating an end-to-end VPN between on-premises and Azure VNETs, for a client. So the answer is: yes, you can use a third-party NVA to establish an end-to-end VPN over ExpressRoute.