VPN & ExpressRoute: Hybrid Connectivity
Connect your on-premises data center to Azure securely β over the internet or a dedicated circuit
π‘ Intermediate
β± 20 Minutes
π AZ-104 Β· Module 04
Why This Matters
You have Azure VNets in the cloud, but your company still has an on-premises data center. You need to connect them securely. You have two choices: VPN (cheaper, over the internet) or ExpressRoute (dedicated, more expensive, better performance). This doc explains both, when to use each, and how they work.
The Simple Idea
What Is Hybrid Connectivity?
Hybrid = Connecting on-premises infrastructure to Azure cloud.
You need this when:
- Your company has servers in the data center (on-premises)
- You also have resources in Azure (VMs, databases, apps)
- They need to communicate securely
Two Solutions
| Solution | Connection | Bandwidth | Latency | Cost | Security |
|---|
| VPN | Over internet (encrypted) | Up to 1.25 Gbps | High (~100ms) | Low | Good (encryption) |
| ExpressRoute | Dedicated circuit from provider | Up to 100 Gbps | Low (~5ms) | High | Excellent (isolated) |
Option 1: VPN Gateway
What Is a VPN?
VPN (Virtual Private Network) = Secure tunnel over the public internet that encrypts all traffic.
Real-World Analogy: Armored Truck Through Public Roads
An armored truck carries secret documents through public roads. Attackers can see the truck, but can't access its contents. The Azure VNet receives and decrypts the documents, which are then safely used in cloud services.
On-Premises Office
β
βββ Secret documents
β
βββ Send via: Armored Truck (encrypted)
ββ Drives through public roads
ββ Attackers can see the truck, but can't access contents β
β (Internet)
Azure VNet
β
βββ Documents received and decrypted
β
βββ Safely used in cloud services β
How VPN Works
Step 1: On-premises router has VPN client
ββ Initiates secure tunnel to Azure VPN Gateway
Step 2: Encryption happens automatically
ββ All traffic encrypted before leaving on-premises
ββ Travels over internet
ββ Decrypted by Azure VPN Gateway
Step 3: Azure VPN Gateway decrypts and forwards
ββ Forwards to VNets connected to it
ββ Return traffic encrypted again
Result:
On-premises βββ(Encrypted Tunnel)βββ Azure
β (Over Internet) β
ββ Secure but slower (encryption overhead)
ββ Good for moderate bandwidth needs
VPN Configuration & Use Cases
VPN Configuration
On-Premises:
ββ VPN Gateway (on router)
ββ Pre-shared key or certificate
ββ Routes: "To reach 10.0.0.0/16 (Azure), use VPN tunnel"
Azure:
ββ VPN Gateway in VNet
ββ Connection resource linking on-prem gateway to Azure gateway
ββ Routes: "To reach 192.168.0.0/16 (on-prem), use VPN tunnel"
Handshake:
On-prem: "Can I reach 10.0.0.0/16?"
Azure VPN: "Yes, authenticate with pre-shared key"
Tunnel established β
Use VPN When
ββ Need to connect quickly (days, not weeks)
ββ Low-to-medium bandwidth (< 1 Gbps)
ββ Budget-conscious (cheaper than ExpressRoute)
ββ Can tolerate higher latency (100ms+)
ββ Example: Backup a database nightly to Azure
β (doesn't need constant, low-latency connection)
Don't Use VPN If
ββ Need very high bandwidth (> 1 Gbps)
ββ Need consistent low latency (< 10ms)
ββ Transmitting HD video or real-time data
ββ Example: Don't run production SQL server queries over VPN
Option 2: ExpressRoute
What Is ExpressRoute?
ExpressRoute = Dedicated, private network circuit from your on-premises to Azure (not over the internet).
Real-World Analogy: Private Highway Just For You
A private highway, dedicated and isolated, only you can use. No encryption needed because it's already isolated β much faster and more reliable. Documents are received immediately and safely used in cloud services.
On-Premises Office
β
βββ Secret documents
β
βββ Send via: Private highway (dedicated, isolated)
ββ Only you can use this highway
ββ No encryption needed (already isolated)
ββ Much faster and more reliable β
β (Dedicated Circuit - not internet)
Azure VNet
β
βββ Documents received immediately
β
βββ Safely used in cloud services β
How ExpressRoute Works
Step 1: Order dedicated circuit from provider
ββ Provider creates private circuit: On-prem β Azure DC
ββ Takes 2-4 weeks to provision
Step 2: Circuit arrives (dedicated link)
ββ Not encrypted (no needβit's isolated)
ββ High bandwidth available (1.25, 10, 100 Gbps options)
Step 3: BGP routing configured
ββ "Routes to 10.0.0.0/16 (Azure) go through this circuit"
ββ "Routes to 192.168.0.0/16 (on-prem) come from this circuit"
Result:
On-premises βββ(Dedicated Circuit)βββ Azure
β (Private, No Internet) β
ββ Secure (isolated by nature)
ββ Fast (low latency, high bandwidth)
ββ Predictable (dedicated resource)
ExpressRoute Peering Models & Pricing
ExpressRoute Peering Models
Azure supports multiple connections over one ExpressRoute circuit:
ExpressRoute Circuit
ββ Private Peering (Azure VNets)
β ββ Connect to your Azure VNets (10.0.0.0/16, etc.)
β ββ Private IP addresses used
β ββ Lowest latency
β
ββ Microsoft Peering (Microsoft Services)
β ββ Connect to Office 365, Dynamics, Azure Services
β ββ Public IP addresses used
β ββ Can reach Microsoft services without internet
β
ββ Azure Public Peering (Deprecated, avoid)
ββ Older model, being phased out
ExpressRoute Pricing Models
Unlimited Data (Most common):
ββ Monthly fee + Fixed amount of bandwidth
ββ Example: $100/month for 1 Gbps circuit
ββ All data transfers included β
Metered Data (Cheaper if low usage):
ββ Monthly fee + Per-GB charges for outbound
ββ Example: $50/month + $0.02/GB outbound
ββ Good if only occasional transfers
ββ Note: Inbound is always free β
Comparison: VPN vs. ExpressRoute
| Aspect | VPN | ExpressRoute |
|---|
| Cost | Low ($10-50/month) | High ($100-1000+/month) |
| Setup Time | Fast (days) | Slow (weeks) |
| Bandwidth | Up to 1.25 Gbps | Up to 100 Gbps |
| Latency | High (~100ms) | Low (~5ms) |
| Reliability | Medium (shared internet) | High (dedicated) |
| Encryption | Built-in | Not needed (isolated) |
| Security | Good (encryption) | Excellent (isolation) |
| Best For | Quick, temporary, low bandwidth | Production, high throughput |
Decision Tree
Need to connect on-premises to Azure?
β
ββ YES β Have dedicated budget?
β β
β ββ NO β Use VPN Gateway β
β β ββ Good for: backup, development, non-critical workloads
β β
β ββ YES β Need high bandwidth or low latency?
β β
β ββ NO β Use VPN Gateway β
β β ββ Cheaper, fast to set up
β β
β ββ YES β Use ExpressRoute β
β ββ Production, mission-critical, real-time data
β
ββ NO β Don't connect on-prem β
ββ Cloud-only architecture (simpler)
Worked Example: Real Scenario
The Scenario
TechCorp has:
- On-premises: Data center with SQL servers (192.168.0.0/16)
- Azure: Production VNet (10.0.0.0/16) and Dev VNet (10.1.0.0/16)
Requirement: Migrate workloads incrementally (dual-run for weeks).
Solution 1: VPN for Initial Migration
Phase 1 (Weeks 1-4): Use VPN for testing
ββ On-premises β VPN Gateway β Azure Prod VNet
ββ Test applications in Azure while old systems still running
ββ Cost: ~$30/month VPN + internet bandwidth
ββ Latency: ~100ms (acceptable for testing) β
Configuration:
ββ On-prem VPN Gateway: Configured for site-to-site VPN
ββ Azure VPN Gateway in Prod VNet
ββ Pre-shared key or certificates
ββ Routes:
β ββ On-prem: 192.168.0.0/16 local, 10.0.0.0/16 via VPN
β ββ Azure: 10.0.0.0/16 local, 192.168.0.0/16 via VPN
Testing:
ββ App server in Azure (10.0.1.5) queries on-prem SQL (192.168.1.50)
ββ Latency: ~100ms (acceptable for testing) β
ββ VPN encrypts all traffic β
Cost: Low (good for temporary connection)
Solution 2: Migrate to ExpressRoute (Phase 2)
Phase 2 (Weeks 5+): Switch to ExpressRoute for production
ββ Order dedicated circuit: Takes 3 weeks to provision
ββ While waiting, continue testing over VPN
Configuration:
ββ ExpressRoute Circuit provisioned
β ββ Provider: Equinix (or other partner)
β ββ Bandwidth: 10 Gbps
β ββ Location: Same city as data center
β ββ Monthly cost: ~$500
β
ββ Azure side: Create ExpressRoute gateway
β ββ Private Peering for VNets
β ββ Routes updated to use ExpressRoute for all on-prem traffic
β
ββ On-premises side: BGP configured for routing
Result:
ββ High bandwidth available (10 Gbps vs. VPN's 1.25 Gbps)
ββ Low latency (~5ms vs. VPN's 100ms)
ββ Production workloads move to Azure with good performance β
ββ Cost higher but worth it for mission-critical apps
Phase 3: Dual Connectivity (Redundancy)
For production reliability: Use BOTH VPN and ExpressRoute
VPN + ExpressRoute together:
ββ ExpressRoute: Primary (low latency, high bandwidth)
β ββ BGP priority: 100 (preferred)
β
ββ VPN: Failover (takes over if ExpressRoute fails)
ββ BGP priority: 200 (backup only)
Result:
ββ Normal: All traffic goes through ExpressRoute
ββ If ExpressRoute circuit fails: Automatically uses VPN β
ββ Keeps services running during maintenance/outages β
ββ High availability achieved (minimal downtime)
Configuration:
BGP Local Preference / Priority settings on-prem
ββ Advertise 10.0.0.0/16 via ExpressRoute with lower metric
ββ Advertise 10.0.0.0/16 via VPN with higher metric
ββ On-prem routers prefer lower metric (ExpressRoute)
ββ If ExpressRoute fails, use VPN (higher metric wins)
Common Mistakes (What NOT to Do)
β Mistake 1: Choosing VPN for Production High-Traffic
Wrong
Production database (500 GB/month traffic):
ββ Manager says: "VPN is cheaper, let's use that"
ββ VPN bandwidth: 1.25 Gbps
ββ Actual usage: 500 GB/month = 1.5 Gbps sustained
ββ Result: Bottleneck, slow queries, timeouts β
Fix
Use ExpressRoute for production:
ββ Bandwidth: 10+ Gbps available
ββ Latency: Consistent (~5ms)
ββ Throughput: Can handle 500 GB/month easily β
ββ Worth the extra cost for reliability β
Why it fails: VPN has bandwidth limits, not suitable for heavy production.
β Mistake 2: Not Planning Failover
Wrong
ExpressRoute circuit fails (provider maintenance):
ββ No VPN backup configured
ββ On-premises can't reach Azure β
ββ Production services down β
ββ SLA breach, customers affected β
Fix
Configure redundancy:
ββ Primary: ExpressRoute (low latency)
ββ Secondary: VPN (backup)
ββ BGP preference: ExpressRoute preferred
ββ On circuit failure: BGP switches to VPN automatically β
Why it fails: Single point of failure.
β Mistake 3: Poor Routing Configuration
Wrong
On-premises routes:
ββ Default route (0.0.0.0/0) β VPN to Azure
Result: ALL traffic to internet goes through Azure VPN β
ββ Accessing external websites slow
ββ Azure gateway becomes bottleneck
ββ Expensive bandwidth usage
Fix
Be specific:
ββ Route 10.0.0.0/16 β VPN (only Azure)
ββ Route 0.0.0.0/0 β Local internet (for web, email, etc.)
ββ Result: Only Azure traffic uses VPN, internet traffic local β
Why it fails: Routing all traffic through the hybrid link creates a bottleneck and wastes bandwidth.
Connectivity Checklist
β‘ Choose technology (VPN vs. ExpressRoute)
ββ VPN: Quick setup, lower cost
ββ ExpressRoute: Higher bandwidth, production-grade
β‘ For VPN:
ββ VPN Gateway created in Azure VNet
ββ VPN Gateway configured on on-premises router
ββ Pre-shared key configured on both sides
ββ Routes configured (what traffic goes through VPN)
ββ Connection tested (ping on-prem from Azure) β
β‘ For ExpressRoute:
ββ Order circuit from provider
ββ Wait for provisioning (2-4 weeks)
ββ Provider key received
ββ ExpressRoute gateway created in Azure
ββ BGP peers configured on both sides
ββ Routes converged (on-prem routes visible in Azure) β
β‘ For both:
ββ Routing configured on both sides
ββ NSG rules allow traffic (security groups still apply)
ββ Firewall rules allow traffic (if firewalls present)
ββ Performance tested (latency, bandwidth acceptable) β
β‘ For redundancy:
ββ Both VPN and ExpressRoute configured
ββ BGP priorities set (prefer one, failover to other)
ββ Failover tested (disconnect primary, verify backup works)
ββ Alerts configured (notify when primary fails) β
How This Connects to Other Topics
Related to Module 01 (Identity & Governance)
- RBAC: Only network admins can configure VPN/ExpressRoute gateways
Related to Module 02 (Storage)
- Storage Access: On-prem servers reach Azure Storage via VPN/ExpressRoute
Related to Module 04 (Networking)
- VNet Peering: Hub VNet with gateway can serve multiple spokes
Related to Module 05 (Monitor)
- Monitor Hybrid Connectivity: Monitor VPN/ExpressRoute metrics
Key Takeaways
π‘ Summary
- VPN = encrypted tunnel over internet (quick, cheaper, limited bandwidth)
- ExpressRoute = dedicated private circuit (better performance, higher cost)
- VPN best for: Non-critical, temporary, low-bandwidth connections
- ExpressRoute best for: Production, high-throughput, mission-critical
- Failover: Configure both VPN and ExpressRoute for redundancy
- BGP routing: Automatic failover when primary fails
- Routing specificity: Route only Azure traffic through VPN/ExpressRoute
- NSG/Firewall rules still apply on both sides of the connection