2.7 Azure VPN Gateway and ExpressRoute

Quick Answer: A VPN Gateway builds encrypted tunnels over the public internet between Azure and on-premises. ExpressRoute is a private, dedicated circuit that does not use the public internet — faster, more predictable, with an SLA, but typically more expensive and not encrypted by default.

Azure VPN Gateway

An Azure VPN Gateway is a specific gateway resource deployed into a dedicated subnet named GatewaySubnet within your VNet. It encrypts traffic with IPsec/IKE and rides the public internet, so the connection is secure but its performance depends on internet conditions.

There are three connection types you must distinguish on the exam:

The classic scenario: "a remote employee needs to connect their laptop to the corporate Azure VNet" → Point-to-Site, because it connects one device, not a whole site. "Connect the head-office network to Azure" → Site-to-Site.

VPN Gateways come in performance tiers (SKUs such as VpnGw1-VpnGw5) that trade off aggregate throughput and tunnel count; AZ-900 does not require memorizing the numbers, only that throughput scales with SKU and is bounded by the public internet.

Worked example: A retailer has a head-office data center and 30 branch stores. To link the head-office network to Azure you provision a Site-to-Site tunnel from the on-premises VPN device to the Azure VPN Gateway. For a field auditor who occasionally needs the corporate VNet from a hotel, you enable Point-to-Site, which installs a VPN client on that single laptop. The two are not interchangeable — choosing P2S for the whole head office would scale poorly, and choosing S2S for one laptop would require a router the auditor does not have.

Because a VPN rides the public internet, its real-world throughput and latency vary with congestion, and Microsoft's SLA covers only the gateway availability, not the internet path between you and Azure.

Azure ExpressRoute

Azure ExpressRoute establishes a private, dedicated connection between your on-premises infrastructure and Microsoft (Azure and Microsoft 365) through a connectivity provider — it does not go over the public internet. This is the headline distinction the exam tests repeatedly.

Because the path is private and provisioned, ExpressRoute delivers:

• Higher bandwidth — standard circuits scale up to 100 Gbps (ExpressRoute Direct ports reach 400 Gbps in select locations).
• Lower, more consistent latency than internet-based VPN.
• Greater reliability with a connectivity SLA (the internet underneath a VPN has no SLA).
• A connection to Microsoft's edge that supports private peering (to your VNets) and Microsoft peering (to Microsoft 365 and Azure PaaS public endpoints).

An important and frequently missed fact: ExpressRoute is not encrypted by default. Its privacy comes from the dedicated circuit, not from cryptography. If you need encryption over ExpressRoute you layer IPsec / MACsec on top.

ExpressRoute Global Reach

ExpressRoute Global Reach lets you link your on-premises sites to each other through the Microsoft backbone using your existing ExpressRoute circuits — useful when, for example, a London office and a Singapore office should exchange traffic over Microsoft's network rather than your own WAN.

VPN Gateway vs. ExpressRoute: Decision Framework

The single most common AZ-900 networking question is choosing between these two services. Map the keywords in the scenario to the right answer:

How to read the scenario:

• Keywords "dedicated", "private", "does not use the public internet", "highest/predictable bandwidth", "mission-critical", "lowest latency" → ExpressRoute.
• Keywords "encrypted tunnel", "over the internet", "low cost", "quick to set up", "connect a branch office" → VPN Gateway (Site-to-Site).
• Keywords "individual laptop / remote worker" → Point-to-Site VPN.

Many enterprises use both: ExpressRoute for the primary private link and a Site-to-Site VPN as an encrypted failover if the circuit goes down.

Common Traps to Memorize

• ExpressRoute does not traverse the public internet — a wrong answer often claims it is "a faster internet VPN."
• ExpressRoute is not encrypted by default; do not assume privacy means encryption.
• Point-to-Site = one device; Site-to-Site = a whole network — read whether the scenario mentions a laptop or a site.
• A VPN Gateway lives in a subnet that must be named GatewaySubnet.
• Standard ExpressRoute circuits scale to 100 Gbps; pick that value when asked for the maximum on a standard circuit.