Service 29

ExpressRoute

Hybrid

ExpressRoute is a private, dedicated connection between your on-premises network and Azure that bypasses the public internet entirely, established through a connectivity provider. It delivers predictable bandwidth, consistent latency, and a private path — the connectivity option for workloads that cannot tolerate the variability of internet-based VPN.

It is the heavier, costlier sibling of VPN Gateway. Where a VPN tunnel rides the public internet and is provisioned in minutes, an ExpressRoute circuit is physical connectivity through a provider, billed accordingly, justified by bandwidth, latency, and compliance requirements rather than convenience.

Circuits and Peering

An ExpressRoute circuit is the logical connection through a provider, with a chosen bandwidth. Private peering carries traffic to your VNets; Microsoft peering carries traffic to Microsoft 365 and Azure PaaS public endpoints over the private circuit. The circuit is the billing and connectivity unit, and peerings define what it can reach.

Resiliency

An ExpressRoute circuit is provisioned as a redundant pair of connections by design, and Microsoft's SLA depends on keeping both active — dropping to a single connection forfeits the guarantee. For higher resilience, organizations terminate circuits in two peering locations, and ExpressRoute Direct provides dedicated ports into Microsoft's network for the largest bandwidth needs.

Gateways

Traffic enters a VNet through an ExpressRoute virtual network gateway, sized by a SKU that caps throughput. The gateway is a separate resource from a VPN gateway, lives in the dedicated gateway subnet, and its SKU must match the bandwidth you actually need — an undersized gateway throttles a circuit that is paying for more.

Use Cases

ExpressRoute fits steady, high-volume hybrid traffic: data-center extension, large-scale migration, latency-sensitive line-of-business applications, and regulated workloads that must avoid the public internet. Many designs pair it with a VPN Gateway as an encrypted failover path, so an ExpressRoute outage drops to VPN rather than to nothing.

ExpressRoute vs VPN Gateway

ExpressRoute — A private, dedicated circuit through a provider — predictable bandwidth and latency, no public internet. Choose it for steady high-volume or compliance-bound hybrid traffic.

VPN Gateway — Encrypted IPsec tunnels over the public internet, provisioned in minutes. Choose it for lower-volume connectivity, quick setup, or as ExpressRoute failover.

Common Mistakes

Running an ExpressRoute circuit on a single connection and expecting the SLA — the guarantee requires the redundant pair to stay active.
Undersizing the ExpressRoute gateway SKU so it throttles a circuit you are paying more bandwidth for.
Choosing ExpressRoute for low-volume connectivity where a VPN Gateway would do at a fraction of the cost and setup time.
Assuming ExpressRoute traffic is encrypted — it is private but not encrypted by default; encryption requires MACsec (Direct) or an IPsec overlay.
Deploying with no failover path, so a circuit outage severs hybrid connectivity entirely.
Confusing private peering and Microsoft peering, then finding PaaS public endpoints unreachable over the circuit.

Best Practices

Keep both connections of the redundant pair active to hold the SLA, and consider dual peering locations for higher resilience.
Size the ExpressRoute gateway SKU to the circuit bandwidth you actually use.
Use ExpressRoute for steady, high-volume, or compliance-bound hybrid traffic; use VPN Gateway for lighter needs.
Add an encryption layer (MACsec on ExpressRoute Direct, or an IPsec overlay) where data-in-transit must be encrypted.
Pair ExpressRoute with a VPN Gateway as an encrypted failover path.
Configure private and Microsoft peering deliberately for the destinations the circuit must reach.

Comparable servicesAWS Direct ConnectGCP Cloud Interconnect

Knowledge Check

What does ExpressRoute provide that a VPN Gateway does not?

A private, dedicated circuit that bypasses the public internet with predictable bandwidth and latency
Encryption of all traffic by default with no extra configuration
Provisioning in just minutes with no connectivity provider or physical circuit involved at all on either side
A lower monthly cost for occasional low-volume connectivity

An ExpressRoute circuit is running on one of its two connections. What is the consequence?

The SLA is forfeited — the guarantee depends on keeping the redundant pair active
Throughput automatically doubles on the one remaining active link
Traffic fails over to a standby VPN Gateway path automatically
Nothing changes at all, since a single connection is the fully supported configuration

Is ExpressRoute traffic encrypted by default?

No — it is private but not encrypted; encryption needs MACsec (Direct) or an IPsec overlay
Yes — every bit of ExpressRoute circuit traffic is IPsec-encrypted
Yes — TLS is terminated at the ExpressRoute gateway itself
Only the Microsoft peering traffic is encrypted by default, never the private peering path

You got correct