Azure ExpressRoute vs Azure VPN Gateway

Comparison — Azure ExpressRoute vs Azure VPN Gateway.

Reference: Microsoft

TL;DR:

ExpressRoute extends an on-premises network into Microsoft's global network over a private connection that does not traverse the public Internet. The circuit itself is not encrypted by default: confidentiality rests on the provider's private path unless you add MACsec (available on ExpressRoute Direct) or run IPsec over the circuit.

VPN Gateway provides encrypted connectivity to Azure cloud services over the public Internet. All traffic crosses the Internet inside an IPsec/IKE tunnel.

Azure ExpressRoute

ExpressRoute connections use a private, dedicated circuit through a third-party connectivity provider to give a direct connection between an on-premises network and Azure.

This architecture is suitable for hybrid applications running large-scale, mission-critical workloads that require a high degree of scalability and resiliency.

Key Points

  • ExpressRoute is a layer 3 (IP) connection: routes are exchanged with Microsoft over BGP, and the circuit carries no encryption of its own, so any confidentiality requirement must be met by MACsec (ExpressRoute Direct) or IPsec on top of it.
  • ExpressRoute connects the edge router of the on-premises network to Microsoft's edge routers; every circuit comes as a redundant pair of connections (primary and secondary), and both must be configured for the SLA to apply.
  • Bandwidth can be scaled to meet organizational needs (from 50 Mbps to 10 Gbps on a provider circuit).

Benefits

  • Much higher bandwidth available (up to 10 Gbps per provider circuit).
  • Supports scaling circuit bandwidth up without downtime to follow demand; note that scaling down requires deleting and recreating the circuit.
  • 99.95% availability SLA across the entire connection.

Considerations

  • The setup and configuration for ExpressRoute are more complex and require collaboration with the connectivity provider.
  • ExpressRoute requires on-premises installation of high-bandwidth routers.
  • The ExpressRoute circuit is provisioned and managed by the connectivity provider.
  • ExpressRoute doesn't support the Hot Standby Router Protocol (HSRP); redundancy is achieved through Border Gateway Protocol (BGP) sessions on both connections of the circuit.
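Because the circuit is not encrypted by default, the first control a security engineer asks for on ExpressRoute Direct is MACsec on the physical links. The following Az PowerShell sequence is an added example, not code from the page or from Microsoft: it stores a random CKN/CAK pair in Key Vault, gives the port a user-assigned identity that can read them, and enables GCM-AES-256 on both links. The resource group, port, vault and identity names are assumed placeholders, and the key vault is assumed to already exist with soft delete enabled.

```powershell
# Added example: enable MACsec on an ExpressRoute Direct port with Az PowerShell.
# Every name below is a placeholder assumption, not a value from the page.
$rg       = "rg-erdirect"
$location = "westeurope"
$portName = "erd-port-01"
$vault    = "kv-erdirect-macsec"

# 1. User-assigned identity the port uses to fetch the CKN/CAK from Key Vault.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "id-erdirect-macsec" -Location $location

# 2. Generate the MACsec key pair: CKN (key name) and CAK (key) as hex strings.
#    GCM-AES-256 needs a 64 hex character CAK (32 random bytes); 128-bit ciphers use 32 hex characters.
function New-HexSecret([int]$Bytes) {
    $buf = [byte[]]::new($Bytes)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    return -join ($buf | ForEach-Object { $_.ToString("x2") })
}
$ckn = Set-AzKeyVaultSecret -VaultName $vault -Name "macsec-ckn" `
    -SecretValue (ConvertTo-SecureString (New-HexSecret 32) -AsPlainText -Force)
$cak = Set-AzKeyVaultSecret -VaultName $vault -Name "macsec-cak" `
    -SecretValue (ConvertTo-SecureString (New-HexSecret 32) -AsPlainText -Force)

# 3. Allow the identity to read secrets (use the "Key Vault Secrets User" RBAC role instead
#    if the vault is RBAC-enabled rather than access-policy based).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 4. Attach the identity to the port, then configure MACsec on both physical links.
$port = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
$port.Identity = New-AzExpressRoutePortIdentity -UserAssignedIdentityId $identity.Id
$port = Set-AzExpressRoutePort -ExpressRoutePort $port

foreach ($link in $port.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $ckn.Id
    $link.MacSecConfig.CakSecretIdentifier = $cak.Id
    $link.MacSecConfig.Cipher   = "GcmAes256"
    $link.MacSecConfig.SciState = "Enabled"   # send the Secure Channel Identifier tag; some customer switches require it
    $link.AdminState = "Enabled"
}
$port = Set-AzExpressRoutePort -ExpressRoutePort $port

# 5. Check: both links should now show AdminState Enabled and the chosen cipher.
$port.Links | Select-Object Name, AdminState, @{ n = "Cipher"; e = { $_.MacSecConfig.Cipher } }
```

The same CKN and CAK must be configured on the customer-side switch or router; MACsec is hop-by-hop, so it protects only the physical link between your edge device and Microsoft's edge, not the whole path across a provider's network on a standard (non-Direct) circuit.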

Azure VPN Gateway

VPN Gateway connects an on-premises network to Azure virtual networks over the public Internet, carrying the traffic inside an encrypted IPsec/IKE tunnel.

This architecture is suitable for hybrid applications where the traffic between on-premises hardware and the cloud is likely to be light, or you are willing to trade slightly extended latency for the flexibility and processing power of the cloud.

Key Points

  • VPN gateways come in two types: route-based (dynamic routing, IKEv2) and policy-based (static routing, IKEv1). Route-based is required for BGP, active-active and point-to-site connections.
  • Site-to-site connections use IKEv2/IPsec; point-to-site supports IKEv2, Secure Socket Tunneling Protocol (SSTP) and OpenVPN.

Benefits

  • Easy to configure, with no connectivity provider involved.
  • Aggregate throughput up to 10 Gbps on the largest VPN Gateway SKUs; a single IPsec tunnel delivers considerably less, so reaching the SKU limit means spreading traffic over several tunnels.

Considerations

  • Requires an on-premises VPN device that supports the IPsec/IKE parameters Azure negotiates.
  • Although Microsoft guarantees 99.9% (Basic SKU) or 99.95% (other SKUs) availability for each VPN gateway, this SLA covers only the gateway, not your Internet path to it.
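The page says VPN traffic is "encrypted in a private tunnel" but not with what. The Az PowerShell sequence below is an added example, not code from the page or from Microsoft: it deploys a route-based, active-active gateway with BGP and pins an explicit IPsec/IKE policy on the site-to-site connection, showing a weak legacy policy next to the hardened one so the difference is concrete. Resource names, addresses, ASNs and the Key Vault secret holding the pre-shared key are assumed placeholders; the hub VNet with its GatewaySubnet is assumed to exist.

```powershell
# Added example: hardened, active-active site-to-site VPN gateway with Az PowerShell.
# Names, addresses and ASNs are placeholder assumptions, not values from the page.
$rg       = "rg-hybrid"
$location = "westeurope"

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-hub"
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# Active-active = two gateway instances, each with its own public IP and its own tunnel.
$pip1 = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-vpngw-1" -Location $location -Sku Standard -AllocationMethod Static
$pip2 = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-vpngw-2" -Location $location -Sku Standard -AllocationMethod Static
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf1" -SubnetId $subnet.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf2" -SubnetId $subnet.Id -PublicIpAddressId $pip2.Id

# Route-based (dynamic routing) gateway; BGP lets both tunnels carry traffic and fail over without static routes.
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name "vpngw-hub" -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2AZ `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65515

# The on-premises VPN device, represented as a local network gateway and BGP peer.
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name "lng-onprem" -Location $location `
    -GatewayIpAddress "203.0.113.10" -Asn 65010 -BgpPeeringAddress "10.50.255.254"

# Weak policy, shown for contrast only (do not deploy): 3DES, SHA-1, 1024-bit DH, no PFS.
$weakPolicy = New-AzIpsecPolicy -IkeEncryption DES3 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -IpsecEncryption DES3 -IpsecIntegrity SHA1 -PfsGroup None `
    -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

# Hardened policy: AES-256 + SHA-384 + DH group 24 for IKE, AES-256-GCM for ESP,
# PFS on every rekey, and a shorter SA lifetime than the Azure default.
$strongPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Pre-shared key pulled from Key Vault instead of being hard-coded in the script (vault/secret names assumed).
$psk = Get-AzKeyVaultSecret -VaultName "kv-hybrid" -Name "s2s-psk" -AsPlainText

$conn = New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name "conn-onprem" -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey $psk -EnableBgp $true -IpsecPolicies $strongPolicy

# Check: the connection should carry the explicit policy, not the Azure default proposal set.
(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name "conn-onprem").IpsecPolicies
```

With an explicit policy Azure offers only that proposal during IKE negotiation, so the on-premises device must be configured to match exactly; an active-active gateway also needs both tunnels (one per public IP) configured on the on-premises side, otherwise the second instance provides no failover.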

Key Differences

Azure services support
ExpressRoute: Microsoft Cloud Platform (Azure, Office 365, and Dynamics 365).
VPN Gateway: Azure Cloud Services and Azure Virtual Machines.

Bandwidth
ExpressRoute: Up to 10 Gbps per provider circuit (or 100 Gbps with ExpressRoute Direct).
VPN Gateway: Up to 10 Gbps aggregate on the largest SKU, spread across multiple tunnels.
In practice a single ExpressRoute circuit delivers roughly ten times the usable bandwidth of a single VPN tunnel, because IPsec encryption caps per-tunnel throughput well below the gateway's aggregate figure.

Protocol
ExpressRoute: Layer 3 over VLAN (IEEE 802.1Q) or MPLS, unencrypted by default.
VPN Gateway: IPsec/IKE for site-to-site; SSTP, OpenVPN or IKEv2 for point-to-site.

Routing
ExpressRoute: Border Gateway Protocol (BGP) only.
VPN Gateway: Static (policy-based) or dynamic (route-based, optionally with BGP).

Configuration
ExpressRoute: More complex configuration.
VPN Gateway: Simple configuration.

Cost
ExpressRoute: More expensive than a regular VPN network.
VPN Gateway: Less expensive.

High availability
ExpressRoute: Active-active across the two connections of a circuit (one BGP session each).
VPN Gateway: Active-standby (default) or active-active (two gateway instances, each with its own public IP and tunnel).

SLA
ExpressRoute: 99.95% (requires both connections of the circuit to be configured).
VPN Gateway: 99.9% (Basic SKU) or 99.95% (all other SKUs); covers the gateway only.

Use cases

ExpressRoute:

  • Suitable for requirements for high speeds, low-latency connection, and high level of availability/resiliency.
  • Suitable for mission-critical workload.
  • Access to all Azure services.
  • Doesn’t suit smaller satellite offices that have a lower connectivity requirement.

VPN Gateway:

  • Suitable for prototyping, development, test, labs, and small production workloads.
  • Suitable for small organizations.
  • Connect on-premises data centers to Azure virtual networks through a site-to-site connection.
  • Connect individual devices to Azure virtual networks through a point-to-site connection.
  • Connect Azure virtual networks to other Azure virtual networks through a VNet-to-VNet connection.
  • Suitable when lower-speed bandwidth is within an acceptable tolerance for day-to-day usage.
  • VPN isn’t designed to handle high data volumes.

Summary

ExpressRoute is better suited to high-speed and critical business operations. VPN Gateway is cheaper than ExpressRoute and suitable for small organizations.

ExpressRoute can be combined with a site-to-site VPN to the same virtual network as a failover path, giving the higher bandwidth of ExpressRoute together with connectivity that survives a circuit or provider outage.
