ExpressRoute and VPN Gateway Coexisting
Scenario
An enterprise uses ExpressRoute as the primary, high-performance connection to Azure and a Site-to-Site (S2S) VPN as a backup or supplemental path.
Architecture Overview
On-Premises Network
│
├── ExpressRoute Circuit (Private Peering)
│   │
│   └── ExpressRoute Gateway
│       │
│       └── Azure Virtual Network
│
└── Site-to-Site VPN (IPsec over Internet)
    │
    └── VPN Gateway
        │
        └── Same Azure Virtual Network
How Coexistence Works
- The Azure virtual network has:
  - One ExpressRoute gateway
  - One VPN gateway
- Both gateways are deployed in the same GatewaySubnet of the same VNet, but each terminates a different connection type (the ExpressRoute circuit and the IPsec tunnel respectively).
- Route selection is BGP-driven: when the same prefix is learned over both paths, Azure prefers the ExpressRoute path by default. The on-premises side must implement the same preference itself (for example with BGP local preference or AS-path prepending on the routes learned over the VPN), otherwise traffic is asymmetric.
Traffic Behavior
Normal Operation
- ExpressRoute is preferred
  - Lower, more predictable latency (private circuit, no public Internet hops)
  - Higher bandwidth (50 Mbps to 10 Gbps per circuit, up to 100 Gbps with ExpressRoute Direct)
  - Active/active connectivity across the circuit's primary and secondary links
- All production traffic flows over ExpressRoute; the VPN tunnel stays up but carries no traffic for prefixes that are also reachable over ExpressRoute.
Failover Scenario
- If ExpressRoute becomes unavailable (circuit down, or the private-peering BGP sessions drop):
  - The routes learned over ExpressRoute are withdrawn and traffic fails over to the Site-to-Site VPN, but only for prefixes that are also advertised over the VPN's BGP session
  - The VPN provides IPsec-encrypted connectivity over the public Internet, at lower throughput (bounded by the VPN gateway SKU and IPsec overhead)
- When ExpressRoute is restored:
  - The prefixes are re-learned over ExpressRoute and traffic shifts back automatically.
- Security caveat: the two paths are not equivalent. The VPN path is encrypted; ExpressRoute private peering carries traffic unencrypted across the provider network. If network-layer encryption is a requirement, enforce it on the ExpressRoute path too (for example IPsec over ExpressRoute) rather than relying on it only during failover.
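A prefix only fails over if it is advertised on both paths, so the useful check is to compare what the circuit carries with what the VPN gateway learned via BGP. The following is an added PowerShell example, not code from the original page or from Microsoft's documentation; the resource names, the on-premises ASN and the BGP peering address are assumed placeholders.

```powershell
# Added example (not from the original page). Lists on-premises prefixes that are
# reachable over ExpressRoute private peering but were NOT learned over the S2S VPN,
# i.e. prefixes that would silently lose connectivity if the circuit fails.
# Assumes the Az.Network module, an authenticated session (Connect-AzAccount) and
# the hypothetical names/values below.
$rg            = 'rg-hybrid'
$circuitName   = 'er-circuit-hq'
$vpnGwName     = 'vpngw-hub'
$onPremAsn     = '65010'        # ASN of the on-premises edge router (assumed)
$onPremBgpPeer = '10.1.255.1'   # BGP peering address configured on the local network gateway (assumed)

# Routes the Microsoft edge holds on the primary link of private peering. Keep only the
# ones whose AS path contains the on-premises ASN; the rest are Azure-side VNet prefixes.
$erPrefixes = Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg `
    -ExpressRouteCircuitName $circuitName -PeeringType AzurePrivatePeering -DevicePath Primary |
    Where-Object { $_.Path -match "\b$onPremAsn\b" } |
    Select-Object -ExpandProperty Network -Unique

# Routes the VPN gateway learned over its BGP session with the same on-premises peer.
$vpnPrefixes = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $rg `
    -VirtualNetworkGatewayName $vpnGwName |
    Where-Object { $_.SourcePeer -eq $onPremBgpPeer } |
    Select-Object -ExpandProperty Network -Unique

$bothPaths = $erPrefixes  | Where-Object { $_ -in    $vpnPrefixes }
$noBackup  = $erPrefixes  | Where-Object { $_ -notin $vpnPrefixes }
$vpnOnly   = $vpnPrefixes | Where-Object { $_ -notin $erPrefixes }

"Prefixes on both paths (will fail over):               {0}" -f ($bothPaths -join ', ')
"Prefixes only via ExpressRoute (NO failover path):     {0}" -f ($noBackup  -join ', ')
"Prefixes only via VPN (always take the Internet path): {0}" -f ($vpnOnly   -join ', ')
```

Run it again with `-DevicePath Secondary` to cover the circuit's second link; a prefix missing from both links and from the VPN list is a routing problem on the on-premises side, not in Azure. Anything in the "only via ExpressRoute" line is exactly what an outage exercise will expose.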
Typical Use Cases
| Use Case | Benefit |
|---|---|
| ExpressRoute as primary, VPN as backup | High availability |
| Gradual migration to ExpressRoute | Cost and risk control |
| Dev/Test over VPN, Prod over ExpressRoute | Traffic separation |
| Branch offices via VPN, HQ via ExpressRoute | Flexible WAN design |
Key Deployment Notes
✔️ ExpressRoute + S2S VPN coexistence is supported
✔️ Deployment is scripted via PowerShell or Azure CLI (the Azure portal did not originally support coexisting configurations; newer portal versions do, but the scripted path is the repeatable, reviewable one)
✔️ Requires:
  - A GatewaySubnet of /27 or larger (a /28 cannot hold both gateways; resize before adding the second gateway)
  - An ExpressRoute gateway SKU (Standard, HighPerformance, UltraPerformance, or the zone-redundant ErGw1AZ / ErGw2AZ / ErGw3AZ)
  - A route-based VPN gateway with a non-Basic SKU (policy-based VPN gateways and the Basic SKU cannot coexist with an ExpressRoute gateway)
  - BGP on the VPN connection if automatic failover in both directions is expected; with static prefixes on the local network gateway the on-premises side has to re-route by itself
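The deployment steps above, as an added PowerShell example (not code from the original page or from Microsoft's documentation). It assumes the Az.Accounts and Az.Network modules, an already authenticated session, an existing provisioned ExpressRoute circuit, and hypothetical resource names, address ranges, on-premises public IP, ASN and BGP peering address.

```powershell
# Added example (not from the original page): ExpressRoute gateway and route-based
# VPN gateway in one VNet, each with its connection, then a status check.
# All names, address ranges and on-premises values below are assumed placeholders.
$rg   = 'rg-hybrid'
$loc  = 'westeurope'
$vnet = 'vnet-hub'

# 1. VNet whose GatewaySubnet is /27: large enough for both gateways to share it.
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet'  -AddressPrefix '10.0.255.0/27'
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.0.1.0/24'
$net = New-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet, $wlSubnet
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $net).Id

# 2. ExpressRoute gateway (zone-redundant SKU, Standard public IP) linked to the existing circuit.
$erPip   = New-AzPublicIpAddress -Name 'pip-ergw' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$erIpCfg = New-AzVirtualNetworkGatewayIpConfig -Name 'ergw-ipcfg' -SubnetId $gwSubnetId -PublicIpAddressId $erPip.Id
$erGw    = New-AzVirtualNetworkGateway -Name 'ergw-hub' -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $erIpCfg -GatewayType ExpressRoute -GatewaySku ErGw1AZ
$circuit = Get-AzExpressRouteCircuit -Name 'er-circuit-hq' -ResourceGroupName $rg   # assumed existing, provisioned
New-AzVirtualNetworkGatewayConnection -Name 'con-er' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $erGw -PeerId $circuit.Id -ConnectionType ExpressRoute | Out-Null

# 3. Route-based VPN gateway with BGP. Policy-based VPN and the Basic SKU are not
#    supported alongside an ExpressRoute gateway, so neither is used here.
$vpnPip   = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$vpnIpCfg = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipcfg' -SubnetId $gwSubnetId -PublicIpAddressId $vpnPip.Id
$vpnGw    = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $vpnIpCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ -EnableBgp $true

# 4. On-premises side as a BGP peer (no static prefix list), then the IPsec/IKEv2 connection.
#    The pre-shared key is read at run time instead of being stored in the script.
$lng = New-AzLocalNetworkGateway -Name 'lng-hq' -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress '203.0.113.10' -Asn 65010 -BgpPeeringAddress '10.1.255.1'
$pskSecure = Read-Host -Prompt 'Pre-shared key for the S2S tunnel' -AsSecureString
$psk       = ConvertFrom-SecureString -SecureString $pskSecure -AsPlainText   # PowerShell 7+
New-AzVirtualNetworkGatewayConnection -Name 'con-s2s' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 -SharedKey $psk -EnableBgp $true | Out-Null

# 5. Both connections should report Connected once the circuit and the on-premises
#    IPsec/BGP configuration are in place.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Select-Object Name, ConnectionType, ConnectionStatus
```

Gateway creation is slow (tens of minutes each) and the cmdlets block until it finishes. If a VPN gateway already exists in a /28 GatewaySubnet, it has to be deleted and recreated after resizing the subnet; the subnet cannot be enlarged while a gateway occupies it.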
Relationship to Virtual WAN
In a Virtual WAN (Standard) deployment, the three connection types:
- ExpressRoute
- Site-to-site VPN
- Point-to-site VPN
are all terminated in a single virtual hub instead of in per-VNet gateways, which simplifies:
- Routing (the hub's route tables, rather than per-gateway BGP tuning)
- Monitoring
- Troubleshooting
- Global transit connectivity (branch-to-branch and VNet-to-VNet traffic through the hub)