Configure ExpressRoute with Azure VPN Gateway

Updated: October 26, 2023 | Category: Networking | Author: Azure Docs Team

This article guides you through the process of integrating Azure ExpressRoute with Azure VPN Gateway. This integration allows you to establish a hybrid network architecture that leverages the benefits of both dedicated private connections (ExpressRoute) and secure, on-demand VPN tunnels (VPN Gateway).

Note: This configuration is primarily for scenarios where you need to extend your on-premises network to Azure and connect to resources that are accessible via VPN Gateway, while still utilizing the high bandwidth and low latency of ExpressRoute for other traffic.

Prerequisites

Before you begin, ensure you have the following:

  • An active Azure subscription.
  • An existing Azure Virtual Network (VNet).
  • An existing Azure VPN Gateway deployed in your VNet.
  • A configured Azure ExpressRoute circuit.
  • An on-premises network configured to connect to your ExpressRoute circuit.
  • Appropriate network connectivity and peering established between your on-premises network and Azure via ExpressRoute.

Steps to Configure

Step 1: Create a Virtual Network Gateway Connection for ExpressRoute

You'll create a connection resource within your Azure Virtual Network Gateway that references your ExpressRoute circuit. This connection tells the VPN Gateway how to route traffic to your ExpressRoute circuit.

  1. Navigate to your Virtual Network Gateway in the Azure portal.
  2. In the left-hand menu, under "Settings," select "Connections."
  3. Click "+ Add" to create a new connection.
  4. In the "Add connection" pane:
    • Name: Give your connection a descriptive name (e.g., VNG-to-ER-Connection).
    • Connection type: Select ExpressRoute.
    • Virtual network gateway: This should be pre-selected.
    • ExpressRoute circuit: Select your existing ExpressRoute circuit from the dropdown. If it's not listed, ensure it's in the same subscription and region or configured for peering.
    • Use private address space: Typically enabled if you're routing private IP addresses over ExpressRoute.
    • Use public address space: Enabled if you're routing public IP addresses over ExpressRoute.
    • BGP: Enable if your ExpressRoute circuit uses BGP and you want to exchange routes dynamically.
  5. Click "OK" to create the connection.

Step 2: Configure Routing

Ensure your routing is set up correctly on both your on-premises network and within Azure to direct traffic appropriately. This usually involves:

  • On-Premises: Configure your network devices to route traffic destined for Azure VNets to your ExpressRoute circuit, and traffic destined for on-premises from Azure to your VPN Gateway.
  • Azure:
    • Route Tables: While not always necessary for this specific integration, custom route tables can be used to influence traffic flow if needed.
    • BGP: If BGP is enabled, ensure that routes are being advertised and received correctly between your on-premises network, ExpressRoute, and Azure VPN Gateway.
Diagram showing ExpressRoute and VPN Gateway Integration
Conceptual diagram of Azure ExpressRoute and VPN Gateway integration.

Step 3: Verify Connectivity

After creating the connection and ensuring routing is configured, it's crucial to verify that traffic is flowing as expected.

  • Ping/Traceroute: Test connectivity from an on-premises machine to an Azure VM and vice-versa.
  • Azure Network Watcher: Utilize Azure Network Watcher tools like Connection Troubleshoot and IP Flow Verify to diagnose any connectivity issues.
  • VPN Gateway Metrics: Monitor VPN Gateway metrics in Azure for tunnel status and data transfer.
  • ExpressRoute Circuit Status: Check the status of your ExpressRoute circuit in the Azure portal.
Important: The primary purpose of this integration is often to connect to specific Azure services or VNets that are accessible via VPN Gateway, while leveraging the performance of ExpressRoute. Direct routing of all traffic between on-premises and Azure should typically be handled by ExpressRoute alone, unless specific VPN Gateway features are required.

Use Cases

  • Connecting on-premises resources to Azure VMs that are only accessible via a Site-to-Site VPN tunnel, while using ExpressRoute for other high-bandwidth communication.
  • Providing a fallback or redundant path for critical on-premises to Azure connectivity.
  • Integrating Azure services that might not be directly accessible over ExpressRoute with your on-premises network.

Considerations

  • Cost: Be aware of the data transfer costs associated with both ExpressRoute and VPN Gateway.
  • Complexity: Managing two distinct connectivity methods can add complexity to your network architecture.
  • Route Advertisements: Carefully plan your BGP route advertisements to avoid routing conflicts and ensure predictable traffic flow.
  • IP Addressing: Ensure no IP address space conflicts between your on-premises network and Azure VNets.

By following these steps, you can successfully configure Azure ExpressRoute with Azure VPN Gateway to create a robust and flexible hybrid cloud connectivity solution.