Skip to main content
In this lesson we cover how to design an Azure virtual network (VNet) that concurrently uses both ExpressRoute and site-to-site (S2S) VPN connectivity. This hybrid pattern is common for organizations that require high throughput private connectivity to a primary datacenter while also supporting encrypted IPsec tunnels for remote offices, branch sites, or failover paths. At a high level:
  • The VNet contains two separate virtual network gateway resources in the GatewaySubnet: an ExpressRoute gateway for private peering and a VPN gateway for IPsec S2S (and optionally point-to-site) connections.
  • ExpressRoute provides private, high-throughput connectivity to the main on-premises datacenter.
  • The VPN gateway provides encrypted IPsec tunnels (and requires a public IP address for the gateway resource) for headquarters backup links and smaller branches that do not have ExpressRoute.
The image illustrates a dual gateway setup for a network, showcasing connections between a virtual network (VNET1) and on-premises locations using ExpressRoute and IPsec VPN tunnels. It details the setup of ExpressRoute and VPN gateways for connectivity between different sites.
Implementation summary
  • Deploy two distinct virtual network gateways in the same VNet (within the GatewaySubnet): one virtual network gateway configured for ExpressRoute and one for VPN. Each gateway supports only its corresponding connection type, so separation is required.
  • Configure BGP and route preference attributes so the desired path (ExpressRoute vs VPN) is selected under normal conditions and so failover behavior occurs as intended.
Each gateway must be created and configured for its respective purpose—ExpressRoute for private peering and the VPN gateway for IPsec-based site-to-site or point-to-site connections. They can coexist on the same VNet but are deployed as separate gateway resources.
Why use both (benefits)
  • Resiliency and business continuity: Use the VPN gateway as a failover for ExpressRoute when the private circuit is impacted (provider outage or maintenance). Proper routing/BGP configuration is required to ensure seamless failover.
  • Flexibility: Connect smaller branches and remote workers over S2S or P2S VPN while keeping critical datacenter traffic on high-throughput ExpressRoute links.
  • Geographical diversity: Use ExpressRoute for main datacenter capacity and VPN for geographically dispersed or temporary sites.
Gateway types at a glance Resiliency and failover considerations
  • Routing and BGP: Use BGP route attributes (AS path, local preference, MED) to prefer ExpressRoute routes under normal operation and to allow the VPN route to take over during ExpressRoute disruption.
  • Route advertisement: Ensure on-premises networks advertise the correct prefixes to both ExpressRoute and the VPN peer so Azure receives multiple paths and can switch when necessary.
  • Health detection: Combine Azure routing with monitoring and automation to detect ExpressRoute failures and validate VPN path readiness.
  • Bandwidth and cost: Remember the VPN path may have throughput and pricing differences compared to ExpressRoute; verify SKUs and throughput requirements.
The image illustrates a secure failover network architecture featuring an ExpressRoute Gateway and VPN connections between a virtual network in East US and on-premises sites. It includes IPsec/IKE S2S VPN tunnels for secure connectivity and specific IP addresses for network components.
Common deployment checklist
  • Create the GatewaySubnet in the VNet (correct size for gateways).
  • Provision an ExpressRoute gateway and associate with your ExpressRoute circuit and private peering configuration.
  • Provision a VPN gateway (choose an appropriate SKU for required throughput).
  • Configure VPN S2S connections and/or point-to-site configurations for remote users.
  • Enable BGP on both ExpressRoute and VPN gateways and configure route preferences for failover logic.
  • Test failover: simulate ExpressRoute outage and validate traffic fails over to VPN, and fails back when ExpressRoute is restored.
Use cases and design notes
  • Use ExpressRoute for primary datacenter connectivity (low latency, high throughput).
  • Use VPN S2S as backup/failover for ExpressRoute or to connect smaller branches.
  • Use point-to-site VPN for remote worker access if needed.
  • Consider security, compliance, and routing policies when routing traffic across dual gateways.
The image is a network design diagram showing connections between a virtual network (VNET1) in East US and on-premises locations, using ExpressRoute and IPsec VPN tunnels. The design highlights aspects of high availability and geographical diversity.
Configuration example snippets (Azure CLI)
  • Create a GatewaySubnet:
  • Create a VPN gateway (example):
  • Create an ExpressRoute gateway (example):
Be mindful of gateway SKUs, throughput limits, and costs. Some SKUs do not support parallel VPN and ExpressRoute features or may impose throughput constraints—validate SKU capabilities before deploying to production.
Further reading and references This article covered the architecture, benefits, and deployment considerations for running ExpressRoute and site-to-site VPN in the same Azure VNet, including high-level configuration, failover behavior, and practical deployment steps.

Watch Video