In this lesson we cover how to design an Azure virtual network that uses both site-to-site VPN and ExpressRoute simultaneously. This dual-connectivity pattern is common when organizations require resilient hybrid networking—using ExpressRoute for private, high-bandwidth links to primary on-premises sites, and VPN tunnels for backup connectivity or smaller remote sites.

High-level overview

  • The Azure virtual network (VNet) can host both an ExpressRoute connection and a VPN gateway.
  • ExpressRoute delivers private, high-throughput connectivity to a primary datacenter through a connectivity provider.
  • A VPN gateway terminates IPsec/IKE site-to-site tunnels (and optionally point-to-site connections) and typically uses a public IP address that on-premises VPN devices connect to.
  • Both connection types can operate in parallel. Use ExpressRoute as the primary path and site-to-site VPN as a backup or for smaller remote sites that do not have direct ExpressRoute connectivity.

Detailed architecture

When you design this pattern you’ll commonly see a dual-gateway setup: one gateway for ExpressRoute and a distinct gateway for VPN. Each gateway is purpose-built and configured to suit its connection type.
  • VPN gateway
    • Terminates IPsec/IKE tunnels from remote sites.
    • Has a public IP address for external tunnel endpoints.
    • Supports BGP for dynamic routing with on-premises devices (recommended for failover).
  • ExpressRoute circuit
    • Connects privately via your service provider.
    • Is linked to the VNet using an ExpressRoute circuit and virtual network connection.
    • Uses private peering (or Microsoft peering when needed) and typically uses BGP for route exchange.
When implementing a dual-gateway design, ensure you plan routing and failover behavior carefully. Failover from ExpressRoute to VPN is possible, but it requires appropriate routing and monitoring configuration (for example, BGP and route priorities or automated failover mechanisms). Test your failover plan to ensure the VPN path is activated as expected during an ExpressRoute outage.

Why use both in the same VNet?

Reason | How it helps | Typical use case
--- | --- | ---
Resiliency & business continuity | VPN provides an independent encrypted backup path if ExpressRoute fails | Provider outage or maintenance
Flexible hybrid connectivity | Smaller branches can use site-to-site VPN while core sites use ExpressRoute | Branch offices and remote sites
Regulatory and performance balance | Combine private links for performance with encrypted VPN links for security or compliance boundaries | DR, geo-redundancy, compliance

Key benefits:
  • Maintain separate control and configuration for each connectivity method while allowing them to operate concurrently.
  • Use BGP to prioritize ExpressRoute routes and allow VPN routes to take precedence only when ExpressRoute is unavailable.
  • Support a hybrid set of connection types (ExpressRoute for primary datacenters, VPN for branches and remote users).

Routing and failover considerations

  • Use BGP between Azure and on-premises devices to advertise prefixes and enable automatic failover.
  • Prefer ExpressRoute routes by setting appropriate route metrics or AS path prepending on VPN routes so they are only preferred when ExpressRoute is down.
  • Implement health probes and monitoring to trigger failover or route changes when connectivity degrades.
  • Test failover scenarios (provider outage, gateway failure, route withdrawal) to validate that VPN tunnels become active as intended.
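The route-preference behavior described above can be seen in a small simulation. This is an added example, not code from the lesson: it models an on-premises router that learns the VNet prefix from both an ExpressRoute peer and a VPN peer, applies an inbound AS path prepend to the VPN-learned route, and shows which path is chosen before and after the ExpressRoute session is withdrawn. Neighbor names, the prefix and the prepend count are constructed sample values; the ASNs are the documented Azure VPN gateway default (65515) and Microsoft ExpressRoute peering ASN (12076).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AZURE_VPN_ASN = 65515    # default ASN of an Azure VPN gateway
EXPRESSROUTE_ASN = 12076  # Microsoft ASN on ExpressRoute peering


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str               # peer that advertised the route (constructed label)
    as_path: Tuple[int, ...]
    local_pref: int = 100


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Subset of the BGP decision process used here: highest LOCAL_PREF wins,
    then the shortest AS_PATH, then the lowest neighbor name as a deterministic
    tie-breaker (a simplification of the full algorithm)."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.neighbor))


class OnPremRouter:
    """Minimal on-premises BGP RIB with an inbound policy that prepends the
    Azure VPN ASN to routes heard over the VPN tunnel."""

    def __init__(self, vpn_prepend: int = 2):
        self.vpn_prepend = vpn_prepend
        self.rib: Dict[str, List[Route]] = {}

    def learn(self, route: Route, from_vpn: bool = False) -> None:
        if from_vpn:  # make the VPN path longer so ExpressRoute is preferred
            route = Route(route.prefix, route.neighbor,
                          (AZURE_VPN_ASN,) * self.vpn_prepend + route.as_path,
                          route.local_pref)
        self.rib.setdefault(route.prefix, []).append(route)

    def withdraw(self, neighbor: str) -> None:
        """Drop every route from a neighbor, as happens when its session fails."""
        for prefix in self.rib:
            self.rib[prefix] = [r for r in self.rib[prefix] if r.neighbor != neighbor]

    def best(self, prefix: str) -> Optional[Route]:
        return best_path(self.rib.get(prefix, []))


def failover_demo(vpn_prepend: int = 2) -> Tuple[str, str]:
    """Return (neighbor used before the ExpressRoute outage, neighbor used after)."""
    router = OnPremRouter(vpn_prepend)
    vnet = "10.10.0.0/16"  # constructed VNet address space
    router.learn(Route(vnet, "er-peer", (EXPRESSROUTE_ASN,)))
    router.learn(Route(vnet, "vpn-peer", (AZURE_VPN_ASN,)), from_vpn=True)
    before = router.best(vnet).neighbor
    router.withdraw("er-peer")  # simulate provider outage or circuit failure
    return before, router.best(vnet).neighbor
```

Running `failover_demo(vpn_prepend=0)` shows why the policy matters: with equal path lengths the choice falls to the tie-breaker rather than to an explicit preference.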

Design recommendations

  • Deploy gateways in the same Azure region as the VNet and its workloads to minimize latency.
  • Use active-active gateway configurations where required for higher throughput and HA.
  • Ensure your on-premises devices support BGP and the required IPsec/IKE parameters for compatibility.
  • Document and test failover runbooks and automated monitoring (Azure Monitor, Network Watcher, and your own NMS).

Quick comparison

Feature | ExpressRoute | Site-to-site VPN
--- | --- | ---
Connectivity type | Private, provider-backed | Encrypted over public Internet
Typical use | Primary datacenter/backbone links | Backup, branches, remote offices
Routing | BGP (recommended) | BGP or static routes
Resiliency role | Primary | Backup or supplementary

Summary

This dual approach gives you flexibility and a strong foundation for high availability in hybrid architectures. Deploy and test both connectivity methods to ensure your routing, failover, and monitoring work together as intended.

Diagram: an Azure VNet (East US) with an ExpressRoute gateway and a VPN gateway. The gateways connect via ExpressRoute private connectivity and IPsec/IKE site-to-site VPN tunnels to two on-premises sites (HQ and LocalSite2), each with its subnet ranges and VPN VIP addresses.