- The VNet contains two separate virtual network gateway resources in the GatewaySubnet: an ExpressRoute gateway for private peering and a VPN gateway for IPsec S2S (and optionally point-to-site) connections.
- ExpressRoute provides private, high-throughput connectivity to the main on-premises datacenter.
- The VPN gateway provides encrypted IPsec tunnels (and requires a public IP address for the gateway resource) for headquarters backup links and smaller branches that do not have ExpressRoute.

- Deploy two distinct virtual network gateways in the same VNet (within the GatewaySubnet): one virtual network gateway configured for ExpressRoute and one for VPN. Each gateway supports only its corresponding connection type, so separation is required.
- Configure BGP and route preference attributes so the desired path (ExpressRoute vs VPN) is selected under normal conditions and so failover behavior occurs as intended.
Each gateway must be created and configured for its respective purpose—ExpressRoute for private peering and the VPN gateway for IPsec-based site-to-site or point-to-site connections. They can coexist on the same VNet but are deployed as separate gateway resources.
- Resiliency and business continuity: Use the VPN gateway as a failover for ExpressRoute when the private circuit is impacted (provider outage or maintenance). Proper routing/BGP configuration is required to ensure seamless failover.
- Flexibility: Connect smaller branches and remote workers over S2S or P2S VPN while keeping critical datacenter traffic on high-throughput ExpressRoute links.
- Geographical diversity: Use ExpressRoute for main datacenter capacity and VPN for geographically dispersed or temporary sites.
Resiliency and failover considerations
- Routing and BGP: Use BGP route attributes (AS path, local preference, MED) to prefer ExpressRoute routes under normal operation and to allow the VPN route to take over during ExpressRoute disruption.
- Route advertisement: Ensure on-premises networks advertise the correct prefixes to both ExpressRoute and the VPN peer so Azure receives multiple paths and can switch when necessary.
- Health detection: Combine Azure routing with monitoring and automation to detect ExpressRoute failures and validate VPN path readiness.
- Bandwidth and cost: Remember the VPN path may have throughput and pricing differences compared to ExpressRoute; verify SKUs and throughput requirements.

- Create the GatewaySubnet in the VNet (correct size for gateways).
- Provision an ExpressRoute gateway and associate with your ExpressRoute circuit and private peering configuration.
- Provision a VPN gateway (choose an appropriate SKU for required throughput).
- Configure VPN S2S connections and/or point-to-site configurations for remote users.
- Enable BGP on both ExpressRoute and VPN gateways and configure route preferences for failover logic.
- Test failover: simulate ExpressRoute outage and validate traffic fails over to VPN, and fails back when ExpressRoute is restored.
- Use ExpressRoute for primary datacenter connectivity (low latency, high throughput).
- Use VPN S2S as backup/failover for ExpressRoute or to connect smaller branches.
- Use point-to-site VPN for remote worker access if needed.
- Consider security, compliance, and routing policies when routing traffic across dual gateways.

- Create a GatewaySubnet:
- Create a VPN gateway (example):
- Create an ExpressRoute gateway (example):
Be mindful of gateway SKUs, throughput limits, and costs. Some SKUs do not support parallel VPN and ExpressRoute features or may impose throughput constraints—validate SKU capabilities before deploying to production.