- Article
To connect your Azure virtual network and on-premises network using ExpressRoute, you must first create a virtual network gateway. A virtual network gateway has two purposes: exchanging IP routes between networks and forwarding network traffic. This article explains the different types of gateways, gateway SKUs, and estimated performance by SKU. This article also discusses ExpressRouteFastPath, a feature that allows network traffic from your local network to bypass a virtual network gateway to improve performance.
Gateway-Typer
When you create a virtual network gateway, you must specify several settings. One of the required settings-GatewayType, indicates whether the gateway is used for ExpressRoute or VPN traffic. There are two types of gateways:
VPN- To send encrypted traffic via the public Internet, use a "VPN" type gateway. This type of gateway is also known as a VPN gateway. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.
ExpressRoute- Use the ExpressRoute gateway type to send network traffic over a private connection. Also known as an ExpressRoute gateway, this type of gateway is used when configuring ExpressRoute.
Each virtual network can have only one virtual network gateway at a given time Gateway type. For example, you may have a virtual network gateway in use-GatewayTypeVPN and the one that uses-GatewayTypeExpressRoute.
Gateway-SKU-ovi
When you create a virtual network gateway, you must specify the SKU of the gateway you want to use. Selecting a higher gateway SKU allocates more CPU and network bandwidth to the gateway, allowing the gateway to support higher virtual network bandwidth.
ExpressRoute virtual network gateways can use the following SKUs:
- Standard
- high performance
- UltraPerformance
- ErGw1Az
- ErGw2Az
- ErGw3Az
If you want to upgrade your gateway to a higher capacity gateway SKU, you can use thatResize-AzVirtualNetworkGatewayPowerShell cmdlet or upgrade directly from the ExpressRoute virtual network gateway configuration page in the Azure portal. The following upgrades are supported:
- the standard for high performance
- Standard bis Ultra Performance
- From high performance to ultra performance
- ErGw1Az do ErGw2Az
- ErGw1Az bis ErGw3Az
- ErGw2Az bis ErGw3Az
- standard of standard
Additionally, you can roll back the virtual network gateway SKU to an earlier version. The following lower versions are supported:
- Customized high performance
- ErGw2Az do ErGw1Az
For all other downgrade scenarios, delete and recreate the gateway. Recreating the gateway will result in downtime.
Support for the Gateway SKU feature
The following table lists the features supported for each gateway type.
| Gateway-SKU | Coexistence of VPN gateways and ExpressRoute | FastPath | Maximum number of circuit connections |
|---|---|---|---|
| Standard-SKU/ERGw1Az | I | NO | 4 |
| High performance SKU/ERGw2Az | I | NO | 8 |
| Ultra-Performance-SKU/ErGw3Az | I | I | 16 |
Note
The maximum number of ExpressRoute circuits from the same peering site that can be connected to the same virtual network is 4 for all gateways.
Estimated performance by gateway SKU
The following table shows the gateway types and estimated performance scaling numbers. These numbers are derived from the following test conditions and represent maximum support limits. Actual performance may vary depending on how traffic replicates these test conditions.
test conditions
| Gateway-SKU | Traffic sent from the website | Number of routes advertised by the gateway | The number of routes the gateway has learned |
|---|---|---|---|
| Standard/ERGw1Az | 1 Gbit/s | 500 | 4000 |
| High performance/ERGw2Az | 2 Gbit/s | 500 | 9.500 |
| Ultra Performance/ErGw3Az | 10 Gbit/s | 500 | 9.500 |
performance results
This table applies to both Resource Manager and classic deployment models.
| Gateway-SKU | connection per second | megabits per second | packets per second | Supported number of VMs in the virtual network |
|---|---|---|---|---|
| Standard/ERGw1Az | 7.000 | 1.000 | 100.000 | 2.000 |
| High performance/ERGw2Az | 14.000 | 2.000 | 250.000 | 4.500 |
| Ultra Performance/ErGw3Az | 16.000 | 10.000 | 1.000.000 | 11.000 |
Important
- Application performance depends on several factors, such as end-to-end latency and the number of traffic streams the application opens. The numbers in the table represent the upper limit that the application can theoretically reach in an ideal environment. Additionally, Microsoft performs routine host and operating system maintenance on the ExpressRoute Virtual Network Gateway to maintain service reliability. During the maintenance period, the gateway's control plane and data path capacity are reduced.
- There may be intermittent problems connecting to private endpoint resources during the maintenance period.
access subnet
Before you create an ExpressRoute gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses used by the virtual VM and network gateway services. When you create your virtual network gateway, the gateway VMs are placed in the gateway subnet and configured with the necessary ExpressRoute gateway settings. Never deploy anything else on the gateway subnet. The gateway subnet must be named "Gateway Subnet" to work correctly. Naming the gateway subnet "GatewaySubnet" tells Azure to deploy virtual VMs and gateway services on that subnet.
Note
Custom routes with destination 0.0.0.0/0 and NSGs on GatewaySubnetnot supported. Gateways with this configuration cannot be created. Gateways need access to management controllers to function properly.Propagation on a BGP routemust be set to "Enabled" in GatewaySubnet to ensure gateway availability. If BGP route propagation is disabled, the gateway will not work.
When you create a gateway subnet, specify the number of IP addresses the subnet contains. IP addresses in the gateway subnet are assigned to gateway VMs and gateway services. Some configurations require more IP addresses than others.
When planning your gateway subnet size, read the documentation for the configuration you want to create. For example, an ExpressRoute/VPN gateway configuration also requires a larger gateway subnet than most other configurations. Additionally, you may want to ensure that your gateway subnet contains enough IP addresses to accommodate possible future configurations. Although you can create a gateway subnet of size /29, we recommend creating a gateway subnet of /27 or larger (/27, /26, etc.). If you plan to connect 16 ExpressRoute circuits to your gateway, you willmoraCreate a gateway subnet of /26 or higher. If you are creating a dual-stack gateway subnet, we recommend that you also use IPv6 range /64 or higher. This setting is suitable for most configurations.
The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see that the CIDR notation specifies /27, which allows enough IP addresses for most current configurations.
Add-AzVirtualNetworkSubnetConfig -Navn 'GatewaySubnet' -AddressPrefix 10.0.3.0/27Important
When working with gateway subnets, avoid joining a network security group (NSG) to a gateway subnet. Associating a network security group with this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop working as expected. For more information about network security groups, seeWhat is a network security group?.
Zoneredundant Gateway-SKU-ovi
You can also deploy ExpressRoute gateways in Azure Availability Zones. This configuration separates them physically and logically into different Availability Zones, protecting your on-premises network connection to Azure from zone-level failures.
Zone redundant gateways use the specific new gateway SKUs for the ExpressRoute gateway.
- ErGw1AZ
- ErGw2AZ
- ErGw3AZ
The new Gateway SKUs also support other deployment options that best suit your needs. When you create a virtual network gateway using the new gateway SKUs, you can deploy the gateway in a specific zone. This type of gateway is called a zone gateway. When you deploy a zoned gateway, all instances of the gateway are deployed in the same Availability Zone.
FastPath
The ExpressRoute virtual network gateway is used to exchange network routes and forward network traffic. FastPath is designed to improve the performance of the data path between your local network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.
For more information about FastPath, including limitations and requirements, seeO FastPathu.
Connecting to private endpoints
An ExpressRoute virtual network gateway facilitates connectivity to private endpoints deployed in the same virtual network as the virtual network gateway and across peer-to-peer virtual networks.
Important
- Control plane throughput and capacity can be cut in half compared to connecting to non-private endpoint resources.
- There may be intermittent problems connecting to private endpoint resources during the maintenance period.
Route-server
When you create or delete an Azure Route server from a virtual network that contains a virtual network gateway (ExpressRoute or VPN), you might experience an outage until the operation is complete.
REST-API-ji i PowerShell-Cmdlets
For additional technical resources and special syntax requirements when using the REST API and PowerShell cmdlets for virtual network gateway configurations, see the following pages:
| classic | head of resources |
|---|---|
| Power Shell | Power Shell |
| REST-API | REST-API |
VNet-to-VNet connection
By default, virtual network connectivity is enabled when you connect multiple virtual networks to the same ExpressRoute circuit. However, Microsoft does not recommend using an ExpressRoute circuit for communication between virtual networks and usersVNet-Peering. For more information on why VNet-to-VNet connectivity over ExpressRoute is not recommended, seeConnecting between virtual networks via ExpressRoute.
Virtual network peering
A virtual network with an ExpressRoute gateway can have virtual network peering with up to 500 other virtual networks. Virtual network peering without an ExpressRoute gateway may have a higher peering limit.
Next step
For more information on available connection configurations, seeExpressRoute pregled.
For more information about creating an ExpressRoute gateway, seeCreate a virtual network gateway for ExpressRoute.
For more information about configuring redundant zone gateways, seeCreate a zone redundant network gateway.
For more information about FastPath, seeO FastPathu.
FAQs
What is ExpressRoute about virtual network gateways? ›
ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network.
How many Azure VPN gateways can be on each virtual network? ›A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a VPN gateway.
Which two statements regarding an Azure VPN gateway are true? ›Answer: The statement "the gateway connects an Azure VNet to an on-premises network" is true. Explanation: The statement "The gateway connects an Azure VNet to an on-premises network" is true regarding an Azure VPN Gateway.
What is the limit of express route gateway? ›Are there limits on the number of routes I can advertise? Yes. We accept up to 4000 route prefixes for private peering and 200 for Microsoft peering. You can increase this to 10,000 routes for private peering if you enable the ExpressRoute premium feature.
What is the difference between ExpressRoute and virtual network gateway? ›ExpressRoute establishes a dedicated, private link between on-premises infrastructure and Azure, whereas VPN Gateway enables distant users or branch offices to securely access Azure resources across the public internet.
How does Azure ExpressRoute work? ›Azure ExpressRoute
Extend your on-premises networks to the Microsoft cloud over a private connection with the help of a connectivity provider. ExpressRoute connections don't route through the public internet, providing users with more reliability, faster speeds, consistent latency, and higher security.
- Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.
- OpenVPN. ...
- IKEv2 VPN.
Each VNet can only have one VPN Gateway.
Can you have multiple VPN gateways per VNet? ›However, you can also use a VPN Gateway to send encrypted traffic between different Azure virtual networks over the Microsoft network if you wish. You can only define one VPN gateway per virtual network.
What are the 3 express route connectivity models? ›ExpressRoute allows you to create a connection between your on-premises network and the Microsoft cloud in four different ways, CloudExchange Co-location, Point-to-point Ethernet Connection, Any-to-any (IPVPN) Connection, and ExpressRoute Direct.
What is the purpose of Azure VPN gateway? ›
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
What is supported by ExpressRoute for connecting an on-premises network to Azure? ›Azure ExpressRoute
Extend your on-premises networks to the Microsoft cloud over a private connection with the help of a connectivity provider. ExpressRoute connections don't route through the public internet, providing users with more reliability, faster speeds, consistent latency, and higher security.
A valid and active Microsoft Azure account. This account is required to set up the ExpressRoute circuit. ExpressRoute circuits are resources within Azure subscriptions. An Azure subscription is a requirement even if connectivity is limited to non-Azure Microsoft cloud services, such as Microsoft 365.
Does ExpressRoute require VPN gateway? ›You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in Connect to multiple policy-based VPN devices. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
Does ExpressRoute go over the Internet? ›ExpressRoute connections don't go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
What is the speed of ExpressRoute? ›ExpressRoute connections are available via the CoreSite Open Cloud Exchange™ in connection speeds of 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 100 Gbps.
What are the benefits of Microsoft ExpressRoute? ›ExpressRoute provides a fast and reliable connection to Azure with bandwidths up to 100 Gbps, which makes it an excellent and cost-effective option for scenarios like periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies.
What layer is ExpressRoute in Azure? ›ExpressRoute operates in layer 3. Threats in the application layer can be prevented by using a network security appliance that restricts traffic to legitimate resources.
How do I connect ExpressRoute to Azure? ›- Sign in to the Azure portal.
- Create a new ExpressRoute circuit.
- View the circuits and properties.
- Send the service key to your connectivity provider for provisioning.
- Periodically check the status and the state of the circuit key.
- Create your routing configuration.
- Personal VPN services.
- Mobile VPNs.
- Remote access VPNs.
- Site-to-site VPNs.
What is the difference between Azure virtual network gateway and firewall? ›
Azure WAF in Azure Application Gateway protects inbound traffic to the web workloads, and the Azure Firewall inspects inbound traffic for the other applications. The Azure Firewall will cover outbound flows from both workload types.
What is the difference between a VPN and a gateway? ›A VPN is a private network that uses a public network, such as the Internet, to connect remote sites or users together. A VPN gateway is a type of networking device that connects two or more devices or networks together in a VPN infrastructure.
How many VPN gateways per VPC? ›You can attach only one internet gateway to a VPC at a time.
How many subnets can be created in VNet? ›Another fun fact is that subnets, that make up the allocated address space for a VNet, can only have a maximum of 3,000 provisioned per given VNet (source).
Can a VNet have multiple private DNS zones? ›Resolution virtual network
These records include manually created and auto registered records from other virtual networks linked to the private DNS zone. One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it.
Summing up in VNet Peering connection is private without Public IP endpoints. There is no public internet involved. Contrarily with VPN Gateways there is Public IP involved. Finally Azure provides peer to peer virtual network gateways and virtual networks to connect virtual networks.
Can you connect two gateways on the same network? ›Yes, using two (or even more than two) routers on the same home network is possible. The benefits of a two-router network include: Support for more wired devices: If the first router is wired Ethernet, it supports a limited number of connected devices (typically only four or five).
Can you have two gateways on the same server? ›Each service will log in with a separate domain account and connect to a different database. We have all policies for this to work accurately. The big problem is that we can not create more than one gateway service on the same server.
What is Azure ExpressRoute gateway? ›ExpressRoute Gateway
Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365.
ExpressRoute can provide Layer 2 or managed Layer 3 connection between our on-premises data center and the cloud.
What are ExpressRoute zones? ›
ExpressRoute locations are the entry point to Microsoft's network – and are globally distributed, providing customers the opportunity to connect to Microsoft's network around the world. These locations are where ExpressRoute partners and ExpressRoute Direct customers issue cross connections to Microsoft's network.
What is the difference between virtual WAN and Azure VPN gateway? ›How is Virtual WAN different from an Azure virtual network gateway? A virtual network gateway VPN is limited to 30 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub.
What is the minimum subnet size for Azure gateway? ›Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private frontend IP configuration + 5 Azure reserved). A minimum subnet size of /24 is recommended.
Does Azure VPN gateway require public IP? ›You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. A VPN gateway requires a public IP address for its configuration. A public IP address is used as the external connection point of the VPN.
What is the purpose of virtual network gateway? ›The virtual network (VNet) data gateway helps you to connect from Microsoft Cloud services to your Azure data services within a VNet without the need of an on-premises data gateway. The VNet data gateway securely communicates with the data source, executes queries, and transmits results back to the service.
What is ExpressRoute and what are the benefits? ›Express route allows a private connection between the local network and the Microsoft cloud. Using express route organizations/users can connect to several Microsoft cloud services (cloud products e.g. Microsoft dynamics 365, Microsoft Azure and Office 365)
What is route based virtual network gateway vs policy based? ›A route based VPN creates a virtual IPsec interface, and whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPsec settings. In a policy based VPN, the tunnel is specified within the policy itself with an action of IPsec.
What is the use of gateway subnet in Azure? ›The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. When you create the gateway subnet, you specify the number of IP addresses that the subnet contains.
What type of connection does ExpressRoute use? ›ExpressRoute allows you to create a connection between your on-premises network and the Microsoft cloud in four different ways, CloudExchange Co-location, Point-to-point Ethernet Connection, Any-to-any (IPVPN) Connection, and ExpressRoute Direct. Connectivity providers may offer more than one connectivity models.