2.3 Azure ExpressRoute
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Is an ExpressRoute Gateway?
An ExpressRoute gateway is a special type of virtual network gateway used to connect an Azure Virtual Network (VNet) to an ExpressRoute circuit.
An ExpressRoute circuit provides private, dedicated connectivity between your on-premises network (such as your corporate data center) and Microsoft Azure.
However, the circuit alone is not enough.
To connect your VNet to the ExpressRoute circuit, you must deploy an ExpressRoute gateway inside the VNet.
Simple Understanding
- ExpressRoute circuit → The private connection between your organization and Microsoft.
- ExpressRoute gateway → The gateway inside Azure that allows your VNet to use that connection.
Without the gateway, your VNet cannot communicate over ExpressRoute.
2. Where Is the ExpressRoute Gateway Deployed?
The ExpressRoute gateway is deployed:
- Inside a Virtual Network (VNet)
- In a special subnet called:
GatewaySubnet
Important Exam Points
- The subnet must be named exactly:
GatewaySubnet - It must be created before deploying the gateway.
- The recommended minimum size is /27 (especially for production environments).
- Smaller subnets may cause scaling issues.
3. Types of Virtual Network Gateways
In Azure, there are two main types of virtual network gateways:
- VPN Gateway
- ExpressRoute Gateway
For this exam section, you must understand:
| Feature | VPN Gateway | ExpressRoute Gateway |
|---|---|---|
| Uses Internet | Yes | No |
| Uses Private Connection | No | Yes |
| High Throughput | Medium | High |
| Used With ExpressRoute Circuit | No | Yes |
For ExpressRoute connectivity, you must select:
Gateway type: ExpressRoute
4. ExpressRoute Gateway SKUs
When creating an ExpressRoute gateway, you must select a SKU (performance level).
Available SKUs
- ErGw1AZ
- ErGw2AZ
- ErGw3AZ
(Older SKUs like Standard/HighPerformance are legacy and not recommended for new deployments.)
What Does SKU Affect?
- Throughput (bandwidth capacity)
- Number of VNet connections supported
- Performance
- High availability capability
Key Differences (Exam Focus)
| SKU | Performance Level | Typical Use |
|---|---|---|
| ErGw1AZ | Lower | Small workloads |
| ErGw2AZ | Medium | Medium workloads |
| ErGw3AZ | High | Large enterprise environments |
Important:
- “AZ” means Zone-redundant
- These gateways are deployed across Availability Zones
- Provides higher resiliency
For AZ-700, remember:
Use AZ SKUs for production environments.
5. High Availability and Availability Zones
ExpressRoute gateways support:
- Zone-redundant deployment
- Built-in high availability
If you select an AZ SKU, Azure automatically deploys the gateway across multiple Availability Zones within a region.
This protects against:
- Datacenter failure
- Hardware failure
- Zone-level outages
Exam Tip:
If the question mentions:
- High availability
- Fault tolerance
- Zone failure protection
Choose:
ErGw2AZ or ErGw3AZ
6. Steps to Create an ExpressRoute Gateway
Step 1: Create a Virtual Network (VNet)
You must already have a VNet.
Example:
- VNet Name: Corp-VNet
- Address Space: 10.1.0.0/16
Step 2: Create GatewaySubnet
Inside the VNet:
- Subnet Name: GatewaySubnet
- Recommended size: /27 or larger
Example:
- 10.1.255.0/27
Important:
Do not deploy any other resources in this subnet.
Step 3: Create the Virtual Network Gateway
In Azure Portal:
- Go to Create Resource
- Search: Virtual Network Gateway
- Configure:
| Setting | Value |
|---|---|
| Gateway Type | ExpressRoute |
| SKU | ErGw1AZ / ErGw2AZ / ErGw3AZ |
| VNet | Select your VNet |
| Public IP | Required (even though ExpressRoute is private) |
Why Public IP is Required?
Even though ExpressRoute is private, Azure still requires a public IP object for gateway management and routing purposes.
This does NOT mean traffic goes over the internet.
Step 4: Wait for Deployment
Deployment time:
- 30 to 45 minutes
This is normal.
7. Connecting the Gateway to an ExpressRoute Circuit
After the gateway is created:
- Go to the ExpressRoute circuit.
- Select Connections
- Create a new connection:
- Select the VNet
- Select the ExpressRoute gateway
This links the VNet to the circuit.
Now traffic can flow between:
- On-premises network
- Azure VNet
8. FastPath (Important for Exam)
FastPath is an ExpressRoute feature that:
- Bypasses the ExpressRoute gateway for data traffic
- Reduces latency
- Improves performance
When enabled:
- Traffic goes directly to VMs
- Gateway handles only control plane traffic
Important:
FastPath is supported only on:
- ErGw3AZ
If exam question mentions:
- Very high throughput
- Low latency requirement
- Large-scale workload
Choose:
- ErGw3AZ with FastPath
9. ExpressRoute Gateway Limits
Important limits to remember:
- One ExpressRoute gateway per VNet
- A VNet can connect to multiple ExpressRoute circuits (with proper configuration)
- Gateway throughput depends on SKU
- Cannot use VPN and ExpressRoute gateway at same time in same VNet (unless using coexistence configuration)
10. ExpressRoute and VPN Coexistence
You can configure:
- ExpressRoute Gateway
- VPN Gateway
In the same VNet using special coexistence setup.
Requirements:
- GatewaySubnet must be large enough (/27 or larger)
- Proper gateway configuration
This is used for:
- Backup connectivity
- Migration scenarios
Exam questions often test this scenario.
11. Monitoring and Troubleshooting
You can monitor ExpressRoute gateway using:
- Azure Monitor
- Metrics
- Connection status
- BGP status
Key things to check:
- Connection state
- Bytes in/out
- BGP routes learned
If routes are missing:
- Check BGP configuration
- Check circuit provisioning state
12. Cost Considerations
ExpressRoute gateway costs include:
- Hourly gateway cost (based on SKU)
- Data transfer charges (depending on billing model)
- Circuit cost (separate from gateway)
Higher SKUs cost more.
Exam Tip:
If question focuses on:
- Reducing cost
- Small workload
Choose:
- ErGw1AZ
If question focuses on:
- Performance
- High availability
- Enterprise workload
Choose:
- ErGw3AZ
13. Common Exam Scenarios
Scenario 1:
Company needs private connectivity with high availability across zones.
Answer:
- ExpressRoute Gateway
- ErGw2AZ or ErGw3AZ
Scenario 2:
Company needs ultra-low latency and high throughput.
Answer:
- ErGw3AZ
- Enable FastPath
Scenario 3:
Need ExpressRoute and VPN backup.
Answer:
- Configure gateway coexistence
- Ensure GatewaySubnet is large enough
14. Key Differences to Remember
| Feature | ExpressRoute Gateway |
|---|---|
| Uses Internet | No |
| Private Connectivity | Yes |
| Requires GatewaySubnet | Yes |
| Supports FastPath | Yes (ErGw3AZ) |
| Supports Availability Zones | Yes |
| Required for ExpressRoute Circuit | Yes |
15. Final Exam Checklist (Very Important)
Before exam, make sure you understand:
✓ What an ExpressRoute gateway does
✓ Difference between VPN gateway and ExpressRoute gateway
✓ GatewaySubnet requirements
✓ AZ SKUs (ErGw1AZ, ErGw2AZ, ErGw3AZ)
✓ FastPath requirements
✓ Coexistence with VPN
✓ High availability using Availability Zones
✓ How to connect VNet to ExpressRoute circuit
✓ Monitoring and troubleshooting basics
Final Summary (Simple Explanation)
An ExpressRoute gateway is the Azure component that allows your virtual network to use a private ExpressRoute connection to your on-premises network.
To configure it:
- Create a VNet
- Create a GatewaySubnet
- Deploy an ExpressRoute virtual network gateway
- Connect it to an ExpressRoute circuit
Choosing the correct SKU is very important for:
- Performance
- Scalability
- Availability
- Cost
Understanding this section clearly is essential for passing the AZ-700 exam.
