2.3 Azure ExpressRoute
📘Microsoft Azure Networking Solutions (AZ-700)
1. Why Encryption Is Needed Over ExpressRoute
Azure ExpressRoute provides a private, dedicated connection between your on-premises network and Microsoft cloud services.
It does not use the public internet, which makes it more secure than a normal internet VPN.
However:
- ExpressRoute does not encrypt traffic by default
- Traffic is private but not automatically encrypted
- Some organizations require encryption for:
  - Compliance (financial, healthcare, government)
  - Internal security policies
  - Protection of sensitive data
For the AZ-700 exam, remember this key point:
ExpressRoute provides private connectivity, but encryption must be configured separately if required.
2. Encryption Options Over ExpressRoute
There are two main ways to configure encryption over ExpressRoute:
- IPsec VPN over ExpressRoute
- MACsec encryption (Layer 2 encryption)
You must understand when and how to use each.
3. Option 1 – IPsec VPN over ExpressRoute
This is the most common method.
What Is It?
You create a Site-to-Site VPN tunnel (IPsec/IKE) over the ExpressRoute private connection.
Even though ExpressRoute is private, the traffic is encrypted inside an IPsec tunnel.
Architecture
You use:
- ExpressRoute circuit
- ExpressRoute virtual network gateway
- VPN gateway (or VPN device on-premises)
Azure supports this configuration using:
- An ExpressRoute gateway
- A VPN gateway (or a combined gateway configuration)
How It Works
- ExpressRoute provides private connectivity.
- A VPN tunnel (IPsec) is established over that connection.
- All traffic inside that tunnel is encrypted.
This provides:
- Confidentiality
- Integrity
- Authentication
Why Use IPsec Over ExpressRoute?
Use it when:
- Compliance requires encryption in transit
- Organization security policy mandates encryption
- Sensitive data (financial, healthcare, government systems) is transmitted
- You want defense-in-depth security
Important Exam Concepts
1. ExpressRoute is not encrypted by default
This is a very important exam question area.
2. You can run VPN over ExpressRoute
This is supported and valid.
3. Coexistence configuration
You can deploy both of the following in the same VNet:
- ExpressRoute gateway
- VPN gateway
This allows:
- Primary traffic via ExpressRoute
- Encrypted tunnel over ExpressRoute
- Failover via VPN over Internet (if configured)
High Availability Considerations
For production environments:
- Use active-active VPN gateway
- Use redundant ExpressRoute circuits
- Use zone-redundant gateways
For AZ-700, remember:
High availability and redundancy are always tested topics.
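The coexistence design described in this section, as an added Bicep example that is not part of these notes: a route-based, active-active, zone-redundant VPN gateway is added beside an existing ExpressRoute gateway in the same GatewaySubnet, and an IKEv2 IPsec tunnel is built over the ExpressRoute private peering. Resource names, the 10.100.0.1 on-premises address, the ASN and the IPsec policy values are constructed assumptions; the notes do not mention the private-IP settings (enablePrivateIpAddress, useLocalAzureIpAddress) that make the tunnel use the circuit instead of the internet.

```bicep
// Added example, not from these notes. Assumed (constructed): a VNet whose GatewaySubnet (/27 or larger)
// already holds an ExpressRoute gateway, two Standard public IP IDs, and an on-premises VPN device at 10.100.0.1.
param location string = resourceGroup().location
param gatewaySubnetId string
param vpnPipIds array              // two public IP resource IDs, one per active-active instance
@secure() param sharedKey string   // IKE pre-shared key, supplied at deploy time, never hard-coded

// Coexistence: a route-based VPN gateway joins the ExpressRoute gateway in the same GatewaySubnet.
// enablePrivateIpAddress gives it a private address so the tunnel rides the private peering, not the internet.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'gw-vpn'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'          // policy-based gateways cannot coexist with ExpressRoute
    sku: { name: 'VpnGw1AZ', tier: 'VpnGw1AZ' }   // zone-redundant SKU
    activeActive: true             // two instances, two tunnels, no single point of failure
    enableBgp: true
    enablePrivateIpAddress: true
    ipConfigurations: [for (pipId, i) in vpnPipIds: {
      name: 'ipconfig${i}'
      properties: { subnet: { id: gatewaySubnetId }, publicIPAddress: { id: pipId } }
    }]
  }
}

// The on-premises VPN device is addressed by its private IP, which is learned over the circuit.
resource onprem 'Microsoft.Network/localNetworkGateways@2023-09-01' = {
  name: 'lng-onprem'
  location: location
  properties: {
    gatewayIpAddress: '10.100.0.1'
    bgpSettings: { asn: 65010, bgpPeeringAddress: '10.100.0.1' }
  }
}

// IKEv2 with an explicit AES-GCM policy; useLocalAzureIpAddress pins the tunnel to the gateway's private IP.
resource tunnel 'Microsoft.Network/connections@2023-09-01' = {
  name: 'cn-ipsec-over-expressroute'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    virtualNetworkGateway1: { id: vpnGw.id, properties: {} }
    localNetworkGateway2: { id: onprem.id, properties: {} }
    sharedKey: sharedKey
    enableBgp: true
    useLocalAzureIpAddress: true
    ipsecPolicies: [{ saLifeTimeSeconds: 27000, saDataSizeKilobytes: 102400000, ipsecEncryption: 'GCMAES256', ipsecIntegrity: 'GCMAES256', ikeEncryption: 'AES256', ikeIntegrity: 'SHA384', dhGroup: 'DHGroup24', pfsGroup: 'PFS24' }]
  }
}
```

The on-premises device must offer the same IKEv2/IPsec proposal and the same pre-shared key, and the ExpressRoute private peering must already advertise the route to 10.100.0.1, otherwise the tunnel never comes up.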
4. Option 2 – MACsec Encryption
What Is MACsec?
MACsec (Media Access Control Security) is Layer 2 encryption.
It encrypts traffic at the Ethernet frame level.
In Azure, MACsec is available with:
- ExpressRoute Direct
What Is ExpressRoute Direct?
ExpressRoute Direct allows customers to connect directly to Microsoft routers at:
- 10 Gbps
- 100 Gbps
It provides more control and higher bandwidth.
MACsec with ExpressRoute Direct
With ExpressRoute Direct:
- You can enable MACsec between your edge router and Microsoft’s edge router.
- Encryption happens at Layer 2.
- It protects traffic between your device and Microsoft’s device.
Key Features of MACsec
- IEEE 802.1AE standard
- Hardware-based encryption
- Low latency
- Line-rate performance
When to Use MACsec?
Use it when:
- Organization requires encryption at Layer 2
- You need high bandwidth encrypted connectivity
- You use ExpressRoute Direct
Important Exam Note
MACsec is:
- Only available with ExpressRoute Direct
- Not available with standard ExpressRoute circuits via providers
This is a common exam trap.
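MACsec on an ExpressRoute Direct port, as an added Bicep example that is not part of these notes: both physical links of the port are encrypted with an AES-GCM-256 MACsec key pair (CAK and CKN) that the port reads from Key Vault through a user-assigned managed identity. The port name, peering location, identity and secret URIs are constructed assumptions; the notes do not cover how the MACsec keys are stored and supplied.

```bicep
// Added example, not from these notes. Assumed (constructed): a 100 Gbps ExpressRoute Direct port in
// peering location 'Equinix-Ashburn-DC2', a user-assigned identity with read access to the Key Vault
// secrets, and CAK/CKN values already stored as Key Vault secrets (placeholder URIs passed in as params).
param location string = resourceGroup().location
param identityId string      // resource ID of the user-assigned managed identity
param cakSecretId string     // placeholder: https://<vault>.vault.azure.net/secrets/macsec-cak
param cknSecretId string     // placeholder: https://<vault>.vault.azure.net/secrets/macsec-ckn

// MACsec (IEEE 802.1AE) is configured per physical link. The two links are the redundant pair,
// so both are encrypted; leaving one in plaintext would make it the weak path.
var macsec = {
  cakSecretIdentifier: cakSecretId
  cknSecretIdentifier: cknSecretId
  cipher: 'GcmAes256'
  sciState: 'Enabled'        // Secure Channel Identifier tag; must match the customer edge router
}

resource erDirect 'Microsoft.Network/expressRoutePorts@2023-09-01' = {
  name: 'erd-ashburn-100g'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${identityId}': {} }   // the port fetches CAK/CKN as this identity
  }
  properties: {
    peeringLocation: 'Equinix-Ashburn-DC2'
    bandwidthInGbps: 100
    encapsulation: 'QinQ'
    links: [
      { name: 'link1', properties: { adminState: 'Enabled', macSecConfig: macsec } }
      { name: 'link2', properties: { adminState: 'Enabled', macSecConfig: macsec } }
    ]
  }
}
```

Rotating the CAK means writing a new secret version and re-applying the configuration; the identity's Key Vault permission should be limited to reading these two secrets.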
5. Comparing IPsec and MACsec
| Feature | IPsec over ExpressRoute | MACsec |
|---|---|---|
| Layer | Layer 3 | Layer 2 |
| Encryption type | Tunnel-based | Frame-based |
| Requires ExpressRoute Direct? | No | Yes |
| Uses VPN Gateway? | Yes | No |
| Performance impact | Some overhead | Very low (hardware-based) |
| Complexity | Medium | High (requires supported hardware) |
6. End-to-End Encryption Considerations
Even if ExpressRoute is private:
- Some services (like HTTPS applications) already encrypt traffic at the application layer.
- You can combine:
  - Application encryption (TLS/HTTPS)
  - IPsec
  - MACsec
For exam purposes:
Encryption can exist at multiple layers.
7. Design Considerations for AZ-700
When designing encryption over ExpressRoute, consider:
1. Compliance Requirements
- Financial institutions often require encryption.
- Healthcare organizations may require encryption for regulatory compliance.
2. Performance
- IPsec may reduce throughput.
- MACsec provides high performance.
3. Cost
- ExpressRoute Direct is more expensive.
- VPN gateways add cost.
4. Redundancy
- Use dual circuits.
- Use redundant gateways.
- Use zone redundancy.
8. Monitoring and Troubleshooting
For encrypted ExpressRoute connections:
Monitor:
- Gateway CPU usage
- Tunnel status
- BGP status
- Packet drops
Use:
- Azure Monitor
- Network Watcher
- Connection troubleshoot tools
If IPsec tunnel fails:
- Verify shared keys
- Check IKE version
- Validate routing
- Confirm BGP configuration
9. Common Exam Questions You Must Be Ready For
Question Type 1
Is ExpressRoute encrypted by default?
Correct answer:
No.
Question Type 2
Company requires private and encrypted connectivity with 100 Gbps bandwidth.
Correct answer:
ExpressRoute Direct with MACsec.
Question Type 3
Company already has ExpressRoute but now needs encryption.
Correct answer:
Configure IPsec VPN over ExpressRoute.
Question Type 4
Which encryption method works without ExpressRoute Direct?
Correct answer:
IPsec.
10. Best Practice Summary for Exam
For AZ-700, remember these key points:
- ExpressRoute = private but NOT encrypted.
- Encryption is optional and must be configured.
- IPsec over ExpressRoute = common solution.
- MACsec = only with ExpressRoute Direct.
- Know the difference between Layer 3 encryption (IPsec) and Layer 2 encryption (MACsec).
- Always design for redundancy and high availability.
Final Exam-Ready Summary
When configuring encryption over Azure ExpressRoute:
- Understand that ExpressRoute provides private connectivity, not encryption.
- Use IPsec VPN over ExpressRoute for encrypted tunnels.
- Use MACsec if using ExpressRoute Direct and Layer 2 encryption is required.
- Consider performance, compliance, and redundancy.
- Know the difference between standard ExpressRoute and ExpressRoute Direct.
- Understand coexistence of VPN and ExpressRoute gateways.
