Last updated: May 2026

Azure ExpressRoute

Azure ExpressRoute provides a private, dedicated connection from your on-premises network to Microsoft Azure — not over the public internet. Traffic travels through a connectivity provider's private network to Microsoft's edge. ExpressRoute offers predictable latency and high bandwidth, and is required for workloads with strict compliance requirements that prohibit public internet exposure.

What you'll learn: What ExpressRoute is and how it works · Circuit SKUs and bandwidths · Peering types — Private and Microsoft · ExpressRoute Global Reach · FastPath · Coexistence with VPN Gateway · ExpressRoute vs VPN Gateway decision criteria

How ExpressRoute Works

ExpressRoute uses a connectivity provider (like Tata Communications, Airtel, Reliance Jio in India) to establish a physical dedicated circuit from your facility to Microsoft's edge routers. The connection bypasses the public internet entirely.

ℹ️ Not Encrypted by Default: ExpressRoute traffic is NOT encrypted by default — the circuit is private, but not encrypted. For encryption over ExpressRoute, you must configure MACsec (Layer 2) or IPsec (Layer 3) on top. This is an important exam point.
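
The MACsec half of the note above can be checked from inventory data. This is an added example, not code from the original page: it reads ExpressRoute Direct port JSON and flags links that have no MACsec keys set. The sample input is constructed, and its field layout (modelled on `az network express-route port list -o json`) is an assumption; IPsec over the circuit is not covered by this check.

```python
import json

# Constructed sample shaped like `az network express-route port list -o json`.
# The field layout is an assumption; all names and URLs below are made up.
SAMPLE_PORTS = json.loads("""
[
  {"name": "er-direct-mumbai", "links": [
    {"name": "link1", "adminState": "Enabled",
     "macSecConfig": {"cipher": "GcmAes256",
       "cknSecretIdentifier": "https://kv.example/secrets/ckn/1",
       "cakSecretIdentifier": "https://kv.example/secrets/cak/1"}},
    {"name": "link2", "adminState": "Enabled",
     "macSecConfig": {"cipher": "GcmAes128",
       "cknSecretIdentifier": null, "cakSecretIdentifier": null}}
  ]},
  {"name": "er-direct-chennai", "links": [
    {"name": "link1", "adminState": "Disabled"},
    {"name": "link2", "adminState": "Enabled"}
  ]}
]
""")

def macsec_enabled(link):
    """Treat MACsec as active only when both key references (CKN, CAK) are set.
    Assumption: a cipher value alone is not proof, it may be a default."""
    cfg = link.get("macSecConfig") or {}
    return bool(cfg.get("cknSecretIdentifier")) and bool(cfg.get("cakSecretIdentifier"))

def audit_ports(ports):
    """Return (port, link, status) tuples, gaps on live links first."""
    findings = []
    for port in ports:
        for link in port.get("links") or []:
            live = link.get("adminState") == "Enabled"
            if macsec_enabled(link):
                status = "ok"
            elif live:
                status = "UNENCRYPTED"       # admin-up link without MACsec keys
            else:
                status = "unencrypted-idle"  # admin-down, fix before enabling
            findings.append((port["name"], link["name"], status))
    order = {"UNENCRYPTED": 0, "unencrypted-idle": 1, "ok": 2}
    return sorted(findings, key=lambda f: order[f[2]])  # stable within a status

if __name__ == "__main__":
    for port, link, status in audit_ports(SAMPLE_PORTS):
        print(f"{status:17} {port}/{link}")
```
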

Connection Models

| Model | How |
| --- | --- |
| Co-location at cloud exchange | Your equipment is in the same data centre as the Microsoft edge — direct cross-connect |
| Point-to-point Ethernet | Direct dedicated Ethernet link from your site to the Microsoft edge |
| Any-to-any (IPVPN) | Your MPLS/WAN provider integrates Azure into your existing WAN |
| ExpressRoute Direct | Direct physical connection to the Microsoft global network — 10/100 Gbps |

Circuit SKUs and Bandwidths

| SKU | Available Bandwidths | Use Case |
| --- | --- | --- |
| Local | 50 Mbps – 10 Gbps | Single Azure region, unlimited egress |
| Standard | 50 Mbps – 10 Gbps | Up to 9 Azure regions |
| Premium | 50 Mbps – 10 Gbps | Global routing, 10+ regions, Office 365 |
| ExpressRoute Direct | 10 Gbps, 100 Gbps | Highest bandwidth, direct Microsoft edge |

Peering Types

An ExpressRoute circuit has two independent BGP peering sessions:

Private Peering

Connects to Azure VNets (VMs, load balancers, internal services). Traffic stays on the private circuit and uses private IP addresses. Required for connecting to Azure IaaS and PaaS resources in VNets.

Microsoft Peering

Connects to Microsoft public services — Microsoft 365 (Exchange Online, SharePoint), Azure Storage, Azure SQL over a private network. Uses public IP addresses, but traffic goes through your private circuit instead of the internet.

💡 Azure Public Peering is Retired: There used to be three peering types — Private, Public, and Microsoft. Azure Public Peering was retired and merged into Microsoft Peering. You may see it referenced in old documentation.

ExpressRoute Global Reach

Global Reach allows you to connect your on-premises sites to each other through Microsoft's network using their ExpressRoute circuits. Instead of building separate on-premises connectivity between sites, traffic flows: Site A → ExpressRoute → Microsoft backbone → ExpressRoute → Site B.

FastPath

By default, ExpressRoute routes traffic through the Virtual Network Gateway, adding some latency. FastPath bypasses the gateway and sends traffic directly to VMs in the VNet — reducing latency and improving throughput. FastPath requires the Ultra Performance or ErGw3AZ gateway SKU.

Coexistence with VPN Gateway

You can configure both ExpressRoute and VPN Gateway on the same VNet. Common use case:

  • ExpressRoute as the primary connection (fast, reliable)
  • VPN Gateway as a failover backup (if ExpressRoute circuit fails)

ExpressRoute vs VPN Gateway

| Choose ExpressRoute when... | Choose VPN Gateway when... |
| --- | --- |
| Compliance requires no public internet exposure | Budget is limited |
| Need >10 Gbps bandwidth | Need quick setup (hours vs weeks) |
| Consistent, predictable latency required | Workload can tolerate variable latency |
| Connecting large data centres with heavy traffic | Connecting small offices or remote workers |

💡 AZ-104 Exam Tip: Remember: ExpressRoute is NOT encrypted by default. It provides private connectivity — but for encryption, you need MACsec or IPsec on top. Know Private Peering (VNets) vs Microsoft Peering (Microsoft 365, Azure public services).

📝 Practice Questions
Q1. Is ExpressRoute traffic encrypted by default?
A — Yes — all ExpressRoute traffic is encrypted automatically
B — No — it is private but not encrypted; requires MACsec or IPsec for encryption
C — Only Microsoft Peering traffic is encrypted
D — Only if you select the encryption option when creating the circuit
Q2. Which ExpressRoute peering type connects to Azure VNets (VMs and internal services)?
A — Private Peering
B — Microsoft Peering
C — Azure Public Peering
D — Global Reach
Q3. A company needs to connect Microsoft 365 (Exchange Online) traffic through their ExpressRoute circuit instead of the internet. Which peering type should they configure?
A — Private Peering
B — Microsoft Peering
C — Global Reach
D — FastPath
Q4. What does ExpressRoute FastPath do?
A — Increases the circuit bandwidth automatically
B — Bypasses the VNet Gateway to route traffic directly to VMs, reducing latency
C — Routes traffic from VMs directly to on-premises without going through Azure
D — Enables automatic encryption on the ExpressRoute circuit
Q5. What is ExpressRoute Global Reach used for?
A — Connecting one ExpressRoute circuit to all Azure regions globally
B — Connecting two on-premises sites to each other through Microsoft's backbone via their ExpressRoute circuits
C — Connecting multiple Azure VNets globally without peering
D — Increasing the bandwidth of an existing ExpressRoute circuit
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.