Virtual Networks (vNets)
This includes communication between Azure services in the cloud as well as communication with your on-prem resources over a VPN.
VPNs are limited to 1.25 Gbps.
The first 4 IPs in a subnet are allocated for Azure (default gateway, layer 3 devices).
To get around the 1.25 Gbps limit, use ExpressRoute, which gets you 10 Gbps DEDICATED fiber connections.
With ExpressRoute you connect your on-prem network to your service provider (AT&T, Verizon, etc.) or, if you are in a shared data center, to the data center operator (Peak10, EDS, etc.). They then connect to the Microsoft Enterprise Edge router (MSEE). Microsoft refers to this connection as a circuit.
Circuits are private, so your service provider can’t sit in a man-in-the-middle position.
ExpressRoute seems like the way to go, but it has 1 major drawback. The connectivity must still go through the data center or service provider. If you don’t trust them being in a man-in-the-middle position, then you might want to use ExpressRoute Direct. With ExpressRoute Direct you remove them from that position.