April 20, 2021

Azure Networking

Virtual Networks (vNets)

This includes communications between Azure services in the cloud as well as communicating with your on-prem resources over VPN.

VPNs are limited to 1.25 Gbps

The first 4 IPs in a subnet are allocated for Azure (default gateway, layer 3 devices).
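Capacity planning around those reserved addresses, as an added Python example that is not from these notes or from Azure's own tooling: it reports which addresses in a subnet are taken and how many are usable. It goes slightly beyond the text above in also counting the subnet's last address (broadcast), which Azure reserves too, and in enforcing Azure's /29 minimum subnet size; the role labels for the first four addresses follow Azure's documentation.

```python
import ipaddress

# Roles of the first four addresses of every Azure subnet (the notes above
# mention the default gateway; the other labels are from Azure documentation).
RESERVED_ROLES = (
    "network address",
    "default gateway",
    "Azure DNS mapping",
    "Azure DNS mapping",
)
RESERVED_PER_SUBNET = 5  # first four plus the last (broadcast) address


def azure_reserved(cidr: str) -> dict:
    """Return the Azure-reserved addresses of an IPv4 subnet and its usable range."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 subnets only")
    # Azure does not accept subnets smaller than /29 (8 addresses, 3 usable).
    if net.prefixlen > 29:
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    # Index into the network instead of enumerating it, so a /8 stays cheap.
    reserved = {str(net[i]): role for i, role in enumerate(RESERVED_ROLES)}
    reserved[str(net[-1])] = "broadcast"
    return {
        "reserved": reserved,
        "first_usable": str(net[4]),
        "last_usable": str(net[-2]),
        "usable_count": net.num_addresses - RESERVED_PER_SUBNET,
    }


def smallest_prefix_for(hosts_needed: int) -> int:
    """Longest prefix (smallest Azure subnet) that still leaves enough usable addresses."""
    if hosts_needed < 1:
        raise ValueError("hosts_needed must be positive")
    for prefix in range(29, -1, -1):  # start at Azure's smallest allowed subnet
        if 2 ** (32 - prefix) - RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError("no IPv4 subnet can hold that many hosts")


if __name__ == "__main__":
    # Constructed sample: a /24 loses 5 of 256 addresses to Azure.
    print(azure_reserved("10.0.0.0/24"))
    # 27 hosts still fit a /27 (32 - 5 = 27), but 28 need a /26.
    print(smallest_prefix_for(27), smallest_prefix_for(28))
```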

To get around the 1.25 Gbps limit, use ExpressRoute, which gets you 10 Gbps dedicated fiber connections.

With ExpressRoute you connect your on-prem network to your service provider (AT&T, Verizon, etc.) or, if you are in a shared data center, to its operator (Peak10, EDS, etc.). They then connect to a Microsoft Enterprise Edge router (MSEE). Microsoft refers to this connection as a circuit.

Circuits are private, so your service provider can’t sit in a man-in-the-middle position.

ExpressRoute Direct

ExpressRoute seems like the way to go, but it has one major drawback: the connectivity must still go through the data center or service provider. If you don’t trust them in a man-in-the-middle position, then you might want to use ExpressRoute Direct. With ExpressRoute Direct you remove them from that position.

Azure VPN into vNet, ExpressRoute, ExpressRoute Direct