

About ExpressRoute virtual network gateways

  • Article
  • 11/04/2022

To connect your Azure virtual network and your on-premises network using ExpressRoute, you must first create a virtual network gateway. A virtual network gateway serves two purposes: exchange IP routes between the networks and route network traffic. This article explains different gateway types, gateway SKUs, and estimated performance by SKU. This article also explains ExpressRoute FastPath, a feature that enables the network traffic from your on-premises network to bypass the virtual network gateway to improve performance.

Gateway types

When you create a virtual network gateway, you need to specify several settings. One of the required settings, -GatewayType, specifies whether the gateway is used for ExpressRoute, or VPN traffic. The two gateway types are:

  • Vpn - To send encrypted traffic across the public Internet, you use the gateway type 'Vpn'. This type of gateway is also referred to as a VPN gateway. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.

  • ExpressRoute - To send network traffic on a private connection, you use the gateway type 'ExpressRoute'. This type of gateway is also referred to as an ExpressRoute gateway and is used when configuring ExpressRoute.

Each virtual network can have only one virtual network gateway per gateway type. For example, you can have one virtual network gateway that uses -GatewayType Vpn, and one that uses -GatewayType ExpressRoute.

Gateway SKUs

When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. When you select a higher gateway SKU, more CPUs and network bandwidth are allocated to the gateway, and as a result, the gateway can support higher network throughput to the virtual network.

ExpressRoute virtual network gateways can use the following SKUs:

  • Standard
  • HighPerformance
  • UltraPerformance
  • ErGw1Az
  • ErGw2Az
  • ErGw3Az

If you want to upgrade your gateway to a higher capacity gateway SKU, you can use the Resize-AzVirtualNetworkGateway PowerShell cmdlet or perform the upgrade directly in the ExpressRoute virtual network gateway configuration page in the Azure portal. The following upgrades are supported:

  • Standard to High Performance
  • Standard to Ultra Performance
  • High Performance to Ultra Performance
  • ErGw1Az to ErGw2Az
  • ErGw1Az to ErGw3Az
  • ErGw2Az to ErGw3Az
  • Default to Standard

Additionally, you can downgrade the virtual network gateway SKU. The following downgrades are supported:

  • High Performance to Standard
  • ErGw2Az to ErGw1Az

For all other downgrade scenarios, you'll need to delete and recreate the gateway. Recreating a gateway incurs downtime.
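The lists above describe which SKU changes Azure performs in place and which force a delete-and-recreate. The following script is an added example, not code from the Microsoft article: it encodes those supported transitions, reads the gateway's current SKU, and only calls Resize-AzVirtualNetworkGateway when the change is one of the listed in-place moves, so an accidental downgrade does not turn into an unplanned outage. The resource group, gateway name and target SKU are placeholders.

```powershell
# Added example: resize an ExpressRoute gateway only along a transition the
# article lists as supported in place. Names and target SKU are placeholders.
$rgName    = 'MyResourceGroup'
$gwName    = 'MyErGateway'
$targetSku = 'ErGw2AZ'

# In-place transitions from the article: upgrades plus the two supported
# downgrades. Keys and values use the strings accepted by -GatewaySku.
$supported = @{
    'Default'          = @('Standard')
    'Standard'         = @('HighPerformance', 'UltraPerformance')
    'HighPerformance'  = @('UltraPerformance', 'Standard')
    'UltraPerformance' = @()
    'ErGw1AZ'          = @('ErGw2AZ', 'ErGw3AZ')
    'ErGw2AZ'          = @('ErGw3AZ', 'ErGw1AZ')
    'ErGw3AZ'          = @()
}

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName
if ($gw.GatewayType -ne 'ExpressRoute') {
    throw "Gateway '$gwName' is a $($gw.GatewayType) gateway, not an ExpressRoute gateway."
}

$currentSku = $gw.Sku.Name
if ($currentSku -eq $targetSku) {
    "Gateway '$gwName' is already $targetSku; nothing to do."
}
elseif ($supported[$currentSku] -contains $targetSku) {
    # Listed as an in-place change: no delete-and-recreate is required.
    Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku $targetSku
}
else {
    # Any other move (for example UltraPerformance -> Standard, or between the
    # non-AZ and AZ SKU families) is not a supported resize; recreating the
    # gateway incurs downtime, so schedule it rather than attempting it here.
    throw "Changing '$gwName' from $currentSku to $targetSku is not an in-place resize; delete and recreate the gateway in a planned maintenance window."
}
```

Run the script under an account with Network Contributor rights on the resource group; the hashtable is the only part that needs updating if Microsoft extends the list of supported transitions.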

Feature support by gateway SKU

The following table shows the features supported by each gateway SKU.

Gateway SKU                   | VPN Gateway and ExpressRoute coexistence | FastPath | Max number of circuit connections
Standard SKU/ErGw1AZ          | Yes                                      | No       | 4
High Performance SKU/ErGw2AZ  | Yes                                      | No       | 8
Ultra Performance SKU/ErGw3AZ | Yes                                      | Yes      | 16

Note

The maximum number of ExpressRoute circuits from the same peering location that can connect to the same virtual network is 4 for all gateways.

Estimated performances by gateway SKU

The following table shows the gateway types and the estimated performance scale numbers. These numbers are derived from the following testing conditions and represent the max support limits. Actual performance may vary, depending on how closely traffic replicates these testing conditions.

Testing conditions

Gateway SKU                   | Traffic sent from on-premises | Number of routes advertised by gateway | Number of routes learned by gateway
Standard/ErGw1AZ              | 1 Gbps                        | 500                                    | 4,000
High Performance/ErGw2AZ      | 2 Gbps                        | 500                                    | 9,500
Ultra Performance/ErGw3AZ     | 10 Gbps                       | 500                                    | 9,500

Performance results

This table applies to both the Resource Manager and classic deployment models.

Gateway SKU                   | Connections per second | Megabits per second | Packets per second | Supported number of VMs in the virtual network
Standard/ErGw1AZ              | 7,000                  | 1,000               | 100,000            | 2,000
High Performance/ErGw2AZ      | 14,000                 | 2,000               | 250,000            | 4,500
Ultra Performance/ErGw3AZ     | 16,000                 | 10,000              | 1,000,000          | 11,000

Important

  • Application performance depends on multiple factors, such as end-to-end latency, and the number of traffic flows the application opens. The numbers in the table represent the upper limit that the application can theoretically achieve in an ideal environment. Additionally, Microsoft performs routine host and OS maintenance on the ExpressRoute Virtual Network Gateway, to maintain reliability of the service. During a maintenance period, the control plane and data path capacity of the gateway is reduced.
  • During a maintenance period, you may experience intermittent connectivity issues to private endpoint resources.

Gateway subnet

Before you create an ExpressRoute gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required ExpressRoute gateway settings. Never deploy anything else into the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know to deploy the virtual network gateway VMs and services into this subnet.

Note

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. Gateways created with this configuration will be blocked from creation. Gateways require access to the management controllers in order to function properly. BGP Route Propagation should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway. If this is set to disabled, the gateway will not function.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.

When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexistence configuration requires a larger gateway subnet than most other configurations. Furthermore, make sure your gateway subnet contains enough IP addresses to accommodate possible future configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, and so on). If you plan on connecting 16 ExpressRoute circuits to your gateway, you must create a gateway subnet of /26 or larger. If you're creating a dual-stack gateway subnet, we recommend that you also use an IPv6 range of /64 or larger. This setup accommodates most configurations.

The following Resource Manager PowerShell example adds a gateway subnet named GatewaySubnet to an existing virtual network and writes the change back with Set-AzVirtualNetwork (the virtual network and resource group names are placeholders). The CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

$vnet = Get-AzVirtualNetwork -Name 'MyVNet' -ResourceGroupName 'MyResourceGroup'
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27 -VirtualNetwork $vnet | Set-AzVirtualNetwork

Important

When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating a network security group with this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.
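The rules in this section (the exact subnet name, the minimum and recommended prefix sizes, no NSG, no 0.0.0.0/0 user-defined route, BGP route propagation left enabled, and nothing else deployed into the subnet) are easy to violate with a single misplaced association. The following script is an added example, not code from the Microsoft article: it reads an existing virtual network and reports every one of those conditions the GatewaySubnet fails, so the problems surface before the gateway deployment is attempted. The virtual network and resource group names are placeholders.

```powershell
# Added example: audit a VNet's GatewaySubnet against the rules in this
# section before creating an ExpressRoute gateway. Names are placeholders.
$rgName   = 'MyResourceGroup'
$vnetName = 'MyVNet'
$problems = @()

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
if (-not $subnet) {
    throw "VNet '$vnetName' has no subnet named 'GatewaySubnet'; that exact name is required."
}

# Prefix length on the IPv4 prefix (dual-stack subnets also carry an IPv6 one):
# /29 is the smallest allowed, /27 or larger is recommended.
$ipv4Prefix   = $subnet.AddressPrefix | Where-Object { $_ -notmatch ':' } | Select-Object -First 1
$prefixLength = [int](($ipv4Prefix -split '/')[1])
if ($prefixLength -gt 29) {
    $problems += "GatewaySubnet $ipv4Prefix is smaller than the /29 minimum."
}
elseif ($prefixLength -gt 27) {
    $problems += "GatewaySubnet $ipv4Prefix is below the recommended /27; resizing later means recreating the gateway."
}

# An NSG on the GatewaySubnet is unsupported and can stop the gateway working.
if ($subnet.NetworkSecurityGroup -and $subnet.NetworkSecurityGroup.Id) {
    $problems += "GatewaySubnet has an NSG associated: $($subnet.NetworkSecurityGroup.Id)"
}

# A route table is allowed, but it must keep BGP route propagation enabled
# and must not carry a 0.0.0.0/0 user-defined route.
if ($subnet.RouteTable -and $subnet.RouteTable.Id) {
    $idParts = $subnet.RouteTable.Id -split '/'
    $rt = Get-AzRouteTable -Name $idParts[-1] -ResourceGroupName $idParts[4]
    if ($rt.DisableBgpRoutePropagation) {
        $problems += "Route table '$($rt.Name)' has BGP route propagation disabled; the gateway will not function."
    }
    if ($rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }) {
        $problems += "Route table '$($rt.Name)' carries a 0.0.0.0/0 UDR; gateway creation will be blocked."
    }
}

# Nothing but gateway resources may live here. Run this before the gateway
# exists; afterwards the gateway's own IP configurations appear in this list.
if ($subnet.IpConfigurations.Count -gt 0) {
    $problems += "GatewaySubnet already has $($subnet.IpConfigurations.Count) IP configuration(s) attached."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    "GatewaySubnet in '$vnetName' passes all checks."
}
```

The script only reads resources, so it is safe to run from a pipeline gate or a scheduled compliance job; pair it with an Azure Policy deny on NSG associations to GatewaySubnet if you want the check enforced rather than reported.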

Zone-redundant gateway SKUs

You can also deploy ExpressRoute gateways in Azure Availability Zones. This configuration physically and logically separates them into different Availability Zones, protecting your on-premises network connectivity to Azure from zone-level failures.

Zone-redundant ExpressRoute gateways use the following AZ gateway SKUs:

  • ErGw1AZ
  • ErGw2AZ
  • ErGw3AZ

The new gateway SKUs also support other deployment options to best match your needs. When creating a virtual network gateway using the new gateway SKUs, you can deploy the gateway in a specific zone. This type of gateway is referred to as a zonal gateway. When you deploy a zonal gateway, all the instances of the gateway are deployed in the same Availability Zone.
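The difference between a zone-redundant and a zonal deployment is made on the public IP address attached to the gateway, not on the gateway object itself. The following script is an added example, not code from the Microsoft article: it creates an ErGw1AZ ExpressRoute gateway in an existing virtual network that already has a GatewaySubnet, using a Standard-SKU static public IP spread across all three zones. The resource names, region and assumption that the AZ SKUs require a Standard-SKU public IP are stated here rather than taken from the article.

```powershell
# Added example: deploy a zone-redundant ExpressRoute gateway (ErGw1AZ).
# Resource names and region are placeholders; the VNet must already contain
# a subnet named GatewaySubnet.
$rgName   = 'MyResourceGroup'
$location = 'westus2'
$vnetName = 'MyVNet'
$gwName   = 'MyErGateway'

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# The AZ SKUs need a Standard-SKU, static public IP. Listing all three zones
# makes the IP, and with it the gateway, zone-redundant. Passing a single
# zone (for example -Zone 2) would instead produce a zonal gateway whose
# instances all live in that zone.
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Static -Sku Standard -Zone 1,2,3

$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "$gwName-ipconfig" `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# GatewayType selects ExpressRoute rather than Vpn; GatewaySku picks the AZ family.
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName `
    -Location $location -IpConfigurations $ipConfig `
    -GatewayType ExpressRoute -GatewaySku ErGw1AZ

# Confirm what was provisioned: gateway SKU and the zones of the public IP.
"{0}: SKU {1}, public IP zones {2}" -f $gw.Name, $gw.Sku.Name, ($pip.Zones -join ',')
```

Gateway creation typically takes tens of minutes; the final line prints the SKU and zone list so the result can be checked against what was requested before any circuit connection is created.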

FastPath

The ExpressRoute virtual network gateway exchanges network routes and forwards network traffic between your on-premises network and your virtual network. FastPath is designed to improve the data path performance between the two. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

For more information about FastPath, including limitations and requirements, see About FastPath.
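FastPath is enabled per circuit connection rather than on the gateway, and the feature table above shows that only the UltraPerformance and ErGw3AZ SKUs support it. The following script is an added example, not code from the Microsoft article: it checks the gateway's SKU against that table and then links an ExpressRoute circuit to the gateway with the FastPath switch set. The resource names are placeholders, and the circuit is assumed to be in the same subscription as the gateway.

```powershell
# Added example: connect an ExpressRoute circuit to a gateway with FastPath.
# Names are placeholders; circuit and gateway are in the same subscription.
$rgName      = 'MyResourceGroup'
$location    = 'westus2'
$gwName      = 'MyErGateway'
$circuitName = 'MyCircuit'
$circuitRg   = 'MyCircuitResourceGroup'

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName

# FastPath is only supported on UltraPerformance / ErGw3AZ; fail early
# instead of letting the connection request be rejected.
if ($gw.Sku.Name -notin @('UltraPerformance', 'ErGw3AZ')) {
    throw "FastPath needs UltraPerformance or ErGw3AZ; '$gwName' is $($gw.Sku.Name). Resize the gateway first or create the connection without -ExpressRouteGatewayBypass."
}

$circuit = Get-AzExpressRouteCircuit -Name $circuitName -ResourceGroupName $circuitRg

# -ExpressRouteGatewayBypass is the FastPath switch on the connection resource;
# traffic from on-premises then reaches VMs without traversing the gateway.
$conn = New-AzVirtualNetworkGatewayConnection -Name "$gwName-to-$circuitName" `
    -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $gw -PeerId $circuit.Id `
    -ConnectionType ExpressRoute -ExpressRouteGatewayBypass

"Connection {0} created; FastPath enabled: {1}" -f $conn.Name, $conn.ExpressRouteGatewayBypass
```

The final line reads the flag back from the created connection object, which is the quickest way to confirm FastPath actually took effect rather than assuming it did from the request.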

Connectivity to Private Endpoints

The ExpressRoute virtual network gateway facilitates connectivity to private endpoints deployed in the same virtual network as the virtual network gateway and across virtual network peers.

Important

  • Throughput and control plane capacity may be half compared to connectivity to non-private-endpoint resources.
  • During a maintenance period, you may experience intermittent connectivity issues to private endpoint resources.

Route Server

When you create or delete an Azure Route Server from a virtual network that contains a Virtual Network Gateway (ExpressRoute or VPN), expect downtime until the operation gets completed.

REST APIs and PowerShell cmdlets

For more technical resources and specific syntax requirements when using REST APIs and PowerShell cmdlets for virtual network gateway configurations, see the following pages:

  • Classic deployment model: PowerShell, REST API
  • Resource Manager deployment model: PowerShell, REST API

VNet-to-VNet connectivity

By default, connectivity between virtual networks is enabled when you link multiple virtual networks to the same ExpressRoute circuit. However, Microsoft advises against using your ExpressRoute circuit for communication between virtual networks and recommends VNet peering instead. For more information about why VNet-to-VNet connectivity isn't recommended over ExpressRoute, see connectivity between virtual networks over ExpressRoute.

Virtual network peering

A virtual network with an ExpressRoute gateway can have virtual network peering with up to 500 other virtual networks. Virtual network peering without an ExpressRoute gateway may have a higher peering limitation.

Next steps

For more information about available connection configurations, see ExpressRoute Overview.

For more information about creating ExpressRoute gateways, see Create a virtual network gateway for ExpressRoute.

For more information about configuring zone-redundant gateways, see Create a zone-redundant virtual network gateway.

For more information about FastPath, see About FastPath.
