Azure ExpressRoute: Private Connections Between Microsoft Datacenters and Your On-Premises Infrastructure

Azure ExpressRoute: Private Connections to Microsoft Datacenters

Azure ExpressRoute offers private, dedicated network connections between your on-premises infrastructure and Microsoft Azure datacenters. It avoids the public internet, which results in lower latency and higher throughput.

Key features include:

• Built-in redundancy
• Pricing starts at $0/month for ExpressRoute Local
• Standard pricing is $300/month for 1 Gbps

EPC Group designs and deploys ExpressRoute for enterprises that require HIPAA, PCI DSS, and FedRAMP compliance.

Key facts

• ExpressRoute operates over Layer 2 or Layer 3 connections through authorized connectivity providers.
• Three pricing tiers: Local ($0/month metered), Standard ($300/month for 1 Gbps), Premium (+$300/month add-on).
• Bandwidth options: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, 100 Gbps.
• Built-in redundancy: each circuit includes two physical connections for fault tolerance.
• Encryption: MACsec (IEEE 802.1AE) for Layer 2 or IPsec VPN tunnels for Layer 3 encryption over ExpressRoute.
• EPC Group: 29 years Microsoft consulting, 11,000+ enterprise engagements.

What is Azure ExpressRoute?

Azure ExpressRoute is a private network connection between your on-premises data center and Microsoft Azure. The connection does not traverse the public internet.

Instead, ExpressRoute circuits run over Layer 2 or Layer 3 connections through authorized connectivity providers. This delivers lower latency, higher throughput, and built-in redundancy compared to site-to-site VPNs.

Each ExpressRoute circuit includes two physical connections for fault tolerance. This redundancy supports the reliability requirements of regulated industries — healthcare, financial services, and government.

ExpressRoute Pricing (2026)

ExpressRoute uses a tiered pricing model based on geographic reach:

• ExpressRoute Local — $0/month metered, plus bandwidth charges. Provides connectivity to Azure regions in the same metropolitan area as the peering location. For workloads that primarily egress within one region.
• ExpressRoute Standard — $300/month for 1 Gbps, plus bandwidth charges. Provides cross-region connectivity across all Azure regions in one geopolitical area (e.g., all U.S. regions).
• ExpressRoute Premium — $300/month add-on to Standard. Extends connectivity to all Azure regions globally and to Microsoft 365 services worldwide.

ExpressRoute vs. VPN Gateway

Both connect on-premises infrastructure to Azure. The right choice depends on your bandwidth and reliability requirements:

• ExpressRoute — Private, dedicated connection. Higher bandwidth (up to 100 Gbps). Lower latency. SLA-backed. Higher cost. Best for mission-critical production workloads.
• VPN Gateway — Public internet traversal over encrypted tunnel. Lower bandwidth (up to ~10 Gbps Gateway). Lower cost. Best for lower-priority workloads, disaster recovery, or where ExpressRoute providers are unavailable.

Many enterprises use both: ExpressRoute for primary connectivity and VPN Gateway as a failover path.

Encryption over ExpressRoute

ExpressRoute circuits are private but not encrypted by default. For organizations that require encryption (HIPAA, PCI DSS), two options are available:

• MACsec (IEEE 802.1AE) — Layer 2 encryption on ExpressRoute Direct ports. Encrypts traffic between your routers and the Microsoft edge. Available on ExpressRoute Direct only (10 Gbps, 100 Gbps ports).
• IPsec VPN over ExpressRoute — Layer 3 encryption. Run an IPsec tunnel over the ExpressRoute circuit. Available on all ExpressRoute tiers. Adds encryption overhead but works on shared provider circuits.

ExpressRoute Direct

ExpressRoute Direct gives you direct physical connections to Microsoft's global network at peering locations — no connectivity provider in between.

• Available in 10 Gbps and 100 Gbps port speeds.
• Supports multiple ExpressRoute circuits on a single physical port.
• Supports MACsec for Layer 2 encryption.
• Best for the highest-bandwidth requirements (large-scale data migrations, media production, wholesale connectivity).

EPC Group ExpressRoute Consulting

EPC Group designs and deploys ExpressRoute circuits for enterprise clients. Our engagement covers:

• Provider selection — Identify the best connectivity provider for your physical location and bandwidth needs.
• Circuit design — Tier selection (Local, Standard, Premium), bandwidth sizing, and redundancy planning.
• Routing design — BGP configuration, private peering, and Microsoft peering for Microsoft 365 traffic.
• Encryption — Configure MACsec or IPsec based on your compliance requirements (HIPAA, PCI DSS, FedRAMP).
• Failover design — VPN Gateway backup path configuration and failover testing.

Frequently asked questions

What is Azure ExpressRoute?

Azure ExpressRoute provides a private, dedicated network connection between your on-premises infrastructure and Microsoft Azure datacenters. This connection does not use the public internet.

It employs Layer 2 or Layer 3 connections through authorized providers. This setup ensures lower latency and higher reliability.

How much does ExpressRoute cost?

ExpressRoute offers different pricing options based on your needs:

• ExpressRoute Local: $0/month metered, plus bandwidth charges.
• ExpressRoute Standard: $300/month for 1 Gbps, plus bandwidth.
• ExpressRoute Premium: Adds $300/month for global reach and Microsoft 365 connectivity.

What is the difference between ExpressRoute and VPN Gateway?

ExpressRoute is a private and dedicated connection. It does not use the public internet. In contrast, VPN Gateway runs an encrypted tunnel over the public internet.

Here are some key differences between the two:

• ExpressRoute: Offers higher bandwidth, lower latency, and SLA-backed reliability.
• VPN Gateway: Is lower cost and available anywhere.

Is ExpressRoute encrypted?

ExpressRoute circuits are private but not encrypted by default. You can add MACsec (Layer 2, ExpressRoute Direct only) or run IPsec VPN tunnels over the circuit (Layer 3, all tiers) to meet HIPAA, PCI DSS, or FedRAMP encryption requirements.

What bandwidth options does ExpressRoute offer?

ExpressRoute bandwidth options: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 100 Gbps (ExpressRoute Direct only). Most enterprise clients start at 1 Gbps and scale up with usage.

Design your ExpressRoute architecture

Talk to an EPC Group network architect about ExpressRoute circuit design, provider selection, and compliance configuration. Call (888) 381-9725 or request a 30-minute discovery call.