I'm trying to add IPSec Encryption to my ExpressRoute setup while also using Azure VPN for failover. I've heard it might be possible to use the same Azure VPN gateway for both purposes. My question is, can I leverage my current Azure VPN gateway for encrypting ExpressRoute traffic, or do I need to set up a new one? Any insights would be appreciated!
2 Answers
Unfortunately, you can't use the same VPN gateway for both standard VPN traffic and ExpressRoute traffic at the same time. It creates routing issues that are hard to manage. You'll need a separate gateway for this. Alternatively, there's MACsec, but that’s limited to the ExpressRoute Direct SKU. Just a heads up!
Yes, you can actually use your existing VPN gateway to create an IPSec connection to devices over an ExpressRoute circuit. This way, you can manage failover connections with the same VPN gateway. Just remember, you will always need an ExpressRoute gateway to terminate the ExpressRoute connection. Personally, I’d only go for the encryption if you absolutely need it for compliance reasons; it’s best to encrypt data at the application level first before complicating things further.
That’s a bit conflicting though, since the first answer said no. What’s the right approach?
Thanks for clarifying that! If I set up a new VPN gateway for ExpressRoute, will I still need the ExpressRoute gateway itself?
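A worked configuration of the layout the second answer describes (an ExpressRoute gateway that terminates the circuit, plus a VPN gateway with a private IP carrying IPsec over the circuit's private peering), added here as an illustration and not taken from the thread. All resource names, address ranges and the on-prem device address are assumed, and the Az.Network parameter names should be checked against the module version you run.

```powershell
# Added illustration, not from this thread. Assumed: resource group rg-hub,
# VNet vnet-hub with an existing GatewaySubnet (/27 or larger so both gateways
# fit), and an on-prem IPsec device at 10.200.0.4 reachable through the
# ExpressRoute circuit's private peering.
$rg  = 'rg-hub'
$loc = 'eastus'
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 1. ExpressRoute gateway: always required, it is what terminates the circuit.
$erPip  = New-AzPublicIpAddress -Name 'pip-ergw' -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard
$erConf = New-AzVirtualNetworkGatewayIpConfig -Name 'ergw-ipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $erPip.Id
New-AzVirtualNetworkGateway -Name 'ergw' -ResourceGroupName $rg -Location $loc `
    -GatewayType ExpressRoute -GatewaySku Standard -IpConfigurations $erConf

# 2. VPN gateway in the same GatewaySubnet, with a private IP enabled so an
#    IPsec tunnel can ride inside the circuit instead of the public internet.
#    The Basic SKU does not support this; use VpnGw1 or higher.
$vpnPip  = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
             -AllocationMethod Static -Sku Standard
$vpnConf = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconf' `
             -SubnetId $gwSubnet.Id -PublicIpAddressId $vpnPip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw' -ResourceGroupName $rg -Location $loc `
    -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -IpConfigurations $vpnConf -EnablePrivateIpAddress $true

# 3. Local network gateway = the on-prem IPsec endpoint, addressed by the
#    private IP learned over the circuit, not by its internet address.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress '10.200.0.4' -AddressPrefix '10.100.0.0/16'

# 4. Connection that uses the VPN gateway's private IP as its local endpoint.
#    The same gateway can still hold ordinary internet-facing S2S connections
#    for failover; only this connection is told to use the private address.
$psk = Read-Host 'Pre-shared key'   # keep the PSK out of scripts and history
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem-over-er' -ResourceGroupName $rg `
    -Location $loc -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -UseLocalAzureIpAddress $true
```

After deployment, confirm that the connection's local endpoint is the gateway's private IP and that the on-prem device's route to 10.200.0.4 goes via the circuit; if the tunnel instead comes up over the internet, the private IP setting or the device routing is wrong.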