Azure ExpressRoute and VPN Gateway

When an organisation migrates workloads to Azure, it typically needs its on-premises offices, data centres, and users to communicate with Azure resources privately — without traffic traversing the public internet. This is required for security (avoid exposure to internet threats), compliance (some regulations prohibit certain data travelling over public networks), and performance (predictable latency without internet congestion). Azure provides two connectivity options: Azure VPN Gateway (encrypted tunnels over the internet) and Azure ExpressRoute (dedicated private circuits).

An Azure VPN Gateway is a managed gateway resource deployed in a virtual network that creates encrypted IPsec/IKE tunnels between Azure and on-premises networks. It supports two types of connections: Site-to-Site (S2S) — connecting an entire on-premises network to Azure VNet, typically from a physical VPN device; and Point-to-Site (P2S) — individual clients (laptops, developer machines) connect to Azure using the Azure VPN client application. S2S is for branch-to-cloud; P2S is for remote workers.