Use ExpressRoute Gateway for IPSec connection

Nithin Radhakrishnan 20 Reputation points
2023-12-28T05:36:50.4233333+00:00

Hi,

I'm planning to have ExpressRoute for the Hub network. Since it is taking some delay from the provider, I'm planning to have an IPSec connection for the time being. Can I deploy an ExpressRoute Gateway and use it for IPSec? Once the ExpressRoute circuit is completed, I will use the same gateway for ExpressRoute.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

Accepted answer
  1. GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee
    2023-12-28T08:34:31.96+00:00

    Hello @Nithin Radhakrishnan ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if you can deploy an ExpressRoute Gateway and use it for IPSec.

    ExpressRoute supports a couple of encryption technologies to ensure confidentiality and integrity of the data traversing between your network and Microsoft's network. This requires you to have an ExpressRoute circuit.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-encryption#end-to-end-encryption-by-ipsec-faq

    https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

    But from your question, I understand that the ExpressRoute circuit is yet to be set up and you just want to use an IPSec connection for the time being to connect to Azure.

    ExpressRoute gateway is used to send network traffic on a private connection and is used when configuring ExpressRoute. With ExpressRoute gateway, you can create a connection to link a virtual network to an Azure ExpressRoute circuit. It is not used for IPSec connection.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager

    If you want to configure IPSec connection, you need to consider VPN gateway, which is used to send encrypted traffic across the public Internet. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-configure-vnet-connections#network-to-network-vpn-connection

    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/

    https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

    My suggestion is as below:

    • Create a gateway subnet with /27 or a shorter prefix and deploy a route-based (non-Basic SKU) VPN gateway in Azure and connect to your on-premises for the time being.
    • Later when the ExpressRoute circuit is provisioned and active, you can create an ExpressRoute gateway in the same gateway subnet and connect it to your ExpressRoute circuit and delete the existing VPN gateway. Or you can keep both the gateways as a coexisting setup if required.

    Refer: https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

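The interim VPN step from the first bullet of the accepted answer, sketched with Azure CLI as an added example that is not part of the original answer. Resource names, address ranges and the VpnGw1 SKU are assumptions; the later ExpressRoute gateway step is left out.

```shell
#!/usr/bin/env bash
# Added example; every name and address below is a placeholder (assumption).
# Set AZ=echo to print the commands (shared key included) instead of running them.
AZ="${AZ:-az}"
RG="rg-hub"; VNET="vnet-hub"; GW="vpngw-hub"
GW_SUBNET_PREFIX="10.0.255.0/27"   # constructed; must sit inside the hub VNet
ONPREM_PEER_IP="203.0.113.10"      # documentation range, stands in for the on-prem VPN device
ONPREM_PREFIX="192.168.0.0/16"     # constructed on-premises address space

# The answer asks for /27 or a shorter prefix, i.e. a prefix length of 27 or less.
gateway_subnet_ok() {
  len="${1##*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 27 ]
}

create_gateway_subnet() {
  gateway_subnet_ok "$GW_SUBNET_PREFIX" || { echo "GatewaySubnet must be /27 or larger" >&2; return 1; }
  "$AZ" network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
}

create_vpn_gateway() {
  "$AZ" network public-ip create --resource-group "$RG" --name "${GW}-pip" \
    --sku Standard --allocation-method Static
  # Route-based and a non-Basic SKU, as the answer recommends.
  "$AZ" network vnet-gateway create --resource-group "$RG" --name "$GW" \
    --vnet "$VNET" --public-ip-addresses "${GW}-pip" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

connect_onprem() {
  # Read the pre-shared key from the environment so it is never stored in the script.
  : "${VPN_PSK:?export VPN_PSK before calling connect_onprem}"
  "$AZ" network local-gateway create --resource-group "$RG" --name onprem-lgw \
    --gateway-ip-address "$ONPREM_PEER_IP" --local-address-prefixes "$ONPREM_PREFIX"
  "$AZ" network vpn-connection create --resource-group "$RG" --name hub-to-onprem \
    --vnet-gateway1 "$GW" --local-gateway2 onprem-lgw --shared-key "$VPN_PSK"
}
```

Call `create_gateway_subnet`, `create_vpn_gateway` and `connect_onprem` in that order; gateway creation can take a long time to complete.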
