Choosing Your Hybrid Connection
Compare Site-to-Site VPN, Point-to-Site VPN, ExpressRoute, and Virtual WAN to make the right connectivity choice for any scenario.
This is the decision module. The exam presents scenarios and expects you to choose the right connectivity option. This module gives you the decision framework.
Hybrid Connectivity Decision Guide
Choosing a hybrid connection is like choosing how to commute. S2S VPN is driving your car (flexible, affordable, traffic varies). ExpressRoute is a private train line (fast, predictable, expensive). P2S VPN is ride-sharing for individuals. Virtual WAN is hiring a transport company to manage all routes.
The Decision Matrix
| Feature | S2S VPN | P2S VPN | ExpressRoute | Virtual WAN |
|---|---|---|---|---|
| Connects | On-prem network to Azure VNet | Individual devices to Azure VNet | On-prem DC to Azure (private) | All of the above + multi-hub |
| Bandwidth | Up to 10 Gbps (VpnGw5) | Up to 10 Gbps (VpnGw5) | Up to 100 Gbps (Direct) | Scale units per gateway |
| Path | Public internet (encrypted) | Public internet (encrypted) | Private (provider network) | Mixed — VPN over internet, ER private |
| Latency | Variable (internet-dependent) | Variable | Low and predictable | Depends on connection type |
| SLA | 99.95% (active-active) | 99.95% | 99.95% (99.99% with premium HA) | 99.95% per hub |
| Setup time | Minutes to hours | Minutes | Weeks (provider provisioning) | Hours per hub |
| Monthly cost | Low (gateway + bandwidth) | Low (gateway based) | Medium-high (circuit + egress) | Medium-high (hub + gateways) |
| On-prem device | VPN appliance/software required | VPN client software | Provider-managed or Direct ports | VPN device and/or ER circuit |
| Encryption | IPsec built-in | IPsec/TLS built-in | Optional (MACsec or IPsec overlay) | Per connection type |
| Best scale | Under 30 sites | Under 10,000 users | 1-16 circuits | 30+ sites, global |
When to Use Each — Character Scenarios
🏪 Sam Nguyen — Harbour Retail: S2S VPN. 50 stores in NZ/AU. Each store has a small network. Sam doesn’t need the cost of ExpressRoute — S2S VPN provides encrypted connectivity at a fraction of the price. Active-active VPN Gateway for high availability.
🏢 Ravi Sharma — Pinnacle Financial: ExpressRoute. Enterprise with two data centres. Needs predictable latency, high throughput, and private connectivity. ExpressRoute Local SKU for the nearby DC, Premium for global reach. VPN as backup.
☁️ Elena Torres — Skyline Logistics: Virtual WAN. 15 countries. Dozens of branches. Multiple Azure regions. Manual hub-and-spoke would be unmanageable. VWAN provides automated hub-to-hub transit, centralised policy, and mixed connectivity (VPN for small branches, ExpressRoute for large DCs).
P2S VPN: Supplemental. P2S supplements the others. Ravi’s employees working from home use P2S with Entra ID auth. Sam’s IT admins use P2S for emergency access. Elena’s field engineers use P2S when visiting customer sites.
Coexistence Patterns
You don’t always choose just one. Common combinations:
ExpressRoute + VPN Backup: Primary traffic flows over ExpressRoute (low latency, high bandwidth). If the ER circuit fails, traffic automatically fails over to the S2S VPN tunnel. BGP manages the failover — ER routes are preferred; when withdrawn, VPN routes take over.
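The ER-preferred, VPN-as-backup behaviour described above, modelled as an added Python example that is not part of this module: a tiny gateway route table that prefers ExpressRoute-learned prefixes, falls back to the S2S VPN path when the circuit's routes are withdrawn, and also shows the longest-prefix-match caveat (a more specific prefix advertised over VPN wins regardless of source preference). The preference values, prefixes and next-hop labels are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed preference order: the lower value wins. Azure prefers prefixes
# learned over ExpressRoute to the same prefixes learned over S2S VPN.
PREFERENCE = {"ExpressRoute": 10, "S2S-VPN": 20}


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "10.10.0.0/16"
    next_hop: str  # label for the ER peer or VPN tunnel (constructed)
    source: str    # "ExpressRoute" or "S2S-VPN"


@dataclass
class GatewayRib:
    """Minimal model of the gateway's route table holding every learned path."""
    routes: set = field(default_factory=set)

    def advertise(self, route: Route) -> None:
        self.routes.add(route)

    def withdraw(self, source: str) -> None:
        """A circuit or tunnel going down: BGP withdraws every prefix it carried."""
        self.routes = {r for r in self.routes if r.source != source}

    def lookup(self, ip: str):
        """Longest-prefix match first, then source preference as the tie-breaker."""
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes
                   if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        return min(matches, key=lambda r: (
            -ipaddress.ip_network(r.prefix).prefixlen, PREFERENCE[r.source]))


def failover_demo():
    """Constructed scenario: on-prem 10.10.0.0/16 reachable over both ER and VPN."""
    rib = GatewayRib()
    rib.advertise(Route("10.10.0.0/16", "er-private-peer", "ExpressRoute"))
    rib.advertise(Route("10.10.0.0/16", "vpn-tunnel-1", "S2S-VPN"))
    before = rib.lookup("10.10.5.20").source    # ER preferred while both are up
    rib.withdraw("ExpressRoute")                # circuit fails, its routes go away
    after = rib.lookup("10.10.5.20").source     # traffic now follows the VPN path
    return before, after
```

Monitoring which source currently wins for your on-prem prefixes is a cheap way to notice a silent failover, or a stray more-specific VPN advertisement pulling traffic off the circuit.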
VWAN with Mixed Connectivity: Large DCs connect via ExpressRoute to the VWAN hub. Small branches connect via S2S VPN. Remote workers connect via P2S. VWAN manages all of these through a single hub.
S2S VPN + P2S on Same Gateway: A single VPN Gateway can handle both S2S tunnels (office connectivity) and P2S connections (remote workers). Both run simultaneously on the same gateway.
Custom Hub-and-Spoke vs Virtual WAN
| Feature | Custom Hub-and-Spoke | Virtual WAN |
|---|---|---|
| Hub management | You build and manage (VNet + NVAs + gateways) | Azure manages the hub infrastructure |
| Routing | Manual UDRs and route tables | Automatic with optional custom route tables |
| Hub-to-hub | Manual peering + routing | Automatic backbone connectivity |
| Firewall | Deploy and manage Azure Firewall yourself | Deploy in hub with routing intent |
| NVA flexibility | Full IaaS control — any NVA | Limited to approved partner NVAs |
| Customisation | Maximum — you control everything | Less — Azure makes some decisions |
| Complexity | High at scale | Lower — managed service |
| Cost | Pay for individual resources | Hub fee + gateway scale units |
| Best for | Under 10 VNets with custom requirements | 10+ VNets or global multi-region |
Exam Decision Scenarios
When the exam presents a scenario, use this elimination process:
Step 1 — Does it need private connectivity (no public internet)? Yes → ExpressRoute. No → VPN is fine.
Step 2 — Is it one device or a network? One device → P2S. Network → S2S or ExpressRoute.
Step 3 — How much bandwidth? Under 10 Gbps → VPN can work. Over 10 Gbps → ExpressRoute.
Step 4 — How many sites/regions? Under 10 sites, one region → Custom hub-and-spoke. Over 10 sites or multi-region → Virtual WAN.
Step 5 — Is there a latency requirement? Predictable, low latency → ExpressRoute. Acceptable, variable → VPN.
Step 6 — Budget constraints? Tight budget → S2S VPN. Medium → ExpressRoute Standard. Flexible → ExpressRoute Premium or VWAN.
Common exam traps:
- “Company needs private connectivity” = ExpressRoute (VPN goes over internet, even though encrypted)
- “Company has 50 branch offices worldwide” = Virtual WAN (too many for manual hub-and-spoke)
- “Remote workers need Conditional Access” = P2S with OpenVPN and Entra ID auth
- “Backup for ExpressRoute” = S2S VPN as backup (not another ER circuit in the same location)
Key Takeaways
- S2S VPN: simple, affordable, internet-based. Best for small-to-medium sites.
- ExpressRoute: private, predictable, high-bandwidth. Best for enterprise DCs.
- Virtual WAN: managed hub-and-spoke at scale. Best for global multi-site.
- P2S VPN: supplemental for individual devices. Entra ID auth for Conditional Access.
- Coexistence is common — ER + VPN backup, VWAN with mixed connections.
Test Your Knowledge
A startup with 3 offices and a modest budget needs to connect to Azure. They don't need predictable latency. What should they choose?
Elena's company has 50 offices across 15 countries, with data centres on 3 continents using ExpressRoute and smaller branches using VPN. What connectivity approach should she use?