Ignite 2025: ErGwScale GA, 400G Direct, and VPN Advanced Connectivity

Blog ENG - MS Azure - Post 10 2025

At Ignite 2025, Azure Networking shipped exactly what many of us have been asking for:

Elastic ExpressRoute gateway (ErGwScale)
Fatter private pipes (400G Direct)
Encrypted overlays at line‑rate (VPN Gateway Advanced Connectivity)

Below I’ll cut through the noise with a technical article: when to use each capability, design patterns that scale, and the gotchas you’ll want to avoid.

1) ExpressRoute Scalable Gateway (ErGwScale) is GA: capacity without forklift upgrades

ErGwScale is a new ExpressRoute virtual network gateway SKU that scales from 1 to 40 “scale units”. You can run it auto‑scaled (set min/max) based on bandwidth or flow utilization, or fixed for deterministic throughput. Max throughput tops out at ≈40 Gbps (data‑plane via the gateway) with materially higher PPS and flow ceilings as you add units. Scale operations typically complete in ≤30 minutes.

We finally get capacity elasticity for hybrid backbones without disruptive gateway swaps. For bursty data movement (e.g., periodic ingest, analytics waves), we can dial min/max to maintain guardrails yet avoid over‑provisioning. For steady state or regulated environments, we lock both values to a fixed rate for predictable behavior.

Upgrade & migration:
– From ErGw1/2/3Az: in‑place upgrade directly to ErGwScale.
– From Standard/HighPerformance/UltraPerformance: use the guided migration (parallel gateway, minimal disruption), then delete the old one when the cutover is complete.

Caveats:
– IPsec over ExpressRoute is not supported on ErGwScale.
– Standard public IP required; Basic is not supported.
– Region availability is broad but not universal (check the Learn page before stamping hubs).

2) ExpressRoute 400G Direct ports: AI‑scale private connectivity (announced; starts 2026)

Microsoft announced 400 Gbps ExpressRoute Direct ports to meet AI/HPC data gravity needs, with availability targeted for 2026. If you’re today running banks of 100G, this means fewer optics, fewer LAG members, cleaner jitter profiles, and simpler operations, with room to aggregate to multi‑terabit bandwidth cleanly.

What to do now:
– Continue to design on dual 10/100G Direct pairs (today’s ER Direct spec), and plan a clean optical + router silicon path to 400G.
– Revisit power budgets, line card density, SRv6/ECMP strategies, and MACsec posture. Today’s ER Direct documentation lists dual 10G/100G; treat 400G as forward‑planning for 2026 RFPs and capacity programs.

3) VPN Gateway “Advanced Connectivity”: encrypted overlays at up to 20 Gbps (preview)

“Advanced Connectivity” introduces High Bandwidth IPsec tunnels between your on‑prem VPN device and Azure VPN Gateway, with the traffic transiting ExpressRoute private peering and using FastPath for low latency.
You can establish up to four tunnels (two connections × two tunnels each), with ≈5 Gbps per tunnel and ≈20 Gbps aggregate (great for compliance‑bound flows that must be encrypted end‑to‑end even on private circuits).

Requirements:
– ExpressRoute Direct with FastPath (currently supported only on Direct port pairs for this feature).
– VpnGw5AZ (or highest SKU) for the VPN side; ER gateway must be a high‑bandwidth SKU (UltraPerformance, ErGw3AZ, or ErGwScale with ≥20 scale units as documented).

This lets you run encrypted “lanes” for sensitive traffic while leaving the rest of your ER private peering unencrypted (no public internet hairpin, no added latency tax).
Microsoft’s 2025 networking roundup also references the throughput uplift (≈ 20 Gbps per gateway, 5 Gbps per tunnel) as part of the broader hybrid performance story.

Gotchas & guardrails
– ErGwScale ≠ IPsec over ER: If you need encryption over the private peering, use Advanced Connectivity (VPN GW side), not the ER GW.
– GatewaySubnet sizing: use /26 or larger for large scale (many circuits/scale units) and future‑proofing; do not use NSGs/UDRs that block gateway control traffic.
– FastPath scope: verify your circuit type + ER connection support it; Advanced Connectivity currently ties to ER Direct FastPath.
– Regions: ErGwScale is broadly available but not everywhere; validate before hub placement.

Closing thought
Ignite 2025’s networking story is about determinism at scale: elastic gateways to follow your traffic curve, bigger private pipes for AI, and encrypted lanes where policy demands it. If “the network is the computer,” these three updates make that computer boringly reliable, which is precisely what our AI‑driven businesses need.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.