Q. What types of traffic can be sent using ExpressRoute?
A. A regular site-to-site VPN connects an on-premises network to a virtual network in Azure, whereas ExpressRoute offers a greater range of connectivity to Azure and additional Microsoft services. That connectivity falls into three types of Microsoft cloud, and as the administrator you control which of these are enabled for your ExpressRoute connection (note that the last cloud type is not available with all carriers and locations):
- Traffic to Virtual Networks (private peering). This is the same as the site-to-site VPN option and connects your on-premises network to Virtual Networks in Azure.
- Traffic to Azure Public IPs (public peering). This expands connectivity to most other Azure services, such as storage and Azure Websites; in fact, nearly every service is covered, with the exception of those documented at https://azure.microsoft.com/en-us/documentation/articles/expressroute-faqs/#supported-services
- Traffic to Office 365 Services (Microsoft peering). This expands connectivity to the Office 365 services. It is not available with all carriers and locations; check https://azure.microsoft.com/en-us/documentation/articles/expressroute-locations/ for which ones support Office 365.
As the administrator of your ExpressRoute connection, you control which are enabled, and while it may seem a no-brainer to always enable public peering, some organizations have objections. Why? Because traffic to Azure now bypasses the normal route to the Internet and instead goes via the dedicated ExpressRoute path. This is an issue if certain monitoring and data leakage prevention solutions are in place to inspect traffic leaving the on-premises network via the Internet, because traffic to Azure/Office 365 would now bypass them. If using EXP, these solutions could still be deployed, but it is still a consideration.
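
The bypass described above can be checked before peering is enabled by comparing route tables. The following is an added example, not part of the original answer: the prefixes are constructed documentation ranges (not real Azure or Office 365 ranges), and the path names and the `newly_bypassing` helper are hypothetical.

```python
import ipaddress

# Constructed route tables for an on-premises edge (documentation prefixes).
# "internet-dlp" is the egress that passes through the monitoring/DLP stack.
BEFORE = [
    ("0.0.0.0/0",    "internet-dlp"),
    ("10.20.0.0/16", "expressroute-private"),       # Azure virtual network
]
AFTER = BEFORE + [
    ("198.51.100.0/24", "expressroute-public"),     # stand-in: Azure public IPs
    ("203.0.113.0/25",  "expressroute-microsoft"),  # stand-in: Office 365
]
INSPECTED_PATHS = {"internet-dlp"}

def next_hop(dst, routes):
    """Longest-prefix match: return the path chosen for a destination IP."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def newly_bypassing(flows, before, after, inspected=INSPECTED_PATHS):
    """Flows that were inspected before the change and are not afterwards."""
    moved = []
    for name, dst in flows:
        old, new = next_hop(dst, before), next_hop(dst, after)
        if old in inspected and new not in inspected:
            moved.append((name, dst, new))
    return moved

# Constructed sample flows leaving the on-premises network.
FLOWS = [
    ("storage-upload", "198.51.100.40"),
    ("o365-mail",      "203.0.113.10"),
    ("o365-other",     "203.0.113.200"),  # outside the /25: stays on Internet
    ("vm-rdp",         "10.20.3.4"),      # private peering in both tables
    ("web-browsing",   "192.0.2.80"),
]

if __name__ == "__main__":
    for name, dst, path in newly_bypassing(FLOWS, BEFORE, AFTER):
        print(f"{name:15} {dst:15} now via {path}, no longer inspected")
```

Feeding it the prefixes your provider actually advertises over each peering gives the set of destinations that the Internet-facing monitoring would stop seeing.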