ASR only replicates content over a public endpoint. Express Route can be used to replicate data, but VPN cannot be used for ASR replication traffic. While this is true for replication from on-prem to Azure, a restore process back to on-prem environment needs a Site to Site VPN connection which allows access to the configuration server on prem.