3.1. Site-to-Site VPN

Site-to-Site (S2S) VPN creates encrypted tunnels over the public internet, connecting your on-premises network to Azure. Think of it as a secure, private hallway between two buildings—anyone watching the traffic sees only encrypted gibberish.

💡 First Principle: S2S VPN trades bandwidth for accessibility. Unlike ExpressRoute, which requires physical circuit provisioning, VPN works anywhere with internet access. The trade-off? You're sharing bandwidth with everyone else on the internet, and latency depends on the path your traffic takes.

When to choose S2S VPN:

• Development/test environments where cost matters more than performance
• Branch offices without ExpressRoute availability
• Backup connectivity for ExpressRoute circuits
• Quick deployments (hours, not weeks)