
VPN Explained: Site-to-Site, Remote Access and Zero Trust Trade-Offs

9 min read · Updated May 2026 · By TechDirectory Editorial Team


In a nutshell: A VPN creates an encrypted tunnel over an untrusted network. It is still useful, but it is not a security strategy by itself. The real design question is who can connect, what they can reach, how devices are verified and how traffic is monitored.

What a VPN actually does

A virtual private network connects users, offices, cloud networks or partners over an encrypted tunnel. The goal is to protect traffic over networks you do not control, such as the public internet, hotel Wi-Fi or a broadband underlay.

Business VPNs usually fall into two families. Site-to-site VPNs connect networks, such as a branch firewall to a data-centre firewall. Remote-access VPNs connect individual users or devices to corporate applications.

Common VPN types

| Type | Where it fits | Watch-outs |
| --- | --- | --- |
| IPsec site-to-site | Branch, data centre, partner and cloud network tunnels. | Key rotation, routing, tunnel failover, NAT traversal and crypto policy drift. |
| SSL/TLS remote access | User access from laptops or managed endpoints. | MFA, posture checks, client health, split tunnelling and least privilege. |
| Clientless portal VPN | Browser access to selected web apps. | Limited app support and risk of over-exposing internal web systems. |
| Cloud VPN | Connecting enterprise networks to cloud VPCs/VNets. | Throughput limits, route propagation, availability zones and HA design. |

VPN vs zero trust access

Traditional VPNs often put an authenticated user onto a broad internal network. Zero trust network access narrows the model: the user, device, identity, application and context are evaluated before access is granted to a specific resource.

That does not make VPNs obsolete overnight. Site-to-site tunnels, cloud network tunnels and emergency remote access still exist. But remote workforce access should be reviewed carefully if a VPN gives users more network reach than they need.
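One way to run the reach review described above, as an added example that is not part of the original article: it compares the address space each VPN group's pushed routes expose with the application endpoints the group needs, and lists the per-application routes a narrower policy would use. The group names, routes and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data (hypothetical groups, routes and app addresses).
VPN_GROUP_ROUTES = {
    "finance": ["10.0.0.0/8"],
    "contractors": ["10.20.30.0/24", "10.20.40.10/32"],
}
REQUIRED_APPS = {
    "finance": {"erp": "10.20.30.15", "payroll": "10.20.31.8"},
    "contractors": {"ticketing": "10.20.40.10", "wiki": "10.50.1.5"},
}


def review_group(routes, apps):
    """Compare the reach a group's VPN routes grant with what it needs."""
    # Merge overlapping or adjacent routes so addresses are counted once.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in routes))
    reachable = sum(n.num_addresses for n in nets)

    # Distinct application endpoints, and the subset the routes cover.
    needed = {ipaddress.ip_address(a) for a in apps.values()}
    covered = {ip for ip in needed if any(ip in n for n in nets)}
    unreachable = sorted(name for name, a in apps.items()
                         if ipaddress.ip_address(a) not in covered)
    return {
        # Every address inside the routed prefixes.
        "reachable_addresses": reachable,
        # Addresses the group can reach but has no stated need for.
        "excess_addresses": reachable - len(covered),
        # Needed apps the current routes do not reach at all.
        "unreachable_apps": unreachable,
        # Host routes a per-application policy would push instead.
        "per_app_routes": [f"{ip}/32" for ip in sorted(needed)],
    }


if __name__ == "__main__":
    for group, routes in VPN_GROUP_ROUTES.items():
        print(group, review_group(routes, REQUIRED_APPS[group]))
```

A large `excess_addresses` value marks a group whose tunnel grants far more network reach than its applications require, which is the case the review should prioritise.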

Performance and operations

VPN throughput depends on firewall capacity, encryption overhead, packet size, latency, route path and whether traffic is hairpinned through a central site. A 1 Gbps internet link does not mean a firewall can encrypt 1 Gbps of VPN traffic with all security features enabled.

Operations also matter: certificate expiry, shared secrets, stale user accounts, unmanaged devices and forgotten partner tunnels are common failure and risk sources.

VPN buyer checklist

Sources and further reading
