Noob question: Why have a VPN tunnel between data centers when TLS can ensure data security?

Very noob question, please help explain. Thanks :slight_smile:

My boss’s very layman way of putting it:

“Why worry about a line of 10 different idiots to pass a bucket of water back and forth between source and destination all the time when you could just run a hose”

I suppose this is more of a transport metaphor than a security one but hey he’s been in the business longer so who am I to question it lol.

Two reasons:

  1. What about traffic that isn’t transported using HTTP/S and doesn’t use TLS?
  2. What about protecting traffic from TLS or certificate misconfiguration?
     • A network VPN certainly isn’t immune to failure or misconfiguration, but they fail/break/are broken much less frequently than server-side options.

There are applications that don’t support TLS. Also, you could leak metadata. Furthermore, it can be more convenient if you want to use legacy IP services which don’t have a public IP.

As a person more often on the audit/compliance side, it’s easier to make me happy this way. If I’m a regulator or auditor, and you’re running connections that go through any pipe that’s not explicitly owned and operated privately only for your company’s use, I need to now test that each one of them is encrypted and secured. Best practice, I’m doing this no matter what for every system, platform, protocol, etc. But, if you have a tunnel, I’m less likely to pitch a fit when one of your systems is using a deprecated protocol or isn’t locking down or encrypting every single packet that goes out.

Another flavor of this answer: it’s what has always passed audits in the past, so why change what works? There will be, at some point in the future, theoretically, an inflection point where encryption and other controls are inherent/built into the protocols and infrastructure, and we no longer have to scrutinize each connection as if it was hand coded in 1987. We are not quite there yet. So “it goes over VPN” is still the answer that even the auditor is looking for, and despite it being overkill if your teams are good at securing connections, it’s still probably easier than having to convince me otherwise.

In addition to what’s already been posted, if you didn’t have a VPN between two networks, then any device (assuming that everything was capable of TLS) that would need to receive connections from the other site would need to be opened up to the Internet. Then you will have a shit-ton of firewall NAT and security rules.

I feel like many posts are ignoring the simple fact that a routed VPN like IPsec or WireGuard allows private routability between sites for those TLS packets to transit across.

MPLS and MACsec :slight_smile: Why use a VPN when you can go L2?

Contrary opinion. A VPN tunnel is not about security. It’s a workaround for privately addressed networks.

Had that never been a thing, we would not be using tunnels.

You’re 100% right, both are not needed.

I expect most places it exists cos network and server teams are separate, and for a long time server to server comms would not have been encrypted, so doing it on the network level was required.

Ultimately IPsec and TLS offer similar levels of security, so it’s just a question of where and how you implement them. Wherever that is it’s gotta be done right.

I would need more information. Because yes, if you’re connecting to a server over https, then there’s a good argument that you don’t then also need that traffic to go over a VPN.

But if you’re going between two data centers, then it’s possible you’re doing some things that are a bit sensitive. Maybe not all of the traffic is encrypted. Maybe you don’t want it publicly visible what kinds of traffic are going back and forth.

Or let’s say it’s something simple, like you’re hosting a single website. It would be reasonable to argue that you don’t need a VPN because it’s already encrypted with HTTPS. But maybe the site doesn’t need to be available to anyone outside of the company, and putting the site on the internet means it’s going to get probed and prodded by potential attackers. You might get brute-force attacks on the server, or DDoS attacks. Or maybe the sign-in page itself has a security flaw that could be exploited, or the server isn’t patched. By requiring that the traffic go over a VPN tunnel, you avoid putting it on the public internet, and therefore you don’t need to worry about the mass of malicious activity that it might be hit by.
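To make the exposure argument from the last few replies concrete (a routed tunnel between the sites, nothing listening on the public interface except the tunnel endpoint, internal services reachable only through the tunnel), here is an added example that is not from anyone in this thread: an nftables input policy for a host at one site. The interface names eth0 and wg0, the remote site range 10.20.0.0/16 and the service ports are assumed values.

```nftables
# Added illustration, not from the thread. Host at site A, WireGuard tunnel on wg0.
# eth0, wg0, 10.20.0.0/16 and the service ports are assumptions.
table inet site_a_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections this host initiated.
        iif lo accept
        ct state established,related accept

        # The only thing exposed on the public interface is the tunnel
        # endpoint (WireGuard's default UDP port). No TCP service is
        # reachable from the Internet, so the application itself cannot be
        # probed or brute-forced from outside, whether or not it uses TLS.
        iifname "eth0" udp dport 51820 accept

        # Internal services (HTTPS on 443 and, for example, a legacy service
        # on 8080 that has no TLS support) are reachable only through the
        # tunnel and only from site B's private range (constructed value).
        iifname "wg0" ip saddr 10.20.0.0/16 tcp dport { 443, 8080 } accept

        # Everything else, including anything arriving on eth0 for 443 or
        # 8080, is dropped by the chain policy.
    }
}
```

The matching WireGuard peer entry on this host would set AllowedIPs to the same 10.20.0.0/16 range so that only site B's private addresses are routed into the tunnel; the firewall and the routing then agree on what the tunnel is for.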