In March 2020, every enterprise VPN concentrator got a call it wasn't sized for. Ops teams doubled capacity over a weekend, pushed full-tunnel configs to laptops that would now route Zoom through headquarters, and declared victory. Six years later, a surprising number of those same configurations are still running. The pandemic broke the network architecture. Nobody rebuilt it.
Hybrid work isn't a temporary condition. It's the operating mode. And the operating mode doesn't fit an architecture designed to pull every packet back to a corporate firewall before it reaches Microsoft 365.
The VPN-everywhere problem
The full-tunnel VPN was built for a world where most of what the user needed lived inside the corporate network — file shares, intranet apps, AD-integrated services. In 2026 that distribution has inverted. The user opens their laptop and immediately talks to M365, Salesforce, ServiceNow, GitHub, a handful of SaaS tools, and maybe — maybe — one or two internal apps.
Routing that traffic through a VPN concentrator in us-east-1 to reach a Microsoft endpoint also in us-east-1 is absurd. The user experience is bad, the backhaul is expensive, and the security theater is just that — theater. The VPN isn't inspecting TLS, your SaaS vendors already authenticate the user, and the only thing the detour accomplishes is worse latency.
ZTNA and SASE: what's real, what's marketing
Zero Trust Network Access (ZTNA) is the replacement for the always-on VPN. SASE (Secure Access Service Edge) is the marketing umbrella that bundles ZTNA with SWG, CASB, DLP, and FWaaS. The real vendors in 2026 — Zscaler, Netskope, Cloudflare, Palo Alto Prisma — deliver most of these in working form, though quality varies wildly from module to module.
What you want architecturally:
- Identity-aware proxy in front of internal applications. No IP allowlisting, no VPN. The user authenticates to the proxy; the proxy brokers the connection to the internal app. Cloudflare Access, Google IAP, Tailscale, Twingate, Zscaler Private Access — pick your flavor.
- Direct-to-SaaS routing for M365, Salesforce, etc. The endpoint connects to the SaaS over the open internet. Authentication, DLP, and threat inspection happen at a cloud-hosted security edge, not in your datacenter.
- Split DNS with intelligent routing. Internal hostnames resolve to the ZTNA proxy. External hostnames resolve normally. No "VPN on/off" toggle.
- Device posture as an access condition. The ZTNA broker checks the MDM signal before brokering.
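The four points above describe one component: a broker that authenticates the user, checks the device's MDM posture, and only then opens a connection to the internal app. The following is an added example in Go (not code from the original post or from any of the vendors named) of that decision and proxy flow in miniature. It assumes a session store the broker has already populated from a verified identity-provider token and an MDM lookup (here a constructed in-memory map keyed by bearer token), an in-process stand-in for the internal app, a constructed policy (group "eng", patches no older than 30 days), and a hypothetical `X-Authenticated-User` header carrying the verified identity to the app.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Session is the broker's record for one user on one device: identity from
// the IdP plus device posture from the MDM. Constructed for this example; a
// real broker fills it from a verified OIDC token and a live MDM lookup.
type Session struct {
	Subject        string
	Groups         map[string]bool
	Managed        bool // MDM-enrolled
	DiskEncrypted  bool
	OSPatchAgeDays int
}

// AppPolicy is what one internal application requires of a caller.
type AppPolicy struct {
	RequiredGroup   string
	MaxPatchAgeDays int
}

// Decide is the access decision: identity AND device posture must both pass.
func Decide(s *Session, pol AppPolicy) (bool, string) {
	switch {
	case s == nil || s.Subject == "":
		return false, "unauthenticated"
	case !s.Managed:
		return false, "device not MDM-managed"
	case !s.DiskEncrypted:
		return false, "disk not encrypted"
	case s.OSPatchAgeDays > pol.MaxPatchAgeDays:
		return false, "OS patch level too old"
	case !s.Groups[pol.RequiredGroup]:
		return false, "user not in required group"
	}
	return true, "ok"
}

// Broker is the identity-aware proxy: terminate, decide, then connect to the app.
type Broker struct {
	Sessions map[string]*Session // bearer token -> session
	Policy   AppPolicy
	Upstream *httputil.ReverseProxy
}

func (b *Broker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	sess := b.Sessions[tok] // nil for a missing or unknown token
	if ok, reason := Decide(sess, b.Policy); !ok {
		http.Error(w, "access denied: "+reason, http.StatusForbidden)
		return // the app never sees this request
	}
	r.Header.Del("Authorization") // the client's token stops here
	r.Header.Set("X-Authenticated-User", sess.Subject) // hypothetical header name
	b.Upstream.ServeHTTP(w, r)
}

// Probe sends one request through the broker and returns status and body.
func Probe(b *Broker, token string) (int, string) {
	req := httptest.NewRequest("GET", "http://intranet.corp.example.com/", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	b.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// DemoBroker: constructed sessions plus an in-process stand-in for the app.
func DemoBroker() (*Broker, func()) {
	app := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-Authenticated-User"))
	}))
	u, _ := url.Parse(app.URL)
	eng := map[string]bool{"eng": true}
	b := &Broker{
		Policy:   AppPolicy{RequiredGroup: "eng", MaxPatchAgeDays: 30},
		Upstream: httputil.NewSingleHostReverseProxy(u),
		Sessions: map[string]*Session{
			"tok-good":  {Subject: "alice", Groups: eng, Managed: true, DiskEncrypted: true, OSPatchAgeDays: 3},
			"tok-byod":  {Subject: "bob", Groups: eng, Managed: false}, // unmanaged personal laptop
			"tok-stale": {Subject: "carol", Groups: eng, Managed: true, DiskEncrypted: true, OSPatchAgeDays: 45},
		},
	}
	return b, app.Close
}

func main() {
	b, cleanup := DemoBroker()
	defer cleanup()
	for _, t := range []string{"tok-good", "tok-byod", "tok-stale", "tok-bogus"} {
		code, body := Probe(b, t)
		fmt.Printf("%-11q -> %d %s\n", t, code, strings.TrimSpace(body))
	}
}
```

Two design points are the whole argument of the section: the decision is a pure function over identity and posture, so it can be tested and audited without touching the network, and the upstream connection is opened only after a positive decision, so an unmanaged or out-of-date device never reaches the app, regardless of which network it is on.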
DNS-based split tunneling is the unglamorous win
The fastest wins I've seen on hybrid-work network projects aren't rip-and-replace. They're DNS. Move to a managed resolver (Cloudflare Gateway, Cisco Umbrella, NextDNS for smaller shops), push it to endpoints via MDM, and let it make routing decisions:
- Resolve *.corp.example.com to the ZTNA broker.
- Resolve *.microsoft.com, *.salesforce.com, *.okta.com direct.
- Block known-bad domains at the resolver.
- Log everything.
This is a weekend of work for a mid-size org and eliminates 80% of the reasons anyone had a full-tunnel VPN in the first place. It also gives you DNS-layer threat blocking and visibility for every endpoint, on or off the corporate network.
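The routing policy just described is a small rule engine, and the part that matters for security is how names are matched. The following is an added example in Go (not code from the original post or from any resolver product) of that policy as code. It assumes the rule semantics of the managed resolvers named above as this author understands them: a suffix rule matches the apex and every name under it, on label boundaries only, the most specific rule wins, and a block rule wins any tie. The rule set is the one from the text plus two constructed entries, a public site under the corp zone and a known-bad domain `evil.example`.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is what the resolver does with a name.
type Action int

const (
	Direct Action = iota // public resolution; the endpoint goes straight to the SaaS
	Broker               // answer with the ZTNA broker so the app is reached through it
	Block                // sinkhole: known-bad
)

func (a Action) String() string {
	return [...]string{"direct", "broker", "block"}[a]
}

// Rule maps a DNS suffix to an action. A suffix matches itself and every name
// below it, on label boundaries only: "microsoft.com" does not match
// "evilmicrosoft.com". A leading "*." is accepted and ignored.
type Rule struct {
	Suffix string
	Action Action
}

// Resolver holds the routing policy plus a decision log ("log everything").
type Resolver struct {
	rules []Rule
	log   []string
}

func NewResolver(rules []Rule) *Resolver {
	r := &Resolver{}
	for _, rule := range rules {
		rule.Suffix = normalize(strings.TrimPrefix(rule.Suffix, "*."))
		r.rules = append(r.rules, rule)
	}
	return r
}

// normalize lower-cases a name and strips whitespace and a trailing root dot.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// matchesSuffix is the label-boundary check; a bare strings.HasSuffix would
// let a lookalike registered domain ride a direct-to-SaaS rule.
func matchesSuffix(host, suffix string) bool {
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// Route returns the action for a name: longest matching suffix wins, Block
// wins a tie, and an unmatched name resolves Direct like any public name.
func (r *Resolver) Route(name string) Action {
	host := normalize(name)
	best, bestLen, matched := Direct, -1, false
	for _, rule := range r.rules {
		if !matchesSuffix(host, rule.Suffix) {
			continue
		}
		if n := len(rule.Suffix); n > bestLen || (n == bestLen && rule.Action == Block) {
			best, bestLen, matched = rule.Action, n, true
		}
	}
	r.log = append(r.log, fmt.Sprintf("%s -> %s (rule matched: %t)", host, best, matched))
	return best
}

// Log returns a copy of the decisions made so far.
func (r *Resolver) Log() []string {
	return append([]string(nil), r.log...)
}

// DemoResolver is the policy from the text plus two constructed entries.
func DemoResolver() *Resolver {
	return NewResolver([]Rule{
		{"*.corp.example.com", Broker},
		{"public.corp.example.com", Direct}, // constructed: public site under the corp zone
		{"*.microsoft.com", Direct},
		{"*.salesforce.com", Direct},
		{"*.okta.com", Direct},
		{"evil.example", Block}, // constructed known-bad domain
	})
}

func main() {
	r := DemoResolver()
	for _, n := range []string{"wiki.corp.example.com", "public.corp.example.com",
		"login.microsoft.com.", "login.microsoft.com.evil.example", "evilmicrosoft.com"} {
		r.Route(n)
	}
	for _, line := range r.Log() {
		fmt.Println(line)
	}
}
```

The case worth checking in whatever resolver you deploy is the lookalike: `login.microsoft.com.evil.example` must hit the block rule, not the Microsoft direct rule, and `evilmicrosoft.com` must not inherit the direct rule at all. Both come down to matching on label boundaries, and the decision log is what lets you confirm the resolver actually did that.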
When VPN still makes sense
VPN isn't dead. It's narrower.
- Third-party or legacy applications that can't sit behind a modern identity-aware proxy — SCADA, old client-server apps, stuff that speaks proprietary TCP protocols.
- Administrative access to network infrastructure itself — jumping to a core switch or firewall management interface.
- Site-to-site connectivity — between datacenters, between cloud VPCs, between offices. IPsec and WireGuard aren't going anywhere here.
- Offline-first field scenarios where intermittent connectivity and bulk data transfer make a tunnel the simpler model.
The distinction: VPN for specific, justified use cases. Not "VPN by default, exceptions on request."
What the office network becomes
If all the security controls live at the identity and edge layer, what's the corporate LAN for? Mostly: print, conference room AV, on-site-only peripherals, and a reasonably good internet uplink. Treat the office network like a hotel network — untrusted by default, nothing sensitive on it, wired to the same ZTNA broker your remote users hit. SD-WAN for branches, direct internet breakout, no MPLS nostalgia.
The takeaway: If your hybrid-work architecture still starts with "connect to VPN," you're running 2015's network in 2026's operating model. Push DNS and identity to the edge, put internal apps behind an identity-aware proxy, and keep the VPN for the specific cases that actually need it. The user experience improves, the attack surface shrinks, and your VPN capacity becomes a budget line you can actually reduce.