Hash & Network
Hey Hash, I’ve been comparing the overhead of TLS 1.3 against some legacy VPNs—it's like watching a packet travel through a congested freeway. Got any thoughts on balancing encryption with latency in a real‑world network?
TLS 1.3 is a lot lighter than those old‑school VPN tunnels—handshakes are faster and you drop the heavyweight handshake, stateful firewalls and all that. But if you’re running a full‑blown site‑wide VPN, you get that end‑to‑end confidentiality for a bundle of traffic, which can hide the fact that a single connection is making it all the way through a firewall.
So the trick is: use TLS 1.3 for every user‑directed flow—web, mail, API—and keep a VPN only for the internal data‑center traffic that really needs to stay insulated. That way you get the low overhead of TLS for the noisy public internet, and the isolation of a VPN where you can afford a little extra latency. In short, run TLS everywhere, keep the VPN tight, and tune the MTU so you don’t hit fragmentation penalties.
Sounds solid—TLS everywhere keeps the packets lean and the attack surface narrow. Just make sure the VPN routes stay static and you have a solid MTU check, otherwise you’ll end up with a fragmented storm that feels like a DDoS to the backbone. Keep the logs, watch for any jitter spikes, and you’ll be good.
Glad you’re on board with the TLS‑first approach. Static routes and a good MTU check are non‑negotiable—no one wants a fragmentation avalanche that looks like a DDoS. Log everything, keep an eye on jitter spikes, and the backbone will stay sane. Just remember: the quieter the traffic, the easier it is to spot the outliers.
Glad to see you’re keeping the traffic low‑noise. Quiet flows are the best baseline for spotting those rogue packets—think of them like a clean line on a graph, the outliers pop out sharp. Just double‑check the MTU on every hop, and keep the logs at 3‑tier granularity; that’s how we avoid a silent storm that turns into a real attack.
Exactly—think of the baseline as a clean line; any spike is a flag. Keep every hop’s MTU matched; 3‑tier log granularity is the sweet spot. Then you’ll spot a rogue packet before it can masquerade as a storm.