Compliance alignment
This checklist is reviewed and maintained against three Microsoft architectural frameworks. Items within each section are tagged required, recommended, or optional based on framework guidance — with Zero Trust items typically driving the required bar, and Well-Architected pillar guidance informing the recommended set.
Naming and tagging are applied consistently at deployment time: all resources follow the CAF pattern {type}-{workload}-{env}-{locationAbbr}-{namingIndex}, with Workload, Environment, and createdBy tags applied automatically. The deployment is designed for hub VNet integration and supports CAF landing zone architectures. Governance items address resource locks, Azure Policy compliance, and the additional CAF-recommended tags — CostCenter, DataClassification, BusinessUnit, and ServiceClass — that must be supplied via the -Tags parameter before deployment.
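The naming and tagging conventions above, carried through a deployment in PowerShell. This is an added example and not the project's own deploy script: it assumes a Bicep template at ./main.bicep that accepts `resourceName` and `tags` parameters (those parameter names are assumptions), and the resource-group, workload and tag values are constructed placeholders. The two-digit zero-padded index is this example's choice, not a rule stated by the checklist.

```powershell
# Added example (not the project's own deploy script). Assumes ./main.bicep with
# 'resourceName' and 'tags' parameters; all names and tag values are placeholders.
$RequiredTags = 'CostCenter', 'DataClassification', 'BusinessUnit', 'ServiceClass'

function New-CafResourceName {
    # Builds {type}-{workload}-{env}-{locationAbbr}-{namingIndex}; the two-digit
    # zero-padded index is this example's choice.
    param(
        [Parameter(Mandatory)][string]$Type,          # e.g. 'vgw' for a virtual network gateway
        [Parameter(Mandatory)][string]$Workload,
        [Parameter(Mandatory)][ValidateSet('dev', 'test', 'prod')][string]$Environment,
        [Parameter(Mandatory)][string]$LocationAbbr,  # e.g. 'weu' for westeurope
        [ValidateRange(1, 99)][int]$NamingIndex = 1
    )
    '{0}-{1}-{2}-{3}-{4:D2}' -f $Type.ToLower(), $Workload.ToLower(), $Environment, $LocationAbbr.ToLower(), $NamingIndex
}

function Test-GovernanceTags {
    # Fails fast if any CAF-recommended tag is missing or empty, so the gap is
    # caught before what-if rather than by Azure Policy after deployment.
    param([Parameter(Mandatory)][hashtable]$Tags)
    $missing = $RequiredTags | Where-Object { [string]::IsNullOrWhiteSpace($Tags[$_]) }
    if ($missing) { throw "Missing required governance tag(s): $($missing -join ', ')" }
}

# Operator-supplied governance tags, as passed via -Tags (constructed values).
$Tags = @{
    CostCenter         = 'CC-1234'
    DataClassification = 'Confidential'
    BusinessUnit       = 'Platform'
    ServiceClass       = 'Tier1'
}
Test-GovernanceTags -Tags $Tags

$workload = 'vpn'; $environment = 'prod'; $loc = 'weu'
$gatewayName = New-CafResourceName -Type 'vgw' -Workload $workload -Environment $environment -LocationAbbr $loc  # vgw-vpn-prod-weu-01
$rgName      = New-CafResourceName -Type 'rg'  -Workload $workload -Environment $environment -LocationAbbr $loc  # rg-vpn-prod-weu-01

# Automatic tags from the checklist, merged with the supplied governance tags.
$allTags = $Tags.Clone()
$allTags['Workload']    = $workload
$allTags['Environment'] = $environment
$allTags['createdBy']   = (Get-AzContext).Account.Id

# Timestamped deployment name keeps every run distinguishable in the deployment history.
$deploymentName = "$workload-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$deployArgs = @{
    Name                    = $deploymentName
    ResourceGroupName       = $rgName
    TemplateFile            = './main.bicep'
    TemplateParameterObject = @{ resourceName = $gatewayName; tags = $allTags }
}

# What-if first: review the predicted changes, then deploy the identical parameter set.
New-AzResourceGroupDeployment @deployArgs -WhatIf
New-AzResourceGroupDeployment @deployArgs

# Resource lock so the gateway cannot be deleted without an explicit unlock.
New-AzResourceLock -LockName 'lock-nodelete' -LockLevel CanNotDelete -ResourceName $gatewayName `
    -ResourceType 'Microsoft.Network/virtualNetworkGateways' -ResourceGroupName $rgName -Force
```

Running the same splatted argument set for the what-if and the real deployment is the point of the pattern: whatever was reviewed is exactly what gets applied, and a second run of the script is idempotent apart from the new deployment name.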
Reliability: zone-redundant AZ SKU selection, active-active mode evaluation, and Standard Static Public IP for predictable addressing. Security: Entra ID as the sole authentication mechanism, group-based access control, and Conditional Access policy as the critical post-deployment security item. Performance Efficiency: SKU selection based on concurrent connection count (250–1000) and Generation2 hardware for maximum throughput. Cost Optimization: SKU cost guidance (~$140–$530/month range) and budget alerting. Operational Excellence: full IaC with idempotent deployment, what-if validation, and timestamped deployment names.
Verify explicitly: all P2S connections require Entra ID authentication; no certificates or shared keys are distributed to clients. Group-based access with "Assignment required" enforced on the enterprise application denies users outside the assigned groups at the app layer. A Conditional Access policy requiring MFA and device compliance is the single most critical gap to address before production go-live. Least privilege: VPN access is scoped to a named security group, no standing credentials are distributed, and PIM/JIT is used for operational teams. Assume breach: NSGs on workload subnets prevent lateral movement from connected VPN clients, and diagnostic logging to Log Analytics is required for connection auditing.
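The two assume-breach items, NSG containment of VPN clients and gateway diagnostic logging, as an added PowerShell example that is not part of the page's IaC. Resource names follow the CAF pattern from the checklist; the client address pool, the workload subnet, the published port and the Log Analytics workspace resource id are constructed placeholders.

```powershell
# Added example (not the page's own IaC). Address ranges, names and the workspace id
# below are constructed placeholders.
$ClientPool          = '172.16.201.0/24'   # P2S client address pool (assumed)
$WorkloadSubnet      = '10.10.1.0/24'      # application subnet reached over the VPN (assumed)
$WorkspaceResourceId = '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'  # placeholder

# 1. NSG on the workload subnet: VPN clients may reach the published service port only;
#    everything else from the client pool (RDP, SSH, SMB, management ports) is denied,
#    so a compromised client cannot pivot across the subnet.
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-app-prod-weu-01' -ResourceGroupName 'rg-app-prod-weu-01'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'allow-vpn-clients-https' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $ClientPool -SourcePortRange '*' `
    -DestinationAddressPrefix $WorkloadSubnet -DestinationPortRange 443 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'deny-vpn-clients-other' -Priority 110 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix $ClientPool -SourcePortRange '*' `
    -DestinationAddressPrefix $WorkloadSubnet -DestinationPortRange '*' | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 2. Gateway diagnostic logging to Log Analytics. P2SDiagnosticLog carries the
#    point-to-site connect/disconnect events used for connection auditing; the other
#    categories cover gateway health, IKE negotiation and tunnel state.
$gw = Get-AzVirtualNetworkGateway -Name 'vgw-vpn-prod-weu-01' -ResourceGroupName 'rg-vpn-prod-weu-01'
$logs = foreach ($category in 'GatewayDiagnosticLog', 'P2SDiagnosticLog', 'IKEDiagnosticLog', 'TunnelDiagnosticLog') {
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $category
}
New-AzDiagnosticSetting -Name 'diag-vpn-law' -ResourceId $gw.Id -WorkspaceId $WorkspaceResourceId -Log $logs

# 3. Verify the rules landed and the deny sits after the allow (lower priority number wins).
$rules = (Get-AzNetworkSecurityGroup -Name $nsg.Name -ResourceGroupName $nsg.ResourceGroupName).SecurityRules |
    Where-Object { $_.SourceAddressPrefix -contains $ClientPool } | Sort-Object Priority
$rules | Select-Object Name, Priority, Access, DestinationPortRange | Format-Table
```

The explicit deny at priority 110 matters even though NSGs end with a default deny-all inbound rule: the default rules also contain an AllowVnetInBound entry, and P2S client addresses are treated as part of the virtual network for that rule, so without the scoped deny the client pool would reach every port on the subnet.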