When you say “Overlapping boundaries are supported for content but you would probably still some some(?) clients going to on prem sources. Best option is to get the AD site split out”, you mean that I should remove the VPN subnet from AD sites in active directory? Is it possible to exclude a subnet from the AD site boundary instead?