Esteban Patrigeon, we are currently in the process of deploying the on-prem DPs. We are getting new servers provisioned to do this. What we had tested in our lower environments was this: we simply didn't select any option for fallback to a neighbour or default boundary group. We also didn't select the option to go to Microsoft Update when content is not found on local DPs. We are allowing the client to look at the CMG, where the content is not staged. By default the client will look to the next set of DPs in the BG, which will be on-prem, and will get content from the on-prem DPs. This has worked in our lower environments.
The reason to now allow clients to go to Microsoft Update is the fact that we will not be able to control the time when the updates are downloaded, and also we do not want to consume our VPN bandwidth with the download of this update content over the internet while connected to VPN. We are not able to split tunnel based on FQDN due to limitations in our VPN infrastructure.