How to connect branch router via Internet?

SubnetWarrior
Level 1

Hi experts!

In my work, I have experience configuring connections from branch offices to the data center edge router via BGP (over Metro-E and MPLS media). But I am curious about how to connect the DC edge router to the branch router, and vice versa, via the Internet. Any idea? Do I have to advertise the company public IP address in the branch router to the Internet? What kind of configuration do I have to do in my branch and edge router if they are connected via the Internet?

FYI, I have configured a site-to-site VPN, but it is between our company ASR/Internet router and company public IP to our third-party partner's public IP. But I still have no idea how to connect branch to DC via the Internet.

Thank you for your enlightenment.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello @SubnetWarrior ,

connecting to an HQ over the public Internet is usually done using an IPSec LAN-to-LAN VPN or other variants of this technology like DMVPN (Cisco proprietary) or GET VPN. The last two are used when the number of remote sites / spokes is high, instead of using point-to-point IPSec tunnels.

Especially with Cisco routers there is an advantage in using p2p GRE tunnels that are then protected by IPSec; the main advantages are the following two:

- ability to run a routing protocol like IGP (OSPF, EIGRP or even IS-IS) over the GRE tunnels to advertise remote subnets dynamically

- ability to support multicast traffic flows over GRE tunnels.

 

Actually, DMVPN uses a special type of GRE tunnel called mGRE (multipoint GRE) in combination with NHRP.

 

Hope to help

Giuseppe

 

"Especially with Cisco routers there is an advantage in using p2p GRE tunnels that are then protected by IPSec: . . ."

BTW, later IOS versions also support IPSec VTI tunnels. You can do dynamic routing protocols across them too (I believe [?] multicast too), but they don't have the additional overhead of GRE.

You can also do ordinary GRE (i.e. no IPSec), but then your traffic isn't encrypted. This, of course, is less secure, but not quite as much as many think. (Mostly because, Internet security hacks are aimed more at the end-points than transit traffic.)

Lastly, using the Internet for private business connections is often much, much less expensive than "private" WAN clouds (MetroE, MPLS, etc.). Such connections are often much easier to obtain in many parts of the world. Some features of private clouds, like MPLS, are "guaranteed" bandwidth and/or QoS vs. the Internet. However, those aspects aren't quite like the private WAN vendors would like you to believe.

Thank you so much for your enlightenment, sir.
Could you please explain a little more technically? Because I can't grasp the idea of how to advertise the branch network to the Internet and how the HQ edge router receives the branch prefix from the Internet.
For comparison, my company also uses GET VPN to secure the branch networks. We use two routers as key servers. The key server can connect to the branch router via BGP and MPLS. The BGP configuration is: my edge router (CE) advertises and receives prefixes via BGP to the ISP router (PE), and likewise my branch router advertises and receives prefixes via BGP to the ISP router.
If we use the Internet, how do we advertise and receive prefixes with BGP?

When you create a VPN across the Internet, using something like tunnels, you normally make those logical "links" part of your internal network. Depending upon the "kind" of VPN, you can pass L2 or L3 across it, just as you might within your LAN or a private MAN/WAN. I.e. you can route across some VPN using an IGP or something like BGP.

I'm sorry for my lack of knowledge and experience, sir; I still cannot understand how to connect DC - branch via the Internet.

This is my current understanding:
If we want to establish a VPN, the branch router (let's say BR) and the DC router (let's say DR) have to know each other's IP address for the keyring or for the pre-shared key target. Let's make a scenario where the BR interface is 192.168.10.10 and DR is 172.16.10.10. In my understanding, if they use the Internet, the topology becomes:

DR - Internet - BR.

How does DR know BR's 192.168.10.10 address? In theory BR has to advertise 192.168.10.10 to the Internet, but also in theory we cannot advertise private IP addresses to the Internet. Yes, we can use the company public address on BR and NAT 192.168.10.10 to that public IP address, but if we have 300 branches, it's impossible to assign a public IP address per branch.

In summary, yes we need a VPN on the branch - DC connection, but before the VPN is established, branch and DC have to know each other's IP addresses. How do they know each other's IP addresses (before the VPN is established)?

Once again, thank you, thank you very much for your time.

The routers would have an Internet IP on their interface that connects to the Internet. This IP is not "shared" internally. The inside facing interface, and the VPN interface, would have an internal/private IP, like your example of using 192.168.10.10.

Yes, if you have 300 branches, you'll need 300 public IPs. These IPs are provided by your ISP(s).

To make management of 300 branches "easier", with DMVPN (mentioned by Giuseppe), the branch only needs to "know" the hub's public IP; it then uses NHRP to inform the hub what the branch's public IP is. Further, I recall (?) the branch can use DHCP to obtain its public IP from the ISP it connects to.

The branch internal IP assignments, you'll need to allocate IPs for.

 

"I'm sorry for my lack of knowledge and experience, sir; I still cannot understand how to connect DC - branch via the Internet."

 

Nothing to be sorry for.  You did the right thing, you asked for further information.

Wow, that explanation is an "aha moment" for me; I finally understand. Once again, thank you very much, sir.

I wish you all the success, and please keep inspiring junior network engineers like me!