Intranet and extranet concepts are understood differently by different people (for example, product managers, analysts, salespeople, and engineers) in much the same way that VPNs are understood. For purposes of this discussion, however, an intranet is a trusted realm within a corporate organization that can also be geographically dispersed and tied in via a VPN architecture.
Hub-and-spoke or partial-mesh physical or virtual topologies (architectures resulting from administrative considerations) are common, with the majority of the computing power and services located at the hub site (corporate headquarters). Any-to-any connectivity is rarely used in the context of tunnel-based topologies because of the administrative burden, the difficulty of policy enforcement, and the lack of scalability. MPLS VPNs are a different story because their design is based not on point-to-point tunnel links but on a "point-to-cloud" paradigm. With all these choices, network administrators and architects have flexible and scalable measures to realize routing policies within a VPN, including topological measures, default-route injection, or route filters. Withholding routing information constitutes an excellent security mechanism.
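The effect of route filters and default-route injection on reachability in a hub-and-spoke VPN can be modeled in a few lines. This is an added example, not part of the original text: the site names and 10.x prefixes are constructed, and each site is reduced to a routing table with longest-prefix match.

```python
import ipaddress

# Constructed sites and prefixes (assumptions for illustration only).
SITES = {"hub": "10.0.0.0/16", "spoke_a": "10.1.0.0/16", "spoke_b": "10.2.0.0/16"}

def net(prefix):
    return ipaddress.ip_network(prefix)

def build_tables(inject_default, filter_spoke_routes):
    """Return {site: [(network, next_hop_site), ...]} for one routing policy."""
    tables = {}
    for site, own in SITES.items():
        routes = [(net(own), site)]  # connected route: deliver locally
        others = [(net(p), s) for s, p in SITES.items() if s not in ("hub", site)]
        if site == "hub":
            routes += others  # the hub always learns every spoke prefix
        else:
            routes.append((net(SITES["hub"]), "hub"))
            if inject_default:
                routes.append((net("0.0.0.0/0"), "hub"))
            if not filter_spoke_routes:
                routes += others  # any-to-any: spokes learn each other directly
        tables[site] = routes
    return tables

def next_hop(table, dst):
    """Longest-prefix match; None means the site has no route (withheld)."""
    matches = [(n.prefixlen, hop) for n, hop in table if dst in n]
    return max(matches)[1] if matches else None

def trace(tables, src_site, dst_ip):
    """Return the sites a packet traverses, ending in 'unreachable' if dropped."""
    dst, site, path = ipaddress.ip_address(dst_ip), src_site, [src_site]
    for _ in range(len(SITES)):
        hop = next_hop(tables[site], dst)
        if hop is None:
            return path + ["unreachable"]
        if hop == site:
            return path
        path.append(hop)
        site = hop
    return path + ["loop"]

if __name__ == "__main__":
    for default, filt in [(True, True), (False, True), (False, False)]:
        print(default, filt, trace(build_tables(default, filt), "spoke_a", "10.2.0.5"))
```

With spoke routes filtered, spoke-to-spoke traffic either transits the hub (default route injected), where policy can be enforced, or has no route at all.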
An extranet usually refers to a lower-trust realm, commonly separated from the actual intranet (as well as the Internet) via security measures such as firewalls, demilitarized network segments, and proxies.
Extranets are deployed to support the requirements for limited and controlled connectivity to commercial partners, organizations, and other third parties.