They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
HTTPS calls with any kind of authentication (cookies, tokens, even basic auth) are one way to be "authenticated, encrypted" for "each request". If they go to a reverse proxy at the entrance of a company network (a common setup for every internet facing http server) they are a way to do without a VPN.
And yet every customer of mine have some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.