encryption: transactional replication through VPN, do I need to encrypt the connection?

New in security

We are planning to configure transactional replication of SQL Server through a VPN to Azure over the Internet. The source server is inside our data center and the destination will be an instance managed in Azure.

Initially, we thought that VPN should provide enough security to pass data through the Internet, but now our security team also wants to encrypt the connection between the SQL servers. Is it really necessary or are we paranoid and that is redundant?