Typical On-Premise to Azure Config

I'm fairly new to Azure and am trying to learn best practices for setting up an Azure environment with connection to on-premise resources.

Is it typical to merely setup a site-to-site VPN connection with the Azure and use NSG's for security? Or is it necessary to setup Azure Firewall as well?

Additionally, when is Expressroute typically used? And is it more reliable/secure compared to site-to-site VPN?

My org has no Azure presence at the moment, and I'm trying to wrap my head around getting this eventually implemented.