We have a client wanting us to do some work on their Azure SQL Server and they require a static IP for whitelisting.
The company I manage is a fully remote workforce of around 60 employees. We have no on-prem resources. We don’t have any kind of VPN product. Everything we access is Microsoft 365 and SaaS products.
Only one or two users need to work with this client, but they have dynamically assigned public IPs at home.
I looked at Azure VPN Gateway and in theory, this seems right. Users install the Azure VPN Client, connect to our Azure VNET, and egress traffic all routes through the static public IP directly attached to the VPN Gateway. But I’m not sure it’s the most cost effective at $130/month, then paying for egress traffic on top.
I looked at Zscaler, Cloudflare, and Twingate, but all of them went way over my head. A lot of it sounded like what I needed on the surface, but when I got into the specifics it didn’t. I trialled Twingate, but couldn’t find a way to manage my public IP. Cloudflare offered a secure web gateway, but to get a dedicated IP for egress required an enterprise plan + an add-on.
I looked at NordVPN. They offer a dedicated static IP solution, but it is assigned per user and is limited to 2 devices. This is seeming like the cheapest, simplest and fastest to deploy solution for my current use case. But it’s going to require a shared account (if 2 people need to use it) and isn’t scalable.
I feel like I’ve gone full circle here and would appreciate any additional perspective or options I’m missing, because at this point I’m a bit overwhelmed with information.
Cheap Azure VM b1ms with static IP.
Deploy wireguard and do tunneling.
I guess I would simply ask, do you want to invest and set up a VPN, or do you just want a static IP to accommodate a client?
I bring that up to suggest that a simple option may be to pay for your 1 or 2 remote workers to have static IP addresses through their ISP. It should cost around $10 per month for a static IP address, maybe less.
If the client needs them to use VPN, they may already have the VPN service the two staff could be using. We have contractors that we provide restricted VPN access for.
Just figure it might be another option.
Smallest Linux VM with OpenVPN and a PIP will put you back 20 dollars.
P2S VPN with a VPN Gateway is your solution.
Are you sure about those $130 / month? It shouldn’t be that expensive… Basically the 1 public IP and traffic, especially if it’s only 1 or 2 employees from time to time.
I had set up one in the test tenant with credits and used it a bit, cost me a few cents. Checked after a few days without traffic, around $1.
Where does your calculation come from? Be aware that Azure VPN is a different service.
So, if the target SQL server doesn’t have Private Link (which probably wouldn’t fly cross-tenant anyway), you would need a point-to-site VPN and a firewall attached to provide internet access. A VNet by itself doesn’t inherently have outbound access. (The SQL connection will go over the public internet.)
I think your most cost-effective solution is to deploy a VM with a public IP and give that to the customer. Allow your staff to add their IPs to an allow list for RDPing to the VM. If it were me, I’d use a SQL Server Developer Edition VM (just make sure everything goes onto C:\ (it’s in the SQL Server options tab when you are creating the VM) so you don’t pay extra for disks you don’t need). Using that VM will ensure you have all the tools your team needs to connect to Azure SQL.
I use ehvpn.ca. There’s no port forwarding, but it’s a wide-open static IP address and works for my home server without issues. I had server hosting, but it was more expensive; this way is cheaper and I have my server at home.
Hi there! Thought I’d just drop a note relating to your Twingate trial, as that’s a product I know well. Your use case is actually exactly what Twingate caters for, but as you are the contractor wanting to securely access their remote resource, they need to set up Twingate by creating a tenant and a remote network, then adding a resource (in this case the Azure SQL Server) to that remote network, adding you as a user and deploying a connector within their remote network to allow communications to be established. Once that is done, all you need to do is install the Twingate client and then connect to the resource. They then have full control and visibility of your access to that resource.
Twingate doesn’t work like your traditional VPN, it’s actually far easier to set up and more secure than VPN as it doesn’t require any ports to be opened to establish a connection. It’s pretty quick to spin up and test for free if your client wants to trial it. They might like it so much they’ll want to get rid of their VPN!
If you’d like to suggest it as an option to them, they can use this quick start guide to create a POC.
This article explains the difference between Twingate and VPNs.
This article explains how Twingate works.
Hope that helps!
I spent today on this solution. I got the client connecting to the server, but I had no internet access on the client. I might take this over to /r/wireguard.
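The "connected but no internet on the client" symptom in the WireGuard-on-a-small-VM route suggested earlier usually comes from one of two things: the VM never forwards or NATs the tunnel traffic out its uplink, or the client's AllowedIPs only covers the VPN subnet, so it is a split tunnel and the SQL traffic still leaves via the home ISP address. This is an added example, not code from the thread; it generates both sides' configs with those two points handled. The public IP 203.0.113.10, the uplink name eth0, the tunnel subnet 10.66.0.0/24 and the key arguments are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example: WireGuard full-tunnel config generator for a small Azure
# Linux VM with a static public IP. All addresses below are placeholders.
set -eu

VPN_SUBNET="10.66.0.0/24"
SERVER_TUN_IP="10.66.0.1/24"
CLIENT_TUN_IP="10.66.0.2/32"
SERVER_PUBLIC_IP="203.0.113.10"   # the static IP handed to the client for allow-listing
WG_PORT="51820"                   # only UDP port the VM's NSG needs to expose
UPLINK="eth0"                     # the VM's internet-facing interface

# Server side. PostUp enables IPv4 forwarding and masquerades tunnel traffic
# out of the uplink, so the remote worker's SQL traffic leaves from the static IP.
# Without these two rules the handshake succeeds but nothing beyond the VM works.
gen_server_conf() {  # $1 = server private key, $2 = client public key
  cat <<EOF
[Interface]
Address = ${SERVER_TUN_IP}
ListenPort = ${WG_PORT}
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s ${VPN_SUBNET} -o ${UPLINK} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s ${VPN_SUBNET} -o ${UPLINK} -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${CLIENT_TUN_IP}
EOF
}

# Client side. AllowedIPs = 0.0.0.0/0 routes everything through the tunnel
# (full tunnel); listing only ${VPN_SUBNET} would leave the SQL connection on
# the home ISP address, which the client has not allow-listed.
gen_client_conf() {  # $1 = client private key, $2 = server public key
  cat <<EOF
[Interface]
Address = ${CLIENT_TUN_IP}
PrivateKey = $1
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = ${SERVER_PUBLIC_IP}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}
```

Generate a key pair on each side with `wg genkey | tee private.key | wg pubkey > public.key`, then write the server output to /etc/wireguard/wg0.conf and bring it up with `wg-quick up wg0`; the DNS line is just a resolver choice and can be swapped for your own.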
Yeah, legitimate option. I’ll go this route if I run out of time getting a self-hosted VPN server running. Thanks.
Do you know if OpenVPN requires a similar technical level to host as WireGuard?
You may be looking at the Basic tier, but to use VPN Gateway with a static IP it says you must use at least VpnGw1 tier. FAQ
Although we aren’t really in a position to be making recommendations for the client, I’ll definitely look at setting this up for our own Azure SQL Servers. Thanks for the explanation!
I don’t understand what you are asking?
No, I’ve used VpnGw1 - basic IP and basic VPN Gateway are deprecated anyway.
Sorry, I believe WireGuard and OpenVPN are competing products. I tried setting up WireGuard on an Ubuntu VM and couldn’t get it working. I wasn’t strong enough in Linux + networking. Do you think I’d have similar issues with OpenVPN? Or is it quite easy to configure? Maybe it’s too subjective a question.
You won’t be able to egress traffic using Azure VPN Gateway.
It does split tunnel by default, and can’t do full tunnel unless you buy some other resource like Azure Firewall; the cost won’t make sense.
Better to run a small VM in Azure with OpenVPN on top of it and shut it down when not in use.
Also check Pritunl VPN in the Azure Marketplace…
Provides a GUI and does everything you need.
That’s subjective, yes. I would say it’s easy, but I don’t know your skill level. If you are scared of the command line, look into OPNsense; it’s a firewall, but it has OpenVPN installed and it might give you an easier start. It gives you a UI to fiddle with and you can find info online. I think there is such a thing as a Windows VPN server that you could run on a B machine in Azure. But at that point it might be better to give the WFH users a static WAN IP from the ISP.
Good to know! Thanks, that would have been an issue.