Looking for some input on cloud-based VPNs. I’m working with a healthcare-related entity that is looking for a cloud-based VPN. It will be used to provide access to a web-based SaaS. The VPN is needed to give all users a static IP to come from, since the web app uses an IP whitelist to control access. The VPN client also needs to support split-tunneling so local network devices/resources can be accessed, if needed. Would prefer the split-tunneling to make use of FQDNs for tunneling rather than just IPs. Total user count will be about 50 users. The company is cloud-based, so there is no on-prem equipment and the users are spread out working from either home or shared office space.
So far I’ve looked at:
Palo Alto Prisma Access - Would fit, but requires a minimum of 200 user licenses. $$$
Palo Alto VM-series firewall in Azure - No idea what cost would be since I don’t have a frame of reference on what Azure costs would be.
NordVPN - Doesn’t support split-tunneling per their representative
ZScaler - pending a call with a sales guy
Perimeter81 - Never heard of these guys, but was referred to them by NordVPN
Are there any other good VPN providers out there?
Edit: Would prefer stuff based on Azure if it’s a solution that needs to be hosted. Just because the company uses Azure/O365 and it would be nice to contain everything there.
So…
You’ve got a web service hosted somewhere (Azure?) and you want better security than just opening https to the world…?
Is the cloud web in-house?
Or provided by a partner?
If it’s in-house, just use Azure’s Point-to-Site (P2S) VPN?
If it’s provided by a third party, I’m sorry but that’s a dumb fucking service.
Static IP white-listing a SaaS… that’s like anti-cloud without any of the benefits.
Not surprising and not your fault, just… ugh.
Can’t they use something other than IP for security? SSL client cert? Anything.
It sounds like Cloudflare Access could get the job done. Free for up to 50 users.
If I understand correctly it works like this:
Cloudflare VPN client (based on WireGuard) → Cloudflare VPN server → Cloudflare web proxy → SaaS provider (public service or private IP on-prem)
So you’d only open the SaaS service to Cloudflare, and all users access the SaaS through Cloudflare’s VPN tunnel. The web proxy will do authentication using your IdP of choice.
We’ve started rolling out Perimeter 81 to most of our clients. It is a very mature product with a great interface, and we’ve set it so users need to be connected to P81 to sign into Office.com and other services.
We deployed Pulse Secure within AWS and it’s been solid. It also meets all your requirements (static IP for users, split tunneling via FQDN, licensing of 50 users). They also offer clientless VPN, with which users connect to the resources via a web browser (zero trust model).
You’ve probably crossed paths with this term already, but I want to signpost you to a new kind of overlay network, not software defined perimeter (appliance based) and also not the traditional hub and spoke VPN of the last twenty years, but a Zero Trust Network Access architecture based on direct connectivity between hosts combined with an overlay network.
There’s a range of emerging tooling that is super helpful if you’re in any way tired of traditional VPNs and VPN servers. Full disclosure: I work for one of the companies building tooling in this space (Enclave), so while this is perhaps a bit of a shameless plug for https://enclave.io, it sounds like it could be a good fit for your use-case.
Enclave is like a VPN, but:
Serverless (data is peer-to-peer, organised by a lightweight SaaS control channel)
Connections brought up on-demand (tunnels are not always on)
No open ports required (your firewall can stay closed, it works behind NAT)
Works with dynamic IPs (you don’t care where the other side is ahead of time)
Zero configuration (it works on the network you’ve already got, no changes)
Gives each system a static virtual IP address and DNS & FQDNs out of the box (also define your own TLDs)
Split tunnelling by default
Mutual authentication & end-to-end encryption
Completely free to use for up to 10 systems
We’re a funded & growing UK-based start-up, if you get a chance to try it we’d love to hear your feedback.
Routing over FQDN isn’t really a thing. For most (if not all I’ve seen), the FQDN is only looked up at the time of rule creation. Large or somewhat sizable orgs will have numerous A records for a single hostname.
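As an added illustration of the point in this reply (this is not code from the thread or from any product mentioned in it), the following Python simulates what happens when a split-tunnel rule resolves an FQDN once at rule creation while the hostname's A records rotate, and contrasts it with a rule that re-resolves on a schedule. It also shows the drift check an admin can run to spot when a rule's address set no longer matches what DNS currently answers. The hostname, addresses (RFC 5737 documentation ranges) and rotation schedule are constructed for the example, and `resolve()` stands in for a real DNS lookup, so it runs offline.

```python
"""Split-tunnel-by-FQDN: resolve-once rule vs. re-resolving rule.
All DNS data is constructed; resolve() is a stand-in for a real lookup."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed answers: what the resolver would return for the hostname at each
# time slot (round-robin / regional records rotating, then a move to a new block).
CONSTRUCTED_ANSWERS: Dict[str, List[FrozenSet[str]]] = {
    "app.example.net": [
        frozenset({"192.0.2.10", "192.0.2.11"}),       # t0: when the rule is created
        frozenset({"192.0.2.11", "192.0.2.12"}),       # t1: one record rotated out
        frozenset({"198.51.100.5", "198.51.100.6"}),   # t2: service moved entirely
    ],
}


def resolve(fqdn: str, t: int) -> FrozenSet[str]:
    """Stand-in for socket.gethostbyname_ex(): A records for fqdn at slot t."""
    answers = CONSTRUCTED_ANSWERS[fqdn]
    return answers[min(t, len(answers) - 1)]


class StaticFqdnRule:
    """Rule that resolves the FQDN once at creation, as the post describes."""

    def __init__(self, fqdn: str, t_created: int = 0) -> None:
        self.fqdn = fqdn
        self.addrs = resolve(fqdn, t_created)

    def matches(self, dst: str, t: int) -> bool:
        return dst in self.addrs


class RefreshingFqdnRule:
    """Rule that re-resolves every `ttl` slots and keeps the union of records
    seen, so an address rotated in after creation is still tunnelled."""

    def __init__(self, fqdn: str, ttl: int = 1, t_created: int = 0) -> None:
        self.fqdn, self.ttl = fqdn, ttl
        self.last_refresh = t_created
        self.addrs = set(resolve(fqdn, t_created))

    def matches(self, dst: str, t: int) -> bool:
        if t - self.last_refresh >= self.ttl:
            self.addrs |= resolve(self.fqdn, t)
            self.last_refresh = t
        return dst in self.addrs


def tunnelled_fraction(rule, fqdn: str, slots: int) -> float:
    """Share of (time slot, server address) pairs the rule sends through the
    tunnel. Anything not matched takes the default route, so it reaches the
    SaaS from the user's home IP and fails the IP allowlist."""
    hits = total = 0
    for t in range(slots):
        for dst in sorted(resolve(fqdn, t)):
            total += 1
            hits += rule.matches(dst, t)
    return hits / total


def drift(fqdn: str, t_created: int, t_now: int) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Operational check: (stale addresses still in the rule but no longer
    answered, current addresses the rule does not cover). Either set being
    non-empty is worth an alert or a rule refresh."""
    in_rule = resolve(fqdn, t_created)
    now = resolve(fqdn, t_now)
    return frozenset(in_rule - now), frozenset(now - in_rule)


if __name__ == "__main__":
    host = "app.example.net"
    print("resolve-once rule tunnels", tunnelled_fraction(StaticFqdnRule(host), host, 3))
    print("re-resolving rule tunnels", tunnelled_fraction(RefreshingFqdnRule(host, ttl=1), host, 3))
    stale, uncovered = drift(host, 0, 2)
    print("stale in rule:", sorted(stale), "| answered but not covered:", sorted(uncovered))
```

The refresh interval here is one simulated slot; in practice a refresh tied to the record's DNS TTL is the usual compromise, and the `drift()` comparison is the thing to schedule so that a rotated or migrated record shows up as an alert rather than as users suddenly being blocked by the allowlist.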