Cost Analysis
Current Situation
The PA-2020 is past end of service life (EOSL): Palo Alto will not sell renewal subscriptions for it. Direct costs are low, but the risk-adjusted costs are significant.
| Item | Estimated Annual Cost |
|---|---|
| PA-2020 licensing/support | $0 (EOSL — cannot renew) |
| Admin time managing legacy VPN | ~40 hrs/yr × loaded hourly rate |
| Helpdesk tickets for password reset VPN issues | ~200 tickets/yr x $15/ticket = $3,000/yr |
| Risk-adjusted cost (credential compromise, ransomware, insurance) | $31,000 - $166,500/yr |
Recommended: Self-Hosted NetBird on Existing Infrastructure
The NetBird management server runs on a lightweight VM. GSISG already has Hyper-V hosts with available capacity at both sites, each behind a public IP address and a firewall that can port-forward. There is no need to pay for a cloud VM.
Deployment Options for the Management Server
| Option | Location | Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| On-prem Boulder (Recommended) | VM on DATA001/DATA007, port-forward through Netgate 6100 | $0 | Zero cost, Netgate handles ingress cleanly, Boulder has a reliable Comcast Business circuit | If the Boulder office goes down, new connections can’t be established (existing tunnels survive) |
| On-prem Honolulu | VM on DATA003/DATA004, port-forward through PA-2020 | $0 | Zero cost, colocated with most resources | Depends on the PA-2020 for ingress (the thing we’re replacing) |
| On-prem both sites | VMs at both sites for redundancy | $0 | Highest availability | Active-active management HA requires an enterprise license; a cold standby is free |
| Azure B2s | Cloud VM (2 vCPU, 4GB) | $39/mo | Independent of both offices | Unnecessary cost when on-prem works |
Recommendation: Host the management server in Boulder on existing Hyper-V (DATA001 or DATA007). Port-forward TCP 80/443 and UDP 3478 through the Netgate 6100 (50.198.217.249) and point netbird.gsisg.com at that Comcast IP. Before go-live, confirm the port list against the self-hosted setup guide for the NetBird version being deployed (if coturn relays traffic, its UDP relay port range has to be forwarded as well), and verify each forward from outside the office network rather than from the LAN. Total infrastructure cost: $0/month.
If site redundancy is desired later, add a second management VM in Honolulu. Note: management server HA (active-active) requires a NetBird enterprise license, but a cold standby (manual failover) is free.
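A quick external check of the UDP 3478 forward, added here as an example (not part of the original recommendation and not NetBird's or coturn's own code): the script sends a STUN Binding Request (RFC 5389) to the published hostname and parses the XOR-MAPPED-ADDRESS in the reply, which is the public address the server saw. The hostname netbird.gsisg.com and port 3478 come from the recommendation above; that the STUN/TURN service answers unauthenticated Binding Requests on that port is an assumption to confirm for the deployed configuration (the default coturn setup does). Run it from a network outside Boulder, such as a phone hotspot.

```python
"""Added example (not NetBird's or coturn's code): STUN Binding Request probe
to confirm that UDP 3478 is forwarded through the Netgate and that the
STUN/TURN service behind it answers. Run from outside the office network.

Assumption: the server answers unauthenticated Binding Requests (RFC 5389),
as the default coturn configuration does; confirm for the deployed config.
"""
import os
import socket
import struct
import sys

STUN_MAGIC = 0x2112A442  # fixed magic cookie, RFC 5389 section 6
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """20-byte STUN header, no attributes: type, length, magic, 96-bit transaction id."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid


def parse_binding_response(data, txid):
    """Return (public_ip, public_port) from a Binding Success; reject anything else."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, magic = struct.unpack("!HHI", data[:8])
    if magic != STUN_MAGIC or data[8:20] != txid:
        raise ValueError("reply is not for our transaction")  # stale or forged datagram
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{mtype:04x}")
    body = data[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        val = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32 bits
        if len(val) < 8 or val[1] != 0x01:  # only IPv4 address families handled here
            continue
        port = struct.unpack("!H", val[2:4])[0]
        addr = struct.unpack("!I", val[4:8])[0]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            # XOR-MAPPED-ADDRESS: port is XORed with the top 16 bits of the magic
            # cookie, the IPv4 address with the whole cookie.
            return socket.inet_ntoa(struct.pack("!I", addr ^ STUN_MAGIC)), port ^ (STUN_MAGIC >> 16)
        if atype == ATTR_MAPPED_ADDRESS:
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no IPv4 mapped-address attribute in reply")


def build_binding_success(txid, addr, port):
    """Encode a Binding Success carrying XOR-MAPPED-ADDRESS (used for the offline self-test)."""
    xaddr = struct.unpack("!I", socket.inet_aton(addr))[0] ^ STUN_MAGIC
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (STUN_MAGIC >> 16), xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr


def stun_probe(host, port=3478, timeout=3.0):
    """Live probe: send one Binding Request, return the reflexive (ip, port) the server saw."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(2048)  # socket.timeout here means the forward or service is down
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "netbird.gsisg.com"
    try:
        ip, prt = stun_probe(target)
        print(f"STUN OK: {target}:3478 answered; our reflexive address is {ip}:{prt}")
    except socket.timeout:
        sys.exit(f"no STUN reply from {target}:3478 (check the Netgate forward and coturn)")
```

A timeout means either the Netgate rule or the service is wrong; a reply whose reflexive address is not the probing client's real public IP usually means the probe was run from behind another NAT, which is harmless for this check. The TCP 80/443 forwards can be verified with an ordinary HTTPS request to the same hostname.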
Proposed Annual Costs
| Item | Annual Cost |
|---|---|
| Management server (on-prem Boulder VM) | $0 |
| NetBird software licensing | $0 (open source, self-hosted) |
| Per-user cost | $0 (unlimited users) |
| Honolulu routing peer (Hyper-V VM) | $0 |
| Boulder routing peer (Netgate 6100) | $0 |
| Total annual cost | $0 |
The only costs are IT labor for setup (~40 hours) and ongoing maintenance (~10 hours/year).
Five-Year Total Cost of Ownership
| Option | Year 1 | 5-Year TCO | Notes |
|---|---|---|---|
| Self-hosted NetBird on-prem | ~$5,000 (setup labor only) | ~$10,000 | RECOMMENDED — zero infrastructure cost |
Self-hosted NetBird on existing infrastructure has zero ongoing infrastructure cost and saves ~88% on 5-year TCO vs. a replacement Palo Alto appliance.
Self-Hosted Feature Trade-offs
Self-hosted NetBird is free for unlimited users but lacks eight features that the cloud plans include:
| Lost Feature | Impact | Why Acceptable |
|---|---|---|
| Background IdP-Sync | Groups sync at login (JWT), not continuously | Adequate for 100 users. Manual offboarding adds ~5 min per termination. |
| SCIM provisioning | Same as above | JWT group sync covers group lifecycle at this scale |
| Audit event streaming (SIEM) | No native SIEM streaming | Poll the events API on a schedule and forward new entries to the SIEM. Traffic can be captured on the routing peers' WireGuard interface. |
| Traffic event logging | Not available | Routing peer-level logging as alternative |
| Device posture checks | NetBird cannot gate access on OS version or disk encryption | Enforce separately via TacticalRMM or GPO |
| MDM/EDR integration | No CrowdStrike/SentinelOne integration | Enforce via existing EDR tools directly |
| Management server HA | Single server (active-active HA requires an enterprise license) | Existing peer-to-peer tunnels survive a management outage; new peers and policy changes wait until it returns. Mitigate with monitoring and automatic VM/service restart. |
| Peer approval | No approval workflow for new peers | Restrict who receives setup keys; set a usage limit and expiration on every key |
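The scripted API polling mentioned in the audit-event row, as an added example that is not NetBird's code: it fetches the audit event list, emits only entries newer than a persisted high-water mark as JSON lines for a SIEM collector to tail, and tags activities a reviewer should look at promptly, which also gives a cheap substitute for the missing peer-approval workflow (every peer that joins via a setup key shows up as an event). The endpoint path, the token header format and the event field names are assumptions taken from the NetBird API reference and must be checked against the deployed version; the activity codes in ALERT_ACTIVITIES and the sample events are constructed for illustration.

```python
"""Added example (not NetBird's code): poll the management API's audit events
and write new ones as JSON lines for a SIEM collector to tail.

Assumptions to verify against the deployed version's API reference: GET
/api/events returns the audit log, authenticated with a personal access token
sent as "Authorization: Token <PAT>", and each event carries id, timestamp,
activity, activity_code, initiator_id, target_id and meta fields.
"""
import json
import os
import sys
import tempfile
import time
import urllib.request

# Activity codes to tag for prompt review. Assumed values; confirm them against
# real /api/events output before alerting on them.
ALERT_ACTIVITIES = {"setupkey.add", "setupkey.peer.add", "user.invite", "peer.add"}

# Constructed sample events (not real data), deliberately out of order, for demo().
SAMPLE_EVENTS = [
    {"id": "7", "timestamp": "2024-05-01T10:02:00Z", "activity": "Peer added with setup key",
     "activity_code": "setupkey.peer.add", "initiator_id": "sk-1", "target_id": "peer-9",
     "meta": {"name": "laptop-42"}},
    {"id": "5", "timestamp": "2024-05-01T09:58:00Z", "activity": "Group updated",
     "activity_code": "group.update", "initiator_id": "u-1", "target_id": "g-2", "meta": {}},
    {"id": "6", "timestamp": "2024-05-01T10:00:00Z", "activity": "Route added",
     "activity_code": "route.add", "initiator_id": "u-1", "target_id": "r-3", "meta": {}},
]


def fetch_events(base_url, token):
    """Live call: return the full audit event list from the management API."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/events",
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_new_events(events, last_id):
    """Events whose numeric id exceeds last_id, oldest first, plus the new high-water mark."""
    fresh = []
    for ev in events:
        try:
            eid = int(ev["id"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed entries instead of wedging the poller
        if eid > last_id:
            fresh.append((eid, ev))
    fresh.sort(key=lambda pair: pair[0])
    high = fresh[-1][0] if fresh else last_id
    return [ev for _, ev in fresh], high


def to_siem_line(ev, alert_activities=ALERT_ACTIVITIES):
    """Flatten one event into a single JSON line and flag alert-worthy activity codes."""
    code = ev.get("activity_code")
    record = {
        "source": "netbird", "event_id": str(ev.get("id")), "timestamp": ev.get("timestamp"),
        "activity": ev.get("activity"), "activity_code": code,
        "initiator": ev.get("initiator_id"), "target": ev.get("target_id"),
        "meta": ev.get("meta", {}), "alert": code in alert_activities,
    }
    return json.dumps(record, sort_keys=True)


def load_last_id(state_path):
    """Read the high-water mark; a missing or corrupt file restarts from 0 (re-emits all)."""
    try:
        with open(state_path) as fh:
            return int(json.load(fh)["last_id"])
    except (OSError, ValueError, KeyError, TypeError):
        return 0


def save_last_id(state_path, last_id):
    tmp = state_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"last_id": last_id}, fh)
    os.replace(tmp, state_path)  # atomic rename so a crash mid-write cannot truncate the state


def run_once(fetch, state_path, out=sys.stdout):
    """One poll cycle: emit new events, persist the cursor, return the number emitted."""
    fresh, high = select_new_events(fetch(), load_last_id(state_path))
    for ev in fresh:
        out.write(to_siem_line(ev) + "\n")
    save_last_id(state_path, high)
    return len(fresh)


def demo():
    """Offline run over SAMPLE_EVENTS: returns (first-cycle count, second-cycle count, cursor)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        state = os.path.join(tmpdir, "netbird-events.state")
        with open(os.devnull, "w") as sink:
            first = run_once(lambda: SAMPLE_EVENTS, state, out=sink)
            second = run_once(lambda: SAMPLE_EVENTS, state, out=sink)
        return first, second, load_last_id(state)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: netbird_events.py <base_url> <token> <state_file>")
    base, token, state_file = sys.argv[1:]
    while True:  # run as a service; point stdout at the SIEM collector
        run_once(lambda: fetch_events(base, token), state_file)
        time.sleep(60)
```

Use a token belonging to a dedicated service account rather than an administrator's personal token, keep the state file on persistent storage so a restart does not replay the whole log, and alert on the `alert: true` lines from the SIEM side so the poller itself stays stateless apart from the cursor.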
When to reconsider: If GSISG grows beyond 200 users, needs automated deprovisioning for compliance, or requires device posture checks, evaluate Cloud Team ($5/user/mo) or self-hosted Enterprise license.