Cost Analysis
Current Situation
The PA-2020 is past EOSL; Palo Alto will not sell renewal subscriptions, so the box receives no security patches. Direct costs are low, but risk-adjusted costs are significant.
| Item | Estimated Annual Cost |
|---|---|
| PA-2020 licensing/support | $0 (EOSL — cannot renew) |
| Risk-adjusted cost (credential compromise, ransomware, insurance) | $31,000 - $166,500/yr |
NetBird Options
All options support ~200 users / ~200 machines using the self-hosted community edition (free, unlimited users). On-prem routing peers run on existing Hyper-V hosts at both offices at no additional cost.
Option A (Recommended): Existing Azure VM + On-Prem Routing Peers
The NetBird management server runs alongside existing Prefect workloads on GSI-AZ-IDM (B2s v2, 2 vCPU, 8 GB RAM, West US 2). NetBird's control plane (management, signal and STUN/TURN) needs ~1 CPU / ~2 GB RAM at this scale; it does not carry peer data traffic, so the VM has ample headroom. One caveat: peers that cannot negotiate a direct connection fall back to the relay on this VM, and relayed traffic does consume its CPU and bandwidth, so watch relay usage if many peers sit behind restrictive NAT.
| Component | Monthly Cost |
|---|---|
| Azure VM (GSI-AZ-IDM, already running) | $0 (already paid for) |
| On-prem routing peers (Hyper-V) | $0.00 |
| Domain name (amortized) | ~$1.00 |
| Total Monthly | ~$1 |
Why this is the recommendation: it uses existing Azure infrastructure at zero additional cost, the management server in Azure is independent of any single office, and on-prem routing peers provide direct LAN access at both sites. The trade-off of co-location is that the control plane shares the fate of GSI-AZ-IDM (a reboot or resource contention from the Prefect workloads affects NetBird as well). If workload isolation is preferred, a new dedicated B2s VM can be provisioned for ~$35-51/month instead (see Installation Guide Step 1 for both options).
Option B: Full On-Prem (Boulder Hyper-V)
Management server runs as a VM on existing Boulder Hyper-V hosts. Requires port-forwarding TCP 80/443 and UDP 3478 (STUN/TURN) through the Netgate 6100, which exposes the management API, dashboard and relay service on the office's public IP (plus the TURN relay port range, if relayed peers are expected).
| Component | Monthly Cost |
|---|---|
| Management server VM + routing peers | $0.00 |
| Domain + electricity | ~$3.00 |
| Total Monthly | ~$3 |
Risk: single site of failure. If Boulder loses power or internet, or the Hyper-V host fails, ALL peer management is down. Existing WireGuard tunnels survive, but operational control is lost: no policy changes, no new peers, and peers that change networks cannot re-signal a connection until the server is back.
Option C: $300/Month Budget (Best Reliability)
Primary B2s management server plus a cold standby B1ms in a second Azure region, with automated backups. Failover is manual: restore the management datastore from backup onto the standby and repoint DNS for the management/signal hostname, so rehearse the procedure before relying on it.
| Component | Monthly Cost |
|---|---|
| Primary Azure VM (B2s, West US 3) | ~$36.21 |
| DR/Standby VM (B1ms, West US 2) | ~$15.11 |
| OS Disks (2x P6, 64 GB) | ~$20.42 |
| Static Public IPs (2) | ~$7.30 |
| Azure Backup + domain + routing peers | ~$6.00 |
| Total Monthly | ~$85 |
Budget headroom remaining: ~$215/month for future growth.
OpenVPN on pfSense — The “Free” Baseline
OpenVPN on the Boulder pfSense with LDAP authentication has $0 infrastructure cost but requires PKI, LDAP, per-user certificates, and ongoing certificate lifecycle management that NetBird eliminates entirely. Every user needs a unique certificate generated, distributed, and eventually renewed or revoked. LDAP integration adds its own layer of troubleshooting (service accounts, CA imports, 15+ configuration fields). For ~200 users this is a significant ongoing operational burden, and that hidden labor, not the hardware, is where the real cost sits: industry data consistently shows that ongoing support and maintenance accounts for ~80% of VPN TCO (Gartner), and 41% of organizations cite VPN maintenance as a significant resource drain (Zscaler 2025).
5-Year Infrastructure Comparison
| Option | Monthly | 5-Year Infrastructure | Notes |
|---|---|---|---|
| OpenVPN on pfSense | $0 | $0 | Requires PKI + LDAP + per-user certs |
| NetBird Option A (existing VM) | ~$1 | ~$60 | Recommended — uses GSI-AZ-IDM |
| NetBird Option A (new VM) | ~$35-51 | ~$2,100-3,100 | Dedicated VM if workload isolation preferred |
| NetBird Option B (On-prem) | ~$3 | ~$180 | Single site of failure risk |
| NetBird Option C ($300 budget) | ~$85 | ~$5,100 | Primary + DR across 2 regions |
Risk-Adjusted Cost of Inaction (PA-2020)
The PA-2020 firewall is past EOSL with no security patches. Continuing to rely on it as a VPN gateway introduces quantifiable breach risk.
| Risk Factor | Estimate |
|---|---|
| Annual probability of credential compromise via unpatched VPN | 5-15% |
| Median SMB breach cost (IBM/Ponemon 2024) | $332,000 |
| Ransomware recovery cost (Sophos 2024, median for <500 employees) | $1.11M |
| Risk-adjusted annual exposure (probability x impact) | $31,000 - $166,500/yr |
The high end is 15% x $1.11M = $166,500; the low end of the range sits well above the bare 5% x $332,000 = $16,600, so the conclusion holds under either figure. Even at the low end, the annual risk-adjusted cost of keeping the PA-2020 exceeds the entire 5-year infrastructure cost of any NetBird option.
Self-Hosted Feature Trade-offs
Self-hosted NetBird (community edition) is free for unlimited users but loses 8 features vs. the cloud plans:
| Lost Feature | Impact | Why Acceptable |
|---|---|---|
| Background IdP-Sync | Groups sync at login (JWT), not continuously; a user disabled in the IdP keeps existing peer sessions until the peer's login expires | Adequate for ~200 users. Manual offboarding adds ~5 min per termination; set peer login expiration so a disabled account cannot stay authenticated indefinitely. |
| SCIM provisioning | Same as above | JWT group sync covers group lifecycle at this scale |
| Audit event streaming (SIEM) | No native SIEM streaming | API polling can be scripted |
| Traffic event logging | Not available | Routing peer-level logging as alternative |
| Device posture checks | Cannot enforce OS version, disk encryption via NetBird | Enforce separately via TacticalRMM or GPO |
| MDM/EDR integration | No CrowdStrike/SentinelOne integration | Enforce via existing EDR tools directly |
| Management server HA | Single server (enterprise license required for HA) | Existing tunnels survive outages. Cold standby possible for ~$15/mo (Option C). |
| Peer approval | No approval workflow for new peers | Restrict setup key distribution + set usage limits |
When to reconsider: If GSISG grows beyond 200 users, needs automated deprovisioning for compliance, or requires device posture checks, evaluate Cloud Team ($5/user/mo) or self-hosted Enterprise license.
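The "API polling can be scripted" alternative in the table above, written out as an added example (not NetBird's own tooling): a poller that reads activity events from the self-hosted management API, emits them as JSON lines for a SIEM or log shipper, and keeps a cursor so overlapping polls neither replay nor drop events that share a timestamp. It also tags account/setup-key/policy changes as high severity, which gives the manual-offboarding row an audit trail. Assumptions, labelled in the code: the management API exposes GET /api/events authenticated with a Personal Access Token in an Authorization: Token header; the event field names match the documented API; NETBIRD_URL, NETBIRD_TOKEN and NETBIRD_CURSOR are environment variables; the sample events are constructed, not captured.

```python
"""Poll NetBird activity events and emit SIEM-ready JSON lines.

Added example for this page, not part of NetBird. Assumptions: the
self-hosted management API serves GET /api/events, accepts a PAT via the
"Authorization: Token <pat>" header, and returns events with the fields
used in normalise() below.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Constructed sample events shaped like the Events API response (field
# names are an assumption taken from the documented API).
SAMPLE_EVENTS = [
    {"id": "101", "timestamp": "2025-01-10T09:00:00Z", "activity": "Peer added",
     "activity_code": "peer.add", "initiator_id": "u1", "initiator_name": "alice",
     "target_id": "p1", "meta": {"name": "alice-laptop"}},
    {"id": "102", "timestamp": "2025-01-10T09:00:00Z", "activity": "Setup key created",
     "activity_code": "setupkey.add", "initiator_id": "u2", "initiator_name": "admin",
     "target_id": "k1", "meta": {"name": "boulder-hyperv"}},
    {"id": "103", "timestamp": "2025-01-10T09:05:00Z", "activity": "User deleted",
     "activity_code": "user.delete", "initiator_id": "u2", "initiator_name": "admin",
     "target_id": "u1", "meta": {}},
]

# Activity-code prefixes that change who can reach what; tune per SIEM rules.
HIGH_PREFIXES = ("setupkey.", "user.", "policy.", "route.", "peer.ssh")


def parse_ts(ts):
    """RFC 3339 timestamp (with trailing 'Z') -> aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def select_new(events, cursor):
    """Return (new events oldest-first, updated cursor).

    cursor = {"ts": "<iso>", "ids": [...]} holds the newest timestamp seen and
    every event id at that timestamp, so same-second events are neither
    replayed nor lost when consecutive polls overlap.
    """
    if cursor is None:
        cursor = {"ts": "1970-01-01T00:00:00Z", "ids": []}
    cur_ts, seen = parse_ts(cursor["ts"]), set(cursor["ids"])
    fresh = []
    for ev in sorted(events, key=lambda e: (parse_ts(e["timestamp"]), e["id"])):
        ts = parse_ts(ev["timestamp"])
        if ts < cur_ts or (ts == cur_ts and ev["id"] in seen):
            continue
        fresh.append(ev)
    if fresh:
        newest = parse_ts(fresh[-1]["timestamp"])
        ids = {e["id"] for e in fresh if parse_ts(e["timestamp"]) == newest}
        if newest == cur_ts:          # still inside the same second: merge ids
            ids |= seen
        cursor = {"ts": fresh[-1]["timestamp"], "ids": sorted(ids)}
    return fresh, cursor


def normalise(ev):
    """Flatten one event into a stable record for the SIEM."""
    code = ev.get("activity_code", "")
    return {
        "source": "netbird",
        "event_id": ev["id"],
        "@timestamp": parse_ts(ev["timestamp"]).isoformat(),
        "action": code,
        "message": ev.get("activity", ""),
        "actor_id": ev.get("initiator_id"),
        "actor": ev.get("initiator_name"),
        "target_id": ev.get("target_id"),
        "meta": ev.get("meta", {}),
        "severity": "high" if code.startswith(HIGH_PREFIXES) else "info",
    }


def fetch_events(base_url, token):
    """GET /api/events with a PAT (assumed endpoint and auth scheme)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/events",
        headers={"Authorization": "Token " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_once(events, cursor_path):
    """One poll: load cursor, print new events as JSON lines, save cursor."""
    cursor = None
    if os.path.exists(cursor_path):
        with open(cursor_path) as f:
            cursor = json.load(f)
    fresh, cursor = select_new(events, cursor)
    for ev in fresh:
        print(json.dumps(normalise(ev)))   # one line per event for the shipper
    with open(cursor_path, "w") as f:
        json.dump(cursor, f)
    return len(fresh)


if __name__ == "__main__":
    url, token = os.environ.get("NETBIRD_URL"), os.environ.get("NETBIRD_TOKEN")
    events = fetch_events(url, token) if url and token else SAMPLE_EVENTS
    run_once(events, os.environ.get("NETBIRD_CURSOR", "netbird-events.cursor"))
```

Run it from cron every minute with the output piped to the log shipper; without NETBIRD_URL/NETBIRD_TOKEN set it processes the constructed sample so the cursor logic can be exercised offline. Give the PAT a read-only user and rotate it like any other service credential.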
Summary
| | OpenVPN on pfSense | NetBird Option A | NetBird Option B | NetBird Option C |
|---|---|---|---|---|
| Monthly infrastructure | $0 | ~$1 (existing VM) / $35-51 (new VM) | $3 | $85 |
| 5-year infrastructure | $0 | ~$60 / $2,100-3,100 | $180 | $5,100 |
| Single site of failure | Yes (pfSense) | No (Azure) | Yes (Boulder) | No (two regions) |
| PKI/certificate mgmt | Required | None | None | None |
| LDAP dependency | Required | None (OIDC) | None (OIDC) | None (OIDC) |
| Per-user deployment | ~200 unique configs | 1 universal script | 1 universal script | 1 universal script |
| Architecture | Hub-and-spoke | P2P mesh | P2P mesh | P2P mesh |
Recommendation: Option A (Azure VM management on GSI-AZ-IDM + on-prem routing peers) at ~$1/month, or ~$35-51/month on a dedicated VM if workload isolation is preferred. It eliminates PKI and LDAP management, provides cloud-grade availability without single-site risk, and the risk-adjusted cost of staying on the PA-2020 dwarfs the infrastructure spend of any NetBird option.