Enterprise vs Community Edition

NetBird Enterprise vs Community Edition

Executive Summary

NetBird self-hosted community edition is free with no per-user or per-peer licensing. Multi-site routing with HA failover between routing peers is a core feature available in all editions including the free community tier. Management Server HA (multiple management instances) requires an enterprise commercial license, but a cold standby strategy using SQLite backup/restore with DNS failover is viable for the community edition. Existing WireGuard tunnels survive management server outages; only new peer registration and configuration changes are affected. TacticalRMM can fully manage the NetBird lifecycle via PowerShell scripts.

Pricing Tiers

Aspect	Free (Cloud)	Team (Cloud)	Business (Cloud)	Enterprise (Cloud)	Self-Hosted Community
Price	$0/user/mo	$5/user/mo	$10/user/mo	Custom	Free
Users	5	Unlimited	Unlimited	Unlimited	Unlimited
Machines	100	100 + 10/user	100 + 10/user	Unlimited	Unlimited
Billing	N/A	Usage-based	Usage-based	Invoice	Infrastructure only

Enterprise self-hosted pricing is Custom / Contact Sales. No public per-user or per-peer rate exists.

Feature Matrix

Feature	Community (Self-Hosted)	Enterprise Required?
Multi-site routing	FREE — core feature in all editions	No
HA routing peer failover	FREE — automatic, built-in	No
Network routes + ACLs	FREE	No
SSO with Entra ID (OIDC)	FREE	No
DNS management	FREE	No
API access	FREE	No
Setup key peers (never expire)	FREE — exempt from login expiration	No
Unlimited users / peers	FREE (self-hosted)	No
SCIM provisioning	Requires Commercial License	Yes
Management Server HA (multi-instance)	Requires Commercial License	Yes
Audit/traffic event logging	Cloud-only feature	N/A for self-hosted
Device posture checks	Cloud-only feature	N/A for self-hosted
MDM & EDR integration	Cloud-only feature	N/A for self-hosted

Key finding: Multi-site routing with HA failover between routing peers is explicitly documented as available “in all plans, including the free tier.” Having routing peers at BOTH sites simultaneously with automatic failover is a standard community feature at zero cost.

Multi-Site Routing (Free)

Evidence that multi-site routing does NOT require enterprise licensing:

Official docs: “You can add unlimited routing peers to a highly available route.”
WZ-IT comparison: “High-Availability Routes and Exit Nodes are available in all plans, including the free tier.”
NetBird knowledge hub: “Highly available routes and exit nodes are available in all plans.”
GitHub: Users running self-hosted with HA routing peers in production.

For GSISG, this means:

Create a route for Honolulu LAN (10.100.7.0/24) with routing peers at Honolulu
Create a route for Boulder LAN (10.15.0.0/24) with routing peers at Boulder
Add HA routing peers at each site for redundancy
All free

Management Server HA

What It Is

Running multiple management server instances behind a load balancer for zero-downtime failover. Requires PostgreSQL (not SQLite) and a Commercial License.

What Happens When the Single Management Server Goes Down

Timeframe	Impact
0-30 minutes	LOW — existing tunnels continue, data plane is independent
30 min - 4 hours	MODERATE — no new peers, no dashboard, no API
4-24 hours	SIGNIFICANT — SSO peers begin expiring (24-hour default)
24+ hours	HIGH — only setup-key peers remain connected

Cold Standby Strategy (Without Enterprise License)

Primary Server (active)                  Standby Server (dormant)
+---------------------------+           +---------------------------+
| Docker Compose:           |           | Docker Compose:           |
|  - Management             |           |  - Management (stopped)   |
|  - Signal                 |           |  - Signal (stopped)       |
|  - Relay/STUN             |           |  - Relay/STUN (stopped)   |
|  - Dashboard              |           |  - Dashboard (stopped)    |
| SQLite DB: store.db       |           | SQLite DB: (from backup)  |
+---------------------------+           +---------------------------+
          |                                       |
    DNS A record: netbird.company.com ----> Primary IP
    (failover: change to Standby IP)

What to back up and sync:

Database: /var/lib/netbird/ (store.db)
Config files: docker-compose.yml, config.yaml, dashboard.env
TLS certificates (Let’s Encrypt)
IdP configuration (OIDC settings, client secrets)

Backup procedure: Daily cron job that briefly stops management, copies the database, rsyncs to standby, and restarts. Downtime: seconds.

Failover procedure (~10-15 minutes):

Copy latest backup into place on standby
Start Docker Compose services
Update DNS A record (pre-configure low TTL: 60-300 seconds)
Clients reconnect automatically after DNS propagates

Estimated Recovery Time:

Best case (pre-staged standby, low TTL): 5-10 minutes
Typical case (manual intervention): 15-30 minutes
Data loss window: equal to backup frequency

Routing Peer Redundancy

NetBird has native automatic failover for routing peers — no enterprise license required.

How it works:

Create a route for an office LAN
Add multiple routing peers with different metric priorities
Clients automatically select the best available peer
If the primary goes offline, failover is automatic

Recommended HA configuration:

Boulder: Primary on DATA001, secondary on DATA007
Honolulu: Primary on DATA003, secondary on DATA004

Setting	Value
Default period	24 hours
Range	1 hour to 180 days
Setup key peers	Completely exempt — never expire
Can be disabled	Globally or per-peer

When login expires, the WireGuard tunnel drops and the user must re-authenticate via SSO. Setup key peers (routing peers, servers) maintain connections indefinitely.

For TRMM-managed endpoints: Enroll infrastructure with setup keys (no expiration). User workstations can use either setup keys (convenient) or SSO login (more secure, periodic re-auth required).

TacticalRMM Integration

Silent Install

$DownloadUrl = "https://pkgs.netbird.io/windows/msi/x64/netbird_installer_windows_amd64.msi"
$NetBirdMSI = "$env:TEMP\netbird-installer.msi"
Invoke-WebRequest -Uri $DownloadUrl -OutFile $NetBirdMSI -UseBasicParsing
Start-Process "msiexec.exe" -ArgumentList "/i", $NetBirdMSI, "/qn", "/norestart", "SETUP_KEY=$SetupKey", "MANAGEMENT_URL=$ManagementUrl" -Wait

Status Check

$statusJson = & "C:\Program Files\NetBird\netbird.exe" status --json | ConvertFrom-Json
if ($statusJson.management.connected) { Write-Host "Connected"; exit 0 }
else { Write-Host "Disconnected"; exit 1 }

Uninstall

& "C:\Program Files\NetBird\netbird.exe" down
& "C:\Program Files\NetBird\netbird.exe" service uninstall
Start-Process "C:\Program Files\NetBird\netbird_uninstall.exe" -ArgumentList "/S" -Wait

TRMM Bulk Management

Bulk Script: Execute against Clients/Sites/Selected Agents/All
Automation Policies: Run scripts automatically on groups
Onboarding Tasks: Auto-install NetBird on new machines
Script Checks: Periodic status monitoring with alerts
API: Full REST API for programmatic management

This directly addresses the “no automatic deprovisioning” concern: when an employee leaves, run the uninstall script on their machines via TRMM bulk operations.

Deprovisioning Workflow

Five complementary mechanisms:

Login Expiration: Default 24 hours. Disable user in Entra ID; access revoked at next token refresh.
TRMM Uninstall: netbird down + netbird_uninstall.exe /S — 2-3 minutes per endpoint.
TRMM Bulk Uninstall: Fire-and-forget to all agents — 15-30 minutes for all endpoints.
NetBird API: Programmatic peer deletion, group management, policy updates.
Entra ID Integration: Disable user in Entra ID = access revoked at next token refresh.

Setup key peers (servers, routing peers) are completely exempt from login expiration and managed separately from user endpoint lifecycle.

Gaps & Uncertainties

Enterprise pricing: No public pricing found. Contact sales@netbird.io.
TLS certificate handling on standby: Let’s Encrypt HTTP-01 challenge requires the standby to be reachable. DNS-01 or wildcard certs are more reliable.
Signal server during management outage: If on the same host, connection re-establishment may fail. Consider separating Signal to its own host.
Route flapping in HA: Issue #2150 (fixed), but #4769 reports intermittent routing peer connectivity loss.

Sources

Official: netbird.io/pricing, docs.netbird.io (plans-and-billing, self-hosted-vs-cloud, network-routes, scaling guide, backup, login expiration, setup keys, Windows install, CLI reference)

GitHub: #1584, #4788, #2802, #4603, #2150, #4769

Community: WZ-IT comparison, NetBird knowledge hub, forum.netbird.io, TacticalRMM docs