Self-Hosted Feature Parity
NetBird Self-Hosted vs Cloud Feature Parity
Executive Summary
Self-hosted NetBird is genuinely free for unlimited users/peers with no license fees. However, it is not feature-equivalent to the cloud version. Eight specific capabilities are unavailable, the most operationally significant being: (1) background IdP-Sync (self-hosted uses JWT-at-login group sync instead), (2) SCIM provisioning (requires commercial license), (3) peer approval (cloud-only), (4) traffic event logging and SIEM streaming (cloud-only), and (5) device posture checks (cloud-only). For GSISG’s 100-user deployment, the JWT group sync workaround is adequate but not identical to cloud IdP-Sync, and single-management-server risk is the primary operational concern.
Complete Feature Matrix
| Feature | Free (Cloud) | Team ($5/user/mo) | Business ($10/user/mo) | Self-Hosted (Free) |
|---|---|---|---|---|
| Users | 5 | Unlimited | Unlimited | Unlimited |
| Machines | 100 | 100 + 10/user | 100 + 10/user | Unlimited |
| P2P WireGuard encryption | Yes | Yes | Yes | Yes |
| Access controls (policies) | Yes | Yes | Yes | Yes |
| Network Routes / Networks | Yes | Yes | Yes | Yes |
| Private DNS | Yes | Yes | Yes | Yes |
| Enterprise IdP SSO/MFA | No | Yes | Yes | Yes (via external OIDC) |
| IdP-Sync (background) | No | Yes | Yes | NO (JWT sync only) |
| SCIM provisioning | No | Yes | Yes | Enterprise license |
| User invites (email) | No | Yes | Yes | NO |
| Peer approval | No | No | Yes | NO |
| Audit events logging | No | Yes | Yes | NO |
| Traffic events / SIEM streaming | No | No | Yes | NO |
| MDM & EDR integration | No | No | Yes | NO |
| Device posture checks | No | No | Yes | NO |
| Geo-distributed relays | Yes (managed) | Yes (managed) | Yes (managed) | DIY |
| High availability | Yes (managed) | Yes (managed) | Yes (managed) | DIY / Enterprise |
| Support | Community | Ticketing | Priority | Community only |
Entra ID Sync: Self-Hosted vs Cloud
Cloud IdP-Sync (Team plan+, cloud only)
| Aspect | Detail |
|---|---|
| How it works | NetBird polls Entra ID via Microsoft Graph API continuously |
| Sync timing | Background, automatic, continuous |
| User provisioning | Users appear in NetBird before they log in |
| User deprovisioning | Automatic — access revoked at next sync |
| Group names | Display names (“Engineering”) |
| Group limit | No 200-group JWT limit |
Self-Hosted JWT Group Sync
| Aspect | Detail |
|---|---|
| How it works | Groups embedded in JWT ID token during OIDC authentication |
| Sync timing | At login time only |
| User provisioning | Users appear only after first login |
| User deprovisioning | NOT automatic — sessions persist until expiry |
| Group names | GUIDs by default (unless Azure AD Premium) |
| Group limit | 200 groups per JWT token |
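An added diagnostic (not from the NetBird documentation or project code) that inspects an ID token payload for the two failure modes in the table above: a group list made only of GUIDs, and Entra ID's group overage, where the `groups` claim is omitted and `_claim_names` refers to Microsoft Graph instead. The claim name `groups`, the helper names and the sample tokens are assumptions constructed for illustration; the payload is decoded without signature verification, so this is for inspection only.

```python
import base64
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the payload segment only. No signature check: inspection, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def audit_groups(claims: dict, claim: str = "groups") -> dict:
    """Classify what a login-time group sync would receive from these claims."""
    groups = claims.get(claim)
    # Entra ID signals overage by omitting the claim and referencing Graph instead.
    overage = claim in claims.get("_claim_names", {}) or claims.get("hasgroups") is True
    values = groups if isinstance(groups, list) else []
    if overage:
        status = "overage"   # group list omitted: nothing to sync at login
    elif not values:
        status = "missing"   # claim absent or empty: check the app registration
    else:
        status = "ok"
    guids = [g for g in values if isinstance(g, str) and GUID_RE.match(g)]
    return {"status": status, "count": len(values),
            "guid_only": bool(values) and len(guids) == len(values)}

# Constructed sample tokens; the signature segment is a placeholder.
def sample_token(claims: dict) -> str:
    return ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(claims), "sig"])

GUID_TOKEN = sample_token({"sub": "alice", "groups": ["0f3a9c1e-2b4d-4e6f-8a1b-3c5d7e9f0a2b"]})
NAMED_TOKEN = sample_token({"sub": "carol", "groups": ["Engineering", "VPN-Users"]})
OVERAGE_TOKEN = sample_token({
    "sub": "bob",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}},
})

if __name__ == "__main__":
    for label, tok in [("guid", GUID_TOKEN), ("named", NAMED_TOKEN), ("overage", OVERAGE_TOKEN)]:
        print(label, audit_groups(decode_payload(tok)))
```

A status of `overage` means the user would log in successfully but arrive with no groups to sync, which is the "Breaks (JWT limit)" case; `guid_only` flags tokens whose groups will show up as GUIDs rather than display names.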
Practical Differences for GSISG:
| Scenario | Cloud IdP-Sync | Self-Hosted JWT Sync |
|---|---|---|
| New employee starts | Appears in minutes | Must log in first |
| Employee terminated | Removed at next sync | Sessions persist until timeout |
| Group membership changed | Updated within minutes | Updated at next user login |
| 200+ groups per user | Works | Breaks (JWT limit) |
The biggest operational gap is deprovisioning. There is no automatic revocation when a user is disabled in Entra ID. Users must be manually removed from NetBird or their setup keys revoked. For a 100-user org, this is manageable with a documented offboarding procedure.
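One way to support the documented offboarding procedure, as an added example (not NetBird's or the page author's code): reconcile an Entra ID account export against the NetBird user and peer lists, skipping the local break-glass admins this page recommends. `userPrincipalName` and `accountEnabled` are Microsoft Graph user properties; the NetBird-side field names (`id`, `email`, `user_id`, `login_expiration_enabled`), the matching of UPN to NetBird email, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def offboarding_report(directory, nb_users, nb_peers, break_glass=frozenset()):
    """List NetBird users (and their peers) whose Entra ID account is disabled or gone."""
    enabled = {a["userPrincipalName"].lower(): bool(a["accountEnabled"]) for a in directory}
    peers_by_user = defaultdict(list)
    for peer in nb_peers:
        peers_by_user[peer["user_id"]].append(peer)

    report = []
    for user in nb_users:
        email = user["email"].lower()
        if email in break_glass:
            continue  # local break-glass admins are intentionally absent from Entra ID
        if email not in enabled:
            reason = "not_in_directory"
        elif not enabled[email]:
            reason = "disabled_in_directory"
        else:
            continue
        peers = peers_by_user.get(user["id"], [])
        report.append({
            "user_id": user["id"],
            "email": email,
            "reason": reason,
            "peers": sorted(p["name"] for p in peers),
            # Peers with login expiration off never drop on their own.
            "never_expires": sorted(p["name"] for p in peers
                                    if not p.get("login_expiration_enabled", True)),
        })
    return sorted(report, key=lambda r: r["email"])

# Constructed sample data; field names are assumptions, not a verified API schema.
DIRECTORY = [
    {"userPrincipalName": "alice@example.org", "accountEnabled": True},
    {"userPrincipalName": "Bob@example.org", "accountEnabled": False},
]
NB_USERS = [
    {"id": "u1", "email": "alice@example.org"},
    {"id": "u2", "email": "bob@example.org"},
    {"id": "u3", "email": "carol@example.org"},
    {"id": "u4", "email": "breakglass1@example.org"},
]
NB_PEERS = [
    {"name": "bob-laptop", "user_id": "u2", "login_expiration_enabled": True},
    {"name": "bob-nas", "user_id": "u2", "login_expiration_enabled": False},
    {"name": "carol-phone", "user_id": "u3", "login_expiration_enabled": True},
]
BREAK_GLASS = frozenset({"breakglass1@example.org"})
```

Entries in `never_expires` are the ones to remove first, since they will not be cut off by the login expiration timeout.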
Self-Hosted HA
The NetBird scaling documentation states:
“If you are looking for a high-availability setup for the Management and Signal services, this is available through an enterprise commercial license.”
What you CAN do without enterprise license:
| Component | HA Possible? | How |
|---|---|---|
| Relay servers | Yes | Deploy multiple relay servers |
| Database | Yes | Migrate to PostgreSQL for replication |
| Management server | No | Single instance only |
| Signal server | No | Single instance only |
| Dashboard | Yes (stateless) | Load-balanced nginx |
When the management server goes down: Existing WireGuard tunnels continue working (data plane is independent). New peer connections cannot be established. Policy changes cannot be applied. Setup-key peers remain connected indefinitely; SSO-authenticated peers expire per login expiration setting (default 24 hours).
Practical Mitigation: Docker restart policies, monitoring (Uptime Kuma/Prometheus), regular SQLite backups, separated relay servers. Blast radius is limited to control plane; data plane is unaffected.
AGPLv3 License Implications
Since v0.53.0 (August 2025), server components (management, relay, signal) are AGPLv3. Client applications remain BSD-3.
For GSISG self-hosting internally: absolutely nothing changes. AGPL obligations trigger ONLY when you modify the server code AND offer the modified version as a service to external users/organizations. Internal use — even with modifications — is fully permitted.
| Concern | Risk Level |
|---|---|
| Internal deployment without modifications | ZERO |
| Internal deployment with modifications | ZERO |
| Corporate policy prohibiting AGPL on devices | LOW — client is BSD-3, not AGPL |
| Legal review | LOW-MEDIUM — brief review of client/server split recommended |
Self-Hosted Enterprise License
NetBird offers a Commercial License for self-hosted deployments with enterprise needs:
| Feature | Free Self-Hosted | Enterprise Self-Hosted |
|---|---|---|
| Management + Signal HA | Single instance | Multiple instances + load balancer |
| SCIM provisioning | Not available | Available |
| Support | Community only | Custom SLA |
| Installation assistance | None | Included |
Pricing is custom (contact sales@netbird.io). Not publicly listed.
Local Users + External Entra ID OIDC
Since v0.62, NetBird supports embedded Dex IdP with local user management AND multiple external OIDC providers simultaneously:
- Deploy self-hosted NetBird (creates embedded IdP with local users)
- Create admin account via Dashboard setup wizard (local email/password)
- Add Microsoft Entra ID as external provider (client ID, secret, issuer)
- Users see both login options: “Continue with Email” (local) AND Microsoft button
- Each user’s provider is tracked with a badge in the Users list
This gives GSISG SSO through Entra ID without needing the cloud Team plan. 2-3 local break-glass admin accounts provide emergency access if Entra ID has an outage.
What You Lose Going Self-Hosted
| # | Feature | Cloud Plan | Impact for GSISG | Workaround |
|---|---|---|---|---|
| 1 | IdP-Sync (background) | Team+ | MEDIUM — no auto-deprovision | JWT sync at login; manual offboarding |
| 2 | SCIM provisioning | Team+ / Enterprise | LOW | JWT sync; or purchase enterprise license |
| 3 | Peer approval | Business+ | LOW | Restrict setup key distribution |
| 4 | Traffic events logging | Business+ | LOW | WireGuard packet captures; API for peer status |
| 5 | Audit & traffic streaming | Business+ | LOW | Manual log aggregation |
| 6 | MDM & EDR integration | Business+ | LOW | Enforce compliance through Intune separately |
| 7 | Device posture checks | Business+ | LOW | Manual policy enforcement |
| 8 | User invites | Team+ | LOW | Share setup keys or login URL directly |
All core networking features are retained: P2P WireGuard, access controls, network routes, networks, private DNS, split DNS, SSH, setup keys, SSO/OIDC, local user management, reverse proxy (beta), unlimited users and machines.
Recommendation for GSISG
| Priority | Self-Hosted Free | Cloud Team ($500/mo) | Self-Hosted Enterprise |
|---|---|---|---|
| Cost minimization | Best | Moderate | Unknown |
| Data sovereignty | Best | Moderate | Best |
| Auto-deprovisioning | Manual workaround | Best | Good (SCIM) |
| Management HA | Weakest | Best | Good |
| Operational simplicity | Moderate | Best | Moderate |
Recommended starting point: Self-hosted free. Upgrade to Cloud Team ($6,000/year) only if automatic deprovisioning or managed HA becomes critical. Contact sales@netbird.io for enterprise self-hosted pricing if SCIM or management HA is needed while retaining data sovereignty.
Sources
Official: netbird.io/pricing, docs.netbird.io (self-hosted-vs-cloud, identity-providers, local users, plans-and-billing, scaling guide)
Community: netbird.io/knowledge-hub (AGPL announcement, v0.62 local users), GitHub #2073, #5335, Reddit, NetBird Forum