GoodAccess logo

VPN with Static IP Explained

Using a dedicated static IP address is considered best practice when ensuring remote access for the workforce via VPN (Virtual Private Network). How to get a static IP address? What is IP whitelisting? What are the typical use cases? Let's break this topic down.

User authentication via 2 factor or multifactor authentication

Table of Contents

What Is a Static IP Address?

A static IP address, also known as a fixed IP address, is an identification number assigned to a host. It remains the same in time and is indefinitely reserved for that particular service. The static IP doesn't change even after turning the device off and switching it back on. Typically, static IP is used within an internal network (LAN) for services where it is undesirable to have their IP change dynamically to ensure continuous availability (servers typically).

This draws the main difference with a dynamic IP. A dynamic IP is (surprisingly) dynamically assigned to a host (server, PC, laptop, mobile device, etc.) by DHCP service. It changes at the end of the leased period, usually 24 hours, but this is a custom configuration.

How to Get a Static IP Address?

There are two main options how to get a static IP:

Both ISP and business cloud VPN providers can assign you a shared or dedicated public IP address. The shared one remains the same every time you go online. However, it is mutual to other entities (tenants, organizations), which is not overly convenient when you want to hide your servers by IP whitelisting. A dedicated static IP address is a private address for a user or a group of users which is not shared with anyone outside your organization.

Additional Gateway with static IP

Fig 1: Getting a gateway with dedicated static IP from cloud VPN vendor is quite straightforward. Just be sure to select the closest one to preserve the best latency.

Gateway whitelisted on the server

Fig 2: Once the gateway is selected, public static IP is assigned to the user/device so that ie. it can be whitelisted on the server.

So we’ve learned how to get a dedicated static IP, but in what scenarios doesn’t it come in useful? Before jumping into the typical use cases, we need to clarify one key term known as IP whitelisting.

What Is IP Whitelisting?

IP whitelisting is a method of preventing unauthorized access by allowing only trusted IP addresses to connect to the system. A prerequisite is a static IP address, as dynamic addresses change regularly, and therefore the whitelist would be outdated with each change, requiring extensive manual work to make continuous adjustments.

Using IP whitelisting (firewall/ACL/webserver/source code) on the server can easily hide online systems from the public. Such systems are only available to the users with the organization’s IP address, whether they connect from a private corporate network or through a VPN gateway. Users connecting to the system from an unlisted IP address will be restricted.

having additional gateway

Fig 3: In case you have additional gateway, you can whitelist both static public IPs. But naturally, you can use only one based on your geo-location. Using different gateways is best practice for preserving low latency across regions.

What Is a Static IP Used for?

There are several reasons why to use static IP when operating a network. The most common ones include network access restriction and remote access to services.

Restrict Network Access

One of the most common use cases is restricting network access to your internet-facing services by using a firewall, where only whitelisted IP addresses are allowed to connect to the service. Only with static IP can you define a firewall rule valid indefinitely.

When using a dynamic IP address, the firewall rule would become obsolete anytime the IP address changes. As a result, the whitelist update would be necessary (which implies extensive manual work in large networks).

Enable Remote Access

Another common use case is when you host some service inside your local network and need to access it without geographical limitations. Your ISP has a range of IP addresses. Without a static IP, you use one of their shared IP addresses that don’t uniquely represent your network.

Having a static IP address means you can connect from anywhere (local firewall rules apply). Resting assured the IP address remains the same all the time.

Why Use VPN Static IP?

Imagine you host services inside your local network, data center, or even in the cloud and need your employees to access them from anywhere. It is possible to make the system available publicly, but it would make it vulnerable to network attacks (man-in-the-middle attacks, DoS and DDoS attacks, eavesdropping typically, data breach).

Therefore, it is reasonable to make your resources available only to known IP addresses (so-called IP whitelisting - see the box above) as part of security controls.

Without a static IP provided by the VPN service, your users connect with one of ISP’s shared IP addresses that don’t belong into your trusted IP range and don’t uniquely identify them as one of your internal employees.

With a static IP address whitelisted by the server (i.e., your CRM application server), users’ IP addresses always remain the same. This is why users can connect from everywhere(local firewall rules apply) securely. Static IP is essentially a unique online ID of the user used for secure remote system access.

VPN creates a secure encrypted tunnel connection from a device to a VPN server based in the selected country (see business cloud VPN for more). The user device is assigned an actual static IP address, and all their data is routed via an encrypted tunnel. This is the way to ensure users always have the same static IP wherever they connect from. The IP address is fixed and dedicated to the user or a group of users, so only they can use it for accessing remote systems.

Business Cloud VPN typically delivers:


Today, employees often use unprotected devices that may be exposed to threats stealing sensitive credentials and data. Bad actors cannot breach the system even if they have login information when using a static IP because they connect from a different IP than the whitelisted one.