
VPN with Static IP Explained

Using a dedicated static IP address is considered best practice when ensuring remote access for the workforce via VPN (Virtual Private Network). How to get a static IP address? What is IP whitelisting? What are the typical use cases? Let's break this topic down.


What Is a Static IP Address?

A static IP address, also known as a fixed IP address, is an identification number assigned to a host. It remains the same over time and is reserved indefinitely for that particular service. The static IP doesn't change even after the device is turned off and switched back on. Typically, static IPs are used within an internal network (LAN) for services, usually servers, whose IP should not change dynamically so that they stay continuously available.

This is the main difference between a static and a dynamic IP address. A dynamic IP address is assigned to a host (server, PC, laptop, mobile device, etc.) by a DHCP (Dynamic Host Configuration Protocol) service. It only lasts for the duration of the lease period, which is usually 24 hours, although this depends on the configuration.

On the other hand, a static IP address remains the same for as long as the user needs it. It does not reset with the device being switched off and on but remains permanently reserved for that particular service. Learn more about the usage and differences between static IP vs dynamic IP addresses in this blog.

How to Get a Static IP Address?

There are two main ways to obtain a static IP address:

Both the ISP and business cloud VPN can provide you with a public static IP address. This IP address can be either dedicated or shared.

A shared static IP address is a single address used by several entities, i.e. tenants or organizations, which is convenient for the purposes of home users as shared IP addresses are often free. However, a shared IP address is ill suited for security measures like IP whitelisting.

On the other hand, a dedicated IP address is completely private to one user or a group of users and is not shared with anyone outside your organization. For this reason, it can be used for a variety of purposes ranging from routing to securing remote access.


Fig 1: Getting a gateway with a dedicated static IP from a cloud VPN vendor is quite straightforward. Just be sure to select the closest one to keep latency low.


Fig 2: Once the gateway is selected, a public static IP is assigned to the user/device so that it can, for example, be whitelisted on the server.

What Is a Static IP Address Used for?

Besides home and local networks, you will see static IP addresses used by devices and services that want to be found. A typical example is DNS servers, which need to remain accessible to machines that require DNS resolution to navigate the internet.

Another example is direct access without a domain name. If you connect to a server using its static IP address, you can always do so even if the DNS service is unavailable or it has no domain name at all. This is particularly useful in remote access scenarios for ensuring access via an access gateway of one kind or another (router, firewall, or a VPN server).

The latter concept is known as IP whitelisting.

What Is IP Whitelisting?

IP whitelisting is a method of preventing unauthorized access by allowing only trusted IP addresses to connect to the system. A prerequisite is a static IP address, as dynamic addresses change regularly, and therefore the whitelist would be outdated with each change, requiring extensive manual work to make continuous adjustments.

Applying IP whitelisting on the server (in a firewall, an ACL, the web server, or the source code) can easily hide online systems from the public. Such systems are only available to users with the organization’s IP address, whether they connect from a private corporate network or through a VPN gateway. Users connecting to the system from an unlisted IP address will be restricted.


Fig 3: If you have an additional gateway, you can whitelist both static public IPs. Naturally, you can use only one at a time, based on your geolocation. Using different gateways is best practice for preserving low latency across regions.
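
The source-code variant of the whitelist described above, as an added example (not GoodAccess code): it checks a connection against two gateway static IPs and refuses to trust a client-supplied `X-Forwarded-For` header unless the connection comes from the server's own reverse proxy. The addresses are constructed documentation-range values, and the proxy subnet and function names are assumptions.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real gateways.
GATEWAY_ALLOWLIST = [ipaddress.ip_network(n)
                     for n in ("203.0.113.10/32", "198.51.100.20/32")]
# Assumed subnet of our own reverse proxies / load balancers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _in_any(addr, networks):
    return any(addr.version == net.version and addr in net for net in networks)


def effective_client_ip(peer, x_forwarded_for=None):
    """Return the address the allowlist must be checked against.

    The TCP peer is authoritative. X-Forwarded-For is read only when the peer
    is one of our proxies, and then right to left, skipping proxy hops, so a
    value the client put at the left of the header cannot pose as a gateway.
    """
    addr = _parse(peer)
    if not x_forwarded_for or not _in_any(addr, TRUSTED_PROXIES):
        return addr
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            candidate = _parse(hop)
        except ValueError:
            return None  # malformed hop: fail closed
        if not _in_any(candidate, TRUSTED_PROXIES):
            return candidate
    return addr  # every hop was a proxy; the peer itself is not a gateway


def is_allowed(peer, x_forwarded_for=None):
    """True only if the effective client address is a whitelisted gateway IP."""
    try:
        addr = effective_client_ip(peer, x_forwarded_for)
    except ValueError:
        return False
    return addr is not None and _in_any(addr, GATEWAY_ALLOWLIST)
```
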

Using a static IP: Use Cases

There are several reasons to use a static IP when operating a network. The most common ones include network access restriction and remote access to services.

Restrict Network Access

One of the most common use cases is restricting network access to your internet-facing services by using a firewall, where only whitelisted IP addresses are allowed to connect to the service. Only with static IP can you define a firewall rule valid indefinitely.

When using a dynamic IP address, the firewall rule would become obsolete anytime the IP address changes. As a result, a whitelist update would be necessary (which implies extensive manual work in large networks).

Enable Remote Access

Another common use case is when you host some service inside your local network and need to access it without geographical limitations. Your ISP has a range of IP addresses. Without a static IP, you use one of their shared IP addresses that don’t uniquely represent your network.

Having a static IP address therefore allows you to connect from any remote location (local firewall rules apply), knowing the IP address is always the same and resting assured the connection remains available.

Access to Cloud Resources

Data stored in the public cloud is protected by the provider along with the rest of their cloud infrastructure, but the business subscribing to the cloud hosting services is still responsible for the protection of their data during transit.

IP whitelisting is an effective method of establishing a trusted connection between the cloud and another key element of the company infrastructure, such as a VPN server. Doing this makes the cloud resources quicker and easier to access, as well as more secure, since access would only be allowed from the trusted IP address.

Why Use VPN Static IP?

Imagine you host services inside your local network, data center, or even in the cloud and need your employees to access them from anywhere. It is possible to make the system available publicly, but that would make it vulnerable to network attacks (typically man-in-the-middle attacks, DoS and DDoS attacks, eavesdropping, and data breaches).

Therefore, it is reasonable to make your resources available only to known IP addresses (so-called IP whitelisting - see the box above) as part of security controls.

Without a VPN with a static IP, your users connect with one of the ISP’s shared IP addresses, which don’t belong to your trusted IP range and don’t uniquely identify them as your internal employees.

With a static IP address whitelisted by the server (e.g., your CRM application server), users’ IP addresses always remain the same. This is why users can connect securely from anywhere (local firewall rules apply). A static IP is essentially a unique online ID that the user presents for secure remote system access.

VPN creates a secure encrypted tunnel connection from a device to a VPN server based in the selected country (see business cloud VPN for more). The user device is assigned an actual static IP address, and all their data is routed via an encrypted tunnel. This is the way to ensure users always have the same static IP wherever they connect from. The IP address is fixed and dedicated to the user or a group of users, so only they can use it for accessing remote systems.

Business Cloud VPN typically delivers:

Conclusion

A business VPN with a static IP address enables companies to deal with the current reality of work. Employees often use unprotected devices and connect via non-company-owned infrastructures, which carries the risk of picking up malware and compromising access credentials.

However, even if bad actors do get a hold of your login information, it is not enough to breach your systems, because they connect from a different IP address than the whitelisted one. A VPN with a static IP address therefore helps you implement a multi-faceted security policy that places additional obstacles in the path of adversaries while making life easier for you.