Our COO is asking, “can you look into how we implement MS’s VPN Solution”? But I’m not aware of one that MS offers for our kind of environment (all remote employees, all cloud-based resources and assets).

Would love some help learning which Microsoft solutions she could be referring to, and some insight into best practice.

3 Spice ups

AOVPN or always-on VPN is likely what your COO is asking about.

About Always On VPN for Windows Server Remote Access | Microsoft Learn

It would only be useful if you needed to connect back to an on-prem system though, so not sure why they’re asking if you’re fully cloud.

4 Spice ups

Is it possible the COO was asking about the built-in VPN connection in Windows? That’s a long shot but it kind of makes sense?

1 Spice up

Absolutely, but for what use case if everything is in the cloud. That is, to connect where?

4 Spice ups

That’s probably something we’ll have to wait for OP to go back and ask. There’s a lot of detail missing.

1 Spice up

They are probably referring to Entra Private Access (and for filtering, Entra Internet Access)

It’s a ZTNA solution, not a VPN. Its nearest equivalent would likely be Zscaler.

3 Spice ups

OH! Ok, that makes more sense than my first thought lol

Is this an effective solution vs VPN for users?

Low cost
Low maintenance
secure??

Can you try it before you buy it ??

1 Spice up

Compared to what. Around the same costs as Zscaler I believe. $5 USD per user for private access and another $5 USD for “internet access” which is content filtering for secure web browsing. The second is optional.

Reasonably once you spend the up front time getting it set up.

Yes, so long as you do things like enforce MFA, don’t just put in a rule that allows ports 1-65535 to all hosts, etc. Anything secure can be made insecure with bad implementation.

Yes Microsoft

1 Spice up

Compared to regular VPN for clients, say IPsec with AD auth.

Is it faster or slower? Trying to wrap my head around this like the OP.

1 Spice up

VPNs tend to be slow because of what they are.

What matters is the objective, what is your goal?

1 Spice up

Well, OP’s resources are all in the cloud and their users are using VPN like I mentioned, I assume, but if it’s all in the cloud then why not use what @PatrickFarrell suggests…

My situation is a hybrid situation, so the first goal would be to get it all in the cloud, a whole other box of worms…

Thanks @Rod-IT AI :smiling_face_with_sunglasses:

1 Spice up

Honestly, I’m not sure what she was asking for. She just knows previously they got a quote for “something that’d protect us like a VPN”

It seems her concern is that many remote workers could be working on public wifi.

Some of that is just teaching users good digital hygiene, but they’ve only ever had reactive MSP for their IT department here.

We’re cloud based with conditional access, locked down resources, and multifactor authentication, so really our resources are as safe as your users are with their passwords and MFA method and with the devices they’re using to access our resources.

1 Spice up

What I suggested works for on prem. I’ve used it for on-prem resources with Entra-only joined laptops.

2 Spice ups

There are ads everywhere these days selling VPN solutions as security tools to protect your internet traffic. It sounds like your COO may have heard some.

These ads are 100% false and misleading. The products they sell could at best be called a privacy tool, but they are 100% not security tools. All they do is shift your traffic from a partially trusted ISP to an unknown and not trusted ISP somewhere else while (coincidentally) giving the VPN provider insight into your traffic at the same time.

If you are already cloud you are far better served looking at other tools. You should get clarity from your COO on what they are looking for and why they are asking for it.

5 Spice ups

(post deleted by author)

Very much this. The ads for consumer VPN tools give me flashbacks to the old airline magazines. We’d get a cold dread every time we heard a C-level was flying somewhere - invariably there would be some glossy article calling out to them from the seat pocket within easy reach. And just as inevitably, we would get a call shortly after they landed inquiring as to why we don’t have whatever really expensive and unnecessary thing they just read about.

1 Spice up

But they don’t.

This might be a concern, but using a VPN will make things slower, and Microsoft do not recommend using one to access their services. All their traffic is already encrypted and optimized; adding other layers on top makes the user experience worse.

I would suggest seeking clarity; if you’re not sure, we won’t be of much help to you.

3 Spice ups

@PatrickFarrell you just made my day… does the article you posted talk about this?

Checking it now…

1 Spice up

Totally agree. If you’re the IT go-to person, or director or manager, then go to her office, have her pull up what she is talking about, and go from there. As others have said, if you are already all Azure/Entra cloud and such, then …??

1 Spice up