
Asking ISP for external IP range

  • 09-04-2019 9:05am
    #1
    Registered Users Posts: 446 ✭✭


    I have a customer with a database I need to connect to which is firewalled. I need my external IP address range added to their firewall whitelist.

    I contacted my ISP to ask what the range is but they didn't get my question, they only advised about the internal IP assigned by the router, i.e. 192.168.1.1-254

    Should my ISP be able to tell me the possible range of my external IP address? It's something like 37.228.249.1 at the moment.


Comments

  • Registered Users Posts: 13,999 ✭✭✭✭Johnboy1951


    This would appear to be what you want
    inetnum: 37.228.224.0 - 37.228.255.255
    netname: INFRASTRUCTURE-VM-IE
    descr: Infrastructure
    descr: Virgin Media Ireland
    country: IE
    admin-c: DH2529-RIPE
    tech-c: DH2529-RIPE
    status: ASSIGNED PA
    mnt-by: VM-IE-MNT
    created: 2017-10-27T09:19:18Z
    last-modified: 2017-10-27T09:19:18Z
    source: RIPE
    % Information related to '37.228.224.0/19AS6830'
    
    route:          37.228.224.0/19
    descr:          NTL Ireland
    origin:         AS6830
    mnt-by:         AS6830-MNT
    created:        2012-06-20T08:53:51Z
    last-modified:  2012-06-20T08:53:51Z
    


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    A lot of ISPs will have chunks of ranges here, there and everywhere, so won't really be able to give you a single range. They might be able to narrow it down to a smaller range based on your location, but that info probably won't be available to CS, they'd have to escalate it to network ops. And there's nothing to stop them changing it in future, and no obligation to tell you.

    JohnBoy gives one possible range above. This could change next week.

    Chances are they'll just tell you to pay for static IP for yourself.

    Safer for yourself and the customer is to connect via VPN when you need to talk to their database. Leaving their firewall permanently open to an IP range is asking for trouble. Adding the above IP range, for example, leaves the firewall exposed to 8190 Virgin Media customers (which could be tens of thousands of individuals).

    If this is a permanent connection, then buy a static IP address from your ISP, or set up a server yourself with a static IP in AWS or similar and use that for connections to your customer.


  • Registered Users Posts: 446 ✭✭Ranjo


    Great thanks. I have actually set up a VM with a fixed IP. It's just a little bit easier from my home PC (mainly in regards to a lot of other project files/etc that are easier to access from home), so was aiming to solve that.


  • Registered Users Posts: 13,981 ✭✭✭✭Cuddlesworth


    Ranjo wrote: »
    Great thanks. I have actually set up a VM with a fixed IP. It's just a little bit easier from my home PC (mainly in regards to a lot of other project files/etc that are easier to access from home), so was aiming to solve that.

    To use an analogy.

    Your external IP is the same as an address, unique to your house.
    Your internal IP on your VM, is like a room within. Unique to your house but doesn't mean anything outside of the house.

    If you want a fixed external IP from VM (Virgin Media), you need a business line I think.


  • Registered Users Posts: 446 ✭✭Ranjo


    Thanks Cuddlesworth. The VM I set up is in Microsoft Azure and they offer a fixed IP so that one is all fine, no business line needed or anything, all cloud services.

    Based on Seamus' message I'm not going to pursue looking for my ISP's external IP range as it's not fixed and I would also be asking a customer to expose too many IPs which could ultimately change again anyway.

    Thanks all.


  • Registered Users Posts: 13,999 ✭✭✭✭Johnboy1951


    For those who know about this stuff, would the following work? (yes it is a bit much maybe to ask of a customer, but wondering if it would work.)

    ####

    If it were possible to adjust the firewall dynamically it could probably be done using DDNS on your end to make the IP available?

    If you set up a DDNS for your connection, and the server end was to ping that DDNS it would return the current IP of your connection which could be applied to the firewall whitelist in place of any previous IP you had.

    It would involve running a command at each end timed to suit.

    It would require a deal of cooperation as well as the ability to apply it.

    It might be worth considering ...... ?


  • Registered Users Posts: 2,720 ✭✭✭niallb


    I think Cuddlesworth meant Virgin Media by VM, not Virtual Machine.
    If you ask Virgin for a static IP they will tell you what hoops you need to jump through.
    I have one for exactly the same reason from Eir - one off setup charge and no ongoing cost as far as I can see.

    What kind of VM have you set up in Azure? Are you running your database tools there or from home?
    Even a very basic VM could run a VPN server to get you through to the client's network from home.
    Creating an IPsec tunnel back to the client's site only requires one IP to be added to their firewall
    and allowing you to connect via ipsec or openvpn to your VPS gives a strongly authenticated access point for your PC.

    I have a €5 a month 256MB RAM VPS doing something similar. In my case the client's connection is over satellite,
    so the costs of providing a visible IP address would have been several hundred extra a month otherwise.
    Their router can reach out to my VPS and I can connect to it also. I use OpenVPN rather than IPsec because the router supported it and it's easy to manage, but there are several ways of approaching it.

    Do you know what router they are using at their end?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    For those who know about this stuff, would the following work?

    Yeah, it's a possibility.

    At the customer end it's a bit messy though because if the firewall rules are IP-based then the script has to remove the old entry and add the new one. And there may be a refractory period where you have to wait for the firewall to reapply its own rules.

    Some firewalls will allow DNS-based rules so the need to update the IP is negated from the customer's side. However, DNS-based rules are slightly less secure than IP-based ones, so the company's own policy might not permit it to be used.

    For a scenario where a contractor or other 3rd party does ad-hoc work not requiring a permanently open connection, then a remote access VPN solution is the best.


  • Registered Users Posts: 13,999 ✭✭✭✭Johnboy1951


    seamus wrote: »
    Yeah, it's a possibility.

    At the customer end it's a bit messy though because if the firewall rules are IP-based then the script has to remove the old entry and add the new one. And there may be a refractory period where you have to wait for the firewall to reapply its own rules.

    Some firewalls will allow DNS-based rules so the need to update the IP is negated from the customer's side. However, DNS-based rules are slightly less secure than IP-based ones, so the company's own policy might not permit it to be used.

    For a scenario where a contractor or other 3rd party does ad-hoc work not requiring a permanently open connection, then a remote access VPN solution is the best.

    Thanks for the explanation.
    I had wondered when writing the question (but did not include it) whether such firewalls could use the content of a variable for an IP address.
    I expect not .....

    (I might need something temporary like this myself at some stage so just gathering info now ;) )


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    A DNS record is a variable :p

    Cloudflare offer free DNS hosting for a single domain. I use this and the Cloudflare API to periodically update a specific DNS record in my domain, to point to my home IP address. It's a Python script running on a home server that gets the current public IP for the connection and then updates that in Cloudflare if it has changed.

    I did this because I'm too cheap to pay for DDNS when I can just write it myself :p

    Whether a firewall can use this depends on the firewall and the person administering it. DNS-based rules open a risk of cache poisoning or compromised DNS servers allowing an attacker to spoof a DNS record and get access through their firewall.

    It can be mitigated against, but some companies will see it as an unnecessary risk to add.
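
The customer-side update discussed in this thread (drop the old whitelist entry, add the new one), as an added example that is not code from any poster. The names `validate_resolved` and `plan_update` are hypothetical, the DNS answer is passed in as a plain list, and bounding the resolved address to the whois prefix quoted earlier is an assumed mitigation for a spoofed record, not one the thread specifies.

```python
import ipaddress

# Assumption: the contractor's ISP route, taken from the whois output in the thread.
EXPECTED_PREFIX = ipaddress.ip_network("37.228.224.0/19")


def validate_resolved(answers, expected=EXPECTED_PREFIX):
    """Return the single acceptable address from a DNS answer, or None.

    Rejects empty or multi-address answers, malformed or non-IPv4 values,
    non-public addresses, and anything outside the expected ISP prefix.
    """
    if len(answers) != 1:
        return None
    try:
        addr = ipaddress.ip_address(answers[0])
    except ValueError:
        return None
    if addr.version != 4 or not addr.is_global or addr not in expected:
        return None
    return addr


def plan_update(current_allowlist, answers):
    """Compute firewall changes as (action, cidr) tuples, to apply in order.

    The new /32 is added before stale entries are removed, so the contractor
    is never left with no entry. A rejected answer yields no changes, which
    keeps the last known-good entry and admits nothing new.
    """
    addr = validate_resolved(answers)
    if addr is None:
        return []
    wanted = f"{addr}/32"
    plan = [] if wanted in current_allowlist else [("add", wanted)]
    plan += [("remove", e) for e in sorted(current_allowlist) if e != wanted]
    return plan


if __name__ == "__main__":
    # Constructed sample data: one existing entry and three resolver answers.
    allowlist = {"37.228.249.1/32"}
    for answer in (["37.228.250.7"], ["37.228.249.1"], ["203.0.113.9"]):
        print(answer, "->", plan_update(allowlist, answer))
```

The plan is deliberately firewall-agnostic: translating each tuple into the customer's own rule syntax is left to whoever administers that device.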


  • Registered Users Posts: 13,999 ✭✭✭✭Johnboy1951


    seamus wrote: »
    A DNS record is a variable :p

    Cloudflare offer free DNS hosting for a single domain. I use this and the Cloudflare API to periodically update a specific DNS record in my domain, to point to my home IP address. It's a Python script running on a home server that gets the current public IP for the connection and then updates that in Cloudflare if it has changed.

    I did this because I'm too cheap to pay for DDNS when I can just write it myself :p

    Whether a firewall can use this depends on the firewall and the person administering it. DNS-based rules open a risk of cache poisoning or compromised DNS servers allowing an attacker to spoof a DNS record and get access through their firewall.

    It can be mitigated against, but some companies will see it as an unnecessary risk to add.

    Thanks, so it can work if both ends are amenable. :D


  • Registered Users Posts: 446 ✭✭Ranjo


    niallb wrote: »
    What kind of VM have you set up in Azure? Are you running your database tools there or from home?
    I've set up a Standard_DS12_v2, 4 vcpu/28 GB RAM. I'll be doing some fairly heavy, but not massive, number crunching which is both CPU & RAM intensive. It costs 230 odd a month but will actually spend about 80-90% of the time shut down.
    niallb wrote: »
    Even a very basic VM could run a VPN server to get you through to the client's network from home.
    Creating an IPsec tunnel back to the client's site only requires one IP to be added to their firewall
    and allowing you to connect via ipsec or openvpn to your VPS gives a strongly authenticated access point for your PC.
    I would love to set this up, but it's beyond my comfort zone. I know some bits & pieces, but not enough to pick up & set this up without guidance. I'll see if I can google/RTFM, but if you have pointers then I'll try & attack it myself.
    niallb wrote: »

    Do you know what router they are using at their end?
    No I don't, if I do try & progress I'll contact them & get their router details.


  • Registered Users Posts: 2,720 ✭✭✭niallb


    Ranjo wrote: »
    I've set up a Standard_DS12_v2, 4 vcpu/28 GB RAM. I'll be doing some fairly heavy, but not massive, number crunching which is both CPU & RAM intensive. It costs 230 odd a month but will actually spend about 80-90% of the time shut down.
    It's just the law of the lever. You need to apply a lot more force if you can't control where you put the fulcrum. Getting you connected through to do the work on the machine on their premises should only need 1/2 cores and 256M/512M RAM.

    If it's saving your client €200 a month I'd expect they'd be eager for you to put some time into it!
    Ranjo wrote: »
    ... I would love to set this up, but it's beyond my comfort zone. I know some bits & pieces, but not enough to pick up & set this up without guidance. I'll see if I can google/RTFM, but if you have pointers then I'll try & attack it myself...
    If you decide to give it a go, post a thread with a name like "Configuring VPS as VPN server" and I'll chip in. I suggest that putting it on the Unix forum will get much more relevant feedback, but link it from this thread if you do.

    It might stretch the RAM requirements out to 1GB, but installing pfsense on the VPS (or even an old physical machine just to get comfortable with it) will give you a really good GUI as well as a choice of VPN platforms.


  • Registered Users Posts: 911 ✭✭✭heffsarmy


    Thread is a few months old, but a handy way to expose services running on localhost is the tool ngrok. No need to play around with firewalls, DDNS etc. Read the documentation, https://ngrok.com/product

