Back to Blog
Security 12 min read

TL;DR - VPNs provide full network access (overkill for database connections), add latency, cost $5-15/mo per user, and require client software on every device. - SSH tunnels are per-session, free, and precise — but require SSH access to a bastion host, manual setup each time, and break if the connection drops. - A static IP gateway gives you one IP to whitelist in your database firewall. No client software, no tunnel management, no full network exposure. - For browser-based database access specifically, a static IP gateway is the simplest and most secure option for most teams. - DBEverywhere combines a static IP gateway with optional SSH tunnels for private databases — $5/mo, no infrastructure to manage.

Table of Contents

VPN vs Static IP vs SSH Tunnel: Which Is Best for Database Security?

Every managed database provider — AWS RDS, DigitalOcean Managed Databases, Google Cloud SQL, Hetzner — tells you the same thing during setup: restrict access to known IP addresses. The question is how. You have three main approaches for secure remote database access: VPNs, SSH tunnels, and static IP gateways. Each has real tradeoffs in security, cost, complexity, and usability. This article compares all three across 12+ dimensions so you can pick the right secure database connection method for your situation.

This isn't theoretical. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach involving a database was $4.88 million, up 10% from 2023. Misconfigured access controls were a contributing factor in 28% of breaches. How you connect to your database matters.

Option 1: VPN — Full Network Access

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a remote network. Once connected, your machine behaves as if it's on that network — it can reach any host and port that the VPN configuration allows.

How It Works for Database Access

You install a VPN client (WireGuard, OpenVPN, Tailscale, or your cloud provider's solution), connect to the VPN server that sits in the same network as your database, and then connect to the database using its private IP address. Your database GUI — whether it's phpMyAdmin, DBeaver, TablePlus, or a terminal mysql client — connects through the VPN tunnel transparently.

The Case For

  • Established technology: VPNs have been the standard for remote network access for over 25 years. IT teams understand them. Compliance frameworks reference them.
  • Full network access: once connected, you can reach any resource on the network — not just the database. Useful if you also need to SSH into servers, access internal APIs, or reach monitoring dashboards.
  • Persistent connection: most VPN clients maintain the connection in the background. You don't need to re-establish it for each database session.
  • Audit logging: enterprise VPN solutions (Cisco AnyConnect, Palo Alto GlobalProtect) provide detailed connection logs for compliance.

The Case Against

  • Overkill for database access: you need to reach one host on one port. A VPN gives you access to the entire network. This violates the principle of least privilege. If a developer's laptop is compromised while connected to the VPN, the attacker has the same network access the developer does.
  • Added latency: VPN tunnels add 5-30ms of latency depending on the protocol and server location. For interactive database queries, this is noticeable — especially on paginated result sets where each page is a new round trip.
  • Client software required: every team member needs to install and configure a VPN client. On macOS, that's straightforward. On corporate-managed Windows machines, it often requires IT approval. On tablets and phones, support varies.
  • Cost: self-hosted VPN (WireGuard on a VPS) costs $5-10/mo for the server plus your time to maintain it. Managed VPN services (Tailscale, NordLayer, Perimeter 81) cost $5-15 per user per month.
  • Split tunneling complexity: without split tunneling, all your traffic routes through the VPN, slowing down everything. With split tunneling, you need to configure which traffic goes through the VPN and which doesn't — another config surface.
  • Connection drops: VPN connections drop when you switch Wi-Fi networks, wake from sleep, or change cellular towers. Depending on the client, reconnection is automatic or requires manual intervention. A dropped VPN mid-query can leave transactions in an ambiguous state.

According to a 2023 Zscaler report, 92% of organizations acknowledge that VPNs may jeopardize their ability to secure their environments, and 56% of organizations experienced a VPN-related cyberattack in the past year.

Option 2: SSH Tunnel — Precise but Manual

An SSH tunnel (also called SSH port forwarding) creates an encrypted connection from your local machine through an SSH-accessible server (bastion host or jump box) to a destination host and port. Unlike a VPN, it forwards only the specific port you specify — nothing else.

How It Works for Database Access

You run a command like this:

ssh -L 3306:db-host.internal:3306 user@bastion.example.com

This forwards your local port 3306 through the bastion host to the database's internal address. You then point your database client at localhost:3306. The connection is encrypted end-to-end via SSH.

The Case For

  • Minimal attack surface: only one port is forwarded. The bastion host doesn't need to run any additional software — just the SSH daemon it already has.
  • Free: SSH is built into every Unix system. No additional software, no subscription, no license.
  • Precise: you control exactly which host and port are accessible. One tunnel = one database connection path.
  • Key-based authentication: SSH key auth is stronger than most VPN authentication methods. Combined with AllowUsers directives, you can restrict which users can create tunnels.
  • No client software: SSH is available on macOS, Linux, and Windows 10+ natively. No VPN app to install.

The Case Against

  • Manual setup: the tunnel command is 50+ characters. Developers either memorize it, alias it, or write a script. It's easy to get the port numbers or hostnames wrong, especially when connecting to multiple databases.
  • Per-session: each tunnel is active only while the SSH connection is alive. Close the terminal, close the tunnel. Background it with -f -N, and you need to manage the process manually — find the PID, kill it when done.
  • Requires SSH access: someone needs to provision SSH keys on the bastion host for every developer who needs database access. This is manageable for a team of 3. At 20+ developers, it becomes an access management problem.
  • Not browser-compatible: SSH tunnels work for desktop clients that connect to localhost. They don't work for browser-based tools like phpMyAdmin or Adminer — you'd need to run phpMyAdmin locally and tunnel through SSH, layering two pieces of infrastructure.
  • Connection fragility: SSH connections drop on network changes just like VPNs. The tunnel dies silently, and your database client sees a "connection reset" error. autossh or ServerAliveInterval help, but they're additional configuration.
  • Firewall rules still needed: the bastion host's SSH port (usually 22) must be accessible from the developer's IP. If the developer is on a dynamic IP — coffee shop, home ISP, mobile — the bastion's firewall rules need updating or must be left open to a wide range.

Option 3: Static IP Gateway — Set and Forget

A static IP gateway is a service that runs on a fixed, published IP address. You connect to it via a browser, and it connects to your database from that static IP. You whitelist that one IP in your database firewall, and access is restricted to only connections originating from the gateway.

How It Works for Database Access

  1. Your database firewall allows connections from one IP address (the gateway's static IP).
  2. You open the gateway in a browser (e.g., dbeverywhere.com).
  3. You enter your database host, port, username, and password.
  4. The gateway connects to your database from its static IP and serves the management interface (phpMyAdmin for MySQL, Adminer for PostgreSQL and others).

Your credentials are used for the connection and are not stored unless you opt in. The connection happens server-to-server, so your local machine's IP is irrelevant.

The Case For

  • Simplest firewall configuration: one IP address, one firewall rule. Works identically across AWS RDS, DigitalOcean, Hetzner, Linode, Vultr, Google Cloud, Azure, and self-hosted databases.
  • No client software: it's a browser tab. Works on any device — laptop, tablet, Chromebook, a borrowed machine at a conference.
  • No tunnel to manage: no SSH command to remember, no VPN to connect. Open a browser, enter credentials, work.
  • IP doesn't change: unlike your home ISP, coffee shop Wi-Fi, or mobile tethering, the gateway's IP is fixed. Your firewall rules never need updating.
  • Device-agnostic: works from any network without needing SSH keys installed or VPN profiles configured.
  • Built-in HTTPS: the gateway handles TLS. Your database credentials never travel unencrypted.

The Case Against

  • Third-party trust: your database credentials pass through the gateway. You need to trust the service provider. Mitigation: choose a provider that doesn't store credentials by default (DBEverywhere only stores them if you explicitly opt in, encrypted with AES-256-GCM).
  • Limited to web tools: the gateway serves a web interface (phpMyAdmin, Adminer). You can't use it with desktop clients like DBeaver or TablePlus. For that, you'd pair it with an SSH tunnel or VPN.
  • Internet dependency: the gateway is a cloud service. If it's down, you can't access your database through it (though your database itself is unaffected). Self-hosted VPNs and SSH tunnels share this dependency on internet connectivity.
  • Monthly cost: typically $5-10/mo. More than SSH (free) but less than enterprise VPN per-user fees.

Head-to-Head Comparison Table

Dimension VPN SSH Tunnel Static IP Gateway
Network access scope Full network One host:port One host:port (via web GUI)
Principle of least privilege Violates it Follows it Follows it
Setup time (first use) 30-60 min 5-10 min per tunnel Under 1 minute
Setup time (returning) Connect VPN client Re-run tunnel command Open browser tab
Client software needed VPN app SSH client (built-in) Browser only
Works from any device No (needs VPN client) No (needs SSH client + keys) Yes
Works in restricted networks Often blocked by corporate firewalls Port 22 sometimes blocked HTTPS on port 443, rarely blocked
Latency added 5-30ms 2-10ms Minimal (server-to-server)
Connection persistence Background, auto-reconnect varies Manual or autossh Session-based, no tunnel
Firewall rule complexity Whitelist VPN server IP or range Whitelist bastion IP + user IPs for SSH Whitelist one static IP
Access management VPN user provisioning SSH key distribution Web login (email/password)
Audit trail VPN logs SSH auth logs Session logs
Monthly cost $5-15/user (managed) or $5-10 for server Free $0-5/mo
Maintenance VPN server updates, cert rotation Bastion host maintenance, key rotation None (managed)
Browser-based DB tools Works (once VPN connected) Doesn't work directly Native
Desktop DB clients Works Works Not applicable
Survives network changes Usually reconnects Drops (needs restart or autossh) No connection to maintain

Which Method for Which Scenario

Solo developer managing 1-3 databases: Static IP gateway. Lowest overhead, no infrastructure. You're not going to set up a VPN for yourself, and SSH tunnels get tedious after the first week. Open a browser, enter credentials, done.

Small team (2-10 people) with shared staging/production databases: Static IP gateway for browser-based access, SSH tunnels for developers who prefer desktop clients. The gateway's single IP simplifies firewall rules for the whole team — no need to track each developer's IP.

Team that already has a VPN for other reasons: Keep using the VPN for database access. Adding a separate solution for databases alone doesn't make sense if the VPN is already deployed, maintained, and paid for. But if you're considering setting up a VPN only for database access, a static IP gateway is cheaper and simpler.

Compliance-heavy environments (SOC 2, HIPAA, PCI): VPN with audit logging, or SSH tunnels with session recording. These environments typically require named user access, session logs, and evidence of encryption. A static IP gateway can satisfy these requirements if it provides session-level logging and encrypted connections — but verify with your auditor.

Connecting to databases behind private subnets (no public IP): SSH tunnel to a bastion host, or a gateway service that supports SSH tunnels. VPNs also work if the VPN server is in the same VPC as the database. DBEverywhere's paid tier includes SSH tunnel support — the gateway opens the tunnel from its static IP to your bastion, so you get the convenience of a static IP with the reach of an SSH tunnel.

Combining Methods: Defense in Depth

These methods aren't mutually exclusive. Many production setups layer them:

  • SSH tunnel through a VPN: the VPN gets you onto the network, the SSH tunnel restricts you to one database port. This satisfies least-privilege requirements while using the VPN for network-level authentication.
  • Static IP gateway with SSH tunnel: the gateway connects to your database through an SSH tunnel to a bastion host. You whitelist the gateway's static IP on the bastion's SSH port, and the bastion connects to the database internally. Two layers of access control.
  • VPN + firewall rules: the VPN puts you on the network, but the database firewall still restricts connections to specific private IPs — preventing lateral movement from other VPN-connected machines.

The general principle: use the least permissive method that meets your requirements. If you only need to browse data and run queries through a web interface, a static IP gateway is sufficient. If you need full network access for multiple services, a VPN makes sense. If you need to automate database connections in scripts, SSH tunnels are the right tool.

FAQ

Can I use a VPN and a static IP gateway together?

Yes. Some teams use a VPN for general infrastructure access and a static IP gateway specifically for database management. The gateway's IP is whitelisted in the database firewall regardless of the VPN. This means developers can browse database data from any network without needing the VPN connected — useful for quick checks from a phone or tablet.

Is an SSH tunnel more secure than a VPN for database access?

For database access specifically, yes — an SSH tunnel provides narrower access. A VPN exposes the entire network, while an SSH tunnel forwards only one port. However, SSH tunnels lack the centralized management, logging, and user provisioning that enterprise VPNs provide. Security isn't just about the protocol — it's about how you manage access at scale.

What if my database provider doesn't support IP whitelisting?

Most managed database providers support IP whitelisting: AWS RDS (security groups), DigitalOcean (trusted sources), Google Cloud SQL (authorized networks), Hetzner (firewall rules), Azure (server-level firewall rules). If your provider doesn't support it, you're relying entirely on database authentication — username and password — which means a static IP gateway and SSH tunnels both add a meaningful extra layer.

Does a static IP gateway work with PostgreSQL, not just MySQL?

Yes. DBEverywhere serves phpMyAdmin for MySQL/MariaDB connections and Adminer for everything else — including PostgreSQL, SQLite, Microsoft SQL Server, and Oracle. The static IP is the same regardless of which database engine you're connecting to.

What latency should I expect from each method?

VPNs add 5-30ms depending on protocol and server distance. SSH tunnels add 2-10ms (the SSH handshake is lightweight after establishment). A static IP gateway adds minimal latency because the connection is server-to-server between the gateway and your database — both typically in the same cloud region or nearby data centers. The web interface itself loads over HTTPS, so perceived latency depends mostly on your internet speed.

Conclusion

VPNs, SSH tunnels, and static IP gateways all solve the same core problem — secure remote access to a database that's behind a firewall. They differ in scope, complexity, cost, and maintenance burden.

VPNs give you full network access, which is more than you need for database management alone. They cost $5-15 per user per month (managed) and require client software on every device.

SSH tunnels give you precise, per-port access at zero cost, but they're manual, per-session, and require SSH key distribution to every team member.

A static IP gateway gives you one IP to whitelist, works from any browser, requires no client software, and costs $0-5/month. For teams that need browser-based database access without infrastructure overhead, it's the simplest path.

DBEverywhere is a static IP gateway that serves phpMyAdmin and Adminer in the browser. Free tier: 5 sessions/month with 20-minute timeouts. Paid tier ($5/mo): unlimited sessions, 8-hour timeouts, saved connections, and SSH tunnel support for databases behind private networks.

Pick the simplest method that meets your security requirements. For most teams, that's a static IP you whitelist once and forget. Try DBEverywhere free.

Try DBEverywhere Free

Access your database from any browser. No installation, no Docker, no SSH tunnels.

Get Started