Skip to content

Deployment Scenarios & Costs

SMB Ready Foundation offers four deployment scenarios, each adding network security and hybrid connectivity capabilities at increasing cost.

FeatureBaselineFirewallVPNFull
Monthly cost~$48~$336~$187~$476
Hub-spoke VNets
NSGs + Private DNS
Bastion Developer ¹
Key Vault + PE
Log Analytics + Automation
Recovery Services Vault
Azure Migrate
Governance Policies
Budget + Defender (free)
NAT Gateway
Azure Firewall + Policy
Route Tables (UDR)
VPN Gateway
Hub↔Spoke Peering
On-premises connectivity

¹ Bastion Developer is an Azure portal capability — no infrastructure is deployed. It provides browser-based SSH/RDP to VMs via the portal without a dedicated Bastion host resource.

Best for: Cloud-native workloads with no hybrid connectivity requirements. Deployment time: ~4 minutes.

  • Outbound internet via NAT Gateway (default outbound is deprecated)
  • No VPN tunnel to on-premises
  • No centralized egress filtering
  • Lowest cost starting point

Best for: Workloads requiring centralized egress control and network traffic inspection. Deployment time: ~15 minutes.

  • Azure Firewall inspects all outbound traffic
  • User-defined routes (UDR) force spoke traffic through firewall
  • Hub↔spoke peering for centralized networking
  • NAT Gateway replaced by Firewall for outbound

Best for: Hybrid workloads needing site-to-site connectivity to on-premises. Deployment time: ~25 minutes (VPN Gateway creation takes 25–45 minutes).

  • VPN Gateway with IPsec/IKEv2 tunnel
  • Gateway transit through hub↔spoke peering
  • NAT Gateway for internet-bound traffic (no firewall)
  • Requires ON_PREMISES_ADDRESS_SPACE parameter

Best for: Complete security + hybrid connectivity. Deployment time: ~45 minutes (Firewall + VPN Gateway deploy sequentially).

  • Combines Firewall and VPN Gateway
  • All egress routed through Firewall (UDR)
  • Site-to-site VPN for on-premises
  • Maximum protection, highest cost
ResourceMonthly CostScenarios
NAT Gateway + data~$35baseline, vpn
Azure Firewall (Basic)~$275firewall, full
Firewall Public IPs (×2)~$7firewall, full
VPN Gateway (VpnGw1AZ)~$140vpn, full
VPN Public IP~$4vpn, full
Log Analytics (500MB/day)~$0all (free tier)
Key Vault (PE)~$5all
Recovery Services Vault~$0all (no backups configured)
Bastion Developer~$0all (free portal feature)
Budget, Defender, Migrate~$0all (free tier)
Terminal window
# Baseline (default)
azd env set SCENARIO baseline
# Firewall
azd env set SCENARIO firewall
# VPN (requires on-prem CIDR)
azd env set SCENARIO vpn
azd env set ON_PREMISES_ADDRESS_SPACE "192.168.0.0/16"
# Full (requires on-prem CIDR)
azd env set SCENARIO full
azd env set ON_PREMISES_ADDRESS_SPACE "192.168.0.0/16"

Then deploy: azd up