Deployment Scenarios & Costs
SMB Ready Foundation offers four deployment scenarios, each adding network security and hybrid connectivity capabilities at increasing cost.
Scenario Comparison
| Feature | Baseline | Firewall | VPN | Full |
|---|---|---|---|---|
| Monthly cost | ~$48 | ~$336 | ~$187 | ~$476 |
| Hub-spoke VNets | ✅ | ✅ | ✅ | ✅ |
| NSGs + Private DNS | ✅ | ✅ | ✅ | ✅ |
| Bastion Developer ¹ | ✅ | ✅ | ✅ | ✅ |
| Key Vault + PE | ✅ | ✅ | ✅ | ✅ |
| Log Analytics + Automation | ✅ | ✅ | ✅ | ✅ |
| Recovery Services Vault | ✅ | ✅ | ✅ | ✅ |
| Azure Migrate | ✅ | ✅ | ✅ | ✅ |
| Governance Policies | ✅ | ✅ | ✅ | ✅ |
| Budget + Defender (free) | ✅ | ✅ | ✅ | ✅ |
| NAT Gateway | ✅ | — | ✅ | — |
| Azure Firewall + Policy | — | ✅ | — | ✅ |
| Route Tables (UDR) | — | ✅ | — | ✅ |
| VPN Gateway | — | — | ✅ | ✅ |
| Hub↔Spoke Peering | — | ✅ | ✅ | ✅ |
| On-premises connectivity | — | — | ✅ | ✅ |
¹ Bastion Developer is an Azure portal capability — no infrastructure is deployed. It provides browser-based SSH/RDP to VMs via the portal without a dedicated Bastion host resource.
When to Use Each Scenario
Baseline (~$48/month)
Best for: Cloud-native workloads with no hybrid connectivity requirements. Deployment time: ~4 minutes.
- Outbound internet via NAT Gateway (default outbound is deprecated)
- No VPN tunnel to on-premises
- No centralized egress filtering
- Lowest cost starting point
Firewall (~$336/month)
Best for: Workloads requiring centralized egress control and network traffic inspection. Deployment time: ~15 minutes.
- Azure Firewall inspects all outbound traffic
- User-defined routes (UDR) force spoke traffic through firewall
- Hub↔spoke peering for centralized networking
- NAT Gateway replaced by Firewall for outbound
VPN (~$187/month)
Best for: Hybrid workloads needing site-to-site connectivity to on-premises. Deployment time: ~25 minutes (VPN Gateway creation takes 25–45 minutes).
- VPN Gateway with IPsec/IKEv2 tunnel
- Gateway transit through hub↔spoke peering
- NAT Gateway for internet-bound traffic (no firewall)
- Requires `ON_PREMISES_ADDRESS_SPACE` parameter
Full (~$476/month)
Best for: Complete security + hybrid connectivity. Deployment time: ~45 minutes (Firewall + VPN Gateway deploy sequentially).
- Combines Firewall and VPN Gateway
- All egress routed through Firewall (UDR)
- Site-to-site VPN for on-premises
- Maximum protection, highest cost
Cost Breakdown
| Resource | Monthly Cost | Scenarios |
|---|---|---|
| NAT Gateway + data | ~$35 | baseline, vpn |
| Azure Firewall (Basic) | ~$275 | firewall, full |
| Firewall Public IPs (×2) | ~$7 | firewall, full |
| VPN Gateway (VpnGw1AZ) | ~$140 | vpn, full |
| VPN Public IP | ~$4 | vpn, full |
| Log Analytics (500MB/day) | ~$0 | all (free tier) |
| Key Vault (PE) | ~$5 | all |
| Recovery Services Vault | ~$0 | all (no backups configured) |
| Bastion Developer | ~$0 | all (free portal feature) |
| Budget, Defender, Migrate | ~$0 | all (free tier) |
Setting the Scenario
```bash
# Baseline (default)
azd env set SCENARIO baseline

# Firewall
azd env set SCENARIO firewall

# VPN (requires on-prem CIDR)
azd env set SCENARIO vpn
azd env set ON_PREMISES_ADDRESS_SPACE "192.168.0.0/16"

# Full (requires on-prem CIDR)
azd env set SCENARIO full
azd env set ON_PREMISES_ADDRESS_SPACE "192.168.0.0/16"
```

Then deploy:

```bash
azd up
```
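
A pre-flight check for the settings above, as an added example that is not part of the SMB Ready Foundation project: it accepts only the four lowercase scenario names shown on this page and, for `vpn` and `full`, requires `ON_PREMISES_ADDRESS_SPACE` to be a well-formed IPv4 CIDR. The function names `valid_cidr` and `check_scenario`, the return codes, and the rule that host bits must be zero are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for SCENARIO and ON_PREMISES_ADDRESS_SPACE.
# valid_cidr, check_scenario and the return codes are this example's own names.
# Usage after sourcing: check_scenario vpn "192.168.0.0/16" && azd up

# valid_cidr CIDR: succeed only for a network-aligned IPv4 prefix.
valid_cidr() {
  local ip prefix o n=0
  case ${1:-} in */*/*|*/|/*) return 1 ;; */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  # Prefix length: one or two digits, no leading zero, at most 32.
  case $prefix in *[!0-9]*|???*|0?) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # Address: digits and dots only, exactly four non-empty fields.
  case $ip in *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
  local IFS=.
  for o in $ip; do
    # Leading zeros are ambiguous (octal in some parsers); reject them.
    case $o in 0?*|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( ($n << 8) | $o ))
  done
  # Assumption of this example: host bits must be zero (192.168.1.5/16 is rejected).
  [ $(( $n & ((1 << (32 - $prefix)) - 1) )) -eq 0 ]
}

# check_scenario SCENARIO [CIDR]
# Returns 0 = ok, 1 = unknown scenario, 2 = missing or malformed CIDR.
check_scenario() {
  case ${1:-} in
    baseline)
      echo "note: baseline has no centralized egress filtering" >&2 ;;
    firewall) ;;
    vpn|full)
      if ! valid_cidr "${2:-}"; then
        echo "error: $1 needs ON_PREMISES_ADDRESS_SPACE as a CIDR, got '${2:-}'" >&2
        return 2
      fi
      if [ "$1" = vpn ]; then
        echo "note: vpn egress uses NAT Gateway, not the firewall" >&2
      fi ;;
    *)
      echo "error: unknown SCENARIO '${1:-}'" >&2
      return 1 ;;
  esac
  return 0
}
```

Call it with the same two values you pass to `azd env set`, and run `azd up` only when it returns 0.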