Cost Management
Monthly Cost by Scenario
| Scenario | Monthly Cost | Annual Cost | Primary Cost Driver |
|---|---|---|---|
| baseline | ~$48 | ~$576 | NAT Gateway |
| vpn | ~$187 | ~$2,244 | VPN Gateway (VpnGw1AZ) |
| firewall | ~$336 | ~$4,032 | Azure Firewall (Basic) |
| full | ~$476 | ~$5,712 | Firewall + VPN Gateway |
The $500/month budget is enforced at subscription scope with forecast and actual alerts at 80%, 100%, and 110% thresholds.
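As an added illustration (not part of this project's code), the sketch below shows how the 80%, 100% and 110% thresholds separate actual alerts from forecast alerts, using the JSON shape of the budget status query under Cost Monitoring Commands when rerun with `-o json`. The sample record and the straight-line forecast are assumptions; Azure computes its forecast with its own model.

```python
import calendar
import json
from datetime import date

THRESHOLDS = (80, 100, 110)  # percent of budget, as stated on this page

# Constructed sample: shape of the budget status query rerun with `-o json`.
SAMPLE = '[{"Name": "budget-smb-monthly", "Amount": 500.0, "Spent": 290.0}]'


def evaluate(budget_json, today, name="budget-smb-monthly"):
    """Return which actual and forecast thresholds the named budget has crossed."""
    rows = [b for b in json.loads(budget_json) if b["Name"] == name]
    if not rows:
        raise LookupError(f"budget {name!r} not found")
    amount = float(rows[0]["Amount"])
    spent = float(rows[0]["Spent"] or 0)  # treat a missing spend value as zero
    if amount <= 0:
        raise ValueError("budget amount must be positive")
    days_in_month = calendar.monthrange(today.year, today.month)[1]
    # Assumption: straight-line run rate projected to month end.
    forecast = spent / today.day * days_in_month
    actual_pct = spent / amount * 100
    forecast_pct = forecast / amount * 100
    return {
        "actual_pct": round(actual_pct, 1),
        "forecast_pct": round(forecast_pct, 1),
        "actual_fired": [t for t in THRESHOLDS if actual_pct >= t],
        "forecast_fired": [t for t in THRESHOLDS if forecast_pct >= t],
    }


if __name__ == "__main__":
    # Mid-month: actual spend is below every threshold, the projection is not.
    print(evaluate(SAMPLE, date(2025, 6, 15)))
```

In the sample, no actual alert has fired by day 15, yet the projected month-end spend already exceeds all three forecast thresholds, which is the early warning the forecast alerts exist to give.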
Cost Breakdown
Always-On Resources (All Scenarios)
| Resource | Monthly Cost |
|---|---|
| Key Vault (Standard) | ~$5 |
| Private Endpoint | ~$3 |
| Log Analytics (500 MB/day cap) | ~$0 (free tier) |
| Automation Account (Basic) | $0 |
| Recovery Services Vault (no backups) | $0 |
| Azure Bastion Developer | $0 |
| Defender for Cloud (Free) | $0 |
| Azure Migrate | $0 |
| Subtotal | ~$8 |
NAT Gateway (baseline, vpn scenarios)
| Resource | Monthly Cost |
|---|---|
| NAT Gateway | ~$32 |
| Public IP (Standard) | ~$3 |
| Data processed (est. 10 GB) | ~$0.45 |
| Subtotal | ~$35 |
Azure Firewall (firewall, full scenarios)
| Resource | Monthly Cost |
|---|---|
| Azure Firewall Basic | ~$228 |
| Public IPs (2× Standard) | ~$7.30 |
| Data processed (est. 10 GB) | ~$0.10 |
| Subtotal | ~$236 |
VPN Gateway (vpn, full scenarios)
| Resource | Monthly Cost |
|---|---|
| VPN Gateway VpnGw1AZ | ~$140 |
| Public IP (Standard) | ~$3.65 |
| Subtotal | ~$144 |
Key Design Decisions Affecting Cost
| Decision | Savings | Rationale |
|---|---|---|
| Bastion Developer vs. Basic | ~$138/month | Free tier sufficient for single-admin SMB access |
| No zone redundancy | ~$100+/month | Cost priority; accept single-zone risk |
| Log Analytics 500 MB cap | Prevents overrun | Protects against surprise ingestion bills |
| Defender Free tier | ~$15/VM/month | Basic CSPM without per-VM cost |
| Firewall/VPN optional | ~$315/month | Deploy only when connectivity is required |
Optimization Strategies
- Start with baseline — deploy Firewall or VPN only when the customer needs them
- Monitor ingestion — if Log Analytics stays under 500 MB/day, no additional cost
- VM SKU governance — policies restrict to B/D/E v5/v6 series, preventing expensive SKUs
- Shutdown schedules — for dev/test subscriptions, deallocate VMs outside business hours
- Reserved instances — for long-term customers, 1-year RI on VPN Gateway saves ~30%
Cost Monitoring Commands
```bash
# Current month spend
az consumption usage list \
  --query "[].{Service:instanceName, Cost:pretaxCost}" \
  -o table --top 10

# Budget status
az consumption budget list \
  --query "[?name=='budget-smb-monthly'].{Name:name, Amount:amount, Spent:currentSpend.amount}" \
  -o table
```

See Cost Comparison for detailed pricing tables.