Skip to content

Cost Comparison

ScenarioEstimated Monthly CostPrimary Cost Driver
Baseline~$48NAT Gateway
VPN~$187VPN Gateway (VpnGw1AZ)
Firewall~$336Azure Firewall (Basic)
Full~$476Firewall + VPN Gateway
ResourceTypeMonthly Cost
Log Analytics Workspace500MB/day free tier$0
Automation Account (Basic)Included$0
Recovery Services VaultNo backups configured$0
Key Vault (Standard)Minimal operations~$5
Private EndpointInbound data~$3
Azure Bastion DeveloperFree portal feature$0
Defender for CloudFree CSPM$0
Azure MigrateFree$0
Budget (consumption)Free$0
Subtotal~$8
ResourceMonthly Cost
NAT Gateway~$32
Public IP (Standard)~$3
Data processed (est. 10GB)~$0.45
Subtotal~$35
ResourceMonthly Cost
Azure Firewall (Basic SKU)~$275
Public IP ×2 (FW + management)~$7
Data processed (est. 50GB)~$8
Subtotal~$290
ResourceMonthly Cost
VPN Gateway (VpnGw1AZ)~$140
Public IP (Standard)~$4
Data transfer (est. 50GB)~$2
Subtotal~$146
ComponentBaselineFirewallVPNFull
Always-on$8$8$8$8
NAT Gateway$35$35
Firewall$290$290
VPN Gateway$146$146
Hub↔Spoke Peering$5$5$5
NSGs + VNets$0$0$0$0
Total~$48~$336~$187~$476
  1. Start with baseline — add Firewall/VPN only when needed
  2. Deallocate VPN Gateway during off-hours if hybrid connectivity isn’t 24/7
  3. Log Analytics cap at 500MB/day prevents runaway ingestion costs
  4. Budget alerts notify at 80% and 100% of the $500 threshold
  5. Defender free tier provides CSPM without Defender for Servers cost
  6. Use /23 CIDRs instead of /16 to right-size the address space (no cost impact, but better governance)

Adding workloads to the spoke VNet incurs standard VM/service costs. The foundation infrastructure cost remains fixed regardless of workload count.

Additional VMsEstimated Additional Cost
1× B2s (Linux)~$30/mo
1× D2s_v5 (Windows)~$140/mo
1× SQL Server (B2s + 50GB)~$80/mo