Azure VPN offers a pay-as-you-go pricing model, which means you only pay for the resources you use.
The cost of Azure VPN depends on the type of VPN you choose, with Azure VPN Gateway being the most popular option.
Azure VPN Gateway pricing starts at $0.15 per hour for a basic SKU, which is suitable for small to medium-sized businesses.
You can also choose from various gateway SKUs to suit your needs, with prices ranging from $0.15 to $0.55 per hour.
Azure VPN Cost
Azure VPN Cost is a key consideration for any organization looking to extend their on-premises network to Azure or connect mobile users to a secure network.
Data egress for Site-to-Site and Point-to-Site connections is charged at regular data transfer rates. The first 5GB/month is free, and any data transfer beyond that is charged based on the following usage slab:
All inbound and outbound data is free until February 1, 2019, but after that date, a charge of $0.01/GB applies to data transferred within the same VNet from a resource in one availability zone to a resource in a different availability zone.
Azure VPN Configuration
Azure VPN Configuration can be a bit tricky, but don't worry, I've got you covered. To configure Point-to-Site, you'll need to open your Virtual Network Gateway and go to Configuration first, and verify that you have the Standard SKU selected.
The Standard SKU is required for Azure AD authentication, and it costs more than the Basic SKU. If you initially opted for the Basic SKU, you'll need to change it to Standard, which can take around 30 minutes to re-provision. You can convert to the newer one by re-deploying the gateway.
Here are the settings you'll need to configure for Point-to-Site:
- Address pool: 10.2.0.0/24 (within the VNet address range)
- Tunnel type: OpenVPN (SSL)
- Authentication type: Azure Active Directory
- Tenant: your Azure AD tenant ID
- Audience: Azure VPN application ID
- Issuer: https://sts.windows.net/ + Azure AD Tenant ID + trailing ‘/’
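A lint check for the tunnel and identity settings in the list above, as an added example that is not from the original article. The field names, function names and sample GUIDs are constructed for illustration; the check confirms that the tenant and audience are GUIDs and that the issuer is exactly the prefix, the tenant ID and a trailing '/', since a dropped slash is easy to overlook.

```python
import uuid

ISSUER_PREFIX = "https://sts.windows.net/"  # prefix given in the settings list

def is_guid(value):
    """True if value is a canonical 8-4-4-4-12 hex GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def expected_issuer(tenant_id):
    """Issuer = prefix + tenant ID + trailing '/'."""
    return f"{ISSUER_PREFIX}{tenant_id.lower()}/"

def lint_p2s(cfg):
    """Return findings for the tunnel and identity settings of a P2S config dict
    (hypothetical field names). GUID case is ignored, an assumption of this sketch."""
    findings = []
    if cfg.get("tunnel_type") != "OpenVPN":
        findings.append("tunnel_type: expected OpenVPN")
    if cfg.get("auth_type") != "Azure Active Directory":
        findings.append("auth_type: expected Azure Active Directory")
    tenant = cfg.get("tenant", "")
    if not is_guid(tenant):
        findings.append("tenant: not a GUID")
    if not is_guid(cfg.get("audience", "")):
        findings.append("audience: not a GUID")
    issuer = str(cfg.get("issuer", "")).lower()
    if is_guid(tenant) and issuer != expected_issuer(tenant):
        if issuer + "/" == expected_issuer(tenant):
            findings.append("issuer: missing trailing '/'")
        elif not issuer.startswith(ISSUER_PREFIX):
            findings.append("issuer: must start with " + ISSUER_PREFIX)
        else:
            findings.append("issuer: tenant ID does not match 'tenant'")
    return findings

# Constructed sample values, not real tenant or application IDs.
SAMPLE = {
    "tunnel_type": "OpenVPN",
    "auth_type": "Azure Active Directory",
    "tenant": "11111111-2222-3333-4444-555555555555",
    "audience": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
}

if __name__ == "__main__":
    print(lint_p2s(SAMPLE))                                       # clean config
    print(lint_p2s({**SAMPLE, "issuer": SAMPLE["issuer"][:-1]}))  # slash dropped
```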
VPN Gateways and Availability Zones
Azure VPN Gateways are a crucial component of a secure and reliable virtual network. They connect on-premises networks to Azure virtual networks, and even provide redundancy with Azure Availability Zones.
You can choose from several VPN Gateway types, each with its own bandwidth and tunnel limits. The Basic VPN Gateway offers 100 Mbps bandwidth and includes up to 10 S2S tunnels and 128 P2S tunnels.
The VpnGw1 VPN Gateway, on the other hand, offers 650 Mbps bandwidth and includes up to 30 S2S tunnels and 250 P2S tunnels. However, additional tunnels incur an hourly charge.
For higher-bandwidth needs, you can opt for the VpnGw2, VpnGw3, VpnGw4, or VpnGw5 VPN Gateways, which offer 1 Gbps, 1.25 Gbps, 5 Gbps, and 10 Gbps bandwidth respectively. These gateways also have varying S2S and P2S tunnel limits.
To deploy VPN and ExpressRoute gateways in Azure Availability Zones, you can use the new Zone Redundant Gateway SKUs. These gateways are physically and logically separated into different Availability Zones, protecting your on-premises network connectivity to Azure from zone-level failures.
Here's a comparison of the different VPN Gateway types, including their zone-resilient versions:
Monthly price estimates are based on 730 hours of usage per month, so be sure to factor that into your budget.
Azure Pricing and Options
Azure offers a variety of pricing options for data transfers, including outbound data transfers, inter-virtual network data transfers, and ExpressRoute. For outbound data transfers, prices start at $0.087/GB for 5GB-10TB, decreasing to $0.07/GB for 50-150TB.
Data transfers between two VNets in Azure are charged at a flat rate of $0.035/GB for Zone 1, which includes regions like US East and Europe West. However, data charges will be applied at a rate of $0.01/GB for transfers between resources in different availability zones starting from February 1, 2019.
ExpressRoute offers two billing plans: metered and unlimited. For metered plans, outbound data transfer is charged at $0.025/GB for Zone 1, $0.05/GB for Zone 2, and $0.14/GB for Zone 3. Unlimited plans, on the other hand, offer free data transfers, but at a flat fee based on the selected port speed.
Azure Pricing
Azure Pricing offers a range of options to suit different needs and budgets. Inbound data transfers to Azure data centers from on-premises environments are free.
Data egress charges vary depending on the connection type. For example, if you have a hybrid architecture connected to Azure via a VPN or ExpressRoute, data egress charges differ based on the connection type. Outbound data transfers are charged based on the amount of data transferred, with rates starting at $0.087 per GB for data transfers between 5GB and 10TB.
Here's a breakdown of the data transfer rates:
- 5GB-10TB: $0.087/GB
- 10-50TB: $0.083/GB
- 50-150TB: $0.07/GB
For data transfers beyond 500TB, customers should contact the Microsoft sales team to get an organization-specific deal. In some cases, like backup recovery, outbound data transfers are free.
Azure offers three availability zones in enabled regions to ensure high availability. However, starting from February 1, 2019, a charge of $0.01/GB applies to data transferred within the same VNet from a resource in one availability zone to a resource in a different availability zone.
The Azure Virtual Network Gateway charge is based on the amount of time that the gateway is provisioned and available. The pricing for VPN Gateways varies based on the type of gateway and bandwidth, with some options including free or included connections.
Here's a comparison of the VPN Gateway types:
Inter-virtual network charges are now discounted, and some options include free or included connections. The prices listed are monthly price estimates based on 730 hours of usage per month.
Service Level Agreement
When you're using Azure, it's essential to review the Service Level Agreement (SLA) for VPN Gateway, which ensures a certain level of uptime and reliability.
Azure's SLA for VPN Gateway guarantees a minimum of 99.9% uptime, which translates to at most 43 minutes of downtime per month.
Reviewing the SLA helps you understand the service's performance and availability, so you can plan accordingly.
The SLA is a legally binding agreement that outlines the service's commitment to providing a reliable and high-quality experience.
Azure's VPN Gateway SLA is a key consideration when evaluating the costs and benefits of using the service.
Azure VPN Architecture
Azure VPN Architecture is a robust solution that enables secure connectivity between your on-premises setup and Azure Virtual Network (VNet). It acts as an encryption gateway between the external cloud providers' services and your VNet in Azure.
Azure VPN Gateway provides three types of VPN connectivity: Site to Site, Point to Site, and VNet to VNet. These options cater to different connectivity needs and can be leveraged in various Azure offerings.
The Azure VPN Gateway also supports ExpressRoute private connectivity with dynamic and static routes. Dynamic routes are suitable for a wide range of audiences, while static routes are used when the destination is known.
Architecture Optimization
Understanding your Azure VPN architecture is crucial to optimizing data transfer costs. Different Azure regions have varying data transfer rates that apply, so it's essential to deploy resources in regions with minimal or no data transfer charges whenever possible.
Deploying resources in regions with low or no data transfer charges can save you money, especially if you're working with large amounts of data.
Intra-Network Traffic: Peering
Intra-Network Traffic: Peering is a preferred method of connecting two Azure VNets because it helps avoid charges associated with a virtual network gateway.
It's also more secure because the traffic passes through the Microsoft backbone network. VNet peering is particularly useful in hub-spoke topologies.
The hub VNet hosts the management components, and applications are segregated into different spoke VNets. These spoke VNets are connected to the hub network through VNet peering.
Different data charges apply for VNet peering within the same Azure region and between different Azure regions, the latter known as Global VNet Peering.
Both inbound and outbound traffic incur charges for VNet peering. VNet peering in the same region incurs an inbound and outbound data transfer charge of $0.01/GB.
Azure VNet Gateway
Azure VNet Gateway is a crucial component of Azure VPN Architecture. It acts as an encryption gateway between external cloud providers' services or on-prem setups and VNets in Azure.
Setting up a virtual network is free of charge, but you'll need to pay for the VPN gateway that connects to on-premises and other virtual networks in Azure. This charge is based on the amount of time the gateway is provisioned and available.
There are several types of VPN Gateways available, including Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw4, and VpnGw5. Each type has a different price, bandwidth, and tunnel limit.
Here's a breakdown of the different VPN Gateway types:
For technical specifications and limitations regarding the different VPN Gateways, please refer to the VPN Gateways MSDN page.