Understanding the budget impact of Azure Networking on your architecture

Introduction

Today’s post will be about “demystifying” the possible network costs you might incur when using Azure services. Once you understand the basics behind the billing model, you’ll soon find that you can tweak these to your advantage!

 

Cost Drivers

When looking towards the costs, there are several pricing pages you should visit to know the cost drivers of your architecture…

• Azure Bandwidth : https://azure.microsoft.com/en-us/pricing/details/bandwidth/
• Azure Virtual Network Peering : https://azure.microsoft.com/en-us/pricing/details/virtual-network/
• Azure VPN Gateway : https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/
• Azure Express Route : https://azure.microsoft.com/en-us/pricing/details/expressroute/

Though I can feel you… It’s not always easy to understand when what is triggered.

 

Updates (!)

• 23/08 – Updated HL overview to v2.0 to include costs due to zone architecture
• 23/08 – Source files for the drawing can be found here.

 

High Level Overview

Underneath you can find an overview of the possible cost drivers. We’ll go into depth on the individual flows in this post.

 

Inner-VNET (V1) – Free

All traffic that occurs within the boundaries of a Virtual Network (VNET) is free. So if VM A talks to VM B, and they are in the same VNET, then no charges will occur!

 

Inner-VNET between zone aware services (AZ1) – Peering Charges

All traffic that occurs within the boundaries of a Virtual Network (VNET) is normally free. The exception to the rule here has been introduced with the arrival of Availability Zones. If a service has been deployed within a specific zone, then all communication with that service is charged at peering rates.

 

Inter-Region Services (S1) – Free

The same goes for services within a region. If a Webapp talks to an Azure SQL DB, and both are located in the same region. Then the traffic will not be charged. In fact, the traffic will not even leave the backbone of Microsoft, despite that both services might have a public endpoint (IP).

 

Cross-Region Services (S2) – Bandwidth Data Transfer Charges

If the services are not in the same region, then “Azure Bandwidth” costs apply. This means that all inbound traffic is free, and all outbound traffic is charged.

In case we would have a Webapp in North Europe talking to an Azure SQL DB in West Europe. Let’s say the webapp retrieves a rather large query, then this is outbound traffic for the Azure SQL and inbound traffic for the Azure Webapp. So the net result is that you’ll be charged for the traffic once.

 

Internet Traffic (I1/I2) – Bandwidth Data Transfer Charges

All internet traffic is bound to the “Azure Bandwidth” costs. So all inbound traffic is free, and all outbound traffic is charged.

This means that if we have a Webapp that hosts large files, and they get downloaded, then this traffic is charged. Though if a host would get it’s updates from a repository on the internet, then these charges are free.

 

VPN Traffic in one Region (V2) – Free (*)

Traffic between two VNETs within one region is not charged. There is one gotcha (*) on this one, where P2S VPNs within the same region will be charged.

 

VPN Traffic between Regions (V3) – Inter-VNET Data Transfer Charges (**)

When two VNETs are located accross one regions, then “Inter-VNET data transfers” apply. These are at a lower rate when compared to the bandwidth costs. The same concept applies in the end, all inbound traffic is free, all outbound traffic is paying. Though the net result is that the traffic is charged once.. As the sending VPN gateway will have outbound data transfer costs and the receiving one will not be charged for the inbound transfer.

(Update (**) ; Apparently the wording “Inter-VNET” is a bit confusing… Though I’ve aligned this blog post with the wording used on the pricing pages. So I understand that “Intra-VNET” would be more suited for this scenario.) 😉

 

VPN Traffic to the internet (I1/I2) – Bandwidth Data Transfer Charges

VPN Traffic that has a destination outside of Azure will be subjected to the internet bandwidth costs. The same concept applies in the end, all inbound traffic is free, all outbound traffic is paying.

 

ExpressRoute (ER1/ER2) – ExpressRoute Data Transfer Charges

ExpressRoute comes in two flavours… Metered & Unmetered. When you go for the unmetered plan, all data transfer charges are included in the monthly port speed fee. If you go for a metered plan, then (again) all inbound traffic is free, and all outbound traffic is charged. The tipping point in going for an unmetered plan is at about a 68% utilization (monthly average).

(I will no go into more details about ExpressRoute, as there are a variety of other options to consider here. Though the essence towards the billing is covered by the above paragraph.)

 

Peering (P1/P2) – Peering Data Transfer Charges

You can crate a low latency link between two VNETs without the use of a VPN Gateway. This can be done within the same region, and between regions (“Global VNET Peering”). The pricing model differs here from the others, where there is a charge for both the inbound and outbound traffic.

Why is this? Let’s say we talk between regions in different zones. A VNET in zone 1 (EU & US) talks to a VNET in zone 3 (Brazil). Here we notice a big difference in price, where each will pay its corresponding fee.

 

Closing Thoughts

I hope this post cleared up a lot of questions in regards to the possible (network related) costs you might have in Azure. Use this post as a guidance through your architecture design. So that you can keep the inflicted costs to a minimum by design!

 

(Updated) Comparison in Costs

I received an ask how the costs would compare. Here I was a bit hesitant as I’m unable to keep the pricing info up-to-date in this blog post. So for argument’s sake, here is a small comparison based on the current pricing snapshot for data transfers linked to Zone 1.

In the middle you can see the prices for a data transfer of 1GB for both the inbound or outbound. The “2-way” indicates if it is traffic between two Azure components. On the right you can see three scenario’s. Each where we take the gateway price and add a “2-way” bandwidth costs of 1TB/3TB/10TB to it.