Hosting applications in Azure involves careful consideration of the costs generated by three main components: computing, storage and network. IT administrators need to understand the resources associated with each category and their associated charges. While the Azure pricing calculator helps to a great extent in estimating costs, it’s also important to understand all the resources that would appear in your monthly bill and include them as inputs in the calculator.
One component that is often overlooked in such calculations is data traffic charges. When you access an application hosted in Azure, access data from a blob storage, or download files over a VPN, data traffic costs are incurred in addition to computing and storage charges. This blog will clarify the different scenarios in which a data traffic cost is involved so you can make accurate projections and avoid surprises in your monthly bill.
Data Egress Considerations
All inbound or ingress data transfers to Azure data centres from on-premises environments are free. However, outbound data transfers (except in a few cases like backup recovery) incur charges. In the case of a hybrid architecture in which on-premises is connected to Azure via a VPN or ExpressRoute, data egress charges vary according to the connection type. Even in cloud-only architectures, accessing hosted applications directly incurs charges. Let’s review the different data charges in the following common scenarios.
Azure supports Site-to-Site and Point-to-Site VPN connections from on-premises data centres. These connections terminate in a virtual network gateway created for a specific Azure Virtual Network. While a Site-to-Site VPN is used for extending an on-premises network to Azure, it can also be used to connect one Azure VNet to another. On the other hand, a Point-to-Site VPN is for mobile users or traveling users who want to connect securely to an Azure network from a public network.
Data egress for Site-to-Site and Point-to-Site connections is charged at regular data transfer rates. The first 5GB/month is free, and any data transfer beyond that is charged based on the following usage slab:
Outbound Data Transfers
For data transfers beyond 500TB, customers should contact the Microsoft sales team to get an organisation-specific deal. When a VPN is established between two VNets in Azure, an inter-virtual network data transfer rate is applied based on the zone from which the data originates. Currently, data charges are applied at a flat rate of $0.035/GB only for Zone 1. Zone 1 comprises the following Azure data centre regions: US East, US North Central, US South Central, Europe West, Europe North, France Central, and France South.
Microsoft Azure ExpressRoute offers direct connections without traversing the internet between on-premises data centres and Azure. There are two types of billing plans associated with ExpressRoute; data charges depend on the plan selected by the client. For metered plans, inbound data transfer is free, but customers are charged for outbound data transfer based on Azure data centre regions grouped as zones.
For ExpressRoute traffic, the zones are defined as follows:
Zone 1: West US, East US, North Central US, South Central US, East US 2, Central US, West Europe, North Europe, France Central, France South, Canada East, Canada Central.
Zone 2: East Asia, Southeast Asia, Australia East, Australia Southeast, Japan East, Japan West, Korea Central, Korea South, India South, India West, India Central.
Zone 3: Brazil South.
Outbound data is charged at a rate of $0.025/GB for Zone 1, $0.05/GB for Zone 2 and $0.14/GB for Zone 3. In unlimited billing plans, both inbound and outbound data transfers are free because the client must pay a flat fee based on the selected port speed.
Outbound data transfer rates apply when hosted applications or VMs are accessed directly over the Internet. Some common examples include accessing or downloading files from applications, and management activities through RDP and SSH connections to VMs. The data transfer rates are the same as those explained in the VPN section above.
Data Traffic Costs and Availability Zones
Azure offers three availability zones in enabled regions to ensure high availability. Azure places VMs in fault and update domains after the VMs are deployed in an availability zone. Azure availability zones are generally available now and all inbound and outbound data is free until February 1, 2019. From that date forward, charges of $0.01/GB will be applied to all data transfers from a resource in one availability zone to a resource in a different availability zone connected to the same VNet.
Intra-Network Traffic: Peering
VNet peering seamlessly connects two Azure VNets, allowing traffic to traverse the Microsoft backbone infrastructure without using a virtual network gateway. VNet peering is a preferred method of connecting two Azure VNets because it helps avoid charges associated with a virtual network gateway. It’s also more secure because the traffic passes through the Microsoft backbone network. VNet peering is particularly useful in hub-spoke topologies.
In such topologies, the hub VNet hosts the management components, and applications are segregated into different spoke VNets. These spoke VNets are connected to the hub network through VNet peering.
Different data charges apply for VNet peering within the same Azure region and VNet peering across different Azure regions, otherwise known as Global VNet Peering. It’s important to note that both inbound and outbound traffic incur charges for VNet peering. VNet peering in the same region incurs an inbound and outbound data transfer charge of $0.01/GB. For Global VNet Peering, the transfer rates are dependent on the zones between which the data is being transferred. The current data transfer slabs are as follows:
Understanding and optimising the data outflow points in your architecture are key to reducing data traffic charges. For example, different Azure regions have different data transfer rates that apply. Unless mandated by compliance or security reasons, resources can be deployed to regions with minimal or no data transfer charges.
In cases when VPN data transfer charges are high, it’s worth evaluating whether using ExpressRoute might turn out to be more beneficial in the longer run. Outbound data transfer between Azure services in different regions incurs charges. When using multiple Azure services in an architecture where data transfer can occur between them, it’s a good idea to deploy them in the same Azure region.
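To put the per-GB rates quoted in this article side by side, the following added example (not part of the original article) prices a monthly traffic matrix by flow type. The flow-kind names and the sample traffic figures are constructed for illustration, the rates are the ones stated in the text and should be checked against current Azure pricing, and billing cross-zone traffic once per GB is an assumption.

```python
from decimal import Decimal

# Rates in USD per GB, copied from the article's text (check current pricing).
ER_ZONE_REGIONS = {
    1: ("West US", "East US", "North Central US", "South Central US",
        "East US 2", "Central US", "West Europe", "North Europe",
        "France Central", "France South", "Canada East", "Canada Central"),
    2: ("East Asia", "Southeast Asia", "Australia East", "Australia Southeast",
        "Japan East", "Japan West", "Korea Central", "Korea South",
        "India South", "India West", "India Central"),
    3: ("Brazil South",),
}
ER_OUTBOUND = {1: Decimal("0.025"), 2: Decimal("0.05"), 3: Decimal("0.14")}
ZONE_OF = {r: z for z, rs in ER_ZONE_REGIONS.items() for r in rs}
VNET_VPN_ZONE1 = Decimal("0.035")       # VNet-to-VNet through a gateway
PEERING_SAME_REGION = Decimal("0.01")   # billed on inbound AND outbound
CROSS_AZ = Decimal("0.01")              # assumption: billed once per GB


def flow_cost(kind, gb, region=None):
    """Cost in USD of moving `gb` gigabytes over one kind of path."""
    gb = Decimal(str(gb))
    if gb < 0:
        raise ValueError("gb must be non-negative")
    if kind == "expressroute_metered_out":
        if region not in ZONE_OF:
            raise ValueError(f"region not in the article's zone lists: {region!r}")
        return gb * ER_OUTBOUND[ZONE_OF[region]]
    if kind == "vnet_vpn_zone1":
        return gb * VNET_VPN_ZONE1
    if kind == "peering_same_region":
        return gb * PEERING_SAME_REGION * 2   # one charge per side
    if kind == "cross_az":
        return gb * CROSS_AZ
    raise ValueError(f"unknown flow kind: {kind!r}")


def estimate(flows):
    """Sum costs per flow kind; returns (per_kind dict, total)."""
    per_kind = {}
    for kind, gb, region in flows:
        per_kind[kind] = per_kind.get(kind, Decimal(0)) + flow_cost(kind, gb, region)
    return per_kind, sum(per_kind.values(), Decimal(0))


# Constructed monthly traffic matrix: (kind, GB, source region or None).
SAMPLE_FLOWS = [
    ("expressroute_metered_out", 2000, "West Europe"),
    ("expressroute_metered_out", 100, "Brazil South"),
    ("vnet_vpn_zone1", 1000, None),
    ("peering_same_region", 1000, None),
    ("cross_az", 500, None),
]
```

Because same-region peering is billed on both sides, its effective rate is $0.02/GB, which is still below the $0.035/GB VNet-to-VNet gateway rate before any gateway charges are counted.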
Cost optimisation is a key focus of organisations adopting Azure. It’s wise to analyse the overall deployment architecture, identify the charges incurred by each component, and implement best practices to avoid unwanted charges, especially regarding data transfer. Enlisting a Managed Cloud Service Provider (MCSP) like Navisite can help with this process and with implementing an optimal Azure architecture.