A Guide to Azure Data Transfer Pricing

rw-book-cover

Icon for Microsoft rank
Understanding Azure networking charges is essential for businesses aiming to manage their budgets effectively. Given the complexity of Azure networking pricing, which involves various influencing factors, the goal here is to bring a clearer understanding of the associated data transfer costs by breaking down the pricing models into the following use cases:

Please note this is a first version, with a second version to follow that will include additional scenarios.

Disclaimer:

1. VM to VM

1.1. VM to VM, same VNet

Data transfer within the same virtual network (VNet) is free of charge. This means that traffic between VMs within the same VNet will not incur any additional costs. Doc.

Data transfer across Availability Zones (AZ) is free. Doc.

1.2. VM to VM, across VNet peering

Azure VNet peering enables seamless connectivity between two virtual networks, allowing resources in different VNets to communicate with each other as if they were within the same network. When data is transferred between VNets, charges apply for both ingress and egress data. Doc:

VM to VM, across VNet peering, same region


VM to VM, across Global VNet peering

Azure regions are grouped into 3 Zones (distinct from Avaialbility Zones within a specific Azure region). The pricing for Global VNet Peering is based on that geographic structure. Data transfer between VNets in different zones incurs outbound and inbound data transfer rates for the respective zones.

When data is transferred from a VNet in Zone 1 to a VNet in Zone 2, outbound data transfer rates for Zone 1 and inbound data transfer rates for Zone 2 will be applicable. Doc.


1.3. VM to VM, through Network Virtual Appliance (NVA)

Data transfer through an NVA involves charges for both ingress and egress data, depending on the volume of data processed.

When an NVA is in the path, such as for spoke VNet to spoke VNet connectivity via an NVA (firewall...) in the hub VNet, it incurs VM to VM pricing twice.



The table above reflects only data transfer charges and does not include NVA/Azure Firewall processing costs.

2. VM to Private Endpoint (PE)

Private Endpoint pricing includes charges for the provisioned resource and data transfer costs based on traffic direction. For instance, writing to a Storage Account through a Private Endpoint incurs outbound data charges, while reading incurs inbound data charges. Doc:

2.1. VM to PE, same VNet

Since data transfer within a VNet is free, charges are only applied for data processing through the Private Endpoint.



Cross-region traffic will incur additional costs if the Storage Account and the Private Endpoint are located in different regions.

2.2. VM to PE, across VNet peering

Accessing Private Endpoints from a peered network incurs only Private Link Premium charges, with no peering fees. Doc.

VM to PE, across VNet peering, same region


VM to PE, across VNet peering, PE region != SA region


2.3. VM to PE, through NVA

When an NVA is in the path, such as for spoke VNet to spoke VNet connectivity via a firewall in the hub VNet, it incurs VM to VM charges between the VM and the NVA. However, as per the PE pricing model, there are no charges between the NVA and the PE.



The table above reflects only data transfer charges and does not include NVA/Azure Firewall processing costs.

3. VM to Internal Load Balancer (ILB)

Azure Standard Load Balancer pricing is based on the number of load balancing rules as well as the volume of data processed. Doc:

3.1. VM to ILB, same VNet

Data transfer within the same virtual network (VNet) is free. However, the data processed by the ILB is charged based on its volume and on the number load balancing rules implemented. Only the inbound traffic is processed by the ILB (and charged), the return traffic goes direct from the backend to the source VM (free of charge).


3.2. VM to ILB, across VNet peering

In addition to the Load Balancer costs, data transfer charges between VNets apply for both ingress and egress.


3.3. VM to ILB, through NVA

When an NVA is in the path, such as for spoke VNet to spoke VNet connectivity via a firewall in the hub VNet, it incurs VM to VM charges between the VM and the NVA and VM to ILB charges between the NVA and the ILB/backend resource.



The table above reflects only data transfer charges and does not include NVA/Azure Firewall processing costs.

4. VM to internet

4.1. Data transfer and inter-region pricing model

Bandwidth refers to data moving in and out of Azure data centers, as well as data moving between Azure data centers; other transfers are explicitly covered by the Content Delivery Network, ExpressRoute pricing, or Peering. Doc:


4.2. Routing Preference in Azure and internet egress pricing model

When creating a public IP in Azure, Azure Routing Preference allows you to choose how your traffic routes between Azure and the Internet. You can select either the Microsoft Global Network or the public internet for routing your traffic. Doc:


See how this choice can impact the performance and reliability of network traffic:


By selecting a Routing Preference set to Microsoft network, ingress traffic enters the Microsoft network closest to the user, and egress traffic exits the network closest to the user, minimizing travel on the public internet (“Cold Potato” routing).

On the contrary, setting the Routing Preference to internet, ingress traffic enters the Microsoft network closest to the hosted service region. Transit ISP networks are used to route traffic, travel on the Microsoft Global Network is minimized (“Hot Potato” routing).

Bandwidth pricing for internet egress, Doc:


4.3. VM to internet, direct

Data transferred out of Azure to the internet incurs charges, while data transferred into Azure is free of charge. Doc.

It is important to note that default outbound access for VMs in Azure will be retired on September 30 2025, migration to an explicit outbound internet connectivity method is recommended. Doc.


4.4. VM to internet, with a public IP

Here a standard public IP is explicitly associated to a VM NIC, that incurs additional costs. Like in the previous scenario, data transferred out of Azure to the internet incurs charges, while data transferred into Azure is free of charge. Doc.


4.5. VM to internet, with NAT Gateway



In addition to the previous costs, data transfer through a NAT Gateway involves charges for both the data processed and the NAT Gateway itself, Doc:

5. Hybrid connectivity

Hybrid connectivity involves connecting on-premises networks to Azure VNets.

The pricing model includes charges for data transfer between the on-premises network and Azure, as well as any additional costs for using Network Virtual Appliances (NVAs) or Azure Firewalls in the hub VNet.

5.1. H&S Hybrid connectivity without firewall inspection in the hub

For an inbound flow, from the ExpressRoute Gateway to a spoke VNet, VNet peering charges are applied once on the spoke inbound. There are no charges on the hub outbound.

For an outbound flow, from a spoke VNet to an ER branch, VNet peering charges are applied once, outbound of the spoke only. There are no charges on the hub inbound. Doc.



The table above does not include ExpressRoute connectivity related costs.

5.2. H&S Hybrid connectivity with firewall inspection in the hub

Since traffic transits and is inspected via a firewall in the hub VNet (Azure Firewall or 3P firewall NVA), the previous concepts do not apply.

“Standard” inter-VNet VM-to-VM charges apply between the FW and the destination VM : inbound and outbound on both directions. Once outbound from the source VNet (Hub or Spoke), once inbound on the destination VNet (Spoke or Hub).



The table above reflects only data transfer charges within Azure and does not include NVA/Azure Firewall processing costs nor the costs related to ExpressRoute connectivity.

5.3. H&S Hybrid connectivity via a 3rd party connectivity NVA (SDWAN or IPSec)

Standard inter-VNet VM-to-VM charges apply between the NVA and the destination VM: inbound and outbound on both directions, both in the Hub VNet and in the Spoke VNet.

5.4. vWAN scenarios

VNet peering is charged only from the point of view of the spoke – see examples and vWAN pricing components.

Next steps with cost management

To optimize cost management, Azure offers tools for monitoring and analyzing network charges. Azure Cost Management and Billing allows you to track and allocate costs across various services and resources, ensuring transparency and control over your expenses.



By leveraging these tools, businesses can gain a deeper understanding of their network costs and make informed decisions to optimize their Azure spending.