🔥 How to Stop Burning Cash on Azure Network Traffic

July 7, 2025

Structure of this Article

Introduction
- Scope
- Not in scope
Concept: How Azure Meters Network Costs
Billing Scenarios
Conclusion
Annex – Further documentation on cost management in azure
- General introduction to cost management in the azure portal
- Cost management API(#api)
- Cost Management via Azure CLI(#az-cli)
- Cost Management via Powershell(#powershell)

Introduction to network cost optimization in Azure

Cost Management in Azure can be a straight forward topic. Assume a resource has a fixed cost billed per instance, along with a dynamic cost component that depends on usage.

When it comes to network costs the situation gets confusing. Nearly all Azure operations include data transfer over the network, but not all traffic incurs charges.

But, when you skim the documentation for this topic you will mostly read that incoming traffic is free and Azure outgoing traffic costs 0.036 €/GB (at the time of creation) with 100GB free monthly.

Unfortunately it gets way more complex once you look into the details. This blog article shall make some of the details easier to understand by calculating cost examples using sample scenarios. After that, it also should help you to optimize your network costs in Azure.

Scope

This article covers regional and multi regional scenarios taking place in one Zone (Zone 1). Further, I will only analyze data transfer costs. For clarity considerations up front costs for resources are neglected.

Not in scope

When it comes to intercontinental traffic the cost structure is even more complex. This is not a part of this article though.

Concept: How does Azure meter network incurred costs

There are two types of network related costs. vNet Peering / Bandwidth charges and Data processed charges.

Network transfer costs arise whereever your traffic traverses parts of the azure infrastructure. So one request can generate network-based costs in various places.

In the subsequent chapters scenarios are described that shall help to identify when which type of network related costs are triggered.

Microsoft published a network pricing overview which is based on a virtualWan enabled network here.

Service Bandwidth

Bandwidth describes the traffic leaving the regional Azure premises or the traffic routed to the Internet.

The service name “Bandwidth” consists of following meter subcategories

Outbound Data Transfer (Internet egress)
- “Rtn Preference: MGN” -> uses Microsoft global network – billed per GB
- “Rtn Preference: ISP” -> uses your ISPs breakout – billed per GB
Bandwidth Inter-Region , Data transfers between different Azure regions ( traffic that stays in the azure premises)

There are 2 routing options for internet destined traffic:

MGN – Microsoft Global Network – Traffic will use the microsoft backbone until it exits over the microsoft network edge pop closest to the destination. (more costly)
ISP – The traffic will leave microsoft premises by the next pop and travels to the destination via the public internet. (a bit less costly)

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview
Azure then bills the charges under one of the following meters.

Standard Data Transfer Out
Intra Continent Data Transfer Out
Inter Continent Data Transfer Out – NAM or EU To Any (Intercontinental)
Standard Data Transfer In (usually free)

Service Virtual Network

Do not confuse the service “Virtual Network” with the resource Virtual Network. The costs for the service virtual network are assigned to each resource that generate them. (VMs, VM Scale Sets, AKS)

Virtual Networks are free so you will never find them in your cost analysis. All network related costs are assigned to the resources and services that generate them.

Service: Virtual Network Meter Subcategory: Virtual Network Peering

In this subcategory you will find the traffic costs generated by VMs accessing Services though the vNet

Intra-Region Ingress
Intra-Region Egress

Meter Subcategory Virtual Network-Private Link

This subcategory gathers all costs generated by private endpoints.

Standard Private Endpoint (Instance costs for the private endpoint billed by hour)
Standard Data Processed Egress
Standard Data Processed Ingress

A private endpoint enables access to a Platform-as-a-Service (PaaS) resource from within a virtual network instead of over the public internet. Further Reading on private endpoint

Service Express Route

In this article we assume a metered Express Route of sku standard, which costs are described by the following metres:

Standard Metered Data – Fixed costs for the Express Route provisioning / month
Metered Data – Data Transfer Out – Billed / GB
Data Transfer In – Usually Free

Service vWan, Firewall, Application Gateway, Loadbalancer

These are all network related ressources which costs are connected to the amount of traffic they process. No matter if its ingress or egress.

Billing Scenarios

VM to Internet via Firewall

First, a VM initiates a connection; then, it accesses a service that is provided via the internet.

(1) Firstly a VM generates Traffic (In this example 1 TB). The data traffic is forwarded via the virtual network peering to the vNet in which the firewall is located.

Important! In this scenario the traffic is routed via the existing vNet Peering (the red line). It is not routed via the vWWan Hub.

(2) Then traffic ingresses in the vNet.

(3) The firewall processes the incmoming data.

(4) The traffic egresses to the internet via the firewall by traversing the Microsoft Global Network. (Routing Preference: MGN)

Cost breakdown for this scenario #1

Waypoint	Amount billed	Cost descrtiption
1.	18,12 €	VNET Peering Egress
2.	18,012 €	VNET Peering Ingress
3.	14,40 €	Firewall Data Processed
4.	69,28 €	Bandwidth Internet Egress “Rtn Preference: MGN”
—	120,02	Total Cost for 1TB (1024 GB)

💡Find the scenario in the azure cost calculator here.

💡 Summary: Traffic leaving the region or going to the internet is billed per GB. Intra-region traffic within Azure is also billed. Bandwidth costs depend on routing preference and target location.

VM to Private Endpoint PaaS

A VM accesses a storage account that has a private endpoint enabled (this can be any service with a private endpoint, such as a database, Key Vault, or cache)

(1) The traffic traverses the vNet-Link peering to the vHub.

(2) The vHub processes (routes) the traffic.

(3) The traffic leaves the vHub to the Ressource via the vNet -Link Peering.

(4) The requests then reach the network interface of the private Link enabled PaaS.

💡 Note: A private endpoint enables access to a Platform-as-a-Service (PaaS) resource from within a virtual network instead of over the public internet.

Waypoint	Amount billed	Cost description
1.	18,12 €	vNet Link Peering Egress
2.	18,12 €	vHub Processing
3.	18,12 €	vNet Link Peering Ingress
4.	9,06 €	private Endpoint processing costs (inbound)
—	63,42	Total Cost for 1TB (1024 GB)

On-Prem VM to Load Balanced Azure VM (Interregion)

A VM on premises accesses a service that is provided by VMs that are behind a loadbalancer in azure. The on-premises datacenter connects to Azure through an ExpressRoute circuit.

(1) Express Route ingress traffic into Azure is free.

Note: It is likely though that the ISP provising the link for the ExpressRoute will charge traffic fees.

(2) The traffic then flows through the source regional vHub, resulting in associated costs.

(3) The traffic is routed to the vWan Hub in the destination region through the microsoft backbone which is billed accordingly.

(4) The destination vHub routes the traffic which incurs costs.

(5) The ingressing traffic is billed again in the destination vNet in which the lb and the vm reside.

(6) Finally, the Standard Load Balancer processes the traffic based on the configured load balancing rules, which results in costs.

Cost Breakdown for Scenario #3

Waypoint	Amount billed	Cost description
1.	0,00 €	ingress trafic enetering Azure free, might be subject to Internet provider billing
2.	18,12 €	vHub Processing (EU Region-1)
3.	18,03 €	Bandwidth Inter Region, Intra Continent Data Transfer Out
4.	18,12 €	vHub Processing (EU Region-2)
5.	18,12 €	vNet Peering Ingress
6.	4,53 €	LB, SKU Standard Data Processed
—	76,92	Total Cost for 1 TB

💡 Find the scenario in the azure cost calculator here.

💡 Summary: Traffic between two regions inside a virtual wan casuses bandwidth costs. Also processing costs for the virtual wan hubs in the regions are billed.

Conclusion

🔄 Evaluate if service-providing resources (such as a frontend application gateway, VM, or database) can reside in the same vNet to minimize network-induced costs. Spreading them across different vNets or regions increases those costs.”

🔄 The management of a meshed hub and spoke network architecture can be complex and costly. A virtualWan offers a centrally managed full mesh hub and spoke architecture out of the box. Compare these two costs!

-> 🔄 It makes sense to evaluate different network designs with a focus on costs.

Minimize Data Transfer Costs:

✅ Keep resources within the same region to avoid supra-regional or even intercontinental data transfer fees.

✅ Monitor network traffic and the processing load of network related ressources. Use this data to adjust sizing of your core network components.

⚠️ Do not overprovision infrastructure components as virtual wan hubs, express routes or application gateways.

💸 When Load testing your applications do consider to not route the traffic through your azure firewall each time. As it might be feasible to test the interplay of all components once it is most likely not required to route the load testing traffic through the firewall each time as it can generate significant costs.

Take all deisgn options into consideration if you want to optimize network costs in azure. There is often no sinlge optimal solution. A trade off between costs and managebility has to take place.