Demystifying Azure VPN Pricing & Affordable Alternatives
by Stuart Loh

Demystifying Azure VPN Pricing & Affordable Alternatives

What is Azure VPN?

Microsoft Azure VPN Gateway (or Azure VPN for short) is a managed service offered by Microsoft that allows organizations to establish secure connections between devices and private networks over the public internet. Azure VPN is offered as an easier way to deploy a VPN for use with Azure virtual networks (VNs) than having to manually manage the procurement, installation, configuration, and operation of VPN server software.

Although Azure VPN may be technically easier to implement than a traditional VPN, the way Microsoft prices Azure VPN is complex. Azure VPN’s pricing is dependent on a myriad of variables which makes the process of estimating how much it will cost quite confusing.

To complicate things further, Azure VPN has two different service types: point-to-site (P2S) and site-to-site (S2S). The P2S VPN is designed to enable secure communication tunnels to be established between remote workers’ devices and resources on private networks (in this case, an Azure VN that is used as a private network). These tunnels are temporary and are established on demand by workers when they sign into the remote network.

S2S VPNs are designed to connect two different private networks (in this case, they could be used to securely connect two Azure VNs, or an Azure VN with an on-premises network). These tunnels are typically always active and are set up to handle large amounts of traffic.

Microsoft prices its VPN Gateway service differently depending on whether you are using it for S2S tunnels or P2S tunnels. In this article, we will focus on demystifying Azure VPN’s P2S pricing model by deconstructing exactly how it works, providing a convenient cost calculator, and reviewing some alternatives to Azure VPN.

How Azure VPN Pricing Works

The costs for Azure VPN come from 3 components:

  • VPN Gateway charge (time-based)
  • Number of P2S tunnel connections used (time-based)
  • Data transfer charges for egress data (usage-based)

Let’s examine each in turn.

VPN Gateway Charge

Microsoft charges for each VPN gateway that you provision in an Azure VN. A fixed hourly fee is charged for the time a VPN gateway is provisioned and available. The amount of that fee depends on two factors:

1. VPN Gateway Type: Various gateway types are offered (Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw4, and VpnGw5), with more powerful gateways able to support higher bandwidth throughput and more concurrent P2S tunnels (at greater cost). Additionally, “high availability” zone redundant versions of each gateway type are available. These gateways support Azure Availability Zones and provide more resiliency in the event of zone-level failures (also at greater cost).

2. VPN Gateway Region: The Azure region in which a gateway is located also impacts the hourly fee. While these fees are largely the same around the world, gateways hosted in Azure Government regions in the U.S. are priced higher.

  • Each VPN Gateway: $0.04 to $5.247 per hour

P2S Tunnel Connection Charges

Microsoft charges for the number of P2S tunnels established to a VPN gateway on a time and use basis. In general, all VPN gateway types support 128 P2S tunnels at no extra cost, but each tunnel in excess of 128 is charged an hourly fee. The amount of that fee depends on what region the gateway is in.

  • Each P2S tunnel connection in excess of 128: $0.01 to $0.013 per hour

Egress Data Transfer Charges

Microsoft charges data transfer fees for data exiting an Azure VN to the internet via a P2S VPN connection on a bandwidth-used basis (per GB). The per GB data transfer charge depends on two factors:

1. VPN Gateway Region: The region of the VN from which the traffic is exiting determines the applicable bandwidth charges, with each region having its own pricing table.

2. Aggregate Monthly Bandwidth Use: Each region’s pricing table is tiered, with the per GB price decreasing if you use more bandwidth during a month. The first 100GB of data transfers each month is free.

  • Amount of egress data transferred: $0.04 to $0.181 per GB (after first 100 GB)

Data transfer charges may add significant bandwidth costs if you are running your VPN clients in full tunnel mode, which sends all network traffic destined for the public internet through an Azure VPN gateway and its VN.

Azure VPN Pricing Calculator

Because there are a lot of variables to crunch when working out pricing, to help you estimate Azure VPN Gateway fees, we’ve made this handy Azure VPN Pricing Calculator.

Azure VPN Pricing Calculator
Azure VPN Pricing Calculator

We note that pricing changes from time to time. The information in this article is accurate to the best of our knowledge at the date of writing, but you should check the Azure website for the most up to date pricing.

Summary

In summary, the charges you can expect to pay include:

  • Hourly fees for each Azure VPN Gateway, based on the gateway type and region
  • Hourly fees for each concurrent P2S tunnel connection over 128, based on the gateway region
  • Bandwidth fees for egress traffic from your VN (representing an additional charge for full tunnel traffic that otherwise wouldn’t need to flow through your VN), based on the gateway region

Alternatives to Azure VPN Gateway

If you want to enable secure remote access to your Azure VNs, there are options apart from Azure VPN.

Azure Marketplace Products

The Azure Marketplace features a large number of third party products that integrate with Microsoft Azure. Some vendors offer their own VPN solutions that work within an Azure VN, and each of these products comes with its own pricing model. For example, SoftEther offers a VPN solution that is licensed on a time-based model, which is additional to the infrastructure usage costs that Azure charges. Administratively, fees for these third party products can sometimes be charged via Azure, so you can benefit from consolidated billing.

Manually Installed Products

It’s also possible to manually install and configure an open source solution like OpenVPN within your Azure VN environments. Although there are no ongoing subscription fees associated with this route, it does require a lot more effort and expertise in terms of setup and maintenance. Additionally, support is not provided, so you may have to seek third party help if you run into problems (either paid, or from free sources like community forums). Azure infrastructure usage costs still apply as well.

Zero Trust Alternative

If you are ultimately looking for a remote access solution, you should also consider Zero Trust Network Access products that aren’t based on VPN technology, such as Twingate. Twingate can be installed in an Azure VN with a single line of code. Additionally, deployment can be automated in a variety of ways. Twingate is also available on the Azure Marketplace.

Another advantage of Twingate is that, unlike VPN technologies, there’s no concept of setting up site-to-site VPN tunnels to establish connectivity to your various network subnets. That reduces deployment complexity, as well as pricing complexity. (As mentioned above, Azure S2S comes with a different pricing model than P2S.)

Zero Trust solutions have distinct security advantages over VPNs as well.

Twingate’s Pricing Model

A key benefit of using Twingate to secure remote access to your Azure environment is that the pricing model is straightforward. Twingate’s pricing is based on a per user flat fee model. That means costs are predictable - and you don’t need a spreadsheet to work them out!

The only variables that impact Twingate’s pricing are the number of users you have, the months or years you subscribe to the service (depending on whether you are billed monthly or annually), and the Twingate plan you select (Teams, Business or Enterprise). Twingate does not charge for bandwidth used or time connected. We even offer a free Starter plan if you want to try us out or if you only have a limited amount of infrastructure you need to secure.

If you use Twingate with non-Azure environments, support for Azure comes at no extra cost. In fact, Twingate secures access to all major types of environments (AWS, GCP, Azure, and on-premises) you may have for the same fee, and the setup process is similar for each environment.

Simplify Your Azure Secure Remote Access Needs

Twingate aims to provide the security benefits of a non-VPN Zero Trust solution while making deployment and management of that solution as simple as possible. Part of this is providing a simple to understand pricing model that won’t unexpectedly blow out your budget.

Contact us to learn more about how easy and cost effective implementing a modern zero trust solution can be.


Featured Articles