Just started a job as an Azure admin/engineer and one of the first issues I got to face is the fact that VPN (gateway) cost is really high. I heard some things about VPN being around 40% of the cost, but in our case it’s almost 65%. One thing to mention is that our compute workload and storage demands are pretty low, so the comparison is relative, of course.
Some details about my infrastructure:
Customers have on-site industrial devices, TCP/IP communication goes through S2S VPN to VMs in Azure.
S2S VPN termination is made by dedicated firewall devices (on-site at customer location)
S2S VPN initiation is made by Azure VPN gateway inside a customer vnet that’s peered to the mgmt vnet.
Everything is in the same geography/region.
We have the cheapest basic VPN plan that’s billed hourly, traffic is in the lower KBytes/s but it is constant.
The server and machinery are running proprietary industrial applications, so re-engineering them to not need VPN (something like REST calls secured with TLS) is out of the question atm.
I thought about deploying a pfSense VM that does all the VPN lifting, so the traffic can be metered by amount of data instead of time. That results in some more mgmt overhead for me of course, but it’s something to check out I guess? Would that work maybe?
Are there any other approaches you guys did to avoid high VPN costs? Any input is appreciated! Thank you!!
Keep in mind you pay more for uptime not so much data on the Firewall/VPN SKUs. These are HA SaaS network appliances, you should be comparing them to enterprise HA solutions not small office Firewalls. Both the Azure Firewall and Azure VPN are HA just by turning them on. If you want to save money I would see if you could downgrade the SKU, try to determine if you actually need the SKU you’re using. A lot of my clients think the Fortigate/Palo cloud appliances are cheaper but it’s because they are far lesser solutions IMO. The native Azure stuff is top of the line.
Is using a single or multiple central VPN gateways an option? You get up to 10 s2s connections on the basic SKU. Do you manage / deploy the customers firewall? Maybe p2s connections are possible?
I’ve run into a similar issue. S2S VPN gateways are pretty expensive, especially if you spin up many of them.
For a cheaper option, you will most likely need to slim down to fewer VPN gateways, or adjust the SKUs.
The second option is using NVAs instead; those will have some more flexibility and should be much cheaper. If you can set them up with HA you should get similar results for a cheaper price. You will be sacrificing the reliability of the HA of Azure VPNGW and taking on management overhead for lower costs, though.
We pretty much have non-stop traffic running through our tunnels, just a few kbit/s.
That caps out at around $360 + $360.40 per year, which is still $720. To compare, the per-customer VM runs about $200–250 per year.
My idea about self-managing the VPN initiator is to shift billing to consumption instead of time. The total egress traffic a customer VPN tunnel sees in a year is usually below 200 MB (!!!)
Yes we do! Since we’re in the industrial sector, developments take a little longer. I’d be very open to restructuring communications to more of a microservice/mesh architecture, but I don’t wanna rush that.
That’s actually a great idea, using one VPN gateway for 10 devices. We manage and deploy the firewalls, so that is possible. Still gotta check about compliance. Do you perchance know if Azure VPN GW supports splitting up / isolating the ingress traffic into different VNets (maybe with UDR)?
Two really good ideas. I need to check about policy/compliance when using one gateway for multiple sites. Do you perchance know if Azure VPN GW supports splitting up the ingress traffic into different VNets (maybe with UDR)?
Using NVAs is also a good point, especially since using pfSense in a VM may be a little too hacky. Gonna look into this.
Are you factoring in two virtual machines, a load balancer, and a public IP? Azure VPN already provides a high-availability pair of VPN instances. There is also the cost of an engineer to perform maintenance operations. These could include verifying backups, applying updates, and testing disaster recovery. The total cost of ownership is more than just the Azure resources.
In my opinion, sometimes the extra money is worth less human interaction. I understand cost is a huge consideration and I’m not saying to ignore the cost. However, there are only so many hours in a day to do things.
You can set a UDR, but you’ll need an NVA to route the traffic. You may also need to configure BGP for the route to properly be advertised. It’s been a while since I configured it, so I could be wrong.
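To make the consolidation idea from the replies above (one gateway, up to 10 S2S connections, per-customer isolation into separate spoke VNets) concrete, here is an added planning script. It is not code from anyone in this thread. It assumes a constructed inventory of customer sites (`SITES`), that every local-network-gateway prefix attached to the same Azure VPN gateway must be unique and non-overlapping (a sample with two clashing sites shows why that check matters when 20 edges with customer-chosen address ranges are folded together), and that per-customer isolation in the spoke is done with NSG rules keyed on the on-prem prefix; the rule shape emitted is a simplified dict, not the exact Azure resource schema.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the thread): each customer edge with the
# on-prem prefix behind its firewall and the Azure spoke VNet its traffic must reach.
SITES = [
    {"name": "site-01", "onprem": "10.10.1.0/24", "spoke": "10.200.1.0/24"},
    {"name": "site-02", "onprem": "10.10.2.0/24", "spoke": "10.200.2.0/24"},
    {"name": "site-03", "onprem": "192.168.1.0/24", "spoke": "10.200.3.0/24"},
    {"name": "site-04", "onprem": "192.168.1.0/24", "spoke": "10.200.4.0/24"},  # same range as site-03
    {"name": "site-05", "onprem": "10.10.0.0/16", "spoke": "10.200.5.0/24"},  # supernet of site-01/02
]


def find_overlaps(sites):
    """Return (name, name) pairs whose on-prem prefixes overlap.

    Two sites in such a pair cannot share one VPN gateway: the gateway has a
    single route table and cannot tell the two customers' hosts apart.
    """
    clashes = []
    for a, b in combinations(sites, 2):
        net_a = ipaddress.ip_network(a["onprem"])
        net_b = ipaddress.ip_network(b["onprem"])
        if net_a.overlaps(net_b):
            clashes.append((a["name"], b["name"]))
    return clashes


def group_into_gateways(sites, max_connections=10):
    """Greedy first-fit: put each site on the first gateway that still has a
    free connection slot and no prefix overlapping the site's on-prem range.
    Returns a list of gateways, each a list of site dicts."""
    gateways = []
    for site in sites:
        net = ipaddress.ip_network(site["onprem"])
        for gw in gateways:
            has_slot = len(gw) < max_connections
            disjoint = not any(
                net.overlaps(ipaddress.ip_network(s["onprem"])) for s in gw
            )
            if has_slot and disjoint:
                gw.append(site)
                break
        else:
            gateways.append([site])  # no existing gateway fits: open a new one
    return gateways


def spoke_isolation_rules(site, all_sites, base_priority=100):
    """Inbound NSG-style rules for one customer's spoke subnet (assumed approach,
    simplified rule dicts): allow that customer's on-prem prefix, explicitly deny
    every other customer's prefix so shared-gateway traffic cannot cross spokes.
    Lower priority number wins, as in Azure NSGs."""
    rules = [{
        "name": f"allow-{site['name']}",
        "priority": base_priority,
        "access": "Allow",
        "source": site["onprem"],
        "destination": site["spoke"],
    }]
    prio = base_priority + 1
    for other in all_sites:
        if other["name"] == site["name"]:
            continue
        rules.append({
            "name": f"deny-{other['name']}",
            "priority": prio,
            "access": "Deny",
            "source": other["onprem"],
            "destination": site["spoke"],
        })
        prio += 1
    return rules


if __name__ == "__main__":
    for a, b in find_overlaps(SITES):
        print(f"overlap: {a} <-> {b} (must live on different gateways)")
    for i, gw in enumerate(group_into_gateways(SITES), start=1):
        print(f"gateway {i}: {[s['name'] for s in gw]}")
    for rule in spoke_isolation_rules(SITES[0], SITES):
        print(rule)
```

Run as-is, the sample lands on two gateways instead of five: the three disjoint sites share one, and the two that clash with them go to a second. The allow/deny rule list per spoke is what actually enforces the "different VNets per customer" requirement once a gateway is shared; the UDR only decides where packets go, not who is allowed to send them.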
That’s absolutely correct concerning mgmt overhead and TCO, but in our case the VPN costs are almost excessive compared to anything else we’re consuming with Azure. I still want to encourage my higher-ups and customers that cloud deployments are the way forward, but the cost is really something else.
Thankfully we have enough personnel; we’re actually investing in more Azure personnel atm to at least go test some other deployments.
Thanks for the tip! We have around 20 edges right now, all with their own tunnel and physical firewall on the customer edge, and just one VM on the provider/cloud edge.
Gonna watch the video and keep that in mind! Haven’t thought of using an overlay NW solution.