Changes were made recently to the pricing structure of Azure DDoS Protection Standard which amount to both less cost and more simplicity in understanding and estimating charges. In this post, we will discuss what specifically changed and refresh your understanding of how pricing is calculated.
We removed the data egress charge for DDoS Protection Standard. This charge could be difficult to understand, and even more difficult to estimate across an environment protected by DDoS Protection Standard. Even though the data charges only accounted for a small percentage of most customers’ costs, they tended to create an unnecessary hassle for cost management.
The old pricing model is pictured below:
The new, simpler model follows:
Azure DDoS Protection Standard consists of the following direct and related components, which you should take some time to understand:
It is always helpful to have a refresher for how to calculate costs before provisioning a DDoS Protection Plan and attaching it to VNets to start protecting resources.
The first step in cost calculation is to understand how many public IP addresses are associated to each protected VNet. Of course, public IP addresses do not exist on private virtual networks, but for eligible resources they are associated to other resources which are attached to the VNet.
Eligible public IP addresses include those attached to Application Gateways, Bastions, Load Balancers, Azure Firewalls, VPN Gateways, VMs, and virtual appliances. Unsupported resources include some PaaS services like API Management, Logic Apps, Event Hub, and App Service Environments.
Some examples include:
An added benefit of the last scenario mentioned is that when Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the lower non-WAF rate.
Another key point to make is that billing is calculated hourly, not monthly. In other words, you can turn the service on for testing and pay only for what you use, not the whole month. For production deployments, it is best to leave the service active at all times due to its adaptive tuning.
Now that you have a sense of what counts as a protected IP address, and you know what the charges are (~$3,000/month for up to 100 protected IPs plus $30/month for each IP over 100), let’s consider some simple examples:
Tenants |
Plans Required |
Subscriptions |
VNets |
Protected IP Addresses |
Cost/month |
Math |
1 |
1 |
10 |
50 |
25 |
$2944 |
|
1 |
1 |
150 |
400 |
100 |
$2944 |
|
1 |
1 |
150 |
400 |
150 |
$4444 |
2944 + (30 x 50) |
2 |
2 |
100 |
200 |
100 (50 per tenant) |
$5888 |
2944 x 2 |
2 |
2 |
150 |
300 |
150 (125/25) |
$6638 |
2944 + (2944 + (25 x 30)) |
We hope this pricing change helps simplify the exercise of cost planning for a DDoS Protection Standard deployment.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.