Cost Implications of Azure Key Vault with Diagnostic Settings and High Volume of Secrets

Subhash Kumar Mahato 100 Reputation points
2024-05-29T15:40:03.97+00:00

Hi,

I have a specific use case for Azure Key Vault and need some clarification on cost implications. Here are the details of my scenario:

  1. Diagnostic Settings: I aim to enable diagnostic settings for Azure Key Vault and store the logs in Log Analytics. My plan is to have an interactive log retention period of 90 days and an archive log retention period of 2 years.
  2. Usage Pattern: I will be using Azure Key Vault exclusively for storing secrets; no keys or certificates will be stored.
  3. Scale: I am planning to deploy 1,000 Key Vaults and store a total of 10,000 secrets across them.

Given this context, my questions are:

  1. Log Analytics Costs: How will the costs be impacted by enabling diagnostic settings with the specified log retention periods?
  2. Key Vault Costs: Will the costs be influenced by the number or size of the Key Vaults, or are they primarily determined by the operations (such as retrieval and storage of secrets) performed within the Key Vaults?

I would appreciate detailed insights on how these factors might affect the overall cost, including any potential hidden costs I should be aware of.

Thank you!

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. Stanislav Zhelyazkov 21,851 Reputation points MVP
    2024-05-30T07:17:39.32+00:00

    Hi,

    The actual cost cannot be calculated exactly. If you enable AllMetrics, they are mainly the same size every hour. The same can be said for Azure Policy Evaluation details. That will depend on the number of Key Vault specific Azure policies you have enabled. Most of the cost will come from Audit logs. Those depend solely on the number of operations on the secrets/keys, etc. For example, even if you have 1000 secrets, if nobody is accessing the secrets you will not get many logs. If you have even 10 secrets but those are accessed constantly, those 10 secrets will generate a higher volume of logs compared to those 1000.

    My suggestion is to enable the logs for one day and calculate the size of the logs so you can calculate the cost. That day of course should be a normal working day instead of enabling them on Saturday or Sunday, when usually the activity for most organizations is not high. Usage can be calculated for logs. Of course there could be some periods where you have higher or lower cost, but it should be sufficient for having some rough estimation.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
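
The one-day measurement suggested in the answer, written as a Log Analytics query. This is an added example, not part of the original answer. It assumes the diagnostic setting writes to the `AzureDiagnostics` table (Azure diagnostics destination mode), that the sample date is a constructed placeholder, and that the 2-year retention from the question is the total period including the 90 interactive days.

```kusto
// Added example (not from the original thread).
// Measures billed log volume for Key Vault over one sample day and projects
// how much data sits in each retention tier once the workspace is in steady state.
// AllMetrics land in the AzureMetrics table and are not covered by this query.
let sampleStart = datetime(2024-06-04);      // constructed: pick a normal working day
let sampleEnd = sampleStart + 1d;
let interactiveDays = 90;                    // interactive retention from the question
let archiveDays = 730 - interactiveDays;     // assumption: 2 years is the total retention
AzureDiagnostics
| where TimeGenerated >= sampleStart and TimeGenerated < sampleEnd
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where _IsBillable == true
// Break down by vault, log category and operation to see what drives the volume
// (for example, a few secrets read constantly versus many idle secrets).
| summarize Events = count(), BilledBytes = sum(_BilledSize)
    by Resource, Category, OperationName
| extend DailyGB = BilledBytes / 1000.0 / 1000.0 / 1000.0
| extend InteractiveSteadyStateGB = DailyGB * interactiveDays,
         ArchiveSteadyStateGB = DailyGB * archiveDays
| order by BilledBytes desc
```

Multiply `DailyGB` by the current ingestion price and the two steady-state columns by the respective retention prices for your region; the query reports volumes only because prices vary by region and commitment tier.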
