Data Transfer Out charges from both Bandwidth and NAT Gateway.

Question

Hello Team,

I have a two questions regarding NAT Gateway and Azure Firewall.

Question 1)

I had deployed NAT Gateway for explicit outbound connectivity with a VM.
However, from the usage, I found out that Bandwidth Outbound usage was generated as well.

Only way out from the VM traffic goes from the NAT GW, and NAT GW already charges for data processed - data transfer. But, Azure is charging for bandwidth as well. From below information from public-facing doc., it also says that outbound traffic goes from NAT GW which implies that if user connects VM with NAT GW, then all outbound traffic goes from NAT GW and NAT GW charges the data processed already.

https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-an-instance-level-public-ip

It would be great if you could help to share why Azure charges for both NAT Gateway and Bandwidth for VM - NAT GW environment.

Question 2)
I am currently comparing NAT Gateway expenses and Azure Firewall expenses.
From question 1), if from NAT GW environment, Azure charges data transfer out for bandwidth as well as NAT Gateway, then should I expect the same with Azure Firewall as well?
For Azure Firewall environment, I would get charged for data transferout from Bandwidth and Azure Firewall data processed. Is this correct?

Answer 1

Hello @Sarah Yoon ,

I understand you have some questions regarding NAT Gateway and Azure Firewall pricing. I have answered them below:

I had deployed NAT Gateway for explicit outbound connectivity with a VM. However, from the usage, I found out that Bandwidth Outbound usage was generated as well. It would be great if you could help to share why Azure charges for both NAT Gateway and Bandwidth for VM - NAT GW environment.

From your usage screenshot, I can say that NAT gateway is only charging for the gateway and data processed. The bandwidth charges are separate and they are expected.

Just to clarify here: Data processing and Data transfer out are 2 different concepts.

• Data processing means any data which is processed within the NAT gateway and formatted before sending it out. This includes Network Address Translation (NAT) performed by the NAT gateway.
• Data transfer Out means any data moving in and out of Azure data centers, as well as data moving between Azure data centers.

So, once the data is processed by the NAT gateway and goes out of our data center, bandwidth charges are applied depending upon the type of data transfer (Inter-continent or Intra-continent).

If from NAT GW environment, Azure charges data transfer out for bandwidth as well as NAT Gateway, then should I expect the same with Azure Firewall as well? For Azure Firewall environment, I would get charged for data transfer out from Bandwidth and Azure Firewall data processed. Is this correct?

Yes, this is correct. As I mentioned bandwidth charges are different from data processing charges and any traffic leaving our data centers will be charged as per the bandwidth pricing, independent of data processing charges of any individual service.

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi,

I will suggest you to review this Pricing Page for VNET and Nat Gateway data transfer costs and if you have further queries I will suggest you to raise a billing query support case with Microsoft using this link.

Hope this helps.
JS

==
Please Accept the answer if the information helped you. This will help us and others in the community as well.