Share via

Azure vpn gateway is too expensive

reza admin 140 Reputation points
2026-03-30T15:20:11.4466667+00:00

Hello,

  1. We created an Azure file storage ( Azure file) for our employees to use with their Desktop software called Tableau
  2. Because the Azure file storage was available via public, we created a virtual network and moved our file storage to that VN to create a private link for it
  3. We then had to create a point to site azure vpn for our employees, some of whom work from home, to access the file storage via azure vpn client
  4. Now we noticed that while the cost of file storage for the last 30 days has been in $30 range, the cost of Azure vpn gateway is in a few $100 range.

Why is that?

Is there anyway to lower the cost of Azure vpn gateway? (Note: The azure vpn gateway type is VpnGw3AZ)

Thanks

Azure VPN Gateway
Azure VPN Gateway

An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

0 comments

Answer accepted by question author

  1. TP 156.6K Reputation points Volunteer Moderator
    2026-03-30T15:52:17.11+00:00

    Hi,

    Base cost of VpnGwAZ3 SKU is over $1,000/month. Are you sure that is the VPN Gateway SKU you are using? Below screenshot is from VPN Gateway pricing page:

    User's image

    Are you able to switch to a lower VPN Gateway SKU?

    Another alternative would be to set up open source VPN server in a VM and have your users connect to that instead. Downside is higher administrative overhead (for managing VM), and if you only use one VM there will be more downtime if there is any issue.

    Thanks.

    -TP

    Was this answer helpful?

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 9,325 Reputation points Microsoft External Staff Moderator
    2026-03-30T17:10:40.4833333+00:00

    Hi @ reza admin,

    Welcome to Microsoft Q&A Platform.

    It looks like your Azure VPN gateway bill is outpacing your Azure Files cost because a VPN gateway is a provisioned compute resource that you pay for 24/7 (plus any egress charges), whereas file storage is billed per GB used.

    Here’s why you’re seeing a few‐hundred‐dollar VPN bill versus ~$30 for files:

    • Hourly compute cost: VpnGw3AZ runs at a higher compute SKU (~2.5 Gbps throughput, zone-redundant) and is priced accordingly.
    • Always-on resource: You pay the gateway price for every hour it’s provisioned, even if no one is actively connected.
    • Data egress (if any): Traffic leaving Azure (or between regions) adds data transfer charges.

    Ways to lower your VPN gateway cost

    • Right-size your SKU – If you don’t need 2.5 Gbps or zone redundancy, switch to a smaller SKU (for example VpnGw1AZ or VpnGw2AZ) or even the non-AZ variant (VpnGw1–3). – You can also consider the Basic SKU if your connection count and throughput needs are very small.
    • Gateway consolidation – If you have multiple spoke VNets, use hub-and-spoke with gateway transit so one gateway serves many VNets instead of deploying one per VNet.
    • Alternative connectivity for Azure Files – If your goal is purely secure SMB access to Azure Files, you can use a Private Endpoint for the storage account. That lets you map the file share over your corporate network without needing an Azure VPN gateway for every remote user. – Another pattern is Azure File Sync on an on-premises file server that your users already access via your corporate VPN or network.
    • Monitor and adjust – Keep an eye on actual P2S connection counts and throughput metrics. Scale up only when you hit capacity limits.

    References:
    Azure VPN Gateway pricing details: and     VPN Gateway SKUs and capabilities

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments
  2. Q&A Assist
    2026-03-30T15:20:33.3566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Azure VPN Gateway is billed very differently from Azure Files, which is why the VPN cost can easily exceed the storage cost.

    1. Why the VPN Gateway is so expensive

    Azure VPN Gateway charges have two main components:

    • Hourly compute cost for the gateway SKU
      Each virtual network gateway has a fixed hourly price based on the gateway SKU (for example, VpnGw3AZ). This charge runs 24x7 as long as the gateway exists, regardless of how many users are connected or how much traffic flows. Higher SKUs (like VpnGw3) are significantly more expensive than lower SKUs.
    • Data transfer (egress) costs
      You also pay for egress data leaving the virtual network gateway (for example, traffic going from Azure to users over the VPN). Depending on your usage, this can add to the cost, but for many scenarios the dominant cost is the hourly compute for the gateway itself.

    By contrast, Azure Files is primarily billed on capacity and operations, and in many typical scenarios stays relatively low (like the ~$30 observed), while a mid/high-tier VPN gateway SKU can easily reach a few hundred dollars per month because of the always-on hourly compute charge.

    References for this behavior:

    • VPN Gateway pricing model: hourly compute per SKU + egress data transfer.
    • VPN Gateway is listed as a separate Virtual Network billing component with its own hourly compute + data transfer charges.
    1. Ways to lower Azure VPN Gateway cost

    Within the constraints of using Azure VPN Gateway, cost can be reduced mainly by:

    1. Right-sizing the VPN Gateway SKU
      • Gateway SKUs have large price differences. Using a high SKU like VpnGw3AZ when only light/medium traffic is needed can be overkill.
      • Guidance is to right-size VPN gateways based on actual throughput requirements rather than over-provisioning for peak capacity. Start with a lower SKU and scale up only if required.
      • For example, moving from a higher SKU (like VpnGw3AZ) to a lower SKU (such as a smaller VpnGw SKU) can substantially reduce the hourly compute cost.
      • Note: Do not use the Basic SKU if IKEv2 or certain features are needed; documentation explicitly advises against Basic for IKEv2 scenarios.
    2. Avoid unnecessary gateways / consolidate gateways
      • If there are multiple VNets with their own VPN gateways, costs multiply.
      • Cost optimization guidance recommends sharing VPN gateways across multiple virtual networks using gateway transit in a hub-and-spoke topology instead of deploying a gateway in every VNet.
      • In that model, a single hub VNet with one VPN gateway serves multiple spoke VNets via VNet peering with gateway transit enabled, so only one gateway hourly charge is paid instead of several.
    3. Monitor and validate actual needs
      • Monitor VPN Gateway metrics (throughput, connections) to see if the current SKU is underutilized. If utilization is low, a smaller SKU is likely sufficient.
    4. Understand that always-on cost is inherent
      • As long as a VPN Gateway resource exists, the hourly compute charge applies. There is no “pay only when users connect” mode. Reducing cost therefore means using a smaller SKU or alternative connectivity patterns, or consolidating gateways.

    Summary: The VPN Gateway is more expensive because it is an always-on, compute-based network appliance billed per hour by SKU plus egress data, whereas Azure Files is mainly storage-capacity based. To reduce cost, use a lower VPN Gateway SKU that still meets performance/feature needs and consolidate gateways where possible using hub-and-spoke with gateway transit.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.