Cost governance for Azure Arc-enabled servers

Cost governance is the continuous process of implementing policies, to control the costs of services you are using on Azure. This document will walk you through the various cost governance considerations and recommendations, when using Azure Arc-enabled servers.

How much does Azure Arc-enabled servers cost?

Azure Arc-enabled servers provide two types of services:

  • Azure Arc control plane functionality, which is provided at no extra cost includes:

    • Resource organization through Azure management groups and tags.
    • Searching and indexing through Azure Resource Graph.
    • Access control through Azure role-based access control (RBAC) at subscription or resource group level.
    • Environments and automation through templates and extensions.
  • Azure services used in conjunction with Azure Arc-enabled servers (but not limited to), which incur costs according to their usage includes:

    • Azure Monitor
    • Microsoft Defender for servers
    • Microsoft Sentinel
    • Azure Update Manager
    • Azure Policy machine configuration
    • Azure Automation State Configuration, change tracking, and inventory
    • Azure Automation hybrid runbook workers
    • Azure Key Vault
    • Azure Private Link

Design considerations

  • Governance: Define a governance model for your hybrid servers that translates into Azure policies, tags, naming standards, and least-privilege controls.

  • Azure Monitor: Azure Monitor includes functionality for the collection and analysis of log data of your Azure Arc-enabled servers (billed by data ingestion, retention, and export), collection of metrics, health monitoring, alerts, and notifications. Features of Azure Monitor that are automatically enabled are provided at no cost - such as the collection of standard metrics, activity logs, and insights.

  • Microsoft Defender for Cloud (formerly known as Azure Security Center): Microsoft Defender for Cloud is offered in two modes:

    Without enhanced security features (Free) - Defender for Cloud is enabled for free on all your Azure subscriptions when you visit the workload protection dashboard in the Azure portal for the first time, or if enabled programmatically via API. Using this free mode provides the secure score and its related features: security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources.

    Defender for Cloud with all enhanced security features (Paid) - enabling Microsoft Defender for Cloud enhanced security extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.

  • Microsoft Sentinel: Microsoft Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Microsoft Sentinel is billed based on the volume of data ingested for analysis in Microsoft Sentinel, and stored in the Azure Monitor Log Analytics workspace for your Azure Arc-enabled servers.

  • Azure Update Manager: Azure Update Manager is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on other cloud platforms from a single dashboard. Azure Update Manager is billed per server per day.

  • Azure Policy machine configuration: Azure Policy machine configuration can audit and enforce operating system and application settings across your fleet of servers. Azure Policy machine configuration is billed per server per month, and includes usage rights for Azure Automation State Configuration, change tracking, and inventory.

  • Azure Automation configuration management: Azure Automation configuration management includes software Change Tracking and Inventory for your servers, as well as state configuration to configure your servers at-scale with PowerShell Desired State Configuration. Azure Automation configuration management is billed per server per month, and includes usage rights for Azure Policy machine configuration.

  • Azure Key Vault: The Azure Key Vault VM extension allows you to manage the certificate lifecycle on Windows and Linux Azure Arc-enabled servers. Azure Key Vault is billed by the operations performed on the certificates, keys, and secrets.

  • Azure Private Link: You can use Azure Private Link, to ensure data coming from your Azure Arc-enabled servers are only accessed through authorized private networks. Azure Private Link is billed by endpoint and inbound/outbound data processed.

Design recommendations

Here are some general design recommendations for Azure Arc-enabled servers cost governance:


In this section, pricing information described in the provided screenshots are examples and provided to allow demonstrating the usage of the Azure Calculator and do not reflect the actual pricing information you might be seeing in your own Azure Arc deployments.


  • Ensure that all Azure Arc-enabled servers follow proper naming and tagging conventions.
  • Use least privilege Azure RBAC by assigning Azure Connected Machine Onboarding role to only administrators who onboards Azure Arc-enabled servers to avoid unnecessary costs.
  • Use least privilege Azure RBAC by assigning Azure Connected Machine Resource Administrator to only administrators who need to read, write, delete, and re-onboard Azure connected machines.

Azure Monitor

Screenshot that shows the Azure pricing calculator.

Screenshot that shows Azure pricing calculator for Azure Monitor.

Screenshot that shows Azure Cost Management and Billing.

Screenshot that shows Log Analytics insights.

  • Evaluate possible data ingestion volume reducing. Refer to Tips for reducing data volume documentation, to help configure data ingestion properly.
  • Consider how long you want to retain data on Log Analytics. Data ingested into Log Analytics workspace can be retained at no additional charge, up to the first 31 days. Consider general aspects to configure the Log Analytics workspace level default retention and specific needs to configure data retention by data type, that can be as minimal as four days. Example: performance data doesn't usually need to be retained for long periods, but security logs may need to be retained for extended periods.
  • To retain data longer than 730 days, consider using Log Analytics workspace data export.
  • Consider using commitment tier pricing based on your data ingestion volume.

Microsoft Defender for Cloud (formerly Azure Security Center)

Review the recommendations for security and compliance and Microsoft Defender for servers pricing.

Microsoft Sentinel (formerly Azure Sentinel)


These images show pricing examples only.

Screenshot that shows and example Microsoft Sentinel costs.

Screenshot that shows Microsoft Sentinel cost analysis.

Azure Update Manager

Azure Policy machine configuration

  • Review the recommendations for governance and compliance and Azure Policy machine configuration pricing.
  • Use Azure Cost Management + Billing to understand the Azure Policy machine configuration costs by filtering the Microsoft.HybridCompute/machines resource type.
  • All built-in machine configuration policies include a parameter that controls whether the policy will be assigned to Azure Arc-enabled servers machines. Review your policy assignments and set this parameter to "false" for policies that do not need to be evaluated on your hybrid servers.

Screenshot that shows an example of Azure Policy costs.

Azure Automation configuration management

Review recommendations for automation and Azure Automation pricing.

Azure Key Vault

Screenshot that shows Azure Key Vault insights.

Screenshot that shows an example of Azure Private Link costs.

Next steps

For more guidance for your hybrid cloud adoption journey, review the following resources: