The Azure SKUs That Quietly Torch Budgets
By ResourcePulse Team · 6 min read
You deploy a resource. The config looks reasonable. Maybe you even checked the pricing page.
Then the invoice arrives.
The number is wrong. Not "a few dollars off" wrong. "Who approved this?" wrong.
Azure pricing catches teams because the cost of a resource rarely lives in one obvious place. It hides in SKU tiers, redundancy flags, retention defaults, and "always on" billing models that charge whether you send traffic or not.
This post walks through the services that create the most budget pain, with real numbers and real examples.
NAT Gateway
NAT Gateway is the poster child for quiet Azure costs. You add it for reliable outbound connectivity. It works great. It also bills every hour it exists, plus every gigabyte it processes.
The math at idle: ~$32/month just for existing. Add moderate outbound traffic and you're looking at $80 to $150/month per gateway.
Teams often deploy one per subnet "for best practice." Three subnets? That's $100/month before a single user hits your app.
What to watch for. Any Bicep file adding Microsoft.Network/natGateways. One NAT Gateway can be associated with every subnet in a VNet, so one per subnet is rarely justified; attach a single gateway to the subnets that need it. Before removing it entirely in dev and test, note that Azure's default outbound path relies on an implicit public IP you cannot allow-list or audit cleanly, and Microsoft has announced its retirement for new virtual networks, so explicit outbound (a NAT Gateway, outbound rules on a public load balancer, or an instance-level public IP) is where new VNets are heading anyway.
Azure Firewall
Azure Firewall starts at roughly $912/month for the Standard SKU. The Premium SKU runs about $1,460/month. That's the baseline. You pay that even with zero rules and zero traffic.
On top of that, data processing adds $0.016 per GB. A busy environment pushing 10 TB/month adds another $160.
The real surprise comes when teams deploy Azure Firewall in dev environments "to match production." One dev firewall costs the same as the prod one. Most teams don't need it outside production: NSGs with service tags cover basic egress restriction for a dev VNet, and the Basic SKU exists for small deployments that genuinely need firewall features. Whatever you choose, the PR should say which controls dev gives up, so the saving is a decision rather than an accident.
What to watch for. The Microsoft.Network/azureFirewalls resource type in any non production Bicep template. Also watch for the tier property flipping from Standard to Premium in a PR that looks like a small config change.
Application Gateway with WAF v2
Application Gateway pricing depends heavily on the SKU. The Standard v2 starts around $246/month. WAF v2 jumps to roughly $360/month. Both charge capacity units on top of the base price.
The trap here is capacity units. Each unit bundles compute, connections, and throughput. If your traffic spikes, capacity units multiply fast. A single Application Gateway handling moderate production traffic can land between $400 and $800/month.
Teams also tend to deploy one per environment. That WAF v2 in staging "for testing security rules" costs the same as production. If staging exists mainly to trial rule sets, a cheaper route is to attach the new WAF policy to a single listener on the production gateway in Detection mode, review what it would have blocked, and only then switch it to Prevention.
What to watch for. SKU changes from Standard_v2 to WAF_v2. Also watch autoscaleConfiguration.minCapacity. Bumping the minimum from 1 to 3 triples the capacity units you reserve around the clock, on top of the fixed gateway fee, and you pay for them whether or not any traffic arrives.
VPN Gateway and ExpressRoute Gateway
VPN Gateways range from $27/month (Basic) to over $4,000/month (ErGw3AZ for ExpressRoute). The problem is that "upgrading for better performance" often means jumping several tiers in cost.
A common pattern: someone changes vpnGatewayGeneration from Generation1 to Generation2 or bumps the SKU from VpnGw1 to VpnGw3. Generation2 is only offered from VpnGw2 upward, so a generation change quietly forces a SKU change as well. That single line change can move your gateway cost from $140/month to $560/month.
ExpressRoute circuits add their own billing on top of the gateway. The gateway is just the door. The circuit is a separate monthly charge based on bandwidth and peering location.
What to watch for. Any SKU change on Microsoft.Network/virtualNetworkGateways. Translate the SKU name into actual pricing before approving the PR.
SQL Database in Business Critical tier
Azure SQL Database pricing varies wildly by tier. A General Purpose database with 4 vCores costs roughly $370/month. Move the same database to Business Critical and it jumps to about $1,200/month.
The Business Critical tier gives you local SSD storage and a built in read replica. Great for production workloads that need low latency. Expensive overkill for a reporting database or a dev environment.
Teams trigger this by changing the requestedServiceObjectiveName or sku.tier property in Bicep. The diff shows one line changed. The bill shows $800/month more.
What to watch for. The tier property changing to BusinessCritical or Premium. Also watch maxSizeBytes and zoneRedundant, which both add cost in higher tiers.
Log Analytics workspace retention
Log Analytics charges $2.76 per GB ingested. That's well known. The surprise is retention.
The first 31 days of retention are free (on the per GB tier). After that, each additional month of retention costs $0.12 per GB per month. A workspace ingesting 100 GB/day with 90 days retention pays roughly $700/month just for the extra 59 days of stored data.
Teams set retentionInDays: 365 in Bicep because "compliance requires it." Sometimes it does. Often it doesn't. And even when it does, compliance usually requires that the data be kept and retrievable, not that it sit in the interactive tier: set retentionInDays to what analysts actually query (30 to 90 days) and keep the rest with totalRetentionInDays on the table resource (Microsoft.OperationalInsights/workspaces/tables), which is billed at a fraction of the interactive rate, with the caveat that long-term retention data has to be pulled back through a search job or restore before it can be queried. And nobody revisits the setting after the initial deploy.
What to watch for. The retentionInDays property on Microsoft.OperationalInsights/workspaces. Any value above 31 adds cost. Any value above 90 adds serious cost. Per-table retention overrides the workspace value, so check Microsoft.OperationalInsights/workspaces/tables resources too.
Azure Bastion
Bastion Standard SKU costs roughly $277/month per host. It runs 24/7 because it provides persistent connectivity to your VNet.
Teams deploy Bastion for "secure VM access" in every environment. Four environments with Bastion? That's over $1,100/month for SSH access you probably use twice a week.
The Developer SKU, available in a limited set of regions, is free but feature limited and intended for dev/test only; it is not a substitute for Standard in production. The Basic SKU sits around $139/month.
What to watch for. Microsoft.Network/bastionHosts in non production templates. For dev and test, consider just in time VM access through Defender for Cloud instead of a dedicated Bastion host, with two caveats: JIT requires a Defender for Servers plan, and it works by opening an NSG rule to the VM's management port for a requested time window and source range, so the VM still needs a reachable address (public IP or a private path such as VPN) and the port is exposed for that window rather than tunneled the way Bastion does it.
Premium load balancing
Standard Load Balancer itself is relatively cheap (about $18/month for the first 5 rules). The cost trap is what goes behind it.
When teams pair a Standard Load Balancer with zone redundant backends, they need at least one instance in each zone they want to survive losing, so the design implies two or three VMs at minimum, each with its own compute cost.
Cross region Load Balancer adds another layer. The service charges for data processed plus an hourly rate. Pairing it with Traffic Manager or Front Door creates overlapping costs that compound fast.
What to watch for. The combination of Microsoft.Network/loadBalancers with zones properties on backend VMs. The load balancer is cheap. The architecture it implies is not.
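Here is what a minimal version of that review step looks like in code. This is an added example written for this post, not ResourcePulse's own implementation, and the Bicep it scans is a constructed sample rather than anything from a real repository. It recognises the resource types and properties called out in the sections above (the always-on networking resources, the Azure Firewall tier, Application Gateway autoscale minimums, SQL Database tier and Log Analytics retention) and reports only the findings a PR introduces relative to the base revision:

```python
"""Minimal Bicep cost-risk scanner: added example, not ResourcePulse's code.
Regex based; it evaluates no Bicep expressions, so a SKU set from a parameter
is reported as unresolved rather than silently passed."""
import re
from collections import namedtuple

RESOURCE_RE = re.compile(r"resource\s+(\w+)\s+'([^'@]+)@[^']*'\s*=\s*\{")
# Resource types billed by the hour whether or not any traffic flows.
ALWAYS_ON = {"microsoft.network/natgateways", "microsoft.network/azurefirewalls",
             "microsoft.network/applicationgateways", "microsoft.network/bastionhosts",
             "microsoft.network/virtualnetworkgateways"}
# symbol: Bicep symbolic name of the declaration; severity: "info" | "warn" | "high"
Finding = namedtuple("Finding", "symbol severity message")


def _block(text, start):
    """Brace-balanced block whose '{' is at text[start]; braces inside
    single-quoted strings ('${env}' interpolation) are ignored."""
    depth, in_str = 0, False
    for i in range(start, len(text)):
        ch = text[i]
        if ch == "'" and not (i > 0 and text[i - 1] == "\\"):
            in_str = not in_str
        elif not in_str and ch == "{":
            depth += 1
        elif not in_str and ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced braces in Bicep source")


def _subblock(body, key):
    m = re.search(rf"\b{key}\s*:\s*\{{", body)
    return _block(body, m.end() - 1) if m else None


def _prop(body, key):
    """Literal value of `key:`, 'expr:<raw>' for an expression, None if absent."""
    m = re.search(rf"\b{key}\s*:\s*([^\n]+)", body) if body else None
    if not m:
        return None
    raw = m.group(1).strip()
    lit = re.match(r"'([^'$]*)'", raw) or re.match(r"\d+\b", raw)
    if lit is None:
        return f"expr:{raw}"
    return lit.group(1) if lit.lastindex else lit.group(0)


def scan(text, non_prod=False):
    """Scan one Bicep file; non_prod raises always-on resources to 'high'."""
    out = []
    for m in RESOURCE_RE.finditer(text):
        symbol, rtype = m.group(1), m.group(2).lower()
        body = _block(text, m.end() - 1)
        sku = _subblock(body, "sku")
        tier, sku_name = _prop(sku, "tier"), _prop(sku, "name")
        if rtype in ALWAYS_ON:
            out.append(Finding(symbol, "high" if non_prod else "info",
                               f"{rtype} bills every hour it exists"))
        # A tier or SKU name that is not a literal cannot be priced by a reviewer.
        for v in sorted({v for v in (tier, sku_name) if v and v.startswith("expr:")}):
            out.append(Finding(symbol, "warn", f"SKU set by expression {v[5:]}; resolve it"))
        if rtype == "microsoft.network/azurefirewalls" and tier == "Premium":
            out.append(Finding(symbol, "high", "Azure Firewall Premium tier"))
        if rtype == "microsoft.network/applicationgateways":
            mincap = _prop(_subblock(body, "autoscaleConfiguration"), "minCapacity")
            if mincap and mincap.isdigit() and int(mincap) > 1:
                out.append(Finding(symbol, "high", f"minCapacity={mincap} reserves capacity units 24/7"))
        if rtype == "microsoft.sql/servers/databases" and tier in ("BusinessCritical", "Premium"):
            out.append(Finding(symbol, "high", f"SQL Database tier {tier}"))
        if rtype == "microsoft.operationalinsights/workspaces":
            ret = _prop(body, "retentionInDays")
            if ret and ret.isdigit() and int(ret) > 31:
                out.append(Finding(symbol, "high" if int(ret) > 90 else "warn",
                                   f"retentionInDays={ret}: retention past 31 days is billed"))
    return out


def new_findings(base, head, non_prod=False):
    """Findings a PR introduces: present in the head revision but not in base."""
    before = set(scan(base, non_prod))
    return [f for f in scan(head, non_prod) if f not in before]


# Constructed sample PR (not from a real repository): a dev firewall goes from
# Standard to Premium and workspace retention jumps from 30 to 365 days.
BASE = """
param env string = 'dev'
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-${env}'
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'
    }
  }
}
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  properties: {
    retentionInDays: 30
  }
}
"""
HEAD = BASE.replace("tier: 'Standard'", "tier: 'Premium'").replace(
    "retentionInDays: 30", "retentionInDays: 365")
```

Calling new_findings(BASE, HEAD, non_prod=True) returns exactly the two findings the sample PR introduces: the Premium tier flip and the 365-day retention, both at "high". The firewall's always-on finding is present in both revisions and so is not repeated. A SKU that comes from a parameter or variable is reported as unresolved rather than waved through, because a reviewer who cannot see the literal value cannot price it; extend ALWAYS_ON and the per-type rules to match your own templates.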
How ResourcePulse catches these
Every example above follows the same pattern. A small Bicep change creates a large cost impact. The diff doesn't show dollar signs. The reviewer doesn't memorize Azure pricing tables.
ResourcePulse reads your Bicep PRs and flags exactly these patterns. It identifies SKU tier changes, always on resources, parameter flips that affect cost, and networking components with hourly billing. One PR comment shows the governance issues and cost risk before anyone clicks approve.
You don't need to memorize pricing. You need a review step that catches what people skip.