Azure Networking Hidden Costs UK 2026

NAT Gateway: The Always-On Trap

Here is the fact that surprises nearly every Azure engineer who deploys NAT Gateway for the first time: there is no stop or pause state. Unlike a virtual machine that you can deallocate, or an application gateway you can scale to zero, a NAT Gateway charges every single hour from the moment it is created until the moment it is deleted. Nothing in between stops the billing.

At UK South rates, an idle NAT Gateway — one with no traffic passing through it whatsoever — costs approximately £33.40/month (£0.0449/hr × 744 hours). Engineers frequently report discovering charges on workloads that were "shut down for the weekend" or on test environments they forgot to clean up. Three months later: ~£100 for a gateway that served no traffic.

Why can't you pause it?

NAT Gateway is a zone-redundant, regional resource. It maintains a pool of outbound ports and SNAT mappings for all resources in the associated subnet. Pausing it would drop all active connections and require SNAT port re-allocation when resumed. Microsoft made the architectural decision that the complexity of a stopped state wasn't worth it for a component priced at this level.

The billing model

• Gateway charge: ~£0.0449/hr, regardless of traffic. Always billed.
• Data processing charge: ~£0.0449/GB of data processed through the gateway.

The data processing charge is separate from egress charges. You pay once for the outbound internet transfer (via the Bandwidth service) and again for the NAT Gateway processing the same bytes.

When is NAT Gateway worth it?

NAT Gateway is genuinely the right choice when you have many resources in a subnet that need outbound internet access and you want a predictable, static set of outbound IP addresses (for whitelisting). For development/test environments that run part-time, consider using service endpoints or outbound rules on a load balancer instead — both avoid the always-on charge.

VNet Peering: What's Free and What Isn't

The fact that surprises engineers here: inter-Availability Zone transfer within UK South has been free since 2023. Many cost estimates built before that change are now overstating networking costs. If your workload keeps traffic within the same Azure region across different AZs, that specific transfer is £0.

What is charged:

• Same-region VNet peering (two VNets both in UK South): charged in both directions at approximately £0.015/GB per side. A 100 GB bidirectional workload costs £0.015 × 200 GB = £3/month.
• Global VNet peering (UK South to another region): charged at approximately £0.0263/GB ingress + £0.0263/GB egress. A 100 GB bidirectional global peering workload costs £0.0263 × 200 GB = £5.26/month.

The hub-spoke double-charge trap

If you're running a hub-spoke topology with a Network Virtual Appliance (NVA) routing traffic, VNet peering charges double. Here's why: traffic from a spoke VNet to another spoke VNet flows through the hub. That means:

1. Spoke A to Hub: peering charge (outbound from Spoke A)
2. Hub to NVA to Spoke B: peering charge (inbound to Spoke B)

The same bytes are charged twice. If your topology routes 500 GB/month through the hub, your actual peering cost is based on 1,000 GB of peering data. The Networking Calculator on this site will warn you when both NAT Gateway and VNet peering are enabled together, which is a common indicator of a hub-spoke setup.

How to check your actual peering costs

In Azure Cost Management, filter by Meter Category = "Virtual Network" and Meter Sub-category = "Peering". This will break down same-region vs global peering charges separately. Many engineers are surprised to find this is their second-largest networking line item after egress.

Public IP: After Basic SKU Retirement

Basic SKU Public IPs were retired on 30 September 2025. All new Public IP addresses must use Standard SKU. If you created Public IPs before September 2025, they have been automatically migrated or need manual migration — check your Azure portal if you haven't done this yet.

Standard SKU pricing (UK South, GBP)

• Static Public IP: £0.0038/hr → approximately £2.83/month (£0.0038 × 744)
• Dynamic Public IP (attached to running resource): First one is free. Additional ones charged at the same hourly rate.
• Dynamic Public IP (unattached/idle): Charged at the static rate — £0.0038/hr. An unused Public IP that you forgot to delete costs ~£2.83/month.

Global and Anycast Public IPs

Azure Front Door and Traffic Manager use Global SKU Public IPs (£0.0075/hr). These are separate from standard Public IPs and are provisioned automatically when you create those services — they appear as a separate line item in your bill.

DDoS Protection: IP vs Network

Azure DDoS Protection comes in two tiers with very different pricing models:

IP Protection (per public IP)

At approximately £152.6/IP/month (£0.2051/hr × 744), IP Protection protects individual public IP addresses. It's suitable for small deployments with 1–10 protected IPs. The per-IP model makes costs predictable: 3 protected IPs = ~£457.8/month.

Network Protection (flat monthly)

At approximately £2,257/month (£3.0339/hr × 744), Network Protection is a flat-rate plan covering your entire subscription and up to 100 public IPs, plus:

• DDoS Rapid Response team access
• Cost protection guarantee (credit back if you scale out during an attack)
• Attack analytics and telemetry
• Azure WAF integration at no additional cost

Break-even calculation

Network Protection becomes cheaper than IP Protection when you're protecting more than approximately 15 public IPs (£2,257 ÷ £152.6/IP ≈ 14.8). If you have fewer than 15 exposed endpoints, IP Protection is usually the more cost-effective choice. If you need the Rapid Response team or Cost Protection guarantee, Network Protection may be worth it regardless of IP count.

Estimate Your Networking Costs

Built and verified by an independent Azure engineer. See methodology →