
Bandwidth Costs in Azure: The Tax on Everything


Getting data into Azure is free. Getting data out is not.

That sounds simple. But "data out" doesn't just mean downloading files. It means cross-region transfers, VNet peering traffic, storage account reads, database query results, API responses, backup replication, log shipping, container image pulls. Every time data moves out of where it's sitting, there's a charge — scattered across so many services that they're almost impossible to track without deliberate effort.

Bandwidth is the tax on everything in Azure. It's not the biggest line item, but it touches every other one. And nobody budgets for it properly.

The Pricing Model

Data ingress: free. Data egress to internet: first 100GB/month free, then roughly 7p/GB for the first 10TB, declining at higher volumes. Those rates sound manageable in isolation. The problem is they exist across every service, every region, every connection.

It's Not Just Internet Egress

Cross-region transfer is billed at roughly 2p/GB. This applies to any data moving between Azure regions, and both sides incur charges.

VNet peering costs about 1p/GB same-region, 3.5p cross-region. We've covered this in our VNet peering costs post.

ExpressRoute data processing adds charges on top of circuit costs, depending on your plan.

VPN Gateway charges for outbound data through VPN connections.

CDN and Front Door have their own egress pricing, often cheaper than direct storage egress, but still a charge.

Storage account egress applies every time a client reads from blob storage or downloads from a file share.

SQL Database egress applies when query results leave Azure — external reporting tools, on-premises apps, third-party integrations all generate charges.

Where Bandwidth Costs Hide

Backup replication between regions. Geo-redundant backups and DR replication generate continuous cross-region transfer. Hundreds of gigabytes per day, all billed at cross-region rates.

DR testing. Failovers, validation runs, and health checks all generate traffic between regions. If you're testing DR properly, budget for the bandwidth.

CI/CD artifacts. Build pipelines downloading packages, pulling container images, fetching dependencies. Build agents in a different region from your container registry multiply this with every build.

Application file downloads. Anything serving files from blob storage to users generates egress. For heavy download traffic, storage egress can outpace capacity cost.

API responses to external clients. High-volume APIs serving large payloads generate significant bandwidth costs buried in networking charges.

Logs shipped to external SIEM. Shipping to a third-party security platform outside Azure means egress on every log entry. Given modern telemetry volumes, this adds up.

Database geo-replication. Active geo-replication sends data between regions continuously — every write generates replication traffic. This isn't a one-off cost.

The CDN Play

Serving static content directly from blob storage means full egress rates on every request. CDN changes this: lower per-GB rates plus caching reduces total volume. For frequently requested content — images, scripts, documents — cache hit ratios dramatically cut actual storage egress.

For any meaningful static content volume, CDN in front of blob storage isn't just performance — it's genuine cost reduction.

The Private Link Benefit

Private Link accesses PaaS services over a private endpoint within your VNet. Traffic over Private Link within the same region doesn't incur VNet peering charges. If you're routing through a hub VNet to reach PaaS services, Private Link endpoints in spoke VNets can eliminate that peering traffic.

Private Link has its own charges, but for high-traffic PaaS access patterns, the maths often works out.

Where to Start

  • Check Azure Cost Management for "Bandwidth" as a service category. The aggregate number is often larger than expected.
  • Implement CDN for static content. The savings are almost always worthwhile.
  • Audit cross-region replication. Is all geo-redundant replication necessary? If you haven't tested DR in years, you're paying bandwidth for unvalidated protection.
  • Co-locate services. Cross-region transfer costs roughly double same-region transfer. If services communicate frequently across regions without architectural reason, consolidate.
  • Review external integrations. Every system outside Azure pulling data generates egress — monitoring tools, on-premises apps, third-party APIs.
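
To go beyond the aggregate number in the first step, the sketch below groups an exported cost file by sub-category, region and resource so the largest bandwidth sources surface first. It is an added example, not code from the original post; the column names (MeterCategory, MeterSubCategory, ResourceLocation, ResourceId, Quantity, CostInBillingCurrency) are assumed to match your export, and the sample rows and resource names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; values and resource IDs are illustrative only.
SAMPLE_EXPORT = """\
MeterCategory,MeterSubCategory,ResourceLocation,ResourceId,Quantity,CostInBillingCurrency
Bandwidth,Inter-Region,uksouth,/example/sql-primary,500,10.00
Bandwidth,Inter-Region,uksouth,/example/sql-primary,250,5.00
Bandwidth,Internet,uksouth,/example/log-forwarder,300,14.00
Bandwidth,Inter-Region,ukwest,/example/backup-vault,100,2.00
Storage,Blob,uksouth,/example/stblob,1000,15.00
"""

def load_rows(text):
    """Parse the CSV and lower-case the headers (header casing is assumed to vary)."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k.strip().lower(): v.strip() for k, v in row.items()} for row in reader]

def bandwidth_breakdown(rows, category="bandwidth"):
    """Sum GB and cost per (sub-category, region, resource), highest cost first."""
    totals = defaultdict(lambda: {"gb": 0.0, "cost": 0.0})
    for r in rows:
        if r.get("metercategory", "").lower() != category:
            continue  # skip everything that is not a bandwidth meter
        key = (r["metersubcategory"], r["resourcelocation"], r["resourceid"])
        totals[key]["gb"] += float(r["quantity"])
        totals[key]["cost"] += float(r["costinbillingcurrency"])
    grand = sum(t["cost"] for t in totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["cost"], reverse=True)
    return [
        {"subcategory": k[0], "region": k[1], "resource": k[2],
         "gb": round(v["gb"], 2), "cost": round(v["cost"], 2),
         "share": round(v["cost"] / grand, 3) if grand else 0.0}
        for k, v in ranked
    ]

if __name__ == "__main__":
    for line in bandwidth_breakdown(load_rows(SAMPLE_EXPORT)):
        print(f"{line['cost']:>8.2f}  {line['share']:>6.1%}  {line['gb']:>8.1f} GB  "
              f"{line['subcategory']:<13} {line['region']:<8} {line['resource']}")
```

Peering and gateway data charges may sit under other meter categories in your export, so rerun with a different `category` value to pick those up.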

The Bigger Picture

The ingress-free, egress-charged model isn't accidental. It creates friction around leaving. The more data in Azure, the more it costs to move. That's not a reason to avoid Azure — the services are good and total cost of ownership works for most workloads. But it's a reason to be deliberate about data movement patterns. Every architectural decision creating cross-region or cross-boundary data flow carries a bandwidth cost that persists for as long as that architecture runs.

