2
votes

For the purpose of migrating a very small business web application from on-premise to an Azure PaaS service environment, we have identified the tentative solution below:

  • Use Azure Storage Account to Host the front end (Angular SPA).
  • Use App Service Plan to run the Back-End Spring Boot Application.
  • Use Application Gateway V2 (with WAF) as the public endpoint, which will re-route traffic to both the Storage account and App Service (SSL will be hosted in the Gateway as it is the public endpoint).
  • Use Azure SQL Server as database.
  • Use VPN gateway site-to-site connection from Azure service to on-premise for outgoing SFTP file transfer (very small in size).

But it seems the App Service Plan will not be placed within the Application VNET, and hence a VNET integration from Azure service to Application VNET is first required to enable the VPN connectivity. Ours is a very small application with no HA or other multi zone/region requirements, hence using a dedicated ASE (Azure Service Environment) is not feasible for us. Since the communication with App Service is not going to be local to the application VNET, we are trying to understand the concept of the term 'outbound data transfer' (specifically which transfers are charged and which are not) in Azure networking, with respect to the above PaaS services.

  1. Is the traffic from Application Gateway (in Application VNET) to Azure Service (Plan) considered outbound data transfer?
  2. If a VNET integration is in place from Azure service to application VNET, is the traffic going out of Azure service to application VNET considered outbound data transfer?

1 Answers

1
votes

From this article, we know that

Outbound data transfer: The first 5 GB per month of outbound data transfer is free for all Azure zones, but following that the Azure pricing tiers will kick in based on various slabs (5–10 TB, then 40TB, 100TB, 350TB, and then everything above 500 TB).

This charge should be considered if the applications deployed in Azure are accessed over the internet. For example, when downloading data from Azure storage accounts or websites, accessing VMs over RDP and SSH will incur charges as data is being transferred out of an Azure data center.

Another scenario where these charges will be applied is with hybrid connectivity through VPN or ExpressRoute. For VPNs, the outbound data from the VPN Gateways will be billed at outbound data charge rates. For ExpressRoute, outbound data transfers are chargeable for metered data plans, and the cost will vary based on the selected plan.

To your questions:

  1. The traffic from Application Gateway (in Application VNET) to Azure Service (Plan) would be considered outbound data transfer, because if the backend pool is a public endpoint (Azure App Service), the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity. Read "How an application gateway routes a request". Also, it would be charged if you have an application gateway and app service plan in different regions.

  2. With VNet integration, the app service is connected to both a VNet and the Internet. The traffic going out of Azure service to application VNET would not be considered outbound data transfer, because the traffic usually goes over the Azure backbone network and the VMs hosting your web app are assigned a private IP address from that integrated subnet. These IP addresses are used for outbound connectivity. You would also be charged if you deployed all resources across regions (for this, you may use gateway-required VNet integration).

If you're interested, you could read that other Azure services can reduce your cloud costs.