AzureAzure BastionNetworking

azurerm_bastion_host cost estimation

Managed, browser-based RDP/SSH access to VMs without public IPs. Priced per gateway-hour by SKU, plus outbound data transfer and scale-unit hours.

An azurerm_bastion_host gives secure RDP and SSH into your VMs straight from the Azure portal, with no public IP on the VMs and no jump box to maintain. It's a per-hour managed service, and the rate depends on the SKU: Basic, Standard, or the newer Developer/Premium tiers. The host runs continuously once deployed, so the gateway hour is a standing cost whether or not anyone connects.

Basic is the entry SKU at roughly $0.19/hour (about $139/month). Standard adds features (host scaling, native client support, IP-based connection) and bills the base gateway hour plus additional scale-unit hours above the included two. So a Standard host with extra scale units costs more than the base rate implies.

c3x reads the sku and prices the base gateway hour at 730 hours/month. Additional scale units and outbound data transfer are usage-based dimensions. Because Bastion is always-on, the common surprise is that a rarely-used bastion still costs ~$139+/month; seeing that before apply is exactly the point of estimating.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "azurerm_bastion_host" "admin" {
  name                = "admin-bastion"
  resource_group_name = azurerm_resource_group.net.name
  location            = "eastus"
  sku                 = "Standard"
  scale_units         = 2

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.bastion.id
    public_ip_address_id = azurerm_public_ip.bastion.id
  }
}

Pricing dimensions

What you actually pay for when you provision azurerm_bastion_host.

DimensionUnitWhat's being charged
Gateway hoursper hourBase rate for the Bastion SKU, billed continuously. c3x assumes 730 hours/month.
$0.19/hour (Basic), $0.29/hour (Standard base)
Scale-unit hoursper scale-unit-hourStandard SKU includes two scale units; additional units bill per hour. Usage/config-based on scale_units above two.
$0.154/scale-unit-hour
Outbound data transferper GBData egressing through the bastion. Usually small for admin sessions; usage-based.

Sample C3X output

Example output from c3x estimate for the Standard host above:

azurerm_bastion_host.admin
└─ Gateway (Standard, base)           730  hours      $211.70

OVERALL TOTAL                                         $211.70
(extra scale units & egress usage-based)

Optimization tips

Common ways to reduce azurerm_bastion_host cost without changing the workload.

Use Basic SKU unless you need Standard features

~35%

Standard adds host scaling, native client, and IP-based connections. If you only need browser RDP/SSH to VMs in the same VNet, Basic is roughly 35% cheaper.

Share one bastion across a VNet, not one per workload

Per duplicate host

A single Bastion host serves every VM reachable in the peered VNet topology. Deploying one per subscription or per app multiplies the always-on cost needlessly.

Consider the Developer SKU for non-production

Most of the base cost

The Developer SKU offers free or very low-cost bastion access for dev/test scenarios with limited concurrency, avoiding the always-on Standard charge.

FAQ

How does c3x estimate Azure Bastion cost?

It reads the sku and prices the base gateway hour at 730 hours/month. Additional scale units (Standard SKU above two) and outbound data transfer are usage-based and added when you supply them in c3x-usage.yml.

Why does an idle bastion still cost over $139/month?

Bastion is an always-on managed gateway. The hourly rate applies continuously once deployed, regardless of how many RDP/SSH sessions you open, so even a rarely-used bastion has a real monthly floor.

Does the SKU change the price much?

Yes. Basic is the cheapest always-on option; Standard costs more for its base plus scale-unit model; Developer is aimed at low-cost dev/test access. c3x applies the rate for the sku in your Terraform.

Is the public IP included?

No. Bastion requires an azurerm_public_ip, which c3x prices as its own resource (a Standard static IP is about $3.65/month).

Can one bastion serve multiple VNets?

Yes, across peered VNets, which is the cost-efficient pattern. c3x prices each azurerm_bastion_host you declare, so consolidating to one host directly reduces the estimate.

Related resources

Azure
azurerm_public_ip

Required by the bastion host and billed separately

Azure
azurerm_linux_virtual_machine

The VMs the bastion provides secure access to

Azure
azurerm_firewall

Network egress control often deployed alongside Bastion

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_bastion_host.

Get StartedStar on GitHub
← Browse all Azure resources