AzureAzure Private LinkNetworking

`azurerm_private_endpoint` cost estimation

A private IP into a PaaS service over Private Link. ~$0.01/hour per endpoint (~$7.30/month) plus $0.01/GB processed — small individually, large in aggregate.

An azurerm_private_endpoint gives a PaaS service (storage account, SQL database, key vault, etc.) a private IP inside your VNet so traffic never traverses the public internet. Each endpoint is cheap on its own — about $0.01/hour, ~$7.30/month — but the cost is sneaky because it scales with how many you create, and security-conscious teams create a lot of them.

There are two charges: the endpoint hour ($0.01/hr, the first 6 months free per subscription) and data processed in and out ($0.01/GB each direction). A single endpoint moving 100 GB/month is $7.30 + $1.00 = $8.30. That's nothing. But a landing-zone pattern that puts a private endpoint on every storage account, every key vault, and every SQL server across 40 subscriptions is hundreds of endpoints — $3,000+/month in endpoint hours before any data, for a line item nobody owns.

The data-processing fee is symmetric and easy to forget: both inbound and outbound count, so a chatty app reading 500 GB/month from a private-endpoint'd storage account pays for the full 500 GB. Over a private endpoint this is usually still cheaper and safer than the public path, but it isn't free.

c3x prices the endpoint hours from the resource directly and treats data processed as usage-based — add monthly_data_processed_gb to c3x-usage.yml to include it. The meters aren't exposed in the upstream catalogue, so c3x uses the published static rates.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "azurerm_private_endpoint" "sql" {
  name                = "sql-private-endpoint"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = azurerm_subnet.private.id

  private_service_connection {
    name                           = "sql-connection"
    private_connection_resource_id = azurerm_mssql_server.main.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}

Pricing dimensions

What you actually pay for when you provision azurerm_private_endpoint.

Dimension	Unit	What's being charged
Endpoint hours	per hour	Flat per-endpoint charge while it exists. The first 6 months are free per subscription, then it bills continuously. $0.01/hour ≈ $7.30/month
Data processed	per GB	Inbound and outbound each billed at $0.01/GB. Add expected volume to c3x-usage.yml under monthly_data_processed_gb. $0.01/GB each direction

Sample C3X output

One private endpoint processing 100 GB/month:

azurerm_private_endpoint.sql
├─ Private endpoint   730 hours   $7.30
└─ Data processed     100 GB      $1.00
                      Monthly     $8.30

Optimization tips

Common ways to reduce azurerm_private_endpoint cost without changing the workload.

Don't put a private endpoint on every resource by reflex

$7.30/month per avoided endpoint

Landing-zone templates often attach a private endpoint to every PaaS resource. At hundreds of endpoints the hourly fees alone run into thousands per month. Reserve private endpoints for data planes that genuinely need network isolation; use service endpoints (free) where a private IP isn't required.

Prefer service endpoints when a private IP isn't required

100% vs an unnecessary endpoint

Azure service endpoints keep traffic on the Microsoft backbone and restrict access by VNet, at no per-hour charge. They don't give a private IP or cross-region/on-prem reach, but for many intra-region cases they're the free alternative to a private endpoint.

Consolidate endpoints behind shared services

Per-endpoint

A shared storage account or key vault accessed by several apps needs one endpoint, not one per app. Centralizing shared PaaS resources reduces the endpoint count directly.

FAQ

How much does an Azure private endpoint actually cost?

About $0.01/hour (~$7.30/month) per endpoint, plus $0.01/GB for data processed in each direction. The first 6 months of endpoint hours are free per subscription. Individually trivial; the cost shows up when you have hundreds of them.

Is data processing charged both ways?

Yes. Inbound and outbound are each $0.01/GB, so a workload reading 100 GB and writing 100 GB pays for 200 GB. It's still usually cheaper and safer than the public path, but it's not free.

Private endpoint vs service endpoint — which is cheaper?

Service endpoints have no per-hour charge, so they're cheaper. They restrict PaaS access to a VNet but don't provide a private IP, cross-region, or on-prem connectivity. Private endpoints give a private IP and broader reach at ~$7.30/month each. Choose by requirement, not by default.

Does c3x estimate the data-processing cost?

Only if you add monthly_data_processed_gb to c3x-usage.yml for the endpoint. Without it, c3x shows the endpoint hours and treats data as usage-dependent.

Related resources

Azure

azurerm_virtual_network

Private endpoints live in a VNet subnet

Azure

azurerm_storage_account

A common target for a private endpoint

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_private_endpoint.

Get Started Star on GitHub

← Browse all Azure resources