google_cloud_ids_endpoint cost estimation
A managed intrusion detection endpoint built on Palo Alto threat engines. Priced per endpoint-hour plus per-GB of traffic inspected.
A google_cloud_ids_endpoint provides managed network intrusion detection, mirroring VPC traffic to a Palo Alto Networks-powered engine that flags threats. It has two cost dimensions: an always-on endpoint fee and a per-GB inspection charge.
The endpoint bills per hour at roughly $1.16/hour (about $847/month), running continuously once created. On top of that, traffic inspected through the endpoint bills at roughly $0.07/GB. So a Cloud IDS deployment has a meaningful fixed floor plus a usage component that scales with how much traffic you mirror to it. Inspecting all VPC traffic in a busy environment makes the per-GB charge significant.
c3x prices the endpoint-hours at 730 hours/month and treats inspected traffic as a usage-based dimension supplied in c3x-usage.yml. The ~$847/month floor is the surprise: Cloud IDS is not a casual add-on. The estimate helps you weigh that floor against scoping inspection to only sensitive subnets rather than the whole VPC.
Terraform example
A minimal but realistic configuration that C3X can estimate.
resource "google_cloud_ids_endpoint" "prod" {
  name     = "prod-ids"
  location = "us-central1-a"
  network  = google_compute_network.vpc.id
  severity = "INFORMATIONAL"
}
Pricing dimensions
What you actually pay for when you provision google_cloud_ids_endpoint.
| Dimension | Unit | What's being charged | Rate |
|---|---|---|---|
| Endpoint hours | per hour | Always-on endpoint fee, billed continuously once created. c3x assumes 730 hours/month. | $1.16/hour (~$847/month) |
| Traffic inspected | per GB | Traffic mirrored to and inspected by the endpoint. Usage-based; define expected inspected volume in c3x-usage.yml. | $0.07/GB inspected |
Sample C3X output
Example output from c3x estimate (endpoint fee only):
google_cloud_ids_endpoint.prod
└─ Endpoint hours 730 hours $846.80
OVERALL TOTAL $846.80
(inspected traffic usage-based)
Optimization tips
Common ways to reduce google_cloud_ids_endpoint cost without changing the workload.
Scope inspection to sensitive subnets
Inspected-GB on low-risk traffic
Per-GB inspection adds up fast if you mirror all VPC traffic. Mirroring only sensitive workloads (regulated data, internet-facing tiers) cuts the inspected-GB charge without losing the coverage that matters.
Consolidate endpoints per region
Per avoided endpoint
Each endpoint carries the ~$847/month floor. One endpoint per region serving mirrored traffic from multiple subnets is cheaper than one per workload.
Right-size against alternatives
Workload-dependent
For lighter needs, VPC flow logs plus a SIEM, or a self-managed IDS on a VM, may be cheaper than Cloud IDS's managed floor. Reserve Cloud IDS for where its Palo Alto detection genuinely earns the cost.
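The subnet-scoped mirroring described under "Scope inspection to sensitive subnets", written out as Terraform. This is an added example, not C3X or Google sample code. It reuses google_compute_network.vpc and google_cloud_ids_endpoint.prod from the Terraform example on this page; the subnet names, CIDR ranges and mirroring policy name are constructed.

```hcl
# Added example: subnet names, CIDR ranges and policy name are constructed.
# Assumes google_compute_network.vpc and google_cloud_ids_endpoint.prod
# exist as in the Terraform example earlier on this page.

# Sensitive tier (regulated data) that should be inspected.
resource "google_compute_subnetwork" "regulated" {
  name          = "regulated-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24"
}

# Low-risk tier in the same VPC. It is deliberately not mirrored, so its
# traffic never counts toward the per-GB inspection charge.
resource "google_compute_subnetwork" "batch" {
  name          = "batch-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.20.0.0/24"
}

resource "google_compute_packet_mirroring" "ids_scoped" {
  name   = "ids-regulated-only"
  region = "us-central1"

  network {
    url = google_compute_network.vpc.id
  }

  # The Cloud IDS endpoint exposes its collector as a forwarding rule.
  collector_ilb {
    url = google_cloud_ids_endpoint.prod.endpoint_forwarding_rule
  }

  # Only this subnet is mirrored. Add further sensitive subnets here
  # instead of mirroring the whole VPC.
  mirrored_resources {
    subnetworks {
      url = google_compute_subnetwork.regulated.id
    }
  }

  # Anything the filter excludes is neither billed nor inspected.
  filter {
    ip_protocols = ["tcp", "udp"]
    direction    = "BOTH"
  }
}
```

Traffic from batch-subnet stays outside the IDS's view, so record that exclusion as an accepted detection gap when you scope for cost.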
FAQ
How does c3x estimate Cloud IDS cost?
It prices the endpoint-hours at 730 hours/month (~$847) and treats inspected traffic as a usage-based per-GB dimension supplied in c3x-usage.yml.
Why does Cloud IDS cost ~$847/month even with little traffic?
The endpoint bills per hour continuously once created, independent of traffic. Only the per-GB inspection charge scales with usage, so there's a substantial fixed floor.
How do I control the per-GB inspection cost?
Scope packet mirroring to only the subnets and workloads that need inspection, rather than the entire VPC. The inspected-GB charge scales directly with how much traffic you mirror.
Is the underlying network mirroring included?
Cloud IDS uses packet mirroring under the hood; the inspection charge covers it. Standard cross-zone or egress data transfer for the mirrored traffic may apply separately under networking.
When is Cloud IDS worth the cost?
When you need managed, Palo Alto-grade intrusion detection for regulated or high-risk workloads without running your own appliances. For basic visibility, VPC flow logs plus a SIEM can be cheaper.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_cloud_ids_endpoint.