Estimating the real cost of Microsoft Defender for Cloud
Introduction
In this post, I want to highlight the challenge of understanding the true cost of enabling Microsoft Defender for Cloud, and a recommendation for how to gain better insights using the (now) built-in Pricing Estimate workbook.
The Pricing page for the Microsoft Defender for Cloud service lists all the prices per server or service. For example, here's the pricing table (as of April 2022).
We can clearly see the prices per server, per service, queries, or per transaction. This helps a lot to understand how the cost is incurred when we use the Microsoft Defender for Cloud service.
However, when managing many resources simultaneously, it isn't easy to calculate the actual costs by looking at a pricing table. Similarly, using the pricing calculator can be close to impossible to work with when figuring out real-world costs for the Defender for Cloud products when your workloads shift and scale up and down.
Every organization, project, and deployment is different. Many times I see a dynamically scaling workload, adapting to external factors like user input, data to be analyzed, the complexity of incoming requests, and more. For reference, I can process billions of transactions monthly across Azure Storage Accounts. Sometimes it's closer to 400,000,000 transactions per week, other times it's 1B transactions per week - all depending on circumstances we can't easily predict.
To set the scene:
- You've got orchestrators that create and remove Azure Container Instances ad-hoc depending on load. You can't predict if you'll have 20 or 250 containers running at any time; the system will decide this based on the incoming workload and external factors.
- Azure Storage Accounts are created dynamically due to your solution's design. These storage accounts are amassing billions of monthly transactions. You can't predict the number of transactions, as this depends on the incoming workload and, again, external factors.
- Azure Key Vaults are a central configuration for maintaining secrets, keys, and certificates. While you can implement some caching in various scenarios, it's not always applicable. I can cache certain things during operations in my system, while I can't cache others. With the dynamic nature of the incoming workloads, you can't predict the number of transactions sent to these Key Vaults, as this depends on factors outside of our control (user demands, system upscaling, etc.).
The point is that not all systems have a predicted workload or pattern of usage. Sometimes it is depending on user load, sometimes it's depending on what the users put into the system - for example, things that need heavy processing - and sometimes we can't even vaguely estimate the number of service instances, let alone the number of transactions we will create in the coming period.
Don't burn your money.
On many occasions, I've read recommendations to enable Microsoft Defender for Cloud. I concur with these recommendations, most of the time. However, don't burn your money by just clicking the button. Please be advised and understand the cost picture before you start enabling this across your cloud estate.
Additional protection is excellent, but some features come with a tradeoff. Security and cost optimizations can often be on opposing sides; you can have more of one, but you'll get less of the other. E.g., more security will increase your cost.
For example, the Azure Advisor will tell us to enable Microsoft Defender for Storage across all our subscriptions and storage accounts. There is also a subtle hint that charges will begin for existing and new storage accounts.
- The recommendation tells us to enable this (which is great!)
- There's a small note that any storage accounts that later end up in this subscription are subject to charges automatically.
- Select multiple subscriptions and click "Fix", and you're done.
While this is very easy to accomplish, we still don't have any type of indication of what the actual cost will be for us. Since the transaction count is the billable unit here, the amount of storage accounts still doesn't tell me anything about the cost.
After discussions with several peers, it became clear that this happens a lot in organizations. You get a recommendation to enable a feature, and it's as easy as clicking the button to enable it. However, when this for example will incur another 40% on your total cloud spend for the month, it's not a tangible solution - unless, of course, you've got unlimited budgets and resources to spend.
Perhaps this leads us to the question:
- How do we get a realistic cost estimate of the Microsoft Defender plans?
Enter the Price Estimation workbook.
Please say welcome to the Price Estimation workbook in Microsoft Defender for Cloud. This workbook was previously worked on in a GitHub repository but has been integrated natively into the Microsoft Defender for Cloud workbooks.
We can now use the built-in workbooks to derive a more realistic estimate of the actual cost of enabling the Microsoft Defender services.
Currently, there are these available Microsoft Defender services that come with cost optimization insights:
- Defender for App Service
- Defender for Containers
- Defender for Databases
- Defender for Key Vault
- Defender for Servers
- Defender for Storage
An example: Microsoft Defender for Storage
For example, here are a few select subscriptions with a total of only 148 storage accounts. I am getting recommendations to enable the security capabilities for these, which makes perfect sense.
The total estimated price for these is just above $1,000 USD per month. Put that in relation to the fact that the total cost for these storage accounts per month is around $1,700 USD, as-is. That's a 58% increase in cost by just enabling this feature across these subscriptions.
This is an example from a subset of resources I manage. At the full scale, these numbers grow and it becomes increasingly clear that we need to be really careful. Be aware of what you enable, and try to predict and understand the costs ahead of time. Doing this in hindsight will likely result in a bill you weren't expecting.
Summary and resources
Using the Price Estimation workbook for Microsoft Defender for Cloud, we can easily get a better insight into the cost if we enable certain capabilities across our deployed resources.
- Welcome, Price Estimation workbook. You're a great help.
- Don't just enable things without knowing the cost impact.
- The pricing tables and pricing calculators are great tools, but perhaps not when you manage hundreds or thousands of resources spread over a huge amount of subscriptions.
- Dynamically changing workloads can still cause the price estimation to be incorrect, but it gives you a better look at the current situation and your current costs.
Additional insights on the Pricing Estimation workbook:
- Microsoft Defender for Cloud Price Estimation Dashboard (Microsoft Tech Community)
- Microsoft Defender for Cloud - Price Estimation Dashboard (GitHub)