Compare scenarios
Every scenario shares the same hub-spoke topology. You only add what the customer actually needs.
| | Baseline | Firewall | VPN | Full |
|---|---|---|---|---|
| Approx. cost / month | ~$48 | ~$336 | ~$327 | ~$616 |
| Hub + spoke VNets | ✅ | ✅ | ✅ | ✅ |
| Key Vault + Private Endpoint | ✅ | ✅ | ✅ | ✅ |
| Log Analytics + Recovery Vault | ✅ | ✅ | ✅ | ✅ |
| NAT Gateway (egress) | ✅ | — | ✅ | — |
| Hub ↔ Spoke peering | — | ✅ | ✅ | ✅ |
| Azure Firewall (Basic) | — | ✅ | — | ✅ |
| Spoke UDR → Firewall | — | ✅ | — | ✅ |
| VPN Gateway (VpnGw2AZ) | — | — | ✅ | ✅ |

Decision shortcuts
- Outbound inspection required? → choose `firewall` or `full`.
- Site-to-site connectivity? → choose `vpn` or `full`.
- Both? → `full`.
- Neither? → `baseline`.
The wizard walks you through this in 30 seconds and emits a tfvars file.