Choose a scenario

Not sure which scenario fits? Answer three questions.

1. Do you need outbound traffic inspection?

Outbound traffic inspection means a central egress chokepoint that logs and (optionally) filters all internet-bound traffic from the spoke.

  • No → start with Baseline or VPN (NAT Gateway only).
  • Yes → use Firewall or Full (Azure Firewall Basic).

2. Do you need site-to-site (hybrid) connectivity?

Site-to-site connectivity means a VPN Gateway that terminates an IPsec tunnel from the customer’s on-prem network or another cloud.

  • No → stick with Baseline or Firewall.
  • Yes → use VPN or Full (adds a VpnGw2AZ gateway).

3. Single subscription or split across multiple?

  • Single subscription → each of the four scenarios above lands in one subscription.
  • Connectivity / Management / Landing Zone in separate subs → see Multi-subscription (ALZ split).

```mermaid
flowchart TD
  A[Need outbound traffic inspection?] -->|No| B[Need site-to-site VPN?]
  A -->|Yes| C[Need site-to-site VPN?]
  B -->|No| Baseline([Baseline ~$48/mo])
  B -->|Yes| VPN([VPN ~$327/mo])
  C -->|No| Firewall([Firewall ~$336/mo])
  C -->|Yes| Full([Full ~$616/mo])
  Baseline --> S{Split across<br/>subscriptions?}
  VPN --> S
  Firewall --> S
  Full --> S
  S -->|No| Single[Use single-sub scenario as-is]
  S -->|Yes| Multi([Multi-subscription ALZ split])
```

| If you need… | Pick |
| --- | --- |
| Lowest cost, dev/test, small workload | Baseline |
| Egress filtering / compliance | Firewall |
| Hybrid connectivity to on-prem | VPN |
| Both egress filtering and hybrid | Full |
| Separate subs per ALZ layer | Multi-subscription |

Once you’ve picked a scenario, the configuration generator produces the matching tfvars or bicepparam file.