Cost governance for Azure Arc-enabled Kubernetes

Cost governance is the continuous process of implementing policies to control the costs of services you use in Azure. This document provides cost governance considerations and recommendations for you to keep in mind while using Azure Arc-enabled Kubernetes.

Cost of Azure Arc-enabled Kubernetes

Azure Arc-enabled Kubernetes provides two types of services:

Note

Billing for Azure services used in conjunction with Azure Arc-enabled Kubernetes is the same as billing for the Azure Kubernetes Service.

Note

If your Azure Arc-enabled Kubernetes cluster is on Azure Kubernetes Service (AKS) on Azure Local, Kubernetes GitOps configuration is included at no extra charge.

Design considerations

  • Governance: Define a governance plan for your hybrid clusters that translates into Azure Policies, tags, naming standards and least-privilege controls.

  • Azure Monitor Container Insights: Azure Monitor Container Insights provides telemetry visibility by collecting performance metrics from controllers, nodes, and containers in Kubernetes through the Metrics API. Container logs are also collected. Billing is based on the volume of data ingested, the data retained beyond the included period, and any data exported.

  • Microsoft Defender for Cloud: Microsoft Defender for Cloud is offered in two modes:

    Without enhanced security features (Free) - Microsoft Defender for Cloud is enabled for free on all your Azure subscriptions when you visit the workload protection dashboard in the Azure portal for the first time, or if you enable it programmatically via API. This free mode provides the secure score and its related features: security policy, continuous security assessment, and actionable security recommendations for your Azure resources.

    With all enhanced security features (Paid) - Enabling Microsoft Defender for Cloud enhanced security extends the capabilities of free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.

  • Kubernetes GitOps configuration: Kubernetes GitOps configuration delivers configuration management and application deployment using GitOps. Admins declare their cluster configuration and applications in Git. Development teams can then use pull requests and the tools they already know (existing Azure Pipelines, Git, Kubernetes manifests, Helm charts) to deploy applications into Azure Arc-enabled Kubernetes clusters and make updates in production. Billing is monthly and is based on the number of vCPU-hours in your cluster. A cluster incurs a single configuration-management charge no matter how many repositories are connected.

    Note

    Clusters can function without a constant connection to Azure. While a cluster is disconnected, its charge is based on the last vCPU count that was registered with Azure Arc. The vCPU count is refreshed every 5 minutes while the cluster is connected to Azure. Each cluster's first 6 vCPUs are included at no cost.

    If your cluster will be disconnected from Azure and you don’t want to be charged for Kubernetes configurations, you can delete the configurations.

  • Azure Policy for Kubernetes: Azure Policy for Kubernetes extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place. There's currently no cost for Azure Policy for Kubernetes while in public preview.

  • Microsoft Sentinel: Microsoft Sentinel provides intelligent security analytics across your enterprise. The data it analyzes is stored in an Azure Monitor Log Analytics workspace. Microsoft Sentinel is billed on the volume of data from your Azure Arc-enabled Kubernetes clusters that is ingested into Microsoft Sentinel and stored in that Log Analytics workspace, so the same data incurs both a Sentinel charge and a Log Analytics charge.

  • Azure Key Vault: The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure Key Vault as a store of secrets with a Kubernetes cluster via a CSI volume. Azure Key Vault is billed by the operations performed on certificates, keys, and secrets.

Design recommendations

The following sections contain design recommendations for Azure Arc-enabled Kubernetes cost governance.

Note

Pricing information shown in the screenshots consists of examples provided to demonstrate the Azure pricing calculator, and doesn't reflect the actual pricing you might see in your own Azure Arc deployments.

Governance

  • Review the recommendations in the resource organization and governance disciplines critical design area to implement a governance strategy, organize your resources for better cost control and visibility, and avoid unnecessary costs by using the least privileged access model for onboarding and management.

Azure Monitor for Containers

Microsoft Defender for Cloud (formerly known as Azure Security Center)

Kubernetes GitOps configuration

  • Review Kubernetes GitOps configuration pricing.

  • Review the CI/CD workflow critical design area to find best practices and recommendations for managing and monitoring Kubernetes GitOps configuration on your Azure Arc-enabled Kubernetes clusters.

  • Use Azure Policy for Kubernetes to enforce and ensure consistent configuration across all your Azure Arc-enabled Kubernetes clusters.

  • Use Azure Resource Graph queries to review the number of cores you have for Azure Arc-enabled Kubernetes clusters and estimate the cost of enabling Kubernetes GitOps configuration.

    // Connected (Arc-enabled) clusters with node and core counts, largest first
    Resources
    | where type =~ 'Microsoft.Kubernetes/connectedClusters'
    | extend AgentVersion = properties.agentVersion,
             KubernetesVersion = properties.kubernetesVersion,
             Distribution = properties.distribution,
             Infrastructure = properties.infrastructure,
             NodeCount = toint(properties.totalNodeCount),
             TotalCoreCount = toint(properties.totalCoreCount)
    | project id, subscriptionId, location, type, AgentVersion, KubernetesVersion, Distribution, Infrastructure, NodeCount, TotalCoreCount
    | order by TotalCoreCount desc
    
  • Use Microsoft Cost Management to understand Kubernetes GitOps configuration costs.

    A screenshot showing Kubernetes GitOps configuration cost in Azure portal.
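The following script is an added example (not code from the article or from Microsoft) that turns rows like the ones the Resource Graph query above returns into a monthly estimate for Kubernetes GitOps configuration, applying the billing rules stated in the design considerations: a per-vCPU-hour charge, the first 6 vCPUs of every cluster free, and a disconnected cluster still billed on its last registered vCPU count. The sample rows are constructed. The price per vCPU-hour is a placeholder parameter, not Microsoft's list price; use the current figure from the pricing page. The `ConnectivityStatus` column is an assumption: the query above does not project it, and you would need to add it to the `extend` clause yourself.

```python
"""Estimate monthly Kubernetes GitOps configuration cost from Resource Graph rows.

Added example, not the article's own code. Models the article's billing rules:
charge per vCPU-hour, first FREE_VCPUS_PER_CLUSTER vCPUs of each cluster free,
offline clusters still billed on their last registered vCPU count.
"""
from dataclasses import dataclass

FREE_VCPUS_PER_CLUSTER = 6              # per-cluster free allowance (from the article)
HOURS_PER_MONTH = 730                   # common Azure hours-per-month convention
PLACEHOLDER_PRICE_PER_VCPU_HOUR = 0.01  # ASSUMED placeholder, not Microsoft's price

# Constructed sample in the shape of the query's projected columns
# (ConnectivityStatus is an assumed extra column, see the lead-in).
SAMPLE_ROWS = [
    {"id": "edge-01", "subscriptionId": "sub-a", "TotalCoreCount": 4,  "ConnectivityStatus": "Connected"},
    {"id": "edge-02", "subscriptionId": "sub-a", "TotalCoreCount": 6,  "ConnectivityStatus": "Connected"},
    {"id": "dc-01",   "subscriptionId": "sub-b", "TotalCoreCount": 16, "ConnectivityStatus": "Offline"},
    {"id": "dc-02",   "subscriptionId": "sub-b", "TotalCoreCount": 32, "ConnectivityStatus": "Connected"},
]


@dataclass
class ClusterEstimate:
    cluster_id: str
    subscription_id: str
    total_vcpus: int
    billable_vcpus: int
    monthly_cost: float
    billed_while_offline: bool  # charged on last-known vCPUs although disconnected


def billable_vcpus(total_core_count: int) -> int:
    """vCPUs that are charged once the per-cluster free allowance is used up."""
    return max(0, int(total_core_count) - FREE_VCPUS_PER_CLUSTER)


def estimate_monthly_gitops_cost(rows, price_per_vcpu_hour=PLACEHOLDER_PRICE_PER_VCPU_HOUR,
                                 hours=HOURS_PER_MONTH):
    """Per-cluster estimate from rows carrying id, subscriptionId, TotalCoreCount.

    ConnectivityStatus defaults to 'Connected' when the column is absent. A
    disconnected cluster is flagged, not skipped, because Azure keeps billing
    it on the vCPU count it last registered.
    """
    estimates = []
    for row in rows:
        vcpus = int(row["TotalCoreCount"])
        billable = billable_vcpus(vcpus)
        offline = row.get("ConnectivityStatus", "Connected") != "Connected"
        estimates.append(ClusterEstimate(
            cluster_id=row["id"],
            subscription_id=row["subscriptionId"],
            total_vcpus=vcpus,
            billable_vcpus=billable,
            monthly_cost=round(billable * price_per_vcpu_hour * hours, 2),
            billed_while_offline=offline and billable > 0,
        ))
    return estimates


def total_monthly_cost(estimates) -> float:
    return round(sum(e.monthly_cost for e in estimates), 2)


def total_by_subscription(estimates) -> dict:
    """Roll-up per subscription, the granularity Cost Management reports on."""
    totals = {}
    for e in estimates:
        totals[e.subscription_id] = round(totals.get(e.subscription_id, 0.0) + e.monthly_cost, 2)
    return totals


def savings_if_offline_configs_deleted(estimates) -> float:
    """What deleting GitOps configurations on disconnected clusters would save."""
    return round(sum(e.monthly_cost for e in estimates if e.billed_while_offline), 2)


if __name__ == "__main__":
    est = estimate_monthly_gitops_cost(SAMPLE_ROWS)
    for e in est:
        flag = "  (offline, still billed)" if e.billed_while_offline else ""
        print(f"{e.cluster_id:8} {e.total_vcpus:3} vCPU -> {e.billable_vcpus:3} billable "
              f"-> {e.monthly_cost:8.2f}/month{flag}")
    print("per subscription:", total_by_subscription(est))
    print("total:", total_monthly_cost(est))
    print("savings if offline configs deleted:", savings_if_offline_configs_deleted(est))
```

Run the query with `az graph query -q "<query>" -o json`, feed the `data` array into `estimate_monthly_gitops_cost`, and compare the roll-up with the GitOps line in Microsoft Cost Management; clusters flagged as billed while offline are the ones where deleting the configuration stops the charge.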

Azure Policy for Kubernetes

Microsoft Sentinel

Azure Key Vault

Next steps

For more information about your hybrid and multicloud journey, see the following articles: