Azure NAT Gateway pricing — and how to cut it.

On Azure, data-processing charges are per-gigabyte fees billed on traffic as it passes through a managed network service, on top of the per-hour fee for the service itself. An Azure NAT Gateway adds a per-GB data-processing charge to its hourly cost (commonly cited at $0.045/GB, directional). Azure Firewall adds its own per-GB data-processing charge on every byte it inspects — $0.016/GB on the Standard and Premium SKUs, $0.065/GB on Basic (dated 2026-06-14, directional) — on top of a per-hour SKU fee. The per-GB lines grow with your traffic and never stop.

An Azure NAT Gateway is billed per resource-hour plus a per-GB data-processing charge on the traffic it handles (commonly cited at roughly $0.045/hour plus $0.045/GB — directional; Azure's live pricing page should be checked for your region and current rates). Like AWS, the hourly fee is the part that is easy to see, and the per-GB data-processing charge is the part that quietly scales with how much your private subnets talk to the internet.

Yes. Azure Firewall bills a per-hour SKU fee plus a per-GB data-processing charge on the traffic it processes. State one SKU at a time: Standard is $1.25/hour (a floor near $912/month before any traffic) plus $0.016/GB; Premium is $1.75/hour (a floor near $1,278/month) plus $0.016/GB; Basic is $0.395/hour plus $0.065/GB (dated 2026-06-14, directional). Azure Firewall performs its own source-NAT, so unlike AWS you do not stack a separate NAT gateway behind it for outbound — but you still pay the per-GB data-processing charge on top of a high per-hour floor.

Route outbound traffic through a flat-priced network virtual appliance instead of a metered Azure NAT Gateway or Azure Firewall. Enforza is a single Linux VM in your own Azure network that does secure source-NAT and FQDN/SNI-based L7 egress filtering under a flat per-firewall licence with $0/GB. You pay only the VM plus the flat Enforza licence — no per-GB data-processing charge and no high per-hour SKU floor — so the bill stops scaling with egress. It is reached via a user-defined route, one of Microsoft's own sanctioned outbound methods.

Since March 31, 2026, new Azure virtual networks default to private subnets with no implicit outbound internet access (for API versions released after that date). Every new private subnet now needs an explicit egress method, so this is the moment to choose one. Rather than reach for a metered NAT Gateway or a high-floor Azure Firewall, route the subnet through the Enforza NVA via a user-defined route: you get secure source-NAT and FQDN/SNI-based L7 filtering in one hop, at a flat price with no per-GB data-processing charge.

Yes — a flat-priced network virtual appliance. Azure's own outbound methods (NAT Gateway, load-balancer outbound rules, a public IP, or an NVA via a user-defined route) all leave you either paying per GB or running unmanaged plumbing. Enforza is the managed, flat-priced NVA option: one VM that does secure NAT and L7 egress filtering, self-patches, and is managed from one console — with no per-GB charge and no per-hour SKU floor.

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — at $0/GB, plus the VM you run it on. Against Azure Firewall Standard at $1.25/hour (a ~$912/month floor before traffic) plus $0.016/GB, the flat line typically lands 60–80% cheaper at modest egress, and the gap widens as traffic grows because the Enforza line stays flat while the per-GB charge climbs. Rates are directional and dated — run your own numbers in the savings calculator.

No. Enforza reads the destination domain from data already in clear text on the wire — the TLS SNI extension, the HTTP Host header and the DNS question — so it filters egress by FQDN without man-in-the-middle, without a private CA pushed to every endpoint, and without custody of your production TLS keys. Azure Firewall Premium's L7 filtering, by contrast, requires TLS decryption and key custody.

No. Enforza removes the per-GB data-processing charges and the high per-hour managed-firewall and NAT-gateway fees, and replaces them with one flat per-firewall licence. You still pay Azure for the VM the firewall runs on (typically $100–$200/month at modest egress) and for normal data-transfer-out where it applies. The saving is on the firewall and NAT metering, not on Azure's underlying infrastructure.