Defender for Cloud Cost Controls
Finding the true cost of cloud SaaS tooling is a complicated and elusive task. Microsoft has some different tools we can use to try and estimate costs that we’ll cover in this post. There are challenges in accurately estimating cloud consumption and usage costs due to day-to-day variances in that usage, and many times, not finding the right information when you need it.
This post will walk through two different methods, or tools, to build some estimates of what is being consumed in Microsoft Defender for Cloud, and attach costs to those estimates.
First up is what you are actually using in Defender for Cloud.
Method 1 – Azure Workbook
Log into your Azure environment at https://portal.azure.com and head to Microsoft Defender for Cloud dashboard. Handy link to Defender for Cloud Dashboard: https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0
Now you should see something similar on the Defender for Cloud Overview blade:
Next, on the left navigation menu, choose Workbooks, then select Cost Estimation.
When the Cost Estimation workbook loads, ensure you take a moment to select the relevant subscriptions that you want to work with for our exercise today:
Typically in a production environment, you would want to look at ALL subscriptions, but reality tells me that we will have a mixed & matched set of subscriptions.
Remember that we are estimating here! This is not a ‘live cost tracking’ tool. Please remember this and read ALL the informational notes at the top of the workbook. I say this with positive intent to minimize any misunderstanding of costs.
We can toggle the Azure and AWS Defender for Servers between Plan 1 and Plan 2. If you do this, you will not change anything in a configuration, this is a cost estimating workbook…..you won’t break it!
In my testing environment, you’ll notice that it is not connected to AWS today. We’ll focus on our Azure costs today.
Now, the other sections towards the bottom of this workbook are really my favourite part here. This is where we can see the ACTUAL number of resources (You can use this for the Method 2 section of this post hint hint!)
Under the Azure section, we can see the breakdown of cost by subscription, and the cost of:
- Defender CSPM
- Defender for ARM
- Defender for Key Vault
- Servers
- App Services
- SQL Databases
- OSS DBs
- Storage Accounts
- Containers
- ….and the Total per Subscription.
This is the information generally needed to estimate what your costs using Defender for Cloud will be in your own Azure and ARC connected AWS environments.
Method 2 – Pricing Calculator
The second way to estimate costs is a bit more traditional I suppose, the Azure Pricing Calculator: https://azure.microsoft.com/en-ca/pricing/calculator/.
Under products, search for Defender for Cloud and Add to your Estimate:
I’ve added both Defender for Cloud and External Attack Surface Management tooling so that I can see those cost estimates for my environment.
Now, the trick here is to build an estimate that is fairly accurate to your environment. This means that you need to have your resource count numbers known and ready to use here. I’m going to use some made-up numbers as my example, but as you click through the price calculator, you’ll get the idea pretty quickly here…the tool is very easy to use.
As you enter your resource numbers into the tool, scroll down and complete the estimate as accurately as possible.
As you get to the bottom of your first product (Defender for Cloud), you will see a product cost summary for upfront and recurring monthly costs. If you scroll way down to the bottom of the whole page, you can set your currency type. I set mine to CAD, so my USD friends please relax! USD is the default pricing in this tooling.
The last item to mention with this is the EXPORT button. This allows you to export to a spreadsheet so that you can reference the costs offline or edit your estimated cost manually. This is a great way to build costs estimates out when making a design proposal to your organization or clients!
Conclusion
So, in this post we covered the two most reliable ways to create cost estimates for Microsoft Defender for Cloud, we learned how fast and easy it is to use the Workbook to build some accurate estimates on our actual environments, and the calculator is great for forecasting when we may not have all the access we need to an environment, or we just want to work up a quick cost estimate.
I hope this helps take some of the mystery out of the cost estimating process for Defender for Cloud and the Attack Surface Management tooling for you. Thanks for reading, and I’ll get back to work on my next post!