Category Archives: Amazon Web Services (AWS)

The cost model for Azure Stack HCI (12/2022)

Technologies from different vendors are available on the market that allow you to build hyper-converged infrastructures (HCI). Microsoft in this sector offers an innovative solution called Azure Stack HCI, deployed as an Azure service, that allows you to achieve high performance, with advanced security features and native integration with various Azure services. This article describes how much you need to invest to get the Azure Stack HCI solution and what aspects you can consider to structure the cost model as you like..

Premise: OPEX vs CAPEX

The term CAPEX (contraction from CAPital EXpenditure, ie capital expenditures) indicates the cost of developing or providing durable assets for a product or system.

Its counterpart, operational expenditure or OPEX (from the English term OPerational EXpenditure) is the cost of managing a product, a solution or a system. These are also called costs O&M (Operation and Maintenance) or operating and management costs.

CAPEX costs usually require a budget and a spending plan. Also for these reasons, companies generally prefer to incur OPEX costs, as they are easier to plan and manage.

Clarify these concepts, now let's see the Azure Stack HCI cost model and how to get a totally OPEX model.

Hardware costs

In order to activate the Azure Stack HCI solution, it is necessary to have on-premise hardware to run the dedicated operating system of the solution and to run the various workloads. There are two possibilities:

  • Azure Stack HCI Integrated Systems: determined by the vendor, offer specially structured and integrated systems for this solution, that provide an appliance-like experience. These solutions also include integrated support, jointly between the vendor and Microsoft.
  • Azure Stack HCI validated nodes: implementation takes place using hardware specifically tested and validated by a vendor. In this way you can customize the hardware solution according to your needs, going to configure the processor, memory, storage and features of network adapters, but respecting the supplier's compatibility matrices. There are several hardware vendors that offer suitable solutions to runAzure Stack HCI and can be consulted by accessingthis link. Most implementations are done in this way.

Figure 1 - Hardware deployment scenarios

Also for the hardware it is possible to make some evaluations to adopt a cost model based on rental. In fact,, major vendors such as HPE, Dell and Lenovo, are able to offer the necessary hardware in "infrastructure as-a-service" mode, through a payment model based on use.

Azure costs

Despite being running on premise, Azure Stack HCI provides for billing based on Azure subscription, just like any other service in Microsoft's public cloud.

Azure Stack HCI offers a free trial period that allows you to evaluate the solution in detail. The duration of this period is equal to 60 days and starts from when you complete the registration of the cluster environment in Azure.

At the end of the trial period, the model is simple and costs “10 € / physical core / month"*. The cost is therefore given by the total of physical cores present in the processors of the Azure Stack HCI cluster. This model does not provide for a minimum or a maximum on the number of physical cores licensed, much less limits on the activation duration.

Financial benefits for customers with a Software Assurance agreement

Customers who have Windows Server Datacenter licenses with active Software Assurance, can activate’Azure Hybrid Benefit also for Azure Stack HCI cluster. To activate this benefit, at no additional cost, you will need to exchange a Windows Server Datacenter core license with Software Assurance for an Azure Stack HCI physical core. This aspect allows to zero the Azure costs for the Azure Stack HCI host fee and provides the right to run an unlimited number of Windows Server guest virtual machines on the Azure Stack HCI cluster.

Furthermore, Azure Hybrid Benefits can also be activated for Azure Kubernetes Service (AKS). In this case, Windows Server StandardDatacenter licenses with active Software Assurance are required, or the presence of a Cloud Solution Provider subscription (CSP). Each Windows Server core license entitles you to use an AKS virtual core.

In the following image it is summarized as, customers with Software Assurance, can use Azure Hybrid Benefit to further reduce costs in the cloud, in on-premises datacenters and peripheral offices.

Figure 2 – What is included in the Azure Hybrid Benefit for customers in Software Assurance

Specifically for customers with a Software Assurance agreement, the adoption of Azure Stack HCI translates into a drastic reduction in the costs of modernizing the virtualization environment, making this solution even more competitive from a cost point of view compared to competitors on the market. To consult in detail the licensing requirements you can refer to this document.

Costs for guest VMs

The Azure costs listed in the previous paragraph do not include the operating system costs for guest machines running in the Azure Stack HCI environment. This aspect is also common to other HCI platforms, like Nutanix and VMware vSAN.

The following image shows how the licensing of guest operating systems can take place:

Figure 3 – Licensing of guest operating systems

Costs for Windows Server virtual machines

There are mainly two options for licensing Windows Server guest machines in Azure Stack HCI:

  • Buy Windows Server licenses (CAPEX mode), Standard or Datacenter, which include the right to activate the OS of guest virtual machines. The Standard Edition may be suitable if the number of Windows Server guest machines is limited, while if there are several Windows Server guest systems, it is advisable to evaluate the Datacenter Edition which gives the right to activate an unlimited number of virtualized Windows Server systems.
  • Pay for the Windows Server license for guest systems through your Azure subscription, just like in Azure environment. Choosing this option will incur a cost (OPEX) bet a “€22.4 / physical core / month ”* to be able to activate an unlimited number of Windows Server guest systems in the Azure Stack HCI environment.

*Costs estimated for the West Europe region and subject to change. For more details on the costs of Azure Stack HCI you can consult the Microsoft's official page.

Charges for other workloads running on Azure Stack HCI

The result we intend to pursue with the Azure Stack HCI infrastructure is to be able to run in an on-premises environment, not just virtual machines, but the same Microsoft public cloud workloads. To achieve this Microsoft is bringing the most popular Azure workloads to Azure Stack HCI and the following cost considerations apply to each of them:

  • Azure Kubernetes Service: the configuration of the K8s Arc enabled cluster is free **.
  • Azure Arc-enabled data services:
    • For SQL Server, customers can purchase SQL Server licenses in CAPEX mode or, who already has SQL licenses, can use Azure Hybrid Benefit for Azure Arc-enabled SQL Managed Instance, without having to pay the SQL license again.
    • If you want to switch to an OPEX model, you can obtain Microsoft SQL Server licenses through Microsoft's Azure Arc-enabled data services **.
  • Azure Virtual Desktop:
    • User access rights for Azure Virtual Desktop. The same licenses that grant access to Azure virtual desktops in the cloud also apply to Azure Virtual Desktop in Azure Stack HCI.
    • Azure Virtual Desktop Hybrid Service Fee. This fee is charged for each virtual CPU (vCPU) used by Azure Virtual Desktop session hosts running in Azure Stack HCI environment.

**For more details on Azure Arc costs you can consult this page.

Support costs

Azure Stack HCI, being in effect an Azure solution, is covered by Azure support with the following features:

  • A choice is provided between several Azure support plans, depending on your needs. Basic support is free, but in certain scenarios it is recommended that you at least consider Standard support, which provides a fixed monthly cost.
  • Technical support is provided by a team of experts dedicated to supporting the Azure Stack HCI solution and can be easily requested directly from the Azure portal.


Azure Stack HCI allows you to bring cloud innovation into your data center and at the same time create a strategic link to Azure. In the era of hybrid datacenters, a solution like Azure Stack HCI, allows you to structure the cost model at will and to have maximum flexibility. There are several vendors on the market offering solutions to build hyper-converged infrastructures (HCI) hybrid, and Azure Stack HCI can be very competitive, not only from the point of view of functionality, but also from the point of view of costs.

The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a solution of Cloud Security Posture Management (CSPM) and for the protection of workloads, able to identify security weaknesses in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments. For those who are adopting a multi-cloud strategy and who need high security standards for their environment, it is important to know that Microsoft Defender for Cloud can also include resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud are capable of contemplating two great pillars of cloud security:

  • Cloud Security Posture Management (CSPM) capable of providing the following features:
    • Visibility: to assess the current security situation.
    • Hardening Guide: to be able to improve security efficiently and effectively

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of theCenter for Internet Security (CIS) and theNational Institute of Standards and Technology (NIST).

Defender for Cloud assigns a global score to the ambient environment, defined Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take action to take remediation actions.

  • Cloud workload protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and locally:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

To protect resources on other public clouds with this solution, there has been a mechanism for some time now that involves the use of interfacing connectors with AWS and GCP accounts. The onboarding process of your AWS account was based on the integration of the solution AWS Security Hub, as detailed in this article.

Now a new native mechanism and, through an approach agentless, allows you to connect to AWS environments. This new method of interfacing take advantage of the AWS API and it has no dependence on other solutions, like AWS Security Hub. The onboarding experience is designed to work easily on a large scale, simply by connecting your AWS master account, which allows you to automatically onboard existing and future accounts.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud CSPM capabilities are extended to your AWS resources. This agentless plan evaluates AWS resources against AWS specific security recommendations and these are included in the calculation of the global security score. To provide an overall view on the security status of your multi-cloud environments, AWS security recommendations are also integrated into the Defender for Cloud portal, along with Azure recommendations. Have been implemented by Microsoft beyond 160 ready-to-use recommendations for IaaS and PaaS services and three regulatory standards including AWS CIS, AWS PCI DSS e AWS Foundational Security Best Practices. All this allows you to strengthen your security posture while also contemplating AWS resources in the best possible way. Furthermore, you can customize existing models or create new ones that contain your own recommendations and standards to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

AWS currently provides enhanced security for the following workloads:

  • Server protection: Microsoft Defender for server offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. This plan includes the integrated license for Microsoft Defender for Endpoint and several features, including: Security baselines and assessment at the OS level, Vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
  • Container protection: Microsoft Defender for Containers extends container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS Clusters (Elastic Kubernetes Service). For Defender for Kubernetes to be able to protect AWS EKS clusters, Azure Arc-enabled Kubernetes and Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to activate this integration, the following information on costs applies:

  • The CSPM plan is free. To provide recommendations, the CSPM plan queries the AWS resource APIs multiple times a day. These read-only API calls incur no charge, but they are logged in CloudTrail in case you have enabled the trail for reading events. As noted in the AWS documentation, this does not involve additional costs for maintenance. However, it is necessary to be careful and possibly filter these events if data exports are expected (for example to make them flow into an external SIEM).
  • The Defender for Containers plan will be billed at the same price as the plan Defend for Kubernetes for Azure resources.
  • For each AWS machine connected to Azure through Azure Arc, the Defender per server plan is billed at the same price as the Microsoft Defender for server plan for Azure machines.


Microsoft Defender for Cloud, originally developed with the claim of being the best tool to protect resources in an Azure environment, extend and refine its capabilities to cover other public clouds as well. In particular, Thanks to the new integration mechanism with AWS, you can natively adopt a CSPM solution and enable threat protection for your computing workloads in Amazon Web Services (AWS). This allows to obtain a high degree of security, to improve security postures in multi-cloud environments and to simplify the management of tools useful for governing security.

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) and Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.


The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.