Azure Firewall is the main default cost driver. Deploy the full lab for a short validation window, then destroy it.
The Azure Retail Prices API returned these West Europe prices during the latest lab check:
| Meter | Price |
|---|---|
| Azure Firewall Basic deployment | $0.40/hour |
| Azure Firewall Basic data processed | $0.07/GB |
Prices can change. Verify with the Azure Retail Prices API or your Azure cost management view before running long lab sessions.
- Keep
deploy_bastion = falseunless you need private access. - Keep
deploy_sentinel = falseuntil you want detection scenarios. - Use
log_analytics_daily_quota_gbto cap ingestion. - Use
deploy_budget = truefor subscription budget alerts. - Destroy resources when finished.
- Keep the default VM size small unless you need more capacity.
- Run full firewall tests in short windows instead of leaving the lab online.
| Profile | Toggles | Cost behavior |
|---|---|---|
| Static docs and policy work | deploy_firewall = false |
Lowest practical infrastructure profile |
| Default security lab | deploy_firewall = true, deploy_bastion = false |
Firewall is the main cost |
| Private admin lab | deploy_bastion = true |
Adds Bastion hourly cost |
| SOC lab | deploy_sentinel = true |
Adds Sentinel and ingestion considerations |
Use this lifecycle:
terraform plan -var-file="environments/lab.tfvars"
terraform apply -var-file="environments/lab.tfvars"
# run tests
terraform destroy -var-file="environments/lab.tfvars"Then verify:
terraform state list
az group exists --name "rg-security-lab-weu-hub"The June 7, 2026 validation run followed this pattern: the lab created 65
resources, produced runtime and firewall-log evidence, destroyed 65 resources,
and verified that the four default resource groups returned false. See the
environment test report.