What Azure Arc Charges For
Azure Arc projects on-premises, edge and other-cloud resources into Azure so they can be governed like native Azure resources. The core control plane is free: inventorying servers, organising them with tags and resource groups, basic management, and connecting Kubernetes clusters all cost nothing. Azure Arc-enabled Kubernetes — connecting and configuring clusters across data centres, edge and multi-cloud — carries no additional charge. For a CIO mapping the advanced Microsoft estate across hybrid infrastructure, that free baseline is real and worth using; the discipline is knowing exactly where the meter starts.
The Per-Server Add-On Menu
The cost in Arc is the value-added services you attach to each connected server, billed per server per month.
| Service | Price (per server/month) | What it does |
|---|---|---|
| Microsoft Defender for Servers Plan 1 | $5 | Core server threat protection |
| Microsoft Defender for Servers Plan 2 | $15 | Full server security and posture |
| Azure Update Manager | $5 | Patch orchestration |
| Azure Policy guest config (with Change Tracking and Inventory) | $6 | Configuration governance |
| Hotpatching | Per core | Reboot-free Windows patching |
Each line looks trivial, but they stack: a server running Defender Plan 2, Update Manager and Policy guest config carries $26 a month before any other workload. Across 1,000 hybrid servers, that is roughly $312,000 a year in Arc add-ons alone — a figure that rarely appears in the original business case for adopting Arc.
The Free-Until-You-Switch-It-On Trap
The most common Arc cost surprise is treating it as a free platform and then enabling Defender, Update Manager and guest configuration estate-wide by default. Each is a per-server charge, and applied across every connected server they turn a free control plane into a six-figure annual bill.
The defence is selective enablement. Apply Defender Plan 2 to the servers that genuinely warrant full posture management and Plan 1 — or nothing — elsewhere; scope Update Manager and Policy guest config to the workloads that need them rather than the whole fleet. The same security-tooling cost discipline governs your SIEM estate, which we cover in the Microsoft Sentinel licensing guide, and it applies identically to Arc add-ons.
SQL and Windows Server via Arc
Arc also unlocks flexible licensing for the server software itself. Windows Server and SQL Server can be licensed pay-as-you-go through Arc, billed by the hour against actual consumption rather than purchased as perpetual licences with Software Assurance. For variable or temporary workloads this can be cheaper; for steady-state production it usually is not. The decision interacts directly with Azure Hybrid Benefit — using existing licences with Software Assurance to cover Azure or Arc-managed workloads — so model both routes before defaulting to pay-as-you-go. Identity-based access to these Arc-managed resources should be governed through your Entra ID tiers rather than treated as a separate problem.
When Arc Is Worth It
The per-server economics only make sense against a clear use case, and Arc has three where it genuinely earns its cost. The first is governance at scale: an organisation with hundreds of servers spread across on-premises data centres and multiple clouds gets a single Azure control plane for policy, tagging and inventory, which is hard to replicate with point tools. The second is unified security: extending Microsoft Defender across a hybrid fleet so that on-premises and multi-cloud servers appear in the same posture view as native Azure resources. The third is Arc-enabled data services, which let you run Azure SQL Managed Instance or PostgreSQL on your own infrastructure, billed per vCore.
Those data services are a distinct cost line worth flagging: Arc-enabled SQL Managed Instance is billed per vCore per hour in the same way as its Azure-native equivalent, so a large database footprint managed through Arc can become a significant consumption item in its own right. For organisations with data-residency requirements that prevent a full cloud migration, that cost buys a genuine capability — cloud-style managed databases on local infrastructure — but it should be modelled deliberately, not enabled experimentally.
Where Arc is not worth it is the small or static estate. A handful of servers that rarely change do not need a hybrid control plane, and the per-server add-ons will cost more than the management overhead they remove. Arc rewards scale and heterogeneity; it punishes the assumption that because the control plane is free, switching everything on is also free. The honest test is whether you have enough servers, enough clouds and enough governance burden to justify the add-on services you actually intend to enable.
For most enterprises the answer is selective: Arc the estate for free inventory and governance, enable Defender and management services only where the risk or scale justifies them, and treat Arc-enabled data services as a deliberate architecture choice for residency-constrained workloads rather than a default. That posture captures the free value while keeping the per-server bill proportionate to genuine need.
Controlling Arc Spend
Arc spend belongs inside the Azure commitment, not bolted on afterwards. Because the add-ons are consumption-style charges, they draw down your Microsoft Azure Consumption Commitment (MACC) and should be forecast as part of it. The levers are which services you enable and on how many servers, the Defender plan mix, and the pay-as-you-go-versus-Hybrid-Benefit decision on Windows and SQL Server. Benchmark the all-in per-server cost against the Microsoft vendor intelligence hub and the framework in the Cloud Contract Framework. To model an Arc rollout before the per-server charges compound, request a confidential briefing.