What Triggers a Scan and Billing of Azure Blob Storage?
The costs associated with Azure Blob Storage scanning are related to the following Netskope services:
Data egress from storage accounts
Event Grid notification to webhook
API calls to list the blobs inside storage accounts
API calls to read the properties of blobs inside the storage accounts
The cost is determined by the number of notifications Netskope receives through the webhook. Netskope receives a notification for every event when a blob is created, renamed or deleted.
Sample billing
Consider that Netskope receives 100 notifications per second for one month. The number of notifications for this month is calculated as:
Number of notifications in the month = 100*60*60*24*30 = 260 Million.
Consider that 50% of the notifications are a result of a policy match. Therefore, the file will be downloaded and sent for DLP or malware scanning.
Number of files to be scanned in the month = 130 Million.
If the average file size is 2MB, then the amount of data downloaded for the month is 250TB.
In this example, the following are the costs from ongoing scans for this month.
Data Egress cost over the internet: 0.01*250*1024 = $2560
To learn more: https://azure.microsoft.com/en-in/pricing/details/storage/blobs/
Event Grid notification cost: (260,000,000 - 100,000)/1,000,000*0.6 = $156
To learn more: https://azure.microsoft.com/en-in/pricing/details/event-grid/
Cost of API calls to get metadata of blobs: 130,000,000/10000*0.005 = $65
To learn more: https://azure.microsoft.com/en-in/pricing/details/storage/blobs/
Consider that you want to run a retroscan, which will incur additional costs from services such as list API calls, get properties calls, and egress. If the retroscan lists 100 Million objects, of which 50% are downloaded for scanning after matching policies, we will have 50 million files with an average file size of 2MB.
The following are the retroscan costs for this month.
Data Egress cost over the internet: 0.01*100*1024 = $1024
Cost of API calls to get metadata of blobs: 50,000,000/10000*0.005 = $25
Cost of Listing APIs: 50,000,000/10000*0.005 = $25
To learn more: https://azure.microsoft.com/en-in/pricing/details/storage/blobs/
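The sample billing above, generalized into a small estimator so other notification rates, match ratios and file sizes can be plugged in. This is an added example, not Netskope or Azure code; the function names are hypothetical and the rates are the ones used in this page's formulas, not live Azure prices.

```python
# Added example: monthly cost estimator for the sample billing above.
# Rates are the ones used in this page's example, not live Azure prices.
EGRESS_USD_PER_GB = 0.01
EVENT_GRID_USD_PER_MILLION = 0.6
EVENT_GRID_FREE_OPS = 100_000      # subtracted in the page's Event Grid formula
API_USD_PER_10K_CALLS = 0.005


def egress_cost(data_gb):
    return data_gb * EGRESS_USD_PER_GB


def event_grid_cost(notifications):
    # Clamp at zero so a low-volume month never yields a negative charge.
    billable = max(0, notifications - EVENT_GRID_FREE_OPS)
    return billable / 1_000_000 * EVENT_GRID_USD_PER_MILLION


def api_cost(calls):
    return calls / 10_000 * API_USD_PER_10K_CALLS


def ongoing_scan_cost(notifications_per_sec, match_ratio, avg_file_mb, days=30):
    if not 0 <= match_ratio <= 1:
        raise ValueError("match_ratio must be between 0 and 1")
    notifications = round(notifications_per_sec * 86_400 * days)
    scanned = round(notifications * match_ratio)   # files downloaded for DLP/malware
    costs = {
        "egress": egress_cost(scanned * avg_file_mb / 1024),   # 1 GB = 1024 MB
        "event_grid": event_grid_cost(notifications),
        "get_properties": api_cost(scanned),
    }
    return {"notifications": notifications, "files_scanned": scanned,
            **costs, "total": sum(costs.values())}


def retroscan_cost(files_downloaded, list_operations, avg_file_mb):
    # list_operations is passed in explicitly; the page's example bills 50,000,000.
    costs = {
        "egress": egress_cost(files_downloaded * avg_file_mb / 1024),
        "get_properties": api_cost(files_downloaded),
        "list": api_cost(list_operations),
    }
    return {**costs, "total": sum(costs.values())}


if __name__ == "__main__":
    for name, value in ongoing_scan_cost(100, 0.5, 2).items():
        print(f"{name:>15}: {value:,.2f}")
    print(retroscan_cost(50_000_000, 50_000_000, 2))
```

With exact inputs (259,200,000 notifications rather than the rounded 260 Million) the ongoing-scan figures come out slightly below the rounded ones in the sample billing.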
What triggers a scan?
For Azure Blob Storage, a scan is triggered in the following scenarios:
Uploading/re-uploading a file using the Azure CLI, portal, or API calls to an Azure storage container under a storage account that has policies configured for DLP and/or malware.
Copying a blob using the Azure CLI, portal, or API calls between or within Azure storage containers under a storage account that has policies configured for DLP and/or malware.
Cases where a scan is not performed include:
Setting blob metadata.
Setting blob properties.
Deleting a blob from a container.
Deleting a container.
Uploading/re-uploading a file using the Azure CLI, portal, or API calls to an Azure storage container under a storage account that does not have policies configured for DLP and/or malware.
Copying a blob using the Azure CLI, portal, or API calls between or within Azure storage containers under a storage account that does not have policies configured for DLP and/or malware.