Skip to article
Web App Service metric

Bandwidth in/out

Bandwidth in/out refers to measured inbound and outbound network traffic or throughput for Azure resources, often reviewed through metrics, diagnostics, and billing data.

Source: Microsoft Learn - Azure Virtual Machine Network Throughput and Bandwidth Reviewed 2026-05-11

Exam trap
Treating Bandwidth in/out as a simple label instead of a production operating decision with owners and evidence.
Production check
Confirm which application, data set, owner, and environment depend on Bandwidth in/out.
Article details and learning context
Aliases
None listed
Difficulty
intermediate
CLI mappings
4
Last verified
2026-05-11

Understand the concept

In plain English

Bandwidth in/out is the inbound and outbound network traffic a resource sends or receives, used to understand throughput, egress, bottlenecks, and transfer cost. It helps network engineers, platform operators, application teams, FinOps analysts, and performance reviewers separate application slowdowns, egress charges, and capacity limits from vague traffic assumptions. Use it when teams must explain why an app is slow, why egress cost increased, or whether a resource size can support expected transfer volume. It is not a single universal Azure limit; bandwidth behavior depends on resource type, region, SKU, destination, and metric definition.

Why it matters

Bandwidth in/out matters because it connects network behavior to user experience and cloud spend. Without it, teams often chase application bugs while the real issue is saturation, unexpected egress, cross-region transfer, or undersized compute. In enterprises, it connects application owners, network teams, SREs, FinOps analysts, security teams, platform engineers, and service desk responders. It turns measurable network flow control into metric baselines, alert thresholds, cost exports, flow analysis, SKU review, and documented traffic paths and exposes tradeoffs around resource size, regional placement, private connectivity, data gravity, monitoring granularity, egress cost, and throughput headroom. For glossary readers, the value is understanding how this Azure capability changes operating behavior, such as comparing Network In, Network Out, latency, and cost meters before blaming application code..

Official wording and source

Bandwidth in/out refers to measured inbound and outbound network traffic or throughput for Azure resources, often reviewed through metrics, diagnostics, and billing data. Microsoft Learn places it in Azure Virtual Machine Network Throughput and Bandwidth; operators confirm scope, configuration, dependencies, and production impact.

Open Microsoft Learn

Technical context

Technically, Bandwidth in/out works through Azure Monitor metrics, diagnostic logs, network throughput limits, ingress and egress counters, VM size capabilities, App Service metrics, storage transactions, and Cost Management usage records. It depends on resource SKU, VM size, NIC configuration, load balancers, private endpoints, routing, peering, internet egress, storage location, region pairing, and monitoring retention. Common settings include metric namespace, Network In, Network Out, aggregation, time grain, resource scope, alert threshold, diagnostic settings, routing path, and cost export filters.

Exam context

Compare with

Where it is used

Where you see it

  1. You see bandwidth in and out in Azure Monitor metrics where operators compare Network In, Network Out, aggregation, and time range during accountable operational reviews.
  2. You see it in FinOps reviews when egress charges, cross-region transfers, CDN offload, or unexpected data movement need explanation during accountable operational reviews during accountable operational reviews.
  3. You see bandwidth evidence during performance incidents when saturation, packet drops, routing changes, or service limits affect user response time during accountable operational reviews during accountable operational reviews.

Common situations

  • Separate application slowdowns, egress charges, and capacity limits from vague traffic assumptions.
  • Validate production readiness before releases, migrations, incidents, or audits.
  • Control cost, access, monitoring, and recovery behavior with accountable evidence.
  • Document ownership and support expectations for Azure operations.

Illustrative Azure scenarios

These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.

Scenario 01 Operational rollout Scenario, objectives, solution, measured impact, and takeaway.
Scenario

Coastline Media, a streaming media organization, saw weekend streaming costs jump after video previews bypassed the CDN cache.

Goals
  • Identify the source of outbound traffic growth.
  • Reduce internet egress cost by 25 percent.
  • Create alerts for unusual Network Out spikes.
  • Validate CDN cache-hit improvement.
Approach using Bandwidth in/out

The architecture team used Bandwidth in/out as the primary mechanism: Network engineers compared Network Out metrics, CDN analytics, and Cost Management egress meters. They found preview traffic flowing directly from App Service instances, corrected routing through CDN, and added alert thresholds tied to weekend baselines. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.

Potential outcomes
  • Internet egress cost dropped by 34 percent.
  • Network Out spikes were detected within 10 minutes.
  • CDN cache-hit ratio improved from 71 to 89 percent.
  • Weekend incident reviews now include bandwidth evidence.
What to learn

Bandwidth in/out is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.

Scenario 02 Governed modernization Scenario, objectives, solution, measured impact, and takeaway.
Scenario

IronVale Manufacturing, a manufacturing organization, had slow telemetry uploads from plants but no clear view of inbound traffic limits on ingestion VMs.

Goals
  • Baseline inbound telemetry throughput.
  • Confirm VM size headroom during shift changes.
  • Reduce upload backlog under five minutes.
  • Document route and metric ownership.
Approach using Bandwidth in/out

The architecture team used Bandwidth in/out as the primary mechanism: Operators measured Network In, Network Out, and queue depth during peak plant uploads. The team increased VM size for ingestion nodes, moved dashboard queries off the same hosts, and documented expected bandwidth by plant and time window. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.

Potential outcomes
  • Upload backlog fell from 23 minutes to four minutes.
  • Peak throughput stayed below approved headroom.
  • Dashboard queries no longer competed with ingestion.
  • Metric ownership moved into the plant operations runbook.
What to learn

Bandwidth in/out is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.

Scenario 03 Incident-ready optimization Scenario, objectives, solution, measured impact, and takeaway.
Scenario

PrairieGov Records, a public sector organization, needed to explain cross-region data-transfer charges after an archive migration.

Goals
  • Trace outbound transfer by resource group.
  • Stop unnecessary cross-region copies.
  • Lower migration bandwidth cost.
  • Keep an approved transfer report for audit.
Approach using Bandwidth in/out

The architecture team used Bandwidth in/out as the primary mechanism: FinOps analysts used Cost Management exports and Azure Monitor metrics to compare outbound traffic by storage account and VM. Architects adjusted the migration plan so archive validation happened in-region before a smaller approved cross-region copy ran. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.

Potential outcomes
  • Cross-region transfer volume fell by 48 percent.
  • Migration bandwidth cost dropped by 29 percent.
  • Audit received a resource-level transfer report.
  • Future migrations require a bandwidth review gate.
What to learn

Bandwidth in/out is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.

Azure CLI

Use command-line evidence for Bandwidth in/out when portal views or desktop tools are too slow, inconsistent, or hard to audit. CLI output helps operators inspect Network In and Network Out metrics, resource scope, time range, route context, and cost evidence, capture repeatable JSON, compare environments, and prove current state before production changes.

Useful for

  • Inspect Network In and Network Out metrics, resource scope, time range, route context, and cost evidence during reviews, incidents, migrations, or release readiness checks.
  • Compare development, test, and production configuration without relying on screenshots or memory.
  • Capture JSON or table output for change tickets, audits, rollback decisions, and support escalations.
  • Validate resource group, subscription, identity, region, and target resource before any mutating command.

Before you run a command

  • Confirm the active tenant, subscription, resource group, region, and exact resource name before running commands.
  • Start with read-only show, list, or metrics commands before create, update, delete, failover, or migration actions.
  • Check whether the command changes cost, access, data placement, encryption, retention, or workload connectivity.
  • Make sure approval, rollback, owner contact, and evidence requirements are clear for production-impacting work.

What the output tells you

  • Resource IDs, regions, SKUs, tags, identities, and states show whether live Azure configuration matches design intent.
  • Empty, missing, or unexpected fields often reveal wrong scope, unsupported features, drift, or incomplete deployment steps.
  • Operation state, timestamps, counts, errors, and report fields show whether a requested change completed successfully.
  • Metric and configuration values help separate platform settings from application behavior during troubleshooting.

Mapped commands

Bandwidth in/out

direct
az monitor metrics list --resource <resource-id> --metric "Network In,Network Out" --interval PT1M
az monitor metricsdiscoverWeb
az monitor metrics list --resource <resource-id> --metric "BytesReceived,BytesSent" --interval PT5M
az monitor metricsdiscoverWeb
az monitor metrics list-definitions --resource <resource-id> --output table
az monitor metricsdiscoverMonitoring and Observability
az network watcher flow-log show --resource-group <rg> --location <region> --name <flowlog>
az network watcher flow-logdiscoverWeb

Architecture context

Technically, Bandwidth in/out works through Azure Monitor metrics, diagnostic logs, network throughput limits, ingress and egress counters, VM size capabilities, App Service metrics, storage transactions, and Cost Management usage records. It depends on resource SKU, VM size, NIC configuration, load balancers, private endpoints, routing, peering, internet egress, storage location, region pairing, and monitoring retention. Common settings include metric namespace, Network In, Network Out, aggregation, time grain, resource scope, alert threshold, diagnostic settings, routing path, and cost export filters.

Security
Security for Bandwidth in/out starts with knowing who can configure it, who can view its output, and what sensitive data, credentials, or network paths may be affected. Important controls include flow log access control, private endpoint routing, firewall review, diagnostic log protection, least-privilege metric access, egress monitoring for suspicious transfers, and data classification for outbound flows. Operators should prefer managed identities or reviewed automation where possible, avoid broad contributor access, and record changes in Activity Log, audit trails, or approved tickets. Security teams should check whether logs, reports, copies, keys, or migrated data reveal customer data or topology details. The safest deployments document approval paths, break-glass use, retention expectations, and audit evidence.
Cost
Cost considerations for Bandwidth in/out come from resources it controls, telemetry it produces, and operational choices it encourages. Key factors include internet egress, inter-region transfer, peering scenarios, VPN or ExpressRoute charges, monitoring ingestion, storage replication traffic, CDN offload choices, and oversized SKU upgrades. Teams should separate direct platform charges from avoided labor, avoided downtime, and reduced waste. Reviews should ask whether the configuration is oversized, underused, duplicated, or retaining more data than policy requires. Budgets, tags, and amortized reporting help connect spend to owners. The best cost outcome is not simply the lowest bill; it is spending enough to meet risk, recovery, performance, and compliance goals without hidden waste.
Reliability
Reliability depends on whether Bandwidth in/out is tested under realistic operating conditions, not just enabled once during deployment. The most important practices are bandwidth baselines, alert thresholds, capacity headroom, failover traffic modeling, route validation, regional dependency review, and tests during peak transfer windows. Teams should define expected state, monitor drift, and rehearse the failure modes that would make the capability necessary. Alerts need owners, thresholds, and escalation paths that match business impact. Good designs capture recovery or validation evidence because incident responders need to know what worked, what failed, and whether assumptions still support stated objectives after upgrades, migrations, or regional changes.
Performance
Performance for Bandwidth in/out is about how quickly and predictably the capability supports the workload or operator action. Important concerns include throughput, latency, packet drops, NIC limits, VM size bandwidth allocation, connection count, compression, caching, source throttling, and downstream service capacity. Teams should measure the user-visible result rather than assuming the Azure feature is fast enough by default. For data and database services, check latency, throttling, concurrency, storage behavior, wait patterns, and query efficiency. For governance or migration capabilities, measure how long decisions, scans, transfers, and validations take during real events. Keep baselines so later tuning has evidence Keep baseline measurements for comparison.
Operations
Operationally, Bandwidth in/out should fit into support, release, and review routines. Useful practices include traffic dashboards, egress cost reviews, network incident playbooks, metric exports, route diagrams, ownership tags, threshold tuning, and post-change traffic comparisons. Owners should keep runbooks current, define who approves production changes, and make important state visible without tribal knowledge. During incidents, operators need quick ways to inspect configuration, confirm scope, and compare current behavior with intended design. After changes, teams should update diagrams, tags, alerts, and evidence repositories. The goal is a capability support staff can run confidently during off-hours, not a feature only the original architect understands.

Common mistakes

  • Treating Bandwidth in/out as a simple label instead of a production operating decision with owners and evidence.
  • Running a mutating command before collecting read-only state and confirming the target subscription and resource.
  • Copying examples into production without adjusting names, regions, identities, network rules, SKUs, or limits.
  • Ignoring service-specific permissions, private networking, monitoring, rollback behavior, and cost impact before rollout.