Qualys Virtual Scanner Appliance is available as an Amazon Machine Image (AMI) at AWS Marketplace, ready for customers to launch onto Amazon EC2-Classic and EC2-VPC. Customers commonly ask how much it will cost them to run a Qualys scanner on EC2.
There are two aspects to consider:
- Qualys costs for the virtual scanner license subscription
- AWS costs for the computing resources to run the appliance as an EC2 Instance
You will need to acquire a Qualys license for each virtual scanner appliance Instance you would like to run. This license is acquired from Qualys, not from AWS, and our scanner appliances are listed at AWS Marketplace with a BYOL (i.e., "bring your own license") model accordingly.
Each QualysGuard Virtual Scanner Appliance profile that you define in the Qualys Cloud Platform UI will consume a single virtual scanner appliance license. If you delete a virtual scanner appliance profile from your Qualys subscription, that license is freed up and immediately available for re-use.
Contact your Qualys technical account manager or Qualys reseller for a pricing quotation or to request an evaluation.
Each virtual scanner appliance Instance will be launched into one of your own AWS accounts. You will be responsible for paying AWS for the costs of running the appliance. Those costs include:
- compute capacity, based upon Instance Type
- per-GB of provisioned storage
- per 1 million I/O requests
- data transfer IN/OUT
The compute capacity charges (i.e., CPU, RAM) are overwhelmingly the largest part of the costs to run an Instance.
Note that you are not required to keep your scanner appliance(s) running at all times. Any hours during which your Instance is Stopped will incur only per-GB provisioned storage charges. However, scanners should be turned on for at least several hours per week in order to ensure that they stay up-to-date with software and signatures.
See Amazon EC2 Pricing for their current rates.
Sample AWS Cost Exercise
This exercise uses AWS prices published as of 2013-10-10 for the US East Region.
Medium Instance Type
OPTION 1: On-Demand
You may run the QualysGuard Virtual Scanner Appliance as an m1.medium (general purpose) or c1.medium (compute-optimized). m1. medium is recommended for most use cases.
On-demand price for a standard Linux m1.medium Instance:
$0.12 per Hour @ 8760 hours = $1,051.20/year
OPTION 2: Reserved
If you expect to have an EC2 Instance on much or even all of the time, you can pre-pay for a Reserved Instance to obtain a lower per-hour rate. Reserved Instances are available in different types for Light, Medium, and Heavy Utilization use cases, with different pricing models for each. This example uses a Heavy Utilization pricing model suitable for an Instance that would be on all of the time.
Reserved price for a Linux - Medium - Heavy Utilization:
$338 upfront + $0.028 per Hour @ 8760 hours = $583.28/year
The virtual scanner appliance has a ~25GB virtual disk attached to it.
Per-GB-month of provisioned storage:
$0.10 per-GB-month for 25GB @ 12 months = $30/year
Per 1 million I/O requests:
$0.10 per million @ [indeterminate quantity] = variable, but negligible
Data Transfer IN/OUT
Consider the following types of data transfer which can occur:
- Management traffic (Internet)
- OUT from appliance to QualysGuard Cloud Platform (compressed scan results)
- IN from QualysGuard Cloud Platform to appliance (signature and software updates, scan job profiles)
- Scanning traffic (local)
- OUT queries from appliance to scanning targets
- IN responses from targets to appliance
Considering these facts:
- Data transfer IN from the Internet is priced at $0.00 per GB
- Data transfer OUT to the Internet is priced variably, but no more than $0.12 per GB in any case.
- Internal data transfer charges on EC2 within the same Availability Zone are priced at $0.00 per GB
- Internal data transfer charges across Availability Zones are priced at $0.01 per GB
Given all of this, total costs for data transfer charges are variable, but neglible.
- Choosing The Correct Scanner AMI (Amazon Machine Image
- How to configure a virtual scanner using Amazon EC2/VPC
- AWS Acceptable Use Guidance For Scanning
2013-10-11 - Minor semantic corrections
2013-10-10 - Updated with more detail
2013-10-10 - Created