AWS Data Transfer Costs: The Hidden Bill You Didn't Plan For
Definition
Data transfer costs are the charges AWS applies whenever bytes move between specific points in its network: out to the internet, across Availability Zones, across Regions, through a NAT Gateway, over VPC peering, through Direct Connect, or through CloudFront edge locations. They are the single largest source of surprise bills in AWS — not because rates are high in isolation, but because the topology of where data flows is invisible until the invoice arrives. Understanding the data transfer map is the first thing any AWS architect or FinOps team needs to internalize.
The single most important rule: data transfer IN to AWS is free; data transfer OUT to the internet is metered and tiered; data transfer within AWS depends on exactly where the source and destination sit.
The Three Boundaries That Matter
Every byte that moves in AWS crosses one or more of these boundaries:
- AWS ↔ Internet — public-facing user traffic, API responses, file downloads.
- Region ↔ Region — multi-Region replication, cross-Region read replicas, Global Accelerator.
- AZ ↔ AZ within a Region — Multi-AZ databases, cross-AZ load balancing, replicated logs.
A fourth boundary — within a single AZ — is mostly free, with a few exceptions noted below.
Concrete Price Map (us-east-1, 2026)
| From → To | Price per GB | Notes |
| --- | --- | --- |
| Internet → AWS (any service, any Region) | Free | Inbound is always free |
| AWS → Internet (first 100 GB / month, all services aggregated) | Free | Tier shared across S3, EC2, RDS, etc. |
| AWS → Internet (next 10 TB) | $0.09 | Standard US/EU egress rate |
| AWS → Internet (next 40 TB) | $0.085 | Tier 2 |
| AWS → Internet (next 100 TB) | $0.07 | Tier 3 |
| AWS → Internet (over 150 TB) | $0.05 | Contact sales for >500 TB |
| AWS Region → AWS Region (e.g., us-east-1 → eu-west-1) | $0.02 | Both directions metered |
| AZ ↔ AZ within a Region (private IPs) | $0.01 each direction | $0.02 round-trip |
| Public IPv4 / Elastic IP within same Region | $0.01 each direction | Even within the same AZ |
| Within the same AZ (private IPs) | Free | Same-subnet or same-AZ private traffic |
| NAT Gateway processing | $0.045 per GB | Plus $0.045/hour per gateway |
| VPC Peering same Region (cross-AZ) | $0.01 each direction | Same as cross-AZ |
| VPC Peering cross-Region | $0.02 each direction | Plus normal inter-Region rates |
| AWS PrivateLink endpoint | $0.01 per GB | Plus hourly endpoint charge |
| AWS Transit Gateway data processing | $0.02 per GB | Per Transit Gateway attachment |
| CloudFront → Internet (US/EU, first 10 TB) | $0.085 | Cheaper than direct internet egress past Free Tier |
| CloudFront → Internet (next 40 TB US/EU) | $0.080 | Tier 2 |
| CloudFront → Origin (S3, EC2, ALB in same Region) | Free | Origin fetch is free for AWS origins |
| Direct Connect (data transfer out from AWS) | $0.02 | Plus port-hour fee |
| Public IPv4 address (in-use or idle) | $0.005/hour (~$3.60/month) | Since Feb 2024, applies to all public IPv4 |

Note: the numbers above are headline rates, and the rate on your actual invoice may vary by Region (eu-* is generally the same as us-* for egress; ap-* and sa-east-1 are higher; gov-cloud is significantly higher). Always verify with the AWS Pricing Calculator.
The Five Hidden Cost Traps
1. NAT Gateway: $32/month minimum + $0.045 per GB
A single NAT Gateway costs $0.045/hour (~$32/month) just for existing, plus $0.045 per GB processed. For workloads with high outbound traffic (Lambda functions calling third-party APIs, ECS tasks pulling Docker images from Docker Hub, EC2 instances downloading OS updates), NAT Gateway processing alone can easily exceed $100/month.
Mitigations:
- Use VPC endpoints (Gateway endpoint for S3 and DynamoDB — both are free; Interface endpoints for other services — $0.01/hour + $0.01/GB but no NAT charges).
- Place workloads needing outbound internet access in public subnets with an Internet Gateway if appropriate.
- For Lambda calling AWS APIs, don't put Lambda in a VPC unless required — Lambdas outside VPC use AWS-managed networking that doesn't pay NAT.
- Pull container images from ECR (same Region) via VPC endpoint instead of Docker Hub.
2. Cross-AZ Traffic: $0.02 per GB Round Trip
Each AZ ↔ AZ transfer costs $0.01 in each direction. A Multi-AZ RDS database synchronously replicating writes pays for the cross-AZ replica traffic. An Application Load Balancer with cross-zone load balancing enabled pays for any traffic that crosses an AZ. ECS tasks in AZ A talking to RDS in AZ B pay both directions.
Mitigations:
- Use availability zone-aware service discovery so application-tier traffic stays in-AZ where possible.
- For high-throughput data pipelines, consider single-AZ deployment when DR requirements allow.
- Use Cluster Placement Groups for HPC workloads to keep traffic on the same physical fabric.
3. Internet Egress: $0.09/GB Past the Free Tier
The first 100 GB/month of internet egress is free across all AWS services. Beyond that, $0.09/GB for the next 10 TB adds up: 1 TB of user-facing API responses = ~$90/month per Region.
Mitigations:
- Serve user-facing assets through CloudFront — egress costs less ($0.085 vs $0.09/GB) and origin fetch from S3/ALB is free.
- Use S3 Transfer Acceleration sparingly — it's faster but charges extra.
- Compress responses (gzip, brotli) at the application layer.
- Cache aggressively in CloudFront, browser, and at the application tier.
4. Public IPv4 Address Tax
Since February 2024, AWS charges $0.005/hour per public IPv4 address — both in-use and idle. A single EC2 instance with a public IP costs ~$3.60/month just for the IP, on top of the instance cost. A NAT Gateway uses a public IP and is also subject to the charge.
Mitigations:
- Use IPv6 where possible — IPv6 addresses are free.
- Remove unused Elastic IPs — they cost $0.005/hour when unattached even without the public IPv4 tax.
- For internal services, use private subnets and put only the NAT behind the Internet Gateway, but watch the NAT Gateway cost too.
5. Region-Replication Traffic
Cross-Region replication for S3, RDS read replicas across Regions, DynamoDB Global Tables, and EC2 inter-Region traffic all pay $0.02 per GB. A petabyte of S3 replication is $20,000.
Mitigations:
- Replicate only what you need — use S3 replication filters by prefix or tag.
- Use S3 same-Region replication when DR isn't the goal (e.g., compliance separation in the same Region is much cheaper).
- Consider AWS Snowball or DataSync for bulk one-time transfers instead of continuous replication.
When AWS Data Transfer Is Actually Free
Keep this short list in mind — these are guaranteed free movements:
- Anything inbound from the internet to any AWS service.
- EC2 → S3 in the same Region (both with private IPs / VPC endpoint).
- S3 → CloudFront origin fetch (any Region).
- CloudWatch Logs ingestion (you pay per GB ingested, but not as "data transfer").
- VPC endpoint to S3 or DynamoDB Gateway endpoint (the endpoint itself is free; only Interface endpoints charge hourly + per GB).
- Within the same AZ using private IPs.
- First 100 GB/month outbound to internet across all services and Regions.
- Replication between Availability Zones inside Aurora and ElastiCache is included in the service price.
A Worked Example: API Backend with 1 TB/month Egress
Suppose you run an API on EC2 + ALB + RDS Multi-AZ + DynamoDB serving 1 TB/month of user-facing JSON responses.
| Cost Component | Estimate |
| --- | --- |
| Internet egress (1 TB - 100 GB free = 900 GB @ $0.09) | ~$81 |
| Cross-AZ ALB to EC2 (~30% cross-zone, ~300 GB × $0.02) | ~$6 |
| RDS Multi-AZ replication (~500 GB internal × $0.02) | ~$10 |
| Public IPv4 for ALB and NAT Gateway (3 IPs × $3.60) | ~$11 |
| NAT Gateway (1 GW × $32 + 50 GB outbound × $0.045) | ~$34 |
| Total data-transfer-related | ~$142/month |
Now add CloudFront in front of the ALB, cache 80% of responses:
| Cost Component | Estimate |
| --- | --- |
| CloudFront egress (1 TB - 100 GB = 900 GB @ $0.085) | ~$77 |
| Origin fetch ALB ← CloudFront (200 GB) | Free |
| Reduced cross-AZ on cache-miss traffic | ~$1 |
| Same RDS, NAT, IPv4 costs | ~$55 |
| Total with CloudFront | ~$133/month |
The savings look small here but scale linearly with traffic, and the latency benefit is significant.
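The worked example above as a small estimator, generalized to the tiered egress rates in the price map. This is an added example, not AWS tooling; the function names are hypothetical, tier sizes are treated as decimal GB as in the tables above, and every rate is copied from this page.

```python
# Added example. Rates are copied from this page's us-east-1 tables; verify before use.
FREE_GB = 100  # free internet egress per month, as applied in the worked example
# (tier size in GB, $/GB); sizes are decimal (1 TB = 1000 GB) like the example above.
DIRECT_TIERS = [(10_000, 0.09), (40_000, 0.085), (100_000, 0.07), (float("inf"), 0.05)]
CLOUDFRONT_TIERS = [(10_000, 0.085), (40_000, 0.080)]  # only tiers the page lists


def tiered_cost(gb, tiers, free_gb=FREE_GB):
    """Marginal pricing: each rate applies only to the GB that fall inside its tier."""
    remaining = max(gb - free_gb, 0)
    cost = 0.0
    for size_gb, rate in tiers:
        used = min(remaining, size_gb)
        cost += used * rate
        remaining -= used
        if remaining <= 0:
            return cost
    raise ValueError("volume exceeds the tiers listed on this page")


def monthly_estimate(egress_gb, cache_hit=None, cross_az_share=0.30,
                     rds_repl_gb=500, public_ips=3, nat_gb=50):
    """Data-transfer bill for the API backend; cache_hit=None means no CloudFront."""
    if cache_hit is None:
        egress, alb_gb = tiered_cost(egress_gb, DIRECT_TIERS), egress_gb
    else:
        # Only cache misses reach the ALB; the origin fetch itself is free.
        egress = tiered_cost(egress_gb, CLOUDFRONT_TIERS)
        alb_gb = egress_gb * (1 - cache_hit)
    parts = {
        "egress": egress,
        "cross_az": alb_gb * cross_az_share * 0.02,
        "rds_multi_az": rds_repl_gb * 0.02,
        "public_ipv4": public_ips * 3.60,
        "nat_gateway": 32 + nat_gb * 0.045,
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    for label, hit in (("direct", None), ("cloudfront 80% hit", 0.8)):
        for gb in (1_000, 10_000, 40_000):
            est = monthly_estimate(gb, cache_hit=hit)
            print(f"{label:20s} {gb:>6} GB  total ${est['total']:,.2f}")
```

The fixed components (RDS replication, public IPv4, NAT) do not change with CloudFront, so the gap between the two totals comes only from the egress rate and the cross-AZ traffic avoided on cache hits.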
How to Measure Your Own Data Transfer Cost
- Cost Explorer → filter by Usage Type group: Data Transfer to see all data-transfer charges by service.
- VPC Flow Logs → analyze which subnets and which services drive cross-AZ and NAT-Gateway traffic.
- AWS Cost and Usage Report (CUR) → granular per-line-item analysis in Athena or QuickSight.
- AWS Compute Optimizer and Trusted Advisor identify idle Elastic IPs and underused NAT Gateways.
For any AWS account spending over $1,000/month, expect data transfer to be 10–30% of the bill. Anything higher means you have an optimization opportunity.
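One way to do the VPC Flow Logs analysis from the list above, as an added example that is not AWS-provided code. It assumes a custom log format with the fields `interface-id srcaddr dstaddr bytes flow-direction` in that order; the subnet-to-AZ map, ENI IDs and log records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed inventory; in practice from describe-subnets / describe-nat-gateways.
SUBNET_AZ = {"10.0.0.0/24": "use1-az1", "10.0.1.0/24": "use1-az1", "10.0.2.0/24": "use1-az2"}
NAT_ENIS = {"eni-0nat000000000001"}
RATE = {"cross_az": 0.02, "nat_processed": 0.045}  # $/GB, from this page's price map

# Constructed records; assumed custom format:
# interface-id srcaddr dstaddr bytes flow-direction
SAMPLE = """\
eni-0app000000000001 10.0.1.5 10.0.2.9 4000000000 egress
eni-0db0000000000001 10.0.1.5 10.0.2.9 4000000000 ingress
eni-0app000000000001 10.0.1.5 10.0.1.7 9000000000 egress
eni-0nat000000000001 10.0.1.5 10.0.0.220 2000000000 ingress
eni-0nat000000000001 10.0.0.220 203.0.113.5 2000000000 egress
eni-0app000000000001 10.0.1.5 198.51.100.8 500000000 egress
eni-0app000000000001 - - - -
"""

NETS = [(ipaddress.ip_network(c), az) for c, az in SUBNET_AZ.items()]


def az_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((az for net, az in NETS if ip in net), None)


def classify(eni, src, dst, direction):
    a, b = az_of(src), az_of(dst)
    if eni in NAT_ENIS:
        # Count only the VPC-facing leg so each processed byte is counted once.
        return "nat_processed" if a and b else None
    if direction != "egress":
        return None  # the receiving ENI logs the same flow a second time
    if a and b:
        return "cross_az" if a != b else "same_az"
    return "leaves_vpc"


def summarize(text):
    gb = Counter()
    for line in text.splitlines():
        eni, src, dst, nbytes, direction = line.split()
        if not nbytes.isdigit():
            continue  # NODATA / SKIPDATA records carry "-" in these fields
        kind = classify(eni, src, dst, direction)
        if kind:
            gb[kind] += int(nbytes) / 1e9
    return dict(gb), {k: round(gb[k] * r, 2) for k, r in RATE.items()}
```

`summarize(SAMPLE)` returns GB per traffic class and the estimated charge for the two metered classes; the same flow seen on two ENIs, and both legs of a NAT flow, are counted once.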
Comparison with Other Clouds
| Cloud | Internet egress (1st tier) | Cross-AZ | Cross-Region |
| --- | --- | --- | --- |
| AWS | $0.09/GB | $0.01 each direction | $0.02 |
| Azure | $0.087/GB | Free within VNet, $0.01/GB inter-VNet | $0.02 |
| Google Cloud | $0.12/GB | Free within zone, $0.01/GB inter-zone | $0.01–$0.05 |
AWS is generally on par with Azure and cheaper than GCP for internet egress; AWS cross-AZ pricing is slightly steeper than Azure's free intra-VNet model. Egress price wars accelerated in 2024 after EU regulators pressured cloud providers — small price changes are possible.
Exam Relevance
- Cloud Practitioner (CLF-C02) — know that data IN is free, data OUT is charged, and that the AWS Free Tier includes 100 GB/month outbound across all services.
- Solutions Architect Associate (SAA-C03) — cost-optimization questions frequently test data transfer optimization patterns: VPC endpoints for S3/DynamoDB, CloudFront for high egress, Single-AZ for high cross-AZ workloads, PrivateLink for SaaS connectivity.
- SysOps Administrator (SOA-C02) — Cost Explorer and Cost and Usage Report analysis.
- Solutions Architect Professional (SAP-C02) — multi-Region architecture cost trade-offs, hybrid (Direct Connect vs Site-to-Site VPN) cost differences.
Classic exam trap: "A workload pulls 5 TB of data from S3 each day to EC2 in the same Region" → answer mentions VPC Gateway endpoint for S3 (free), not direct internet access. Or: "Reduce data transfer cost from an EC2 fleet serving global users" → CloudFront, not Global Accelerator (GA is for latency, not egress price).
Frequently Asked Questions
Q: Is data transfer between EC2 and S3 in the same Region free?
A: Yes, if both resources are in the same Region and EC2 accesses S3 through a VPC Gateway endpoint (free) or through the public S3 endpoint over the AWS backbone. The traffic stays within the AWS network and incurs no data transfer charge. The Gateway endpoint itself is free. The only catch: if your EC2 is in a private subnet without a Gateway endpoint and reaches S3 through a NAT Gateway, you pay NAT processing ($0.045/GB) — so always add the S3 Gateway endpoint.
Q: Why is my NAT Gateway bill so high?
A: NAT Gateway charges two ways: $0.045/hour just for the gateway to exist (~$32/month) and $0.045 per GB processed. For workloads with high outbound volume — Lambda calling external APIs, ECS pulling Docker images from Docker Hub, EC2 fetching OS updates — the per-GB charge dominates quickly. Reduce it by using VPC Interface Endpoints for AWS services, pulling container images from ECR via the VPC endpoint, and routing public-bound traffic through an Internet Gateway where security allows.
Q: Does CloudFront actually save money on data transfer?
A: Often, yes. CloudFront egress to the internet is $0.085/GB (US/EU, first 10 TB) vs $0.09/GB direct from EC2 or S3 — a small per-GB saving. The bigger win is free origin fetch: CloudFront doesn't charge to pull from S3 or an ALB in the same account. Combined with the 1 TB/month CloudFront free tier, putting CloudFront in front of a public application typically reduces total egress cost by 10–20% before considering cache hit rate benefits.
This article reflects AWS features and pricing as of 2026 (us-east-1 unless noted). AWS data transfer pricing changes occasionally — always verify against the official AWS pricing pages before making production decisions.