The Line Item Nobody Reads Until It Is 40% of the Bill
Here is something that surprises most engineering teams: data transfer is the third largest line item on the average AWS bill, behind compute and storage. For distributed architectures (microservices, multi-AZ, multi-region), it can climb to 30-40% of total spend.
The reason it sneaks up on you: data transfer does not appear in your architecture diagrams. You draw boxes for EC2 instances, RDS databases, and S3 buckets. You estimate CPU and disk. But the arrows between those boxes? Nobody prices those. Until the bill arrives.
A single Kubernetes cluster spread across 3 Availability Zones with 50 services talking to each other can generate 5-10TB of inter-AZ traffic per month. At $0.02/GB round-trip, that is $100-200/month in pure network costs before a single byte leaves AWS. Add NAT Gateway for outbound internet access and cross-region replication for disaster recovery, and data transfer easily crosses $1,000/month for a mid-size deployment.
We see this constantly at LeanOps. A client comes in asking about EC2 rightsizing, and we find that 25% of their bill is data transfer they did not know they were paying for. This post maps out every AWS data transfer charge in 2026, shows you where the money actually goes, and gives you the specific architectural changes that cut network costs by 40-70%.
AWS Data Transfer Pricing: Complete 2026 Rate Card
Internet Egress (Data Transfer OUT to Internet)
This is what most people think of when they say "AWS egress." Any data that leaves AWS to the public internet.
| Monthly Volume | Rate per GB | Cost per TB |
|---|---|---|
| First 100 GB | Free | Free |
| 100 GB - 10 TB | $0.09 | $92.16 |
| 10 TB - 50 TB | $0.085 | $87.04 |
| 50 TB - 150 TB | $0.07 | $71.68 |
| 150 TB - 500 TB | $0.05 | $51.20 |
| 500 TB+ | Contact AWS | Negotiable |
Key details:
- The 100GB free tier is per account, per month, across all services
- Rates are the same for EC2, S3, RDS, Lambda, and all other services
- Pricing above is for US East (N. Virginia). Some regions are 10-20% more expensive
- South America (Sao Paulo) is the most expensive region at $0.15/GB
Data Transfer IN (Internet to AWS)
| Direction | Rate |
|---|---|
| All data transfer IN | Free |
| S3 Transfer Acceleration IN | $0.04/GB (optional acceleration premium) |
Data into AWS is always free. This is intentional. AWS wants your data inside their network. Getting it out is where they charge.
Inter-Region Data Transfer
| Direction | Rate per GB | Notes |
|---|---|---|
| US East to US West | $0.02 | Same continent |
| US to Europe | $0.02 | Cross-continent |
| US to Asia Pacific | $0.09 | Premium rate |
| Europe to Asia Pacific | $0.09 | Premium rate |
| Any region to same region | $0 | Same-region is free (within same AZ) |
Real cost example: Replicating a 5TB RDS database from us-east-1 to eu-west-1 for disaster recovery costs $100/month in ongoing replication traffic. If you replicate both directions (active-active), that doubles to $200/month in network fees alone.
Inter-AZ Data Transfer (Same Region)
| Direction | Rate per GB | Notes |
|---|---|---|
| EC2 to EC2 (different AZ) | $0.01 each direction | $0.02 round-trip |
| EC2 to RDS (different AZ) | $0.01 each direction | Multi-AZ RDS included |
| EC2 to ElastiCache (different AZ) | $0.01 each direction | Cluster mode |
| Same AZ | Free | Always free within AZ |
This is the silent killer. $0.01/GB seems negligible. But consider:
- An EKS cluster with 50 pods across 3 AZs, each making 1,000 requests/second to other pods
- Average request + response size: 10KB
- Monthly inter-AZ traffic: 50 pods x 1,000 req/s x 10KB x 86,400s x 30 days x 0.67 (probability of cross-AZ) = ~8.6 TB
- Cost: 8.6 TB x $0.02/GB (round-trip) = $172/month
For a "free" Kubernetes networking feature, $172/month adds up fast across multiple clusters.
NAT Gateway Pricing
| Component | Rate | Monthly (24/7) |
|---|---|---|
| Hourly charge | $0.045/hour | $32.40/month |
| Data processed | $0.045/GB | Varies |
| Data processed (same AZ) | $0.045/GB | Same rate regardless |
NAT Gateway total cost formula:
Total = $32.40/month + ($0.045 x GB processed)
| Monthly Traffic | NAT Gateway Cost | Just Egress Would Cost |
|---|---|---|
| 100 GB | $37 | $9 |
| 500 GB | $55 | $45 |
| 1 TB | $78 | $92 |
| 5 TB | $257 | $450 |
| 10 TB | $482 | $900 |
At low volume, NAT Gateway's fixed hourly cost dominates. At high volume, its per-GB rate ($0.045) stacks on top of the internet egress rate ($0.09), making total outbound cost $0.135/GB. That is 50% more than egress alone.
VPC Endpoint Pricing
| Endpoint Type | Hourly Cost | Per-GB Cost | Services |
|---|---|---|---|
| Gateway Endpoint | Free | Free | S3, DynamoDB only |
| Interface Endpoint | $0.01/hour ($7.20/month) | $0.01/GB | SQS, SNS, KMS, ECR, CloudWatch, etc. |
This is free money. Gateway endpoints for S3 and DynamoDB cost absolutely nothing. If your EC2 instances or Lambda functions access S3 through a NAT Gateway, you are paying $0.045/GB for something that should cost $0.
For Interface Endpoints (other services), the math:
- NAT Gateway: $0.045/GB processed
- Interface Endpoint: $0.01/GB processed
- Savings: 78% per GB
At 1TB/month of SQS/SNS/KMS traffic, that is $35/month saved per endpoint.
CloudFront (CDN) Data Transfer
| Volume | CloudFront to Internet | Origin Fetch (CloudFront to S3/EC2) |
|---|---|---|
| First 10 TB | $0.085/GB | Free (from S3) |
| 10-50 TB | $0.080/GB | Free (from S3) |
| 50-150 TB | $0.060/GB | Free (from S3) |
| 150-500 TB | $0.040/GB | Free (from S3) |
CloudFront egress is cheaper than direct EC2/S3 egress at every tier:
- At 10TB: CloudFront saves $0.005/GB = $50/month
- At 50TB: CloudFront saves $0.01/GB = $500/month
- At 150TB: CloudFront saves $0.03/GB = $4,500/month
Plus, CloudFront caches content. If your cache hit ratio is 80%, you only fetch 20% from origin. That means 80% of your bytes cost only the CloudFront egress rate, not the origin transfer.
S3-Specific Transfer Costs
| Transfer Type | Cost |
|---|---|
| S3 to Internet | Standard egress rates above |
| S3 to CloudFront | Free |
| S3 to EC2 (same region) | Free |
| S3 to EC2 (different region) | $0.02/GB |
| S3 Transfer Acceleration | +$0.04/GB (on top of egress) |
| S3 Cross-Region Replication | $0.02/GB (inter-region rate) |
| S3 Same-Region Replication | $0.015/GB |
Real-World Cost Modeling: Where Data Transfer Money Actually Goes
Scenario 1: Typical SaaS Backend (Medium)
A 3-AZ EKS cluster with 30 microservices, PostgreSQL RDS (Multi-AZ), ElastiCache cluster, S3 for assets, and moderate internet traffic.
| Transfer Type | Monthly Volume | Rate | Monthly Cost |
|---|---|---|---|
| Internet egress (API responses) | 2 TB | $0.09/GB | $184 |
| Inter-AZ (pod-to-pod) | 5 TB | $0.02/GB (round-trip) | $100 |
| Inter-AZ (app-to-RDS) | 1 TB | $0.02/GB | $20 |
| Inter-AZ (app-to-ElastiCache) | 2 TB | $0.02/GB | $40 |
| NAT Gateway (outbound API calls) | 500 GB | $0.045/GB + hourly | $55 |
| S3 to EC2 (same region) | 3 TB | Free | $0 |
| Total | | | $399/month |
Almost $400/month in pure network costs. The inter-AZ traffic alone is $160/month across three line items. Most teams have no idea they are paying this.
Scenario 2: Content-Heavy Platform (Media/CDN)
A video streaming or media platform serving 50TB/month of content globally, with origin in us-east-1.
| Transfer Type | Monthly Volume | Rate | Monthly Cost |
|---|---|---|---|
| CloudFront egress (cached) | 40 TB (80% cache hit) | $0.080/GB avg | $3,200 |
| CloudFront origin fetch | 10 TB | Free (S3 to CF) | $0 |
| S3 cross-region replication (DR) | 5 TB | $0.02/GB | $100 |
| API egress (non-CDN) | 1 TB | $0.09/GB | $92 |
| NAT Gateway (webhooks, APIs) | 200 GB | $0.045/GB + hourly | $41 |
| Total | | | ~$3,433/month |
Without CloudFront, serving 50TB directly from S3 would cost: 50TB x $0.085/GB = $4,250/month. CloudFront saves roughly $800/month AND improves latency.
Scenario 3: Multi-Region Disaster Recovery
An enterprise application with active-passive DR across two regions (us-east-1 primary, eu-west-1 secondary).
| Transfer Type | Monthly Volume | Rate | Monthly Cost |
|---|---|---|---|
| RDS cross-region replication | 2 TB | $0.02/GB | $40 |
| S3 cross-region replication | 10 TB | $0.02/GB | $200 |
| DynamoDB Global Tables | 500 GB | $0.02/GB | $10 |
| ElastiCache Global Datastore | 1 TB | $0.02/GB | $20 |
| Internet egress (primary region) | 5 TB | $0.09/GB | $450 |
| Inter-AZ (primary cluster) | 3 TB | $0.02/GB | $60 |
| NAT Gateway (primary) | 1 TB | $0.045/GB + hourly | $78 |
| Total | | | ~$858/month |
Cross-region replication alone is $270/month. That is the cost of disaster recovery in data transfer. The question is whether your RPO/RTO requirements justify replicating everything or just critical data.
AWS Data Transfer Cost Optimization: 8 Strategies That Work
1. Deploy VPC Gateway Endpoints for S3 and DynamoDB (Free)
If your workloads access S3 or DynamoDB and traffic routes through a NAT Gateway, you are paying $0.045/GB for what should cost $0.
Savings at 5TB/month S3 traffic: $225/month (eliminates NAT processing for S3)
Implementation: one CloudFormation resource, zero application changes.
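```yaml
Resources:
  S3GatewayEndpoint:                 # logical ID is illustrative
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway       # the default type, stated explicitly
      VpcId: !Ref VPC
      ServiceName: com.amazonaws.us-east-1.s3
      RouteTableIds:                 # route tables of the private subnets
        - !Ref PrivateRouteTable
```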
2. Use Interface Endpoints for High-Volume AWS Services
For services like ECR, SQS, SNS, KMS, and CloudWatch Logs, Interface Endpoints cost $0.01/GB vs NAT Gateway's $0.045/GB.
Break-even: An Interface Endpoint costs $7.20/month in hourly charges. At $0.035/GB savings, you break even at 206 GB/month. Anything above that is pure savings.
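One way to find which NAT Gateway traffic clears that break-even, as an added example that is not from the original post: attribute VPC flow-log bytes on the NAT Gateway's network interface to destination services, then apply the rates quoted on this page. The flow-log records, the prefix-to-service map, the `eni-nat0` interface ID and the VPC CIDR are all constructed, and the default (version 2) flow-log field order is assumed.

```python
import ipaddress
from collections import defaultdict

NAT_PER_GB, ENDPOINT_PER_GB, ENDPOINT_FIXED = 0.045, 0.01, 7.20  # rates from this page
GATEWAY_SERVICES = {"S3", "DYNAMODB"}      # gateway endpoints are free
VPC = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC CIDR
# Constructed prefix map (documentation ranges). In practice, build it from
# the ip-ranges.json file that AWS publishes.
NETS = [(ipaddress.ip_network(p), s) for p, s in {
    "198.51.100.0/24": "S3", "203.0.113.0/25": "SQS", "203.0.113.128/25": "ECR"}.items()]
# Constructed records: version account eni src dst sport dport proto packets
# bytes start end action status. Byte counts stand in for a month of traffic.
R = "2 111122223333 {} {} {} 40000 443 6 900 {} 1 2 {} OK"
SAMPLE = [
    R.format("eni-nat0", "10.0.0.10", "198.51.100.10", 5 * 10**12, "ACCEPT"),   # S3
    R.format("eni-nat0", "10.0.0.10", "203.0.113.20", 100 * 10**9, "ACCEPT"),   # SQS
    R.format("eni-nat0", "10.0.0.10", "203.0.113.200", 15 * 10**11, "ACCEPT"),  # ECR
    R.format("eni-nat0", "10.0.1.5", "10.0.0.10", 15 * 10**11, "ACCEPT"),       # instance-to-NAT leg
    R.format("eni-nat0", "192.0.2.7", "10.0.0.10", 200 * 10**9, "ACCEPT"),      # third-party reply
    R.format("eni-app1", "10.0.1.5", "198.51.100.10", 10**12, "ACCEPT"),        # not the NAT ENI
    R.format("eni-nat0", "10.0.0.10", "203.0.113.20", 10**12, "REJECT"),        # dropped flow
]

def service_for(addr):
    ip = ipaddress.ip_address(addr)
    return next((svc for net, svc in NETS if ip in net), "INTERNET")

def bytes_by_service(lines, nat_eni):
    """Sum accepted bytes on the NAT ENI, keyed by the service at the remote end."""
    totals = defaultdict(int)
    for line in lines:
        f = line.split()
        if len(f) != 14 or f[2] != nat_eni or f[12] != "ACCEPT":
            continue
        remote = [a for a in (f[3], f[4]) if ipaddress.ip_address(a) not in VPC]
        if len(remote) == 1:   # both ends inside the VPC: leg already counted
            totals[service_for(remote[0])] += int(f[9])
    return dict(totals)

def recommend(totals):
    """Per service: (endpoint type, monthly saving in $, worth deploying?)."""
    out = {}
    for svc, nbytes in totals.items():
        if svc == "INTERNET":  # genuine third-party traffic stays on NAT
            continue
        gb = nbytes / 1e9
        kind = "gateway" if svc in GATEWAY_SERVICES else "interface"
        saving = gb * NAT_PER_GB if kind == "gateway" else (
            gb * (NAT_PER_GB - ENDPOINT_PER_GB) - ENDPOINT_FIXED)
        out[svc] = (kind, round(saving, 2), saving > 0)
    return out
```

On the constructed sample, the 100 GB of SQS traffic sits below the 206 GB break-even and comes out as a net loss, while S3 and ECR both come out as savings.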
3. Consolidate to Fewer AZs Where Possible
Not every workload needs 3-AZ redundancy. Development environments, batch processing, and non-critical services can run in a single AZ.
The trade-off is real: single-AZ means an AZ failure takes down that workload. For production, keep multi-AZ. For dev/staging/batch, single-AZ saves 100% of inter-AZ costs.
4. Enable Topology-Aware Routing in Kubernetes
EKS supports topology-aware routing that preferentially sends traffic to pods in the same AZ. Instead of random load balancing across AZs (default), traffic stays local when possible.
```yaml
# Fragment: add this annotation to an existing Service manifest
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.kubernetes.io/topology-mode: Auto
```
This typically reduces inter-AZ traffic by 60-80% in multi-AZ clusters without sacrificing availability.
5. Put CloudFront in Front of Everything Internet-Facing
Even if your content is not cacheable (dynamic APIs), CloudFront egress is cheaper than direct EC2 egress:
- EC2: $0.09/GB
- CloudFront: $0.085/GB
For 10TB/month of API traffic, that is $50/month saved just by routing through CloudFront. If even 10% of responses are cacheable (health checks, static configs, repeated queries), the savings multiply.
6. Audit Cross-Region Replication
Many teams enable cross-region replication during initial setup and never revisit it. Common waste patterns:
- Replicating non-critical S3 buckets (logs, temp data) to DR region
- Global Tables on DynamoDB tables that only serve one region
- ElastiCache Global Datastore for caches that can be rebuilt in minutes
Ask for each replicated resource: "If this region fails, do we need this data available in under X minutes?" If the answer is "we can rebuild it," stop replicating it.
7. Use S3 Transfer Acceleration Only When Needed
Transfer Acceleration adds $0.04/GB on top of standard egress. It is worth it for:
- Large file uploads from distant regions (speeds up upload by 50-500%)
- Real-time data ingestion from global sources
It is NOT worth it for:
- Transfers within the same continent (minimal speed improvement)
- Small files (overhead negates benefit)
- Any workload where latency is not critical
8. Negotiate Private Pricing at 50TB+
AWS offers private pricing for data transfer at scale. If you transfer 50TB+/month consistently:
- Standard: $0.07/GB (50-150TB tier)
- Negotiated: $0.04-0.05/GB (typical enterprise discount)
- Savings at 100TB/month: $2,000-3,000/month
Engage your AWS account team. Data transfer is one of the most negotiable line items.
AWS vs GCP vs Azure: Data Transfer Cost Comparison
| Transfer Type | AWS | Google Cloud | Azure | Cloudflare R2 |
|---|---|---|---|---|
| Internet egress (first 10TB) | $0.09/GB | $0.12/GB | $0.087/GB | Free |
| Internet egress (50-150TB) | $0.07/GB | $0.08/GB | $0.05/GB | Free |
| Inter-AZ | $0.01/GB each way | Free (within zone group) | Free (within region) | N/A |
| Inter-region (same continent) | $0.02/GB | $0.01/GB | $0.02/GB | N/A |
| NAT Gateway equivalent | $0.045/GB + $0.045/hr | $0.045/GB + $0.044/hr | $0.045/GB + $32/mo | N/A |
| CDN egress (first 10TB) | $0.085/GB | $0.08/GB | $0.081/GB | Free |
Key takeaways:
- GCP charges more for basic egress ($0.12 vs $0.09) but inter-AZ is free
- Azure and AWS are nearly identical for egress
- GCP inter-AZ being free is a massive advantage for distributed architectures (no Kubernetes cross-AZ penalty)
- At high volume (150TB+), Azure is cheapest among the big three
- Cloudflare R2 is free egress but limited to object storage use cases
For a detailed comparison of all three major clouds, see our AWS vs Azure vs GCP cost comparison.
The Hidden Costs Most Teams Miss
1. NAT Gateway as Default Route
The most common architecture mistake: putting all private subnet traffic through NAT Gateway. Every API call to AWS services (S3, SQS, DynamoDB, ECR image pulls) goes through NAT at $0.045/GB.
Fix: VPC endpoints for AWS services. Keep NAT only for genuine third-party internet traffic.
2. Multi-AZ RDS Read Replicas
A Multi-AZ RDS deployment with a read replica in a third AZ means:
- Primary to standby (synchronous): $0.01/GB each way
- Primary to read replica (asynchronous): $0.01/GB each way
- Application to read replica (cross-AZ): $0.01/GB each way
For a database doing 500GB/month of replication and 1TB/month of queries to the replica: $30/month in hidden network fees.
3. ECR Image Pulls Through NAT
Every time a Kubernetes pod starts, it pulls a container image from ECR. If ECR traffic routes through NAT Gateway:
- Average image size: 500MB
- 100 pod restarts/day x 500MB x 30 days = 1.5TB/month
- NAT cost: $67.50/month just for container image pulls
Fix: ECR Interface Endpoint ($7.20/month fixed) eliminates this entirely.
4. CloudWatch Logs Egress
CloudWatch Logs export and cross-account sharing count as data transfer. Teams shipping 1TB/month of logs to a central account or third-party tool (Datadog, Grafana) pay $90/month in transfer alone, on top of CloudWatch ingestion charges.
The Bottom Line
Data transfer is the AWS cost category with the highest savings potential per engineering hour invested. A senior engineer spending 4 hours setting up VPC endpoints and enabling topology-aware routing can save $200-500/month permanently. That is $2,400-6,000/year from a single afternoon of work.
The three highest-impact changes for most teams:
- VPC Gateway Endpoints for S3/DynamoDB (free, saves $0.045/GB)
- Topology-aware routing in EKS (config change, saves 60-80% inter-AZ)
- CloudFront for internet-facing traffic (cheaper egress + caching benefit)
If your AWS data transfer bill exceeds $500/month, our team at LeanOps typically finds 40-70% in savings through architecture changes and endpoint optimization. Get a free Cloud Waste Assessment and we will map exactly where your network dollars are going.