AWS Networking Costs · Billing Explainer
AWS Data Transfer Costs Explained - and How to Cut Them
Data transfer is the most confusing line item on any AWS bill. It's hidden across multiple services, hard to attribute, and easy to accidentally double (cross-AZ + NAT Gateway). Here's a complete breakdown.
AWS Data Transfer Pricing Breakdown
Each transfer type has different pricing and a different optimization strategy.
Intra-AZ (same AZ)
Free
Example: EC2 to EC2 in the same AZ, EC2 to RDS replica in the same AZ
How to reduce: No action needed. Ensure replicas and related services are in the same AZ.
Cross-AZ (same region)
$0.01/GB each direction
Example: EC2 in us-east-1a talking to RDS in us-east-1b
How to reduce: Consolidate services into the same AZ where possible. Review cross-AZ RDS replica placement.
Cross-region
$0.02–0.09/GB depending on regions
Example: S3 cross-region replication, cross-region API calls, RDS read replicas in another region
How to reduce: Audit Cost & Usage Report for cross-region line items. Reduce unnecessary cross-region replication.
Internet egress (to public internet)
$0.085–0.09/GB (first 10TB/month)
Example: EC2/ECS serving API responses, CloudFront origin fetch, S3 direct downloads
How to reduce: Use CloudFront for public content. Cache aggressively to reduce origin fetches.
NAT Gateway data processing
$0.045/GB
Example: Private EC2 instances accessing S3, ECR, CloudWatch, or the internet through a NAT Gateway
How to reduce: Use Gateway VPC Endpoints for S3/DynamoDB (free). Use Interface Endpoints for ECR/CloudWatch.
AWS PrivateLink (Interface Endpoints)
$0.01/GB processed + $7.30/AZ/month
Example: Private access to ECR, Secrets Manager, SSM, CloudWatch Logs
How to reduce: Compare against NAT Gateway cost for the same traffic. Usually breaks even at ~160GB/month.
Top 3 Causes of Unexpected Data Transfer Charges
NAT Gateway processing S3/DynamoDB traffic
Your private EC2 instances or ECS tasks access S3 (for assets, logs, model files) and DynamoDB through NAT Gateway - at $0.045/GB. A Gateway VPC Endpoint routes this for free. Most teams don't know this exists.
Cross-AZ RDS replicas and data access
If your application runs in us-east-1a but queries an RDS read replica in us-east-1b, you pay $0.01/GB each way - plus any NAT Gateway charges on top. With high-read applications, this compounds quickly.
CloudFront misconfiguration (origin fetch)
CloudFront is excellent for reducing egress costs - but only if cache hit rates are high. Misconfigured cache behavior (query string variations, unset TTLs, aggressive cache invalidation) forces constant origin fetches at full egress rates.
How to Diagnose Your Data Transfer Charges
The AWS Cost & Usage Report (CUR) is the only way to get granular enough data to understand what's driving transfer costs.
Enable Cost & Usage Report
CUR exports to S3. Set up Athena to query it. This gives you resource-level, usage-type-level data - far more granular than Cost Explorer.
Filter by DataTransfer usage types
Query CUR for line items where `line_item_usage_type LIKE '%DataTransfer%' OR line_item_usage_type LIKE '%Bytes%'`. Group by `product_region`, `line_item_resource_id`.
Enable VPC Flow Logs
Flow logs show which sources and destinations are generating traffic. Correlate with the CUR to identify which resources are responsible for high cross-AZ or NAT transfer.
Apply targeted fixes
Use the findings to implement Gateway/Interface Endpoints, adjust AZ placement, or tune CloudFront caching.
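The flow-log correlation step above, as an added example that is not part of the original page: it reads records in the default VPC Flow Logs format and totals accepted bytes per source/destination pair, tagging traffic that crosses AZs and traffic sent to the NAT Gateway. The subnet-to-AZ map, the NAT Gateway IP and the log lines are constructed assumptions, and it assumes each flow is logged on one interface only (records from both ends of a flow would be counted twice).

```python
import ipaddress
from collections import defaultdict

# Constructed values (assumptions, not from the page): subnet-to-AZ map and
# the private IP of the NAT Gateway's network interface.
SUBNET_AZ = {"10.0.1.0/24": "us-east-1a", "10.0.2.0/24": "us-east-1b"}
NAT_GATEWAY_IPS = {"10.0.1.5"}
NETS = [(ipaddress.ip_network(cidr), az) for cidr, az in SUBNET_AZ.items()]

# Constructed records in the default flow log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1 10.0.1.20 10.0.2.30 44321 5432 6 900 1200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.20 10.0.1.40 44322 6379 6 500 300000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a2 10.0.2.50 10.0.1.5 51000 443 6 4000 5000000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.20 10.0.2.30 44323 5432 6 100 800000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a3 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1 10.0.1.20 203.0.113.9 44324 443 6 10 4000 1700000000 1700000060 REJECT OK
"""

def az_of(ip):
    """AZ of a VPC address, or None when it is outside the mapped subnets."""
    addr = ipaddress.ip_address(ip)
    return next((az for net, az in NETS if addr in net), None)

def attribute_transfer(log_text):
    """Sum accepted bytes per (category, src, dst); a flow can be in both categories."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue  # skip NODATA/SKIPDATA records and rejected traffic
        src, dst, nbytes = f[3], f[4], int(f[9])
        src_az, dst_az = az_of(src), az_of(dst)
        if dst in NAT_GATEWAY_IPS:  # billed for NAT Gateway data processing
            totals[("nat", src, dst)] += nbytes
        if src_az and dst_az and src_az != dst_az:  # billed as cross-AZ transfer
            totals[("cross-az", src, dst)] += nbytes
    return dict(totals)

def top_talkers(log_text, n=5):
    """Largest (category, src, dst) totals first."""
    rows = attribute_transfer(log_text).items()
    return sorted(rows, key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for (category, src, dst), nbytes in top_talkers(SAMPLE_FLOW_LOGS):
        print(f"{category:9} {src:>12} -> {dst:<12} {nbytes / 1e9:.1f} GB")
```

In the sample, the instance at 10.0.2.50 appears under both `nat` and `cross-az` because it sits in a different AZ from the NAT Gateway, which is the doubled charge described at the top of the page.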