Aman Singh

AWS Data Transfer Costs: How to Cut Your Egress Bill Without Rebuilding Your Stack

For a workload moving 50 TB/month to the internet, AWS egress alone runs roughly $2,100/month at standard rates before you add cross-AZ traffic, NAT Gateway processing fees, and inter-region replication. At mid-to-large scale, data transfer regularly accounts for 10–20% of total AWS spend.

The reason it gets missed: AWS buries most of these charges inside "EC2-Other" in Cost Explorer rather than surfacing them as a dedicated line item. By the time teams notice, the meter has been running for months.

This guide covers every pricing dimension, where to find these charges in your bill, and how to reduce them without a full architecture rewrite.

How AWS Data Transfer Billing Actually Works

Three rules define the billing model:

  • Data in is always free. Ingress from the internet, on-premises, or another cloud carries no charge.
  • Data out is always charged. Any byte leaving AWS to the internet, to your data center, or to another Region carries a per-GB rate.
  • Internal traffic charges depend on topology. Same-AZ, private IP: free. Cross-AZ or cross-Region: metered, even between services you own.

The four boundaries that generate charges:

  • Internet egress: data leaving AWS to the public internet (largest category for most teams)
  • Cross-AZ traffic: $0.01/GB each direction within the same Region
  • Cross-Region traffic: ~$0.02/GB for US Region pairs, higher for APAC/South America
  • On-premises traffic: varies by whether you use the public internet, Direct Connect, or VPN

All rates are approximate. Verify at Amazon EC2 On-Demand Pricing; rates change.

Cross-AZ Traffic: The Line Item That Compounds Silently

Cross-AZ traffic is $0.01/GB each direction, so a round trip costs $0.02/GB. That sounds trivial. At production scale it is not.

A three-tier application running 10,000 requests/second with a 10 KB average payload, routing between an ALB in one AZ and EC2 instances in another, generates:

  • 10,000 req/sec × 10 KB = 100 MB/sec of cross-AZ traffic
  • 100 MB/sec × 3,600 sec × 730 hours/month = ~263 TB/month
  • 263 TB × $0.01/GB × 2 directions = ~$5,260/month in cross-AZ charges alone

The fix is AZ-affinity routing: ensure EC2 instances, RDS read replicas, and ElastiCache nodes are in the same AZ as the workloads consuming them. AWS now allows cross-zone load balancing to be disabled independently on ALBs and NLBs; for stateless workloads, disabling it is often the fastest single reduction with zero performance impact.

Service-by-Service Egress Breakdown

EC2: Tiered pricing, starting at $0.09/GB for the first 10 TB/month and dropping progressively at higher volumes. A common misconfiguration: using public or Elastic IP addresses for same-Region EC2-to-EC2 communication triggers $0.01/GB each direction even within the same AZ. Always use private IPs for intra-VPC traffic.

S3: Same tiered rates as EC2 for internet egress. S3 to EC2 in the same Region is free. S3 to CloudFront is free (the correct architecture for content served at scale). Transfer Acceleration adds $0.04–$0.08/GB on top of standard for long-distance uploads.

RDS: Internet egress follows the same tiered rates. Multi-AZ replication between primary and standby is free. Cross-Region read replica replication is not; these are different features with different billing treatment.

Lambda: Charges standard EC2 egress rates for internet-bound traffic. Same-Region calls over private endpoints are free.

ElastiCache: Redis clusters with cross-AZ replicas incur $0.01/GB on every write replication. Use same-AZ reader endpoints where read latency tolerates it.

NAT Gateway: The Surprise Multiplier

NAT Gateway charges $0.045/GB for every byte it processes, in addition to, not instead of, EC2 internet egress charges. An EC2 instance routing traffic through NAT Gateway pays:

$0.045/GB (NAT processing) + $0.09/GB (EC2 egress) = $0.135/GB total for the first 10 TB

For traffic accessing AWS services from private subnets (S3, DynamoDB, SSM, CloudWatch), replace NAT Gateway routing with VPC Gateway Endpoints. They are free, require only a route table update, and eliminate the NAT processing charge entirely.
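One way to check for this gap, as an added Python example that is not part of the original article: it flags route tables whose default route goes to a NAT Gateway but which have no gateway endpoint associated for S3 or DynamoDB, the two services that offer gateway endpoints. The input dictionaries are constructed samples shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` output; all resource IDs are placeholders.

```python
# Constructed sample data shaped like the output of
# `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example-a"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example-b"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]}
VPC_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-example-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-private-a"]},
]}

GATEWAY_SERVICES = ("s3", "dynamodb")  # services that offer gateway endpoints


def nat_routed_tables(route_tables):
    """Return IDs of route tables whose default route targets a NAT Gateway."""
    hits = []
    for rt in route_tables["RouteTables"]:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("NatGatewayId", "").startswith("nat-")
               for r in rt.get("Routes", [])):
            hits.append(rt["RouteTableId"])
    return hits


def missing_gateway_endpoints(route_tables, endpoints):
    """Map each NAT-routed table to the gateway-endpoint services it lacks."""
    covered = {}
    for ep in endpoints["VpcEndpoints"]:
        if ep.get("VpcEndpointType") != "Gateway":
            continue  # interface endpoints are not attached via route tables
        if ep.get("State", "").lower() != "available":
            continue
        service = ep["ServiceName"].rsplit(".", 1)[-1]
        for rtb in ep.get("RouteTableIds", []):
            covered.setdefault(rtb, set()).add(service)
    report = {}
    for rtb in nat_routed_tables(route_tables):
        gaps = [s for s in GATEWAY_SERVICES if s not in covered.get(rtb, set())]
        if gaps:
            report[rtb] = gaps
    return report
```

Each table in the report still sends traffic for the listed services through the NAT Gateway and pays the processing fee on it.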

If you want the full breakdown of egress reduction options ranked by ROI, it's covered in detail here: How to Reduce AWS Egress Costs

How to Find Data Transfer Costs in Your AWS Bill

AWS Cost Explorer buries most data transfer charges inside "EC2-Other." Here is the exact workflow to surface them:

  • Open Cost Explorer. Set date range to last 3 months, granularity to Monthly.
  • Group by Service. Identify the "EC2-Other" line item.
  • Filter to EC2-Other only. Change Group by to Usage Type.
  • Look for usage types containing DataTransfer, InterZone, Regional, or NatGateway.
  • For deeper analysis, use the AWS Cost and Usage Report (CUR): query line_item_usage_type via Athena to break down charges by resource ID.

The operation codes to know: DataTransfer-Out-Bytes (internet egress), InterZone-In/InterZone-Out (cross-AZ), DataTransfer-Regional-Bytes (cross-Region), NatGateway-Bytes.
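The per-resource breakdown described in the last step, reproduced offline as an added Python example (not code from the original article). It buckets rows by the four substrings listed above, checking both the usage type and the operation column, which is an assumption about where the keyword appears; the CSV rows, resource IDs and costs are constructed, and the column names follow the CUR Athena schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real billing data).
SAMPLE_CUR = """line_item_usage_type,line_item_operation,line_item_resource_id,line_item_usage_amount,line_item_unblended_cost
USE1-DataTransfer-Out-Bytes,RunInstances,i-example-web1,1200.0,108.00
USE1-DataTransfer-Out-Bytes,RunInstances,i-example-web2,300.0,27.00
USE1-DataTransfer-Regional-Bytes,InterZone-In,i-example-web1,5000.0,50.00
USE1-DataTransfer-Regional-Bytes,InterZone-Out,i-example-app1,5000.0,50.00
USE1-NatGateway-Bytes,NatGateway,nat-example-a,2000.0,90.00
USE1-BoxUsage:m5.large,RunInstances,i-example-web1,730.0,70.08
"""

# Most specific keyword first: "DataTransfer" also appears in other usage types.
KEYWORDS = ("NatGateway", "InterZone", "Regional", "DataTransfer")


def bucket_for(usage_type, operation):
    """Return the first page-listed keyword found in either column, else None."""
    haystack = f"{usage_type} {operation}"
    for keyword in KEYWORDS:
        if keyword in haystack:
            return keyword
    return None


def transfer_breakdown(cur_csv):
    """Total data transfer cost per keyword, with resources ranked by cost."""
    totals = defaultdict(float)
    by_resource = defaultdict(lambda: defaultdict(float))
    for row in csv.DictReader(io.StringIO(cur_csv)):
        bucket = bucket_for(row["line_item_usage_type"], row["line_item_operation"])
        if bucket is None:
            continue  # compute hours, storage, etc.
        cost = float(row["line_item_unblended_cost"])
        resource = row["line_item_resource_id"] or "(no resource id)"
        totals[bucket] += cost
        by_resource[bucket][resource] += cost
    return {
        b: {"total": round(totals[b], 2),
            "top": sorted(((r, round(c, 2)) for r, c in by_resource[b].items()),
                          key=lambda rc: -rc[1])}
        for b in sorted(totals, key=totals.get, reverse=True)
    }


if __name__ == "__main__":
    for bucket, info in transfer_breakdown(SAMPLE_CUR).items():
        print(bucket, info["total"], info["top"][:3])
```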

CloudFront vs Direct EC2/S3 Egress

CloudFront reduces internet egress in two ways: lower per-GB rate ($0.0085/GB from US/EU edge locations vs $0.09/GB from EC2), and origin-to-CloudFront transfer is free when the origin is an AWS service in the same Region.

For a media workload serving 100 TB/month:

  • EC2/S3 direct egress: 100 TB × $0.07/GB (50–150 TB tier) = $7,000/month
  • CloudFront egress: 100 TB × $0.0085/GB = $850/month

That is a $6,150/month reduction before factoring in CloudFront's cache hit rate reducing origin traffic.

CloudFront is not always the answer. For API traffic with low cacheability, high cache-miss rates eliminate the savings advantage. For workloads under 1 TB/month, the operational overhead may not justify the reduction.

Direct Connect vs Internet Egress: Break-Even Math

Direct Connect data transfer over a private virtual interface costs $0.02/GB for US Regions vs $0.09/GB for internet egress, a 78% reduction on the egress rate.

Break-even calculation:

  • 1 Gbps dedicated connection: ~$216/month (US port charge) + partner/colocation fees
  • Egress savings: $0.09 – $0.02 = $0.07/GB saved
  • Break-even volume: $216 ÷ $0.07 = ~3 TB/month

If your workload consistently moves more than 3–4 TB/month between your data center and AWS, Direct Connect typically pays for itself on egress savings alone before factoring in latency and reliability improvements. Verify at AWS Direct Connect pricing.

Architecture Decision Tree for Data Transfer Cost Reduction

Is your data transfer cost above $500/month?

If yes, identify the largest line item:

Internet Egress (DataTransfer-Out-Bytes):

  • Serving web content or assets? → Move to CloudFront. S3-to-CloudFront is free. CloudFront egress ~$0.0085/GB vs $0.09/GB.
  • Traffic going to on-premises? → Evaluate Direct Connect (break-even ~3–4 TB/month).
  • Neither? → Review application-level compression and caching.

Cross-AZ (InterZone-In / InterZone-Out):

  • ALB/NLB spreading traffic across AZs? → Disable cross-zone load balancing or implement AZ-affinity.
  • EC2 instances using public IPs for same-Region communication? → Switch to private IP addressing within VPC.

NAT Gateway (NatGateway-Bytes):

  • Traffic accessing AWS services (S3, DynamoDB, SSM)? → Replace with VPC Gateway Endpoints (free for S3 and DynamoDB).
  • Internet access from private subnets? → Consider NAT Instance for lower-volume workloads, or one NAT Gateway per AZ.

Cross-Region (DataTransfer-Regional-Bytes):

  • Replication traffic? → Evaluate whether workloads can colocate.
  • Serving global users? → Route through CloudFront edge instead of origin-to-user.

Worked Example: 3-Tier Web App at Scale

Setup: E-commerce platform, us-east-1, 3 AZs, 50,000 active users/day. ALB serving 100 GB/day, EC2 fleet across mixed AZs, RDS Multi-AZ, S3 for product images (500 GB/day), ElastiCache Redis cluster (3 nodes, 3 AZs).

Before optimization; estimated monthly data transfer bill:

  • ALB internet egress: 3 TB @ $0.09/GB → $270
  • S3 internet egress: 15 TB @ $0.085/GB → $1,275
  • Cross-AZ EC2-to-EC2: 5 TB @ $0.01/GB × 2 → $100
  • NAT Gateway (SSM/CloudWatch): 2 TB @ $0.045/GB → $90
  • ElastiCache cross-AZ replication: 1 TB @ $0.01/GB × 2 → $20
  • Total: ~$1,755/month

Changes applied:

  • S3 content moved behind CloudFront (S3-to-CloudFront free, CloudFront egress $0.0085/GB)
  • VPC Gateway Endpoint for S3 added (eliminates NAT Gateway on S3 API calls)
  • AZ-affinity enabled on ALB (reduces cross-AZ EC2 traffic by ~70%)
  • ElastiCache readers placed in same AZ as app servers

After optimization; estimated monthly data transfer bill:

  • ALB internet egress: 3 TB @ $0.09/GB → $270
  • CloudFront egress (replaces S3 direct): 15 TB @ $0.0085/GB → $127.50
  • Cross-AZ EC2-to-EC2 (reduced): 1.5 TB @ $0.01/GB × 2 → $30
  • NAT Gateway (reduced): 0.5 TB @ $0.045/GB → $22.50
  • ElastiCache cross-AZ (same-AZ placement): 0.2 TB @ $0.01/GB × 2 → $4
  • Total: ~$454/month

Estimated saving: ~$1,300/month (~74% reduction) from architecture changes alone. All rates are approximate; verify at aws.amazon.com/pricing.

Want to see your actual number? You can run a free AWS savings estimate in 60 seconds: Usage.ai Savings Calculator (https://www.usage.ai/blogs/aws/guides/usage-ai/savings-calculator-launch/)

Common Mistakes

Using public IPs for intra-VPC communication. EC2 instances communicating via public or Elastic IP addresses within the same Region trigger $0.01/GB even in the same AZ. Use private IP addresses for all intra-VPC traffic.

NAT Gateway for AWS service access. Routing S3, DynamoDB, SSM, CloudWatch, or SQS traffic through NAT Gateway costs $0.045/GB in processing fees that are completely avoidable with VPC Gateway or Interface Endpoints.

Cross-Region replication without traffic modeling. Multi-Region active-active architectures, DynamoDB Global Tables, S3 Cross-Region Replication all generate cross-region transfer charges that need to be explicitly budgeted.

Ignoring ElastiCache cross-AZ replication costs. Redis clusters with replicas in multiple AZs generate $0.01/GB on replication traffic. Place reader endpoints in the same AZ as application instances for read-heavy workloads.

Confusing Multi-AZ RDS with Cross-Region read replicas. Multi-AZ RDS replication between primary and standby is free. Cross-Region read replica replication is not. Different features, different billing.

How Data Transfer Optimization Connects to Compute Commitment Strategy

Reducing data transfer costs and reducing compute costs use different levers, but they interact.

When you restructure for same-AZ placement, your EC2 fleet size per AZ increases while total instance count stays the same. When you add CloudFront, origin EC2 load drops. These architecture changes alter your compute baseline, and a more stable, predictable baseline is easier to commit against.

Teams that have completed a data transfer optimization pass typically see EC2 utilization patterns stabilize, which makes commitment purchasing recommendations more accurate. After optimizing your transfer architecture, committing the stabilized compute baseline through an automated platform captures an additional 30–50% reduction on top of the transfer savings already achieved.

Usage.ai automates commitment purchasing for EC2, RDS, Lambda, and other services, refreshing recommendations every 24 hours vs the 72+ hour refresh cycle of Cost Explorer's native tools. Insured Flex Commitments carry no multi-year lock-in: commitments adjust quarterly, and underutilized commitments are covered by a buyback guarantee paid in cash, not credits.

This matters specifically for teams mid-optimization: your compute baseline is still shifting as you move workloads to the same AZ, add CloudFront, and remove NAT Gateway traffic. A platform that penalizes commitment size changes is the wrong tool when architecture is in flux. See how Usage.ai handles dynamic workloads.

Which of these do you see most consistently underestimated on AWS bills: cross-AZ traffic, NAT Gateway fees, or something else entirely?

For the complete technical breakdown, read the full article here → AWS Data Transfer Costs
