😅 The Problem
At my previous company, in one of our AWS accounts, our AWS bill showed ~$300/month in “Data Transfer” even though all workloads were in the same region.
Our setup:
- EC2 batch jobs
- Uploading results/logs to Amazon S3
- Same region, no cross-region calls
I assumed:
“Same region = no cost.”
Wrong. 😬
🔍 The Root Cause
After checking Cost Explorer and VPC Flow Logs, I found the issue.
The EC2 instances were talking to S3 through its public regional endpoint. The private subnets' route tables had only a default route (0.0.0.0/0) pointing at the NAT Gateway and no route for S3, so every S3 request took the NAT path.
Example of a job upload:
```bash
aws s3 sync /data s3://abccompany-logs/
```
That meant:
- Traffic left the subnet through the NAT Gateway and the Internet Gateway
- Reached S3's public endpoint over public IP space
- Every byte was counted as NAT Gateway "data processed"
So even though both were in the same region, we paid:
- NAT Gateway data processing: $0.045 per GB (on top of the hourly charge for the gateway itself)
- Same-region EC2 → S3 transfer is free by itself; the NAT hop was the only extra cost, but it applied to every byte
💰 At ~6 TB/month × $0.045/GB = $270+ in pure data movement.
Per AWS Docs:
“If data leaves a VPC through an Internet Gateway or NAT Gateway, standard data-processing charges apply.”
🧠 The Fix - VPC Gateway Endpoint for S3
The solution: keep the traffic on AWS's private network. A gateway endpoint adds a route for S3's public IP prefix list to the VPC route tables, so packets to S3 go to the endpoint instead of following the default route to the NAT Gateway. No changes to the instances, the SDK or the bucket URLs are needed.
Here's the Terraform snippet we used:
```hcl
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  # Regional S3 service name; the endpoint only covers buckets in this region
  service_name      = "com.amazonaws.eu-central-1.s3"
  vpc_endpoint_type = "Gateway" # the default for S3, shown for clarity
  # Attach to every route table the batch subnets use, not only the main one
  route_table_ids   = [aws_route_table.main.id]
}
```
Once created:
- EC2 → S3 traffic stays internal (for buckets in the same region; a bucket in another region still takes the NAT path)
- NAT Gateway no longer handles uploads
- Zero data-processing or transfer charges
You can verify the change in the route table: it now shows a route whose destination is the endpoint's prefix list (pl-…) and whose target is the endpoint.
Confirmed by AWS docs: "Gateway endpoints for Amazon S3 have no additional cost."
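A gateway endpoint is not only a cheaper path; it is also a policy control point. With no `policy` set, the endpoint lets any principal in the VPC reach any S3 bucket in the region, including buckets in other accounts. The following Terraform is an added example, not code from the original post: it scopes the endpoint to the log bucket, adds a bucket policy that denies writes arriving by any other path, and opens security-group egress to the S3 prefix list. The resource names `aws_vpc.main`, `aws_route_table.private_a` / `private_b`, `aws_s3_bucket.logs` and `aws_security_group.batch` are assumptions; the bucket name `abccompany-logs` comes from the post.

```hcl
# Added example (not from the original post). Assumes the resources
# aws_vpc.main, aws_route_table.private_a / private_b, aws_s3_bucket.logs
# (bucket "abccompany-logs") and aws_security_group.batch already exist.

locals {
  logs_bucket_arn = "arn:aws:s3:::abccompany-logs"
}

# Gateway endpoint with a restrictive endpoint policy. Without `policy`,
# the endpoint allows any principal to reach any bucket in the region.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.eu-central-1.s3"
  vpc_endpoint_type = "Gateway"

  # Every route table used by the batch subnets, not just the main one;
  # a subnet whose table is missing here keeps sending S3 traffic via NAT.
  route_table_ids = [
    aws_route_table.private_a.id,
    aws_route_table.private_b.id,
  ]

  policy = data.aws_iam_policy_document.s3_endpoint.json
}

data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid    = "OnlyOurLogBucket"
    effect = "Allow"
    # Endpoint policies use wildcard principals; the instance role must
    # still grant these actions on its own.
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = [
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
    ]
    resources = [
      local.logs_bucket_arn,
      "${local.logs_bucket_arn}/*",
    ]
  }
}

# Bucket policy: refuse writes that do not arrive through this endpoint.
# If a subnet ever regresses to the NAT path, uploads fail with
# AccessDenied instead of silently reappearing on the bill.
# Assumes only the batch jobs in this VPC write to the bucket.
data "aws_iam_policy_document" "logs_bucket" {
  statement {
    sid    = "DenyWritesNotViaEndpoint"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${local.logs_bucket_arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.s3.id]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs_bucket.json
}

# If the batch security group does not allow 0.0.0.0/0 egress, permit
# HTTPS to the S3 prefix list that the endpoint exposes.
resource "aws_security_group_rule" "batch_to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.batch.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}
```

Two caveats before applying this. The endpoint policy applies to every S3 call that takes the new route, so if the instances also pull OS packages, SSM agent updates or ECR image layers (all served from AWS-owned S3 buckets in the region), those buckets must be allowed as well or the jobs will break in ways that have nothing to do with your log bucket. The `aws:SourceVpce` deny blocks console uploads, CI pipelines and cross-account writers too; add an exception or a second endpoint for them rather than dropping the deny.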
💰 Results
After one billing cycle:
| Metric | Before | After |
|---|---|---|
| EC2 → S3 transfer cost | ~$300 | $0 |
| NAT Gateway data processed | High | Minimal |
| Performance | Same | Same |
🧩 Common Mistakes to Avoid
| ❌ Mistake | ✅ Fix |
|---|---|
| Assuming "same region = free" | Verify the actual network path |
| Using the public S3 endpoint via NAT | Use a Gateway Endpoint |
| Ignoring NAT data-processing charges | Track them in Cost Explorer |
| No flow visibility | Enable VPC Flow Logs |
🧠 Lessons Learned
This experience taught me that AWS cost optimization isn't just about reserved instances or savings plans; it's also about network awareness.
A single endpoint change saved us hundreds per month, with zero downtime and no application changes.
It's one of the simplest, most underrated optimizations you can make.
🪶 TL;DR
✅ EC2 → S3 via NAT = $$
✅ EC2 → S3 via S3 Gateway Endpoint = Free (interface endpoints for S3 are billed per hour and per GB, so pick the gateway type for this use case)
✅ Check your data paths, even in the same region
Top comments (4)
You could also just set up the S3 bucket as a mounted drive on your EC2 and cache all the assets using CloudFront and not get charged for using the NAT.
But in our case, we heavily used S3 uploads (log files, reports, backups).
Great advice - Jeff Bezos is already rich enough ;-)
Exactly hehe