The AWS Data Transfer Bill Nobody Warned You About

The AWS bill arrives. Compute is roughly what you expected. Storage is under budget. Then there is a line item labeled "Data Transfer" for $38,000 that nobody predicted, nobody owns, and nobody can immediately explain.

This is not an unusual story. Data transfer costs are consistently the most surprising charge on AWS bills — particularly for teams that have invested time optimizing EC2 instance types and RDS sizing but never mapped their data flows against AWS's pricing model.

The pricing is publicly documented. The problem is that it is genuinely complex — charges vary by direction, by whether traffic crosses an Availability Zone boundary, by whether it crosses a regional boundary, and by which AWS service is involved. Very few engineers have all of these rules in mind when designing an architecture. This post maps the main cost sources, the common architectural mistakes, and the optimizations that have the largest impact.

What AWS Actually Charges For

Internet egress is the most expensive category: approximately $0.09 per GB for the first 10 TB per month, decreasing at higher volumes. Traffic coming into AWS from the internet is free — the charges are directional. Applications with large outbound payloads (APIs, media downloads, data exports) are most exposed.

Cross-region transfer costs approximately $0.02 per GB in each direction between AWS regions. Modest per-GB, but it accumulates fast in multi-region architectures with inter-region replication or API traffic.

Cross-AZ transfer is the charge that surprises most teams: $0.01 per GB in each direction ($0.02 round-trip) between resources in different Availability Zones within the same region. The rate is low, but the volumes can be enormous — every database read from an application server in a different AZ, every load balancer request that crosses an AZ boundary, every cross-AZ cache miss. A high-throughput application doing 1 TB of cross-AZ database reads per day pays approximately $7,300/year on that pattern alone.

NAT Gateway charges a data processing fee of $0.045 per GB on all traffic it routes — both in and out — in addition to an hourly base fee. Every S3 operation from a private subnet that routes through NAT Gateway instead of a VPC endpoint pays this fee unnecessarily.

CloudFront origin fetch is charged at approximately $0.02 per GB from origin to edge. Critically, S3-to-CloudFront is free. S3 direct to the internet (bypassing CloudFront) is charged at internet egress rates. Cache hit rate is the lever here: higher cache hit rates eliminate origin fetch costs for cached content.

The Common Architectural Mistakes

Cross-AZ database reads. Application servers distributed across multiple AZs for high availability, but the primary database in a single AZ. An Application Load Balancer distributing traffic across all AZs means most requests cross an AZ boundary on the database round-trip. This is pervasive and often invisible until the bill arrives.

Services in wrong regions. Staging environments, shared logging infrastructure, or development tooling provisioned in a different region than production, with integrations sending data between them. Multi-region for resilience is justified. Multi-region because someone selected the wrong region when launching a resource is not.

S3 access without VPC endpoints. EC2 instances in private subnets accessing S3 through NAT Gateway instead of a VPC Gateway Endpoint. Every S3 request pays the NAT Gateway data processing fee ($0.045/GB) when the VPC endpoint is free.

Uncompressed API responses. JSON responses delivered without gzip or Brotli compression pay data transfer charges on bytes that can typically be reduced by 60–80%. The CPU cost of compression is negligible compared to the transfer savings at volume.

Misconfigured CloudFront caching. Overly aggressive cache invalidation or incorrectly configured cache behaviors that effectively disable caching for frequently accessed content. Every cache miss generates an origin fetch charge, then an egress charge. A well-configured CloudFront distribution with high cache hit rates substantially reduces both.

Cross-account data transfer. Production, staging, development, and shared services accounts in the same region still pay cross-AZ or cross-region rates depending on where resources are located. Centralized logging pipelines and shared build infrastructure commonly generate this cost invisibly.

Practical Optimizations

VPC Gateway Endpoints for S3 and DynamoDB. Free to create, no hourly charge, no data processing fee. Route S3 and DynamoDB traffic directly between your VPC and the service, bypassing NAT Gateway entirely. Create the endpoint in the VPC console, attach the route tables, verify bucket policies allow VPC endpoint access. Takes under 30 minutes and is non-disruptive. For applications processing 100 TB of S3 traffic per month through NAT Gateway, this eliminates approximately $4,500/month in processing fees.

Co-locate high-throughput service pairs in the same AZ. For service pairs with very high read throughput between them — application servers and their database, application servers and their cache cluster — same-AZ deployment eliminates cross-AZ charges on that traffic. This is a deliberate trade: reduced cross-AZ cost in exchange for reduced AZ redundancy on that specific traffic path. For RDS read replicas, use the instance endpoint for a specific AZ's replica rather than the reader endpoint that load-balances across AZs.

CloudFront for egress reduction. CloudFront egress pricing is lower than standard EC2/ALB internet egress for high-volume customers. More importantly, cache hits eliminate origin fetch costs entirely. Evaluate CloudFront for static assets, API responses with reasonable TTLs, and large file downloads. An 80% cache hit rate on cacheable content eliminates origin data transfer costs for most requests.

Compress API responses. Enable gzip or Brotli on API Gateway, ALB, or your application framework. Gzip typically achieves 5:1 to 8:1 compression on JSON. On 50 TB of API Gateway responses per month, compression to 10 TB saves approximately $3,600/month at $0.09/GB.

Audit and right-size data pipelines. Log aggregation and analytics pipelines often ship everything cross-region to a central store without evaluating whether analysis can be done in the source region. Evaluate sampling for high-frequency, low-value log events. Reducing a pipeline's data volume by 70% reduces its transfer charges by 70%.

Model before you build. The AWS Pricing Calculator lets you model data flows before deployment. For any new feature involving significant data movement — bulk processing, media streaming, ML inference — model the transfer costs before finalizing the architecture. The design that looks reasonable on compute and storage often looks very different when transfer costs are made explicit.

Finding What You Are Paying Now

AWS Cost Explorer → Service: Data Transfer → group by Usage Type reveals the specific charge categories: DataTransfer-Regional-Bytes (cross-AZ), DataTransfer-Out-Bytes (internet egress). AWS Cost and Usage Reports (CUR) exported to S3 and queried with Athena give line-item granularity — the product_transfer_type and resource_id columns identify what is generating each charge. VPC Flow Logs map the actual traffic patterns by source and destination IP, letting you cross-reference with your subnet-to-AZ mapping to find the highest-volume cross-AZ flows.

The Bottom Line

Data transfer costs are predictable from architecture and reducible through architectural change. The teams that get surprised are those who optimized compute and storage but never applied the same rigor to data flows.

The three highest-return changes for most architectures: VPC endpoints for S3 and DynamoDB (free, immediate impact), API response compression (low effort, immediate impact), and AZ co-location of the highest-throughput service pairs (requires planning, significant impact). Start there. Model the rest before you build it.