$10,000 a day. That’s what one engineering team stared at, dumbfounded, when their AWS networking bill finally surfaced — not from EC2 instances churning away, but from NAT Gateways processing massive data volumes headed for the public internet.
Zoom out. Cloud networking costs — VPCs, NAT Gateways, data transfer — lurk in the shadows of your dashboard. Compute screams for attention. Storage tallies neatly. But networking? It hides in vague line items until the postmortem.
Here’s the raw truth: AWS flips the meter every time traffic crosses a boundary. Stay in one AZ on private IPs? Free. Venture out? Pay up. And it stacks ruthlessly.
Free Lunch Ends at the AZ Border
VPC creation, subnets, route tables, internet gateways — all gratis. Security groups, NACLs, too. Data zipping within the same AZ via private IPs? Zero. Inbound from the internet? Also free. Gateway endpoints to S3 or DynamoDB? No hourly hit, no data fees.
But cross that line — and the paid components kick in hard.
NAT Gateway: $0.045/hour plus $0.045/GB. Public IPv4: $0.005/hour ($3.65/month). Interface endpoints: $0.01/hour per AZ + $0.01/GB. Transit Gateway attachments: $0.05/hour. Data processing there: $0.02/GB. Cross-AZ: $0.01/GB each way. Internet egress (first 10TB): $0.09/GB. Cross-region peering: $0.02-$0.17/GB.
That $0.01/GB cross-AZ? Peanuts for a query. Multiply by microservices chatter — thousands per second — and watch it compound.
One byte of data leaving through NAT to the internet costs: $0.045 (NAT processing) + $0.09 (egress) = $0.135/GB total.
Plus the fixed $32.85/month per NAT (us-east-1) and now $3.65 for that Elastic IP. Since February 2024, AWS doesn’t let idle IPv4s slide.
The NAT Gateway Nightmare — Real-World Carnage
Picture a private subnet. Your app needs internet — container pulls, API calls. Route to NAT Gateway. It processes at $0.045/GB, shoves out via Internet Gateway at $0.09/GB egress. Total: $0.135/GB, atop fixed costs.
That $10K/day team? Massive volumes through public NATs. Swapped to Direct Connect — poof, $310K/month saved. Direct Connect sidesteps NAT processing and public egress, tunneling straight.
Smaller horror: CI/CD gone wild. 340 jobs/day instead of 10. Each yanks images via NAT. 47TB/month. $12K bill — 87% from that bug. Fix config, down to $667.
NAT’s solid for what it does. But funneling intra-AWS traffic (S3 pulls, say) through it? Waste. Use VPC endpoints — free for S3/DynamoDB gateways.
Teams miss this because diagrams look clean. Architecture reviews post-bill reveal the stacks.
Why Does Cross-AZ Traffic Secretly Ruin Budgets?
$0.01/GB per direction. Round-trip: $0.02. Datadog’s 2024 report pegs it at 50% of data transfer costs — 98% of orgs hit.
Why? Redundancy deploys across AZs. Default routing ignores locality. Kubernetes pods in 1a ping 1c — bam, charge.
One team: 991,980 GB/month cross-AZ. $9,919 bill — 94% of data transfer. Culprit? Route tables dumping all to one NAT in wrong AZ. Per-AZ NATs fixed it: $36K/year saved.
It’s not just K8s. Any multi-AZ setup without topology smarts pays.
Kubernetes: Blessing or Bill Generator?
Default service routing — round-robin to any pod, any AZ. High-volume service? Cross-AZ hell.
But fixes exist. Kubernetes 1.27+ Topology Aware Routing: Annotate service.kubernetes.io/topology-mode: auto. Pods first in same AZ.
Cilium, Istio? Config locality-aware LB. One-line changes, massive ROI.
And here’s my take — the unique angle AWS won’t admit: this pricing echoes 1980s AT&T. Local calls free. Long-distance? Toll. AWS built cloud networking costs as an architectural tax, nudging you from raw VPCs to managed services like EKS Fargate (locality baked in) or Cilium CNI (zero-trust efficiency). It’s not accident; it’s evolution toward enterprise lock-in. Bold prediction: By 2026, 70% of teams ditch default NATs for PrivateLink + topology routing, halving networking bills as IPv6 adoption kills IPv4 fees.
Critique the spin? AWS calls it ‘transparent.’ Nah — it’s opaque until it bites.
Highest-ROI Optimizations — Least Effort First
-
Audit routes: NAT per AZ. Free within AZ.
-
VPC endpoints for S3/DynamoDB/CRR. Skip NAT entirely.
-
Topology-aware everything. K8s annotation. Done.
-
Container registries: Use ECR — intra-AWS, no egress.
-
Direct Connect or Transit for high-volume outbound.
-
Monitor with VPC Flow Logs + Cost Explorer tags.
A single route tweak saved $36K/year. Pipeline fix: $11K/month.
Don’t rebuild arch — tweak boundaries.
FAQ
What are AWS cloud networking costs exactly?
Fixed fees (NAT hourly) plus per-GB (cross-AZ $0.01, egress $0.09) — meters tick on boundary crosses.
How to reduce AWS NAT Gateway costs?
Per-AZ NATs, VPC endpoints for S3, Direct Connect for bulk outbound.
Does cross-AZ traffic really add up in Kubernetes?
Yes — 50% of transfer bills per Datadog. Topology-aware routing fixes it cheap.
Teams ignoring this? Your bill’s a ticking bomb. Act now — architecture shifts like these pay dividends.
