AWS network pricing follows a consistent pattern: the infrastructure that handles routing is often free, while the data flowing through it is charged per GB. The exceptions — NAT Gateway, Transit Gateway, Interface Endpoints — carry both hourly base charges and per-GB data charges, and these two components together can make them significantly more expensive than their headline rates suggest.
This guide covers VPC, NAT Gateway, Interface Endpoints, Transit Gateway, and CloudFront pricing in one place. All rates are for US East (N. Virginia), May 2026. Verify at aws.amazon.com/pricing — rates change significantly by region, and services like CloudFront use tiered pricing by traffic volume.
VPC Pricing: What Is Free and What Is Not
Creating a VPC is free. Running instances, load balancers, and databases inside a VPC is free from a VPC-infrastructure perspective — those resources have their own charges, but the VPC itself has no hourly cost.
What costs money inside a VPC: data transfer between availability zones ($0.01/GB each direction), data transfer to the internet (see the data transfer costs guide), and the specific networking services described below. VPC creation, subnets, route tables, security groups, and network ACLs all have no charges.
VPC Peering
Creating a VPC Peering connection is free. There are no hourly charges for maintaining a peering connection. Data transfer across a peering connection is charged at standard regional data transfer rates: $0.01/GB each direction for cross-AZ traffic within the same region, or standard cross-region rates ($0.02/GB for most US corridors) for inter-region peering.
Gateway Endpoints (S3 and DynamoDB): Completely Free
Gateway Endpoints for S3 and DynamoDB cost nothing: no hourly charge, no per-GB charge. They route traffic from your private subnets directly to S3 or DynamoDB over the AWS backbone, bypassing NAT Gateway. This is the single highest-ROI AWS networking configuration change available: it is free to deploy and immediately eliminates NAT Gateway processing charges ($0.045/GB) on all S3 and DynamoDB traffic.
Interface Endpoints (AWS PrivateLink)
Interface Endpoints for other AWS services (ECR, CloudWatch Logs, Secrets Manager, STS, SQS, SNS, and many others) cost $0.01/hr per AZ per endpoint plus $0.01/GB data processed. In a three-AZ VPC: $0.03/hr = $21.90/month base per endpoint. The per-GB rate of $0.01 is 78% cheaper than NAT Gateway’s $0.045/GB. Break-even versus NAT Gateway: approximately 626 GB/month of traffic to that specific service.
Public IPv4 Addresses
Since February 2024, every public IPv4 address costs $0.005/hr — including Elastic IPs attached to running instances, IPs on load balancers, IPs on NAT Gateways, and idle Elastic IPs not attached to any resource. A running NAT Gateway, an ALB, and 10 EC2 instances all with public IPs: 12 addresses x $0.005/hr x 730 = $43.80/month in IP address fees alone, before any traffic. Release unused Elastic IPs immediately.
NAT Gateway: The Hidden Cost in Private Subnet Architectures
NAT Gateway is the service that enables instances in private subnets to initiate outbound internet connections. It is also one of the most commonly under-examined line items on AWS bills.
Pricing Components
Base charge: $0.045/hr per NAT Gateway = $32.85/month. Data processing charge: $0.045/GB of data processed through the NAT Gateway, inbound and outbound alike. Internet egress charges still apply separately on top of NAT Gateway processing. A container in a private subnet sending 1 GB to the internet pays: $0.045 NAT processing + $0.09 internet egress = $0.135/GB total. Source: AWS official pricing, verified May 2026.
The Per-AZ Deployment Decision
Production architectures typically deploy one NAT Gateway per AZ ($32.85 x 3 = $98.55/month base for three AZs) to avoid cross-AZ traffic charges. Development environments can use a single NAT Gateway shared across all AZs at $32.85/month base, accepting that cross-AZ traffic to the NAT Gateway incurs additional $0.01/GB charges. For dev environments with low traffic volume, the single NAT is cheaper. Above approximately 6.6 TB/month of cross-AZ NAT traffic, per-AZ deployment becomes cheaper.
How to Reduce NAT Gateway Costs
Add S3 and DynamoDB Gateway Endpoints (free — eliminates NAT processing for those services). Add Interface Endpoints for ECR, CloudWatch Logs, and Secrets Manager (break-even at ~626 GB/month per endpoint). Enable topology-aware routing in Kubernetes to minimize cross-AZ traffic reaching the NAT Gateway. For containers: use ECR VPC Endpoints to pull images without going through NAT.
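The endpoint decisions above can be worked through per service. The following is an added example, not part of the original guide: it applies the rates quoted on this page to a constructed traffic breakdown and picks a Gateway Endpoint, an Interface Endpoint, or NAT for each service. The service names and GB figures in SAMPLE are made up for illustration, and only NAT processing versus endpoint charges are compared.

```python
# Rates as quoted on this page (US East, N. Virginia); re-check before relying on them.
HOURS_PER_MONTH = 730
NAT_PER_GB = 0.045           # NAT Gateway data processing
IFACE_PER_GB = 0.01          # Interface Endpoint data processing
IFACE_PER_AZ_HOUR = 0.01     # Interface Endpoint hourly charge, per AZ
GATEWAY_SERVICES = {"s3", "dynamodb"}  # Gateway Endpoints: no hourly, no per-GB charge


def interface_base_monthly(azs):
    """Fixed monthly cost of one Interface Endpoint deployed in `azs` AZs."""
    return IFACE_PER_AZ_HOUR * azs * HOURS_PER_MONTH


def break_even_gb(azs):
    """GB/month to one service above which an Interface Endpoint beats NAT."""
    return interface_base_monthly(azs) / (NAT_PER_GB - IFACE_PER_GB)


def plan_endpoints(traffic_gb, azs=3):
    """traffic_gb maps service -> GB/month currently processed by NAT Gateway.

    Returns ({service: (choice, nat_cost, new_cost)}, total_monthly_savings).
    """
    plan, savings = {}, 0.0
    for service, gb in traffic_gb.items():
        nat_cost = gb * NAT_PER_GB
        if service in GATEWAY_SERVICES:
            choice, new_cost = "gateway-endpoint", 0.0
        else:
            iface_cost = interface_base_monthly(azs) + gb * IFACE_PER_GB
            if iface_cost < nat_cost:
                choice, new_cost = "interface-endpoint", iface_cost
            else:
                choice, new_cost = "keep-nat", nat_cost
        plan[service] = (choice, round(nat_cost, 2), round(new_cost, 2))
        savings += nat_cost - new_cost
    return plan, round(savings, 2)


# Constructed sample traffic (GB/month through NAT), not real billing data.
SAMPLE = {"s3": 4000, "dynamodb": 300, "ecr": 2000, "logs": 900, "secretsmanager": 10}

if __name__ == "__main__":
    print(f"break-even (3 AZs): {break_even_gb(3):.0f} GB/month")
    plan, savings = plan_endpoints(SAMPLE)
    for service, (choice, before, after) in plan.items():
        print(f"{service:15} {choice:19} ${before:>7.2f} -> ${after:>7.2f}")
    print(f"monthly savings: ${savings:.2f}")
```

Replace SAMPLE with per-service byte counts from VPC Flow Logs or the NatGateway-Bytes usage in Cost Explorer to get a plan for a real account.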
NAT Gateway generates three separate charges: base hourly, data processing, and whatever internet egress or cross-AZ charges apply to the traffic it routes. Teams that see NAT Gateway as a $32.85/month line item are missing the data processing charges that typically make it $100-500/month for production workloads. In Cost Explorer, filter on EC2-Other and look for the NatGateway-Bytes usage type.

Transit Gateway: VPC Interconnect at Scale
Transit Gateway is the AWS service for connecting multiple VPCs and on-premises networks through a central hub, eliminating the need for full-mesh VPC Peering. It makes architectural sense above roughly 5-10 VPCs where the Peering connection count would become unmanageable.
Pricing: $0.05/hr per VPC attachment ($36.50/month per attachment). Data processing: $0.02/GB processed through the Transit Gateway. For 10 VPCs attached to a Transit Gateway: 10 x $36.50 = $365/month in attachment fees before any traffic. At $0.02/GB for data processing, a workload moving 5 TB/month through the Transit Gateway adds $102.40/month.
VPC Peering is cheaper for small VPC counts (no hourly charges, only data transfer). Transit Gateway is cheaper for large counts where Peering would require N x (N-1) / 2 connections. At 5 VPCs: Peering requires 10 connections (all free to maintain). At 10 VPCs: Peering requires 45 connections and Transit Gateway at $365/month may be operationally simpler even if slightly more expensive per GB.
CloudFront: CDN Pricing Structure
CloudFront charges on three dimensions: data transfer out to the internet (egress), HTTP/HTTPS request count, and origin transfer (which is now free for S3 origins in the same account).
Egress Pricing (US and Canada Tier)
$0.085/GB for the first 10 TB/month. $0.080/GB for the next 40 TB. $0.060/GB for the next 100 TB. $0.040/GB for the next 350 TB. $0.030/GB above 524 TB/month. These are lower than direct internet egress from S3 ($0.09/GB for the first 10 TB tier), which is why CloudFront is cost-effective even without aggressive caching. Other regions (Asia Pacific, South America) carry higher rates. Source: aws.amazon.com/cloudfront/pricing, May 2026.
Request Pricing
$0.0100 per 10,000 HTTP requests. $0.0100 per 10,000 HTTPS requests (same price). At 100 million requests per month: $100 in request charges. At 1 billion requests: $1,000. For most content-delivery workloads, egress charges dominate over request charges. For API-style workloads with small responses but high request rates, request charges can be meaningful.
S3-to-CloudFront: Free Since Late 2024
Data transfer from S3 to CloudFront within the same AWS account and region has been free since late 2024. The charge was previously $0.02/GB; eliminating it makes CloudFront strictly cheaper than serving S3 directly for any workload where users download content from the internet. The only cost is CloudFront egress to users ($0.085/GB), which is lower than direct S3 egress ($0.09/GB).
Origin Shield
CloudFront Origin Shield adds an additional caching layer between CloudFront edge locations and the origin, reducing origin fetches. It costs $0.009-0.010/GB of data served through Origin Shield (varies by region). It is worth enabling for origins with high cache-miss rates or for origins where reducing load is a priority. It is not worth it for highly cacheable static content where edge caches already have high hit ratios.
Lambda@Edge and CloudFront Functions
CloudFront Functions: $0.10 per 1 million invocations. They suit lightweight header manipulation, URL redirects, or A/B testing logic at the edge, and are very cheap for high-traffic sites. Lambda@Edge: $0.60 per 1 million requests plus $0.00000625001 per GB-second. That is considerably more expensive than CloudFront Functions for logic that can run in either. Use CloudFront Functions where possible; use Lambda@Edge only when the full Lambda execution environment (file system access, network calls, longer timeouts) is required.
CloudFront free tier: 1 TB/month of data transfer out plus 10 million HTTP/HTTPS requests per month, for the first 12 months on new AWS accounts only. This is an introductory free tier, not a permanent always-free tier. The always-free tier for data transfer is only the first 100 GB/month of general internet egress from any service, not specific to CloudFront. Source: aws.amazon.com/free.
Quick Reference: AWS Network Pricing Summary
All US East (N. Virginia), May 2026. Verify at aws.amazon.com/pricing — rates change.
VPC creation: FREE. Subnets, route tables, security groups: FREE. VPC Peering (connection): FREE (data transfer charged separately).
Gateway Endpoints (S3, DynamoDB): FREE. No hourly charge, no per-GB charge.
Interface Endpoints (PrivateLink): $0.01/hr per AZ + $0.01/GB. Three AZs = $21.90/month base per endpoint.
Transit Gateway: $0.05/hr per attachment ($36.50/month) + $0.02/GB processed.
NAT Gateway: $0.045/hr ($32.85/month) + $0.045/GB processed. Add internet egress on top.
Public IPv4 address: $0.005/hr per IP ($3.65/month). Charged even when idle. Since February 2024.
CloudFront egress (US): $0.085/GB (10 TB), $0.080/GB (50 TB), $0.060/GB (150 TB), $0.040/GB (500 TB).
CloudFront requests: $0.0100 per 10,000 HTTP or HTTPS requests.
CloudFront origin (S3, same account): FREE since late 2024.
Cross-AZ data transfer: $0.01/GB each direction.
Internet egress (general, not CloudFront): first 100 GB/month FREE, then $0.09/GB (10 TB).
Architecture Decisions That Eliminate the Largest Costs
Deploy Gateway Endpoints for S3 and DynamoDB before deploying NAT Gateways. This is free, takes 5 minutes, and eliminates the most common source of unexpected NAT Gateway data processing charges.
Put public-facing content behind CloudFront, not directly behind S3 or an ALB. S3-to-CloudFront is free. CloudFront egress is cheaper than direct S3 egress. Cache hit ratios above 5% make CloudFront cost-neutral or cost-negative.
Use private IP addresses for all intra-VPC and intra-AZ communication. Public IP traffic routes externally and incurs charges. Same-AZ private IP traffic is free.

Keep application tiers and database tiers in the same availability zone for latency-sensitive traffic. Cross-AZ charges are $0.01/GB each direction and compound quickly for high-throughput microservices architectures.
Evaluate Transit Gateway vs VPC Peering at the 5-10 VPC threshold. Below 5 VPCs: Peering is free to maintain and cheaper. Above 10 VPCs: Transit Gateway’s operational simplicity typically justifies the per-attachment cost.

Frequently Asked Questions
1. How much does AWS VPC cost?
Creating and running a VPC is free. There are no hourly charges for VPCs, subnets, route tables, security groups, or network ACLs. Costs come from services running inside the VPC (EC2 instances, RDS, load balancers) and from data transfer between availability zones ($0.01/GB each direction), to the internet, or through paid networking services like NAT Gateway or Interface Endpoints.
2. How much does AWS NAT Gateway cost per month?
$0.045/hr base charge ($32.85/month) plus $0.045/GB of data processed — both inbound and outbound. A production three-AZ deployment (one NAT Gateway per AZ) costs $98.55/month in base charges before any traffic. For workloads routing 1 TB/month of internet-bound traffic through NAT Gateway: $98.55 base + $46.08 data processing + standard internet egress charges. Use S3 and DynamoDB Gateway Endpoints (free) to eliminate NAT processing on those services. Source: AWS official pricing (May 2026).
3. How much does CloudFront cost per GB?
$0.085/GB for the first 10 TB/month from US and Canada edge locations. Volume discounts apply at higher tiers: $0.080/GB (10-50 TB), $0.060/GB (50-150 TB), $0.040/GB (150-524 TB), $0.030/GB above 524 TB/month. Data transfer from S3 to CloudFront within the same AWS account is free since late 2024. CloudFront egress ($0.085/GB) is cheaper than direct S3 internet egress ($0.09/GB). Verify at aws.amazon.com/cloudfront/pricing — rates change.
4. Is AWS VPC Peering free?
Yes, maintaining a VPC Peering connection has no hourly charge. Data transfer across the peering connection is charged at standard rates: $0.01/GB each direction for cross-AZ peering within the same region, or cross-region transfer rates ($0.02/GB for most US corridors) for inter-region peering. The peering connection itself — creating it, listing it, maintaining it — is free.
5. What is the difference between Gateway Endpoints and Interface Endpoints?
Gateway Endpoints cover S3 and DynamoDB only and are completely free — no hourly charge, no per-GB charge. Interface Endpoints (AWS PrivateLink) cover most other AWS services (ECR, CloudWatch Logs, Secrets Manager, SQS, etc.) and cost $0.01/hr per AZ plus $0.01/GB. Both bypass NAT Gateway, eliminating the $0.045/GB NAT processing charge. The correct strategy: always deploy Gateway Endpoints first (free), then evaluate Interface Endpoints for high-volume service traffic.
6. How much does AWS Transit Gateway cost?
$0.05/hr per VPC or VPN attachment ($36.50/month per attachment). Data processing: $0.02/GB processed through the Transit Gateway. Ten VPCs attached: $365/month in attachment fees before traffic. Compare to VPC Peering which has no hourly charge (data transfer costs only). Transit Gateway is cost-effective above approximately 10 VPCs where the Peering mesh complexity becomes unmanageable. Source: aws.amazon.com/transit-gateway/pricing, May 2026.
7. Do Compute Savings Plans cover AWS network costs?
No. Compute Savings Plans cover EC2 instance compute, Fargate task compute, and Lambda duration only. NAT Gateway charges, CloudFront egress, data transfer fees, Interface Endpoint charges, and Transit Gateway costs are all separate billing categories not covered by any commitment discount product. Network cost optimization requires architectural changes, not commitment discounts.