AWS charges for data leaving your infrastructure — to the internet, to other availability zones, to other regions, and through services like NAT Gateway that handle routing. For most teams running distributed workloads, data transfer sits in the top three AWS cost categories alongside compute and storage.
The good news: egress costs are among the most reducible line items on any AWS bill. Unlike compute — where savings require a commitment or a right-sizing analysis — several egress optimizations are configuration changes that take under 30 minutes and generate savings from the next billing cycle. This guide covers them in order of impact, with specific numbers so you can calculate ROI before touching anything.
Step 1: Add Gateway Endpoints for S3 and DynamoDB (Free, Immediate)
Gateway Endpoints are the highest ROI action on this list. They are completely free — no hourly charge, no per-GB charge. A Gateway Endpoint creates a private route between your VPC and S3 or DynamoDB over the AWS backbone, bypassing NAT Gateway entirely. Traffic that previously paid $0.045/GB in NAT Gateway processing fees now costs nothing.
The deployment is a single resource addition. In the AWS console: navigate to VPC, select Endpoints, create an endpoint for com.amazonaws.us-east-1.s3, attach it to your private route tables. Done. Any EC2 instance, Lambda function, or ECS task in those subnets now routes S3 traffic directly without touching NAT Gateway.
CLI: aws ec2 create-vpc-endpoint --vpc-id vpc-xxxx --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxxx
Terraform: resource "aws_vpc_endpoint", service_name = "com.amazonaws.${var.region}.s3", vpc_endpoint_type = "Gateway". No hourly cost. No per-GB cost. One of the rare cases where the correct answer is both better and free.
Expected saving: $0.045/GB on every byte of S3 and DynamoDB traffic currently routing through NAT Gateway. For a workload sending 1 TB/month to S3 through NAT Gateway: $46.08/month saved. Configuration time: 5 minutes. Effort: low.

Step 2: Put CloudFront in Front of S3 for Internet-Facing Content
In late 2024, AWS eliminated the data transfer charge from S3 to CloudFront when both are in the same account and region. Origin fetches now cost $0.00/GB. Combined with CloudFront’s lower egress rate ($0.085/GB vs $0.09/GB for direct S3 internet egress), CloudFront is now strictly cheaper than serving S3 directly for any workload with a cache hit ratio above approximately 5%.
The real savings compound with cache hit ratio. A 10 TB/month workload served directly from S3 pays 10,000 GB x $0.09 = $900/month (minus the 100 GB free tier). The same workload through CloudFront at an 80% cache hit ratio fetches only 20% of bytes from origin, at $0/GB, while 100% of bytes are delivered to users at $0.085/GB. Repeat requests for the same object are served from edge cache: they still count as CloudFront egress, but they do not re-fetch the origin. The cost is therefore total bytes to users x $0.085/GB = $850, plus $0 for origin fetches, which is $50/month less than direct S3 on this workload.
Where the savings scale dramatically: high-traffic, highly-cacheable content with 90%+ cache hit ratios. At 90% cache hit ratio, 9 TB is served from edge cache at CloudFront rates and 1 TB is fetched from origin for free. At 95% cache hit ratio serving 100 TB/month, total egress cost is 100 TB x $0.085 (blended tiers) vs 100 TB x $0.09 = a $500-4,000 monthly saving depending on volume tiers.
Enable compression in CloudFront distributions. CloudFront supports automatic Brotli and gzip compression. Brotli reduces text payload size 15-25% more than gzip for HTML, CSS, JS, JSON, and XML. A workload serving 10 TB/month of compressible content at 20% Brotli compression reduction pays for 8 TB instead of 10 TB. At $0.085/GB: $680 vs $850 per month.
Expected saving: 5-50% reduction in internet egress cost depending on cache hit ratio. At 80% cache hit ratio serving 10 TB/month: effective cost $170 vs $900 from S3 direct. S3-to-CloudFront origin transfer: $0/GB (free since late 2024). CloudFront egress: $0.085/GB vs $0.09/GB direct S3.
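The Step 2 comparison as a small cost model, added here as an example and not code from the original article. It uses the per-GB rates quoted in this guide and assumes 10 TB = 10,000 GB as in this step's arithmetic, a flat $0.085/GB CloudFront rate (CloudFront's own volume tiers are not modeled), and the US East S3 internet tiers listed in FAQ 3; the pre-2024 $0.02/GB origin rate is included so the effect of cache hit ratio before and after the change can be compared.

```python
# Added example (not from the article): the Step 2 comparison as functions,
# using the rates the article quotes. Assumptions: 10 TB = 10,000 GB as in this
# step's arithmetic; CloudFront billed at the flat $0.085/GB quoted here (its own
# volume tiers are not modeled); S3 internet tiers are the US East ones in FAQ 3.

# S3 internet egress: cumulative GB upper bound of each tier and its $/GB rate.
S3_INTERNET_TIERS = [
    (100, 0.0),            # first 100 GB/month free
    (10_000, 0.09),        # up to 10 TB
    (50_000, 0.085),       # 10-50 TB
    (150_000, 0.07),       # 50-150 TB
    (float("inf"), 0.05),  # above 150 TB
]
CLOUDFRONT_RATE = 0.085    # $/GB CloudFront -> internet (flat, assumption)
ORIGIN_RATE_OLD = 0.02     # $/GB S3 -> CloudFront before late 2024
ORIGIN_RATE_NOW = 0.0      # free since late 2024 (same account and region)

def tiered_cost(gb, tiers):
    """Bill `gb` across cumulative tiers; each tier prices the GB up to its bound."""
    cost, lower = 0.0, 0.0
    for upper, rate in tiers:
        if gb <= lower:
            break
        cost += (min(gb, upper) - lower) * rate
        lower = upper
    return round(cost, 2)

def s3_direct_cost(gb):
    """Monthly $ for serving `gb` straight from S3 to the internet."""
    return tiered_cost(gb, S3_INTERNET_TIERS)

def cloudfront_cost(gb, cache_hit, compression=0.0, origin_rate=ORIGIN_RATE_NOW):
    """Monthly $ via CloudFront: every byte delivered (after compression) pays
    CloudFront egress; only cache misses are fetched from S3 at `origin_rate`."""
    served = gb * (1 - compression)
    origin_fetch = served * (1 - cache_hit)
    return round(served * CLOUDFRONT_RATE + origin_fetch * origin_rate, 2)

if __name__ == "__main__":
    vol = 10_000  # the article's 10 TB/month case
    print("S3 direct:", s3_direct_cost(vol))                          # 891.0
    print("CloudFront, 80% hits:", cloudfront_cost(vol, 0.8))         # 850.0
    print("Same, with the pre-2024 origin fee:",
          cloudfront_cost(vol, 0.8, origin_rate=ORIGIN_RATE_OLD))     # 890.0
    print("CloudFront + 20% Brotli:", cloudfront_cost(vol, 0.8, 0.2))  # 680.0
```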
Step 3: Enable Topology-Aware Routing in Kubernetes
Cross-AZ traffic costs $0.01/GB in each direction ($0.02/GB round-trip). In a Kubernetes cluster spread across three availability zones, service-to-service traffic does not respect zone boundaries by default. A request originating from a pod in us-east-1a may be routed to a pod endpoint in us-east-1b or us-east-1c. Every such cross-AZ hop is charged.
Topology-aware routing (formerly Topology Aware Hints) instructs kube-proxy to prefer endpoints in the same zone as the caller. Add the annotation to your Kubernetes services: service.kubernetes.io/topology-mode: Auto. This alone reduces inter-AZ traffic by routing same-zone traffic to same-zone pods whenever sufficient healthy endpoints exist in the local zone.
For workloads with uneven pod distribution across zones, topology-aware routing may produce slightly uneven load distribution. Monitor both cross-AZ costs in Cost Explorer and pod CPU utilization per zone after enabling. The cross-AZ cost reduction is typically worth the minor load asymmetry. For clusters where this is not acceptable, consider Istio or Cilium with locality-aware load balancing for finer-grained control.
Expected saving: 60-80% reduction in cross-AZ traffic for Kubernetes clusters with high inter-service communication. A 3-AZ EKS cluster generating 10 TB/month of inter-AZ traffic pays $200/month in cross-AZ charges. Topology-aware routing reduces that to $40-80/month. Effort: medium (requires Kubernetes 1.24+ and service annotation).
Step 4: Add Interface Endpoints for High-Volume AWS Service Calls
Gateway Endpoints cover S3 and DynamoDB for free. For other AWS services — ECR (container images), CloudWatch Logs, Secrets Manager, STS, SQS, SNS — Interface Endpoints provide private routing at $0.01/GB versus NAT Gateway’s $0.045/GB.
The highest-impact Interface Endpoints to deploy first: ECR for container workloads (image pulls are large and frequent), CloudWatch Logs for workloads with verbose logging, Secrets Manager if secrets are fetched on every Lambda invocation or container start, and STS if your workloads assume IAM roles frequently.
Calculating break-even per endpoint: an Interface Endpoint costs $0.01/hr per AZ. In a three-AZ VPC: $0.03/hr = $21.90/month plus $0.01/GB. Break-even versus NAT Gateway (which charges $0.045/GB): at X GB/month, $21.90 + 0.01X = 0.045X, solving for X = 626 GB/month per endpoint. If your ECR pulls, CloudWatch Logs, or Secrets Manager calls exceed 626 GB/month in a given VPC, the Interface Endpoint is cheaper than NAT Gateway. For most production container environments, ECR pull volume alone exceeds this threshold.
Deploy via CloudFormation or Terraform. One VPC Endpoint resource per service per VPC. No application code changes required.
Expected saving: $0.034/GB on every byte of eligible service traffic currently routing through NAT Gateway (Interface Endpoint: $0.01/GB vs NAT: $0.045/GB). For 1 TB/month of ECR image pulls through NAT: $34.82/month saved per cluster. Interface Endpoint cost: $0.01/hr/AZ + $0.01/GB. Break-even vs NAT: approximately 200 GB/month per endpoint.

Step 5: Eliminate the Single-NAT-Gateway Trap
Many teams deploy a single NAT Gateway in one AZ to save on the $32.85/month base charge per gateway. This is the wrong optimization for production workloads with significant outbound traffic. Traffic from private subnets in other AZs must cross AZ boundaries to reach the centralized NAT Gateway, incurring $0.01/GB in cross-AZ charges on top of the NAT processing and egress fees.
The math for a workload processing 10 TB/month of internet-bound traffic in a three-AZ setup: with one NAT Gateway, approximately 6.67 TB originates from the other two AZs and pays $0.01/GB cross-AZ charges: 6,670 GB x $0.01 = $66.70/month in cross-AZ fees that would not exist with per-AZ NAT Gateways. The additional two NAT Gateways cost $65.70/month in base charges. The two costs are comparable — but the cross-AZ charges grow linearly with traffic volume while the NAT Gateway base charge is fixed.
Decision rule: for production workloads processing more than 6.6 TB/month of outbound NAT traffic across AZs, one NAT Gateway per AZ is cheaper than a centralized gateway. Below that threshold, a single NAT Gateway saves money. For development environments: always use a single NAT Gateway.
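The Step 4 and Step 5 break-even arithmetic as reusable functions, added here as an example and not code from the original article. It uses the rates quoted in those steps with 730 hours per month, and assumes outbound traffic is spread evenly across the VPC's availability zones, as the Step 5 worked case does.

```python
# Added example (not from the article): the Step 4 and Step 5 break-even
# arithmetic as reusable functions, using the rates the article quotes
# (730 hours/month). Traffic is assumed to be spread evenly across AZs.
NAT_HOURLY = 0.045              # $/hr per NAT Gateway (the $32.85/month base charge)
NAT_PER_GB = 0.045              # $/GB NAT processing
ENDPOINT_HOURLY_PER_AZ = 0.01   # Interface Endpoint, per AZ
ENDPOINT_PER_GB = 0.01
CROSS_AZ_PER_GB = 0.01          # one direction
HOURS_PER_MONTH = 730

def interface_endpoint_breakeven_gb(azs=3):
    """GB/month at which one Interface Endpoint costs the same as sending the
    traffic through NAT Gateway: fixed hourly fee / per-GB saving."""
    fixed = ENDPOINT_HOURLY_PER_AZ * azs * HOURS_PER_MONTH   # $21.90 for 3 AZs
    return round(fixed / (NAT_PER_GB - ENDPOINT_PER_GB), 1)

def nat_topology_costs(gb_per_month, azs=3):
    """Compare the components that differ between one central NAT Gateway and
    one per AZ. NAT processing and internet egress per GB are identical in both
    layouts and are left out; only base charges and cross-AZ fees are compared."""
    base = round(NAT_HOURLY * HOURS_PER_MONTH, 2)
    remote_gb = gb_per_month * (azs - 1) / azs   # traffic born outside the NAT's AZ
    single = {"nat_base": base, "cross_az": round(remote_gb * CROSS_AZ_PER_GB, 2)}
    single["total"] = round(single["nat_base"] + single["cross_az"], 2)
    per_az = {"nat_base": round(base * azs, 2), "cross_az": 0.0}
    per_az["total"] = per_az["nat_base"]
    return {"single_nat": single, "nat_per_az": per_az, "remote_gb": round(remote_gb, 1)}

def cross_az_breakeven_gb(azs=3):
    """Monthly volume originating outside the NAT's AZ at which the cross-AZ
    charges equal the base charge of the (azs - 1) extra gateways."""
    return round((azs - 1) * NAT_HOURLY * HOURS_PER_MONTH / CROSS_AZ_PER_GB, 1)

def recommend_nat_layout(gb_per_month, azs=3):
    """'per-AZ' when the extra gateways cost less than the cross-AZ fees they remove."""
    c = nat_topology_costs(gb_per_month, azs)
    return "per-AZ" if c["nat_per_az"]["total"] < c["single_nat"]["total"] else "single"

if __name__ == "__main__":
    print(interface_endpoint_breakeven_gb())   # 625.7 (the article's 626 GB)
    print(cross_az_breakeven_gb())             # 6570.0 (the article's 6.6 TB)
    print(nat_topology_costs(10_000))
    print(recommend_nat_layout(10_000), recommend_nat_layout(3_000))  # per-AZ single
```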
Step 6: Evaluate Direct Connect for High-Volume Sustained Egress
AWS Direct Connect provides a dedicated private network connection between your data center or colocation facility and AWS. Outbound data transfer over Direct Connect costs $0.02/GB for US connections versus $0.09/GB for internet egress — a 78% rate reduction per GB.
The break-even calculation must account for Direct Connect port costs: a 1 Gbps dedicated connection starts at approximately $0.30/hr ($219/month) plus partner connection fees. At $0.07/GB saved per GB (from $0.09 to $0.02), the break-even egress volume is: $219 / $0.07 = 3,129 GB/month, approximately 3 TB/month of sustained egress to cover port costs alone. For workloads consistently above 5 TB/month of predictable egress to an on-premises environment, Direct Connect delivers meaningful savings. Below that threshold, or for variable egress patterns, internet egress remains more cost-effective.
Expected saving: $0.07/GB (from $0.09 to $0.02 outbound rate for US) for workloads exceeding the Direct Connect break-even point. Break-even: approximately 2-5 TB/month of consistent egress depending on port speed and upfront costs. Suitable for: production workloads with stable, predictable egress of 5 TB/month or more.
How to Find Your Largest Egress Sources in Cost Explorer
Before optimizing, identify where your egress money is actually going. In AWS Cost Explorer: set the date range to the last 30 days. Group by Usage Type. Filter by service: EC2 (which includes S3, RDS, and most data transfer charges billed under EC2-Other). Sort by cost descending.
Look for these usage type prefixes: DataTransfer-Out-Bytes (internet egress), DataTransfer-Regional-Bytes (cross-AZ), NatGateway-Bytes (NAT Gateway processing), USE1-AWS-Out-Bytes (S3 internet egress specifically). The highest-cost usage types identify which optimization step to prioritize.
CLI to pull the last 30 days of data transfer costs by usage type: aws ce get-cost-and-usage --time-period Start=2026-05-01,End=2026-05-31 --granularity MONTHLY --metrics BlendedCost --group-by Type=DIMENSION,Key=USAGE_TYPE --filter '{"Dimensions":{"Key":"SERVICE","Values":["Amazon Elastic Compute Cloud - Compute"]}}' --output table
Run this monthly. Data transfer costs that accumulate silently will show up immediately when you group by usage type. Catch new sources early — a misconfigured container pulling its image from DockerHub through NAT Gateway rather than ECR through an Interface Endpoint will show up as NatGateway-Bytes growth within the first billing cycle.
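One way to automate the monthly check above, added here as an example and not code from the original article: it takes the JSON form of the get-cost-and-usage response (run the command with --output json over two monthly periods), keeps only the usage types this guide lists, maps each to the step that addresses it, and flags any that grew sharply month over month, which is exactly how a new NatGateway-Bytes source would surface. SAMPLE_RESPONSE is constructed sample data and the 25% growth threshold is an assumption.

```python
# Added example, not from the article: summarise the JSON that
# `aws ce get-cost-and-usage --group-by Type=DIMENSION,Key=USAGE_TYPE --output json`
# returns and flag month-over-month growth in the usage types the article lists.
# SAMPLE_RESPONSE is constructed data; the 25% alert threshold is an assumption.
import json

USAGE_TYPE_TO_STEP = {  # usage-type substring -> guide step that addresses it
    "NatGateway-Bytes": "Step 1/4/5: Gateway or Interface Endpoints, NAT layout",
    "DataTransfer-Regional-Bytes": "Step 3/5: topology-aware routing, per-AZ NAT",
    "AWS-Out-Bytes": "Step 2: CloudFront in front of S3",
    "DataTransfer-Out-Bytes": "Step 2/6: CloudFront, Direct Connect",
}
GROWTH_ALERT = 0.25

SAMPLE_RESPONSE = json.loads("""{"ResultsByTime": [
 {"TimePeriod": {"Start": "2026-04-01", "End": "2026-05-01"}, "Groups": [
  {"Keys": ["USE1-NatGateway-Bytes"], "Metrics": {"BlendedCost": {"Amount": "180.00", "Unit": "USD"}}},
  {"Keys": ["USE1-DataTransfer-Regional-Bytes"], "Metrics": {"BlendedCost": {"Amount": "200.00", "Unit": "USD"}}},
  {"Keys": ["USE1-DataTransfer-Out-Bytes"], "Metrics": {"BlendedCost": {"Amount": "891.00", "Unit": "USD"}}},
  {"Keys": ["USE1-BoxUsage:m5.large"], "Metrics": {"BlendedCost": {"Amount": "700.80", "Unit": "USD"}}}]},
 {"TimePeriod": {"Start": "2026-05-01", "End": "2026-06-01"}, "Groups": [
  {"Keys": ["USE1-NatGateway-Bytes"], "Metrics": {"BlendedCost": {"Amount": "310.00", "Unit": "USD"}}},
  {"Keys": ["USE1-DataTransfer-Regional-Bytes"], "Metrics": {"BlendedCost": {"Amount": "205.00", "Unit": "USD"}}},
  {"Keys": ["USE1-DataTransfer-Out-Bytes"], "Metrics": {"BlendedCost": {"Amount": "880.00", "Unit": "USD"}}},
  {"Keys": ["USE1-BoxUsage:m5.large"], "Metrics": {"BlendedCost": {"Amount": "700.80", "Unit": "USD"}}}]}]}""")

def classify(usage_type):
    """Guide step for a data-transfer usage type; None for anything else (compute etc.)."""
    return next((s for n, s in USAGE_TYPE_TO_STEP.items() if n in usage_type), None)

def transfer_costs(response):
    """[(period_start, {usage_type: cost})] restricted to data-transfer usage types."""
    out = []
    for period in response["ResultsByTime"]:
        costs = {g["Keys"][0]: float(g["Metrics"]["BlendedCost"]["Amount"])
                 for g in period["Groups"] if classify(g["Keys"][0])}
        out.append((period["TimePeriod"]["Start"], costs))
    return out

def growth_alerts(response, threshold=GROWTH_ALERT):
    """(usage_type, latest_cost, step) for types that grew > threshold vs the prior
    period, or are new; sorted highest cost first so the biggest leak leads."""
    periods = transfer_costs(response)
    if len(periods) < 2:
        return []
    prev, cur = periods[-2][1], periods[-1][1]
    alerts = [(k, c, classify(k)) for k, c in cur.items()
              if k not in prev or (c - prev[k]) / prev[k] > threshold]
    return sorted(alerts, key=lambda a: a[1], reverse=True)
```

On the sample data only NatGateway-Bytes is flagged (a 72% jump), pointing at the endpoint and NAT-layout steps; the compute line is ignored because it is not a transfer usage type.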
Egress Optimization Does Not Replace Commitment Discounts
A common mistake: teams focus on egress optimization while leaving their EC2 and RDS instances on on-demand pricing. Egress optimization is the right lever for network costs. Savings Plans and Reserved Instances are the right lever for compute costs. Neither replaces the other.
Egress optimization saves on the DataTransfer-Out and NatGateway-Bytes line items. Savings Plans save on EC2 instance-hours, Fargate vCPU-hours, and Lambda duration. Applying Gateway Endpoints does not reduce your compute bill. Buying a Compute Savings Plan does not reduce your NAT Gateway charges. Both optimizations are necessary and independent.
For organizations with $50,000+/month in AWS spend, applying both simultaneously — commitment coverage for compute and architectural egress optimization for network — typically delivers 40-60% total bill reduction versus fully on-demand unoptimized spend.

Frequently Asked Questions
1. What is the fastest way to reduce AWS egress costs?
Add S3 and DynamoDB Gateway Endpoints. They are free, take 5 minutes to configure, and immediately eliminate NAT Gateway processing charges ($0.045/GB) on all S3 and DynamoDB traffic from private subnets. For most workloads this is the single highest-ROI egress action available.
2. Does CloudFront reduce AWS egress costs?
Yes. S3-to-CloudFront transfer within the same account is free since late 2024 (was $0.02/GB). CloudFront egress to internet is $0.085/GB versus $0.09/GB for direct S3 egress. With caching, a workload at 80% cache hit ratio effectively reduces chargeable bytes significantly. CloudFront is cheaper than direct S3 internet egress for any workload with a cache hit ratio above approximately 5%.
3. What is the AWS egress cost per GB?
Internet egress from US East (N. Virginia): $0 for the first 100 GB/month, then $0.09/GB for the next 10 TB, $0.085/GB at 10-50 TB, $0.07/GB at 50-150 TB, $0.05/GB above 150 TB. Cross-AZ (same region): $0.01/GB each direction. Cross-region (US corridors): $0.02/GB. NAT Gateway adds $0.045/GB on top of any egress it routes. Verify at aws.amazon.com/ec2/pricing/on-demand — rates change.
4. How much does NAT Gateway cost for data transfer?
$0.045/GB of data processed plus $0.045/hr base charge ($32.85/month). For internet-bound traffic, NAT Gateway charges stack on top of internet egress charges — a container sending 1 GB to the internet through NAT Gateway pays $0.045 NAT processing + $0.09 internet egress = $0.135/GB effective rate. S3 and DynamoDB Gateway Endpoints eliminate the NAT processing charge for those services entirely at no cost.
5. What are Interface Endpoints and do they save money?
Interface Endpoints (AWS PrivateLink) create private connections to AWS services like ECR, CloudWatch Logs, Secrets Manager, SQS, and SNS. They cost $0.01/hr per AZ plus $0.01/GB processed. Compared to routing the same traffic through NAT Gateway at $0.045/GB, the saving is $0.034/GB minus the hourly cost. Break-even versus NAT: approximately 626 GB/month per endpoint in a three-AZ VPC. Production ECR pull volumes typically exceed this threshold for any active container cluster.
6. Is AWS Direct Connect worth it for egress?
At sustained egress above 3-5 TB/month to an on-premises or colocation environment. Direct Connect outbound US rate: $0.02/GB versus $0.09/GB internet. The $0.07/GB saving covers a 1 Gbps port cost ($219/month) at approximately 3.1 TB/month. Below that threshold, internet egress is more cost-effective. Direct Connect also provides lower, more consistent network latency than internet routing.