Cloud Egress Costs Explained

"Why is my cloud bill so high?" is most often a data-transfer question. Egress (data leaving the cloud) is priced 5-10x higher than the same volume of compute or storage and is the most common source of cost surprises on cloud bills. The pricing model is deliberately complex — different rates for internet egress, cross-region, cross-AZ, NAT processing, transit gateway processing, and dedicated connectivity. This guide unpacks every cost line, where the traps are, and the architecture changes that actually reduce the bill.

The price table at a glance (AWS, us-east-1, 2026)

Traffic type | Price per GB | Notes
--- | --- | ---
Inbound from internet | $0 | Free across all clouds
Outbound to internet (first tier) | $0.09 | First 10 TB/month; tiered down at higher volumes
Outbound to internet (10 PB+ tier) | $0.05 | Requires negotiated committed-use discount
Inter-AZ within same region | $0.01 each direction | Billed on both sender and receiver
Cross-region | $0.02 | Billed on the source region only
NAT Gateway processing | $0.045 | Stacks on top of internet egress for outbound from private subnets
Transit Gateway processing | $0.02 | Per GB processed by the transit gateway
Direct Connect egress | $0.02 | Roughly 78% cheaper than internet egress
VPC Gateway Endpoint (S3, DynamoDB) | $0 | Free; eliminates NAT processing for those services
VPC Interface Endpoint | $0.01 + hourly | $0.01/GB plus ~$7/month per endpoint per AZ

Azure and GCP have similar structures with slightly different headline numbers. The relative ratios (egress is 9x compute, inter-AZ matters, dedicated saves ~70%) hold across all three.

The four egress traps that show up on every cloud bill

Trap 1: Inter-AZ chatter

You designed for HA by spreading instances across three AZs. Application servers in AZ-A query the database replica in AZ-B. Cache misses in AZ-C hit the cache in AZ-A. Every byte costs $0.01 outbound from one AZ + $0.01 inbound to the other = $0.02 round-trip per GB.

A microservices application with chatty internal traffic can easily generate 50 TB/month of inter-AZ traffic. At $0.02/GB that is $1000/month in pure inter-AZ data transfer, which is more than the instances themselves cost.

Fixes:

  • AZ affinity. Route requests to backends in the same AZ when possible. AWS Application Load Balancer supports this with cross-zone load balancing disabled.
  • Local caches. A per-AZ Redis cluster vs a single shared cluster eliminates inter-AZ cache traffic.
  • Service-mesh awareness. Modern service meshes (Istio, Linkerd, Consul) can express AZ-local routing as a policy.

Trap 2: NAT Gateway processing for AWS service traffic

An application in a private subnet downloads 5 TB/month from S3. Without VPC endpoints, every byte travels through the NAT Gateway ($0.045/GB) and out the Internet Gateway. At 5 TB that is $225/month in NAT processing alone, and the traffic never actually leaves AWS.

Fix: gateway endpoints (S3, DynamoDB) are free and eliminate the NAT path entirely. The traffic stays on AWS's backbone. See NAT Gateway vs Internet Gateway.

Trap 3: Cross-region replication

For HA, you replicate a 1 TB dataset from us-east-1 to us-west-2 daily. That is 30 TB/month at $0.02/GB cross-region = $600/month — and that is only the egress; you pay storage on both sides.

Fixes:

  • Delta replication only. Replicate changes, not full snapshots.
  • Cross-region replication compression. Pre-compress at the source if data is compressible.
  • Question whether you need cross-region. Many applications can survive a multi-hour regional outage with backup-and-restore rather than active replication.

Trap 4: Container egress through NAT

EKS / GKE / AKS clusters often run workloads in private subnets that download container images from public registries (Docker Hub, gcr.io, ghcr.io) every time a pod starts. Each pod start can pull 100-500 MB of layers via NAT Gateway.

Fixes:

  • Container registry caching. Use Amazon ECR (with VPC endpoint), Google Artifact Registry, or Azure Container Registry, all of which provide private endpoints for in-cloud pulls.
  • Image pull policy. Set imagePullPolicy: IfNotPresent so workers cache images locally.
  • Pre-pull common images as part of node provisioning.

Why egress is priced this way

Ingress is free; egress is expensive. The asymmetry exists because egress pricing is the major lock-in mechanism for the public clouds. The economic logic:

  • Cheap ingress → cheap to migrate data INTO a cloud.
  • Storage gets cheaper every year → cheap to keep it there.
  • Expensive egress → expensive to migrate data OUT.

The EU Data Act (effective 2024) requires cloud providers to waive egress fees for customers actually switching cloud providers, which slightly weakens the lock-in. Day-to-day egress for normal application traffic is unaffected.

Architecture moves that reduce egress

CDN in front of public-facing data

CloudFront, Azure CDN, and Google Cloud CDN do not charge for traffic from origin (S3, ALB, GCS) to the CDN. They then bill their own egress to the internet at roughly the same per-GB rate as direct S3 egress, but with substantially better performance and DDoS protection. For high-volume content (static sites, media downloads, software distribution), a CDN adds essentially no incremental cost over direct egress.

CDN also enables negotiated rates: at >100 TB/month CloudFront egress, AWS will negotiate per-GB discounts down to $0.04/GB or lower under a Private Pricing Agreement.

VPC endpoints / Private Link / Private Service Connect

For traffic to managed services within the same cloud, private endpoints keep traffic off the public internet AND off the NAT path. Critical for cost on:

  • S3, DynamoDB (gateway endpoints — free).
  • SQS, SNS, Lambda, KMS, Secrets Manager, ECR (interface endpoints — small cost, large NAT savings).
  • RDS, ElastiCache when accessed from another VPC (Private Link).

Dedicated connectivity

For sustained high-volume egress (5+ TB/month from cloud to on-premises), Direct Connect / ExpressRoute / Interconnect reduces the per-GB rate from $0.09 to $0.02 — a 78% reduction. The fixed monthly cost (port + circuit + colo) typically pays back at 1-5 TB/month sustained. See Direct Connect vs ExpressRoute vs Interconnect.

Compression and deduplication

Compressing payloads at the application layer (gzip, brotli, zstd) reduces egress proportionally. The CPU cost is negligible compared to the egress saving. JSON payloads compress 70-90%; images and video that are already compressed shrink less but still benefit from transit-level compression in many cases.

Move processing to the cloud, not data out

The single most effective egress reduction is architectural: keep data in the cloud and bring queries to it, rather than exporting data for off-cloud processing. AWS Athena, BigQuery, Snowflake (within the same cloud), and serverless functions let you process at-rest data without ever egressing it.

Cost monitoring that actually catches problems

Most cloud egress surprises are not a single spike — they are gradual creep from new application traffic patterns. Useful monitoring:

  • AWS Cost and Usage Reports broken down by usage type. Filter for usage types containing "DataTransfer-Out", "BytesUsed", or "NATGateway-Bytes". Build a daily dashboard.
  • VPC Flow Logs. Enable on all VPCs. Aggregate by source/destination + bytes. Catches inter-AZ chatter and unexpected egress targets.
  • Anomaly alerts. Tools like AWS Cost Anomaly Detection, Datadog cloud cost monitoring, or Cloudability detect when egress patterns shift.
  • Per-team allocation. Tag resources so egress can be attributed to specific teams or applications. Untagged egress is unaccountable egress.
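
An added example (not from the original guide) of the flow-log aggregation described above: it classifies default-format VPC Flow Log records as intra-AZ, inter-AZ or internet-bound, prices them at the table rates on this page, and lists external destinations missing from an allow list. The subnet-to-AZ map, the sample records and the allow list are constructed assumptions, and it assumes each flow is logged once, on the sender's interface.

```python
import ipaddress
from collections import defaultdict

# Assumed subnet-to-AZ map for a hypothetical VPC (constructed for this example).
SUBNET_AZ = {
    ipaddress.ip_network("10.0.1.0/24"): "us-east-1a",
    ipaddress.ip_network("10.0.2.0/24"): "us-east-1b",
}
# Per-GB rates from this page's price table (inter-AZ = $0.01 on each side).
RATE = {"intra-az": 0.0, "inter-az": 0.02, "internet": 0.09}

# Constructed sample records in the default (version 2) VPC Flow Log format.
SAMPLE = """\
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 44321 5432 6 900 40000000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.1.30 44400 6379 6 500 12000000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 203.0.113.50 51000 443 6 300 8000000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 198.51.100.7 51001 443 6 10 5000 1700000000 1700000600 REJECT OK
2 123456789012 eni-0b2 - - - - - - - 1700000000 1700000600 - NODATA
"""

def az_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((az for net, az in SUBNET_AZ.items() if ip in net), None)

def summarize(log_text, allowed_external=()):
    """Return (bytes per class, estimated cost per class, unexpected external bytes)."""
    totals = defaultdict(int)
    unexpected = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue  # skip NODATA/SKIPDATA records and rejected flows
        src_az, dst_az, nbytes = az_of(f[3]), az_of(f[4]), int(f[9])
        if src_az is None:
            continue  # source outside the VPC: inbound traffic, not egress
        if dst_az is None:
            kind = "internet"  # any non-VPC destination, incl. AWS public endpoints
            if f[4] not in allowed_external:
                unexpected[f[4]] += nbytes
        else:
            kind = "intra-az" if src_az == dst_az else "inter-az"
        totals[kind] += nbytes
    cost = {k: round(v / 1e9 * RATE[k], 2) for k, v in totals.items()}
    return dict(totals), cost, dict(unexpected)
```

In production the same grouping is usually run as a query over flow logs delivered to S3 or CloudWatch Logs; the classification logic is what carries over.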

Frequently Asked Questions

Why is cloud egress so expensive?

Egress pricing is high because it serves as the major lock-in mechanism for the public clouds. Compute and storage prices have dropped steadily; egress prices have barely moved. The economic logic is that anyone trying to migrate off the cloud has to pay full egress on every byte, while ingress is free — making it cheap to move data IN and expensive to move it OUT. The EU Data Act and similar regulations have started forcing reductions for users actually switching providers, but day-to-day egress remains at roughly the same headline rates.

What is the difference between inter-AZ and cross-region traffic cost?

On AWS, inter-AZ traffic is $0.01/GB each direction ($0.02/GB total for a round trip) — billed on both sides. Cross-region traffic is $0.02/GB outbound from the source region, billed once. Both are dramatically cheaper than internet egress ($0.09/GB). The trap is that inter-AZ adds up faster than people expect — a noisy chat between application instances in two AZs can cost more than the instances themselves.

Is data transfer into the cloud free?

Yes — ingress is free on AWS, Azure, and GCP across all standard scenarios. The cloud providers actively want data flowing in, since stored data drives storage spend, processing spend, and eventual egress spend. The exception is dedicated connectivity (Direct Connect, ExpressRoute, Interconnect) which has port and circuit fees regardless of traffic direction, but the per-GB ingress charge is still zero.

Do VPC endpoints save egress costs?

Yes for traffic to AWS services. Gateway endpoints (S3, DynamoDB) are free and eliminate both NAT Gateway processing charges ($0.045/GB) and the public internet path for that traffic. Interface endpoints have hourly and per-GB charges (~$0.01/GB) but still cost less than NAT Gateway processing for most workloads. For an S3-heavy app, gateway endpoints typically save 30-70% of the data transfer line item on the AWS bill.

How does CloudFront / CDN affect egress pricing?

Traffic from origin (S3, EC2, ALB) to CloudFront is free — internet egress charges do not apply on that hop. CloudFront then bills its own egress to the internet at roughly $0.085/GB on the first tier, similar to S3 internet egress, but with regional and committed-use discounts that can bring it to $0.04/GB or lower at high volumes. For content distributed broadly, CloudFront is essentially identical in cost to direct S3 egress but with better latency and DDoS protection.
