You deploy a service across two Availability Zones for resilience — standard practice. A month later, the bill shows $200 in data transfer charges you never expected. Nothing changed in your application. You just didn’t know that every byte moving between those AZs costs money, in both directions.
Data transfer is one of the most common billing surprises on AWS. According to the Flexera 2026 State of the Cloud Report, organizations waste 29% of their cloud spend — up from prior years, the first increase in five years. A significant chunk of that waste hides in networking charges that most developers never think about until the bill arrives.
Here’s what actually costs money, what the rates are, and how to catch it early.
Egress to the Internet: The Charge Everyone Knows (Sort Of)
Sending data out of AWS to the internet — egress — is the most visible data transfer cost. Inbound data is free. Outbound is not.
Current egress pricing for most AWS regions (source: AWS EC2 On-Demand Pricing):
| Monthly egress volume | Price per GB |
|---|---|
| First 100 GB / month | Free (aggregated across all services) |
| Next 9.9 TB (up to 10 TB) | $0.09 |
| Next 40 TB (10–50 TB) | $0.085 |
| Next 100 TB (50–150 TB) | $0.07 |
| Over 150 TB | $0.05 |
For a freelancer or small team serving an API, 100 GB of free egress covers a lot. But if you’re hosting assets, serving media, or running a data pipeline that exports results, you cross that threshold faster than expected. At $0.09/GB, even 500 GB of monthly egress adds $36/month — and that’s before the other charges stack on top.
Cross-AZ Traffic: $0.01 per GB, Both Ways
Running services across multiple Availability Zones improves reliability. AWS recommends it. But it comes with a hidden tax.
Every gigabyte of data transferred between AZs costs $0.01 per GB in each direction (source: AWS Architecture Blog). That’s $0.02 per GB round-trip. Transfer within the same AZ is free.
This adds up silently in common patterns:
- Load balancers distributing traffic across AZs — every request routed to an instance in a different AZ than the load balancer incurs the charge
- Microservices calling each other across AZs — each inter-service hop between AZs adds $0.01/GB each way
- Database replicas in other AZs — replication traffic between primary and standby instances is charged
A service handling 1 TB of cross-AZ traffic per month pays $20 — just for data moving inside your own VPC. Scale that across several microservices and it quietly becomes one of the larger items on the bill.
NAT Gateway: The Silent $1,000/Month Cost
If your Lambda functions, containers, or EC2 instances run in a private subnet — they reach the internet through a NAT Gateway. AWS charges for this in two ways (source: AWS VPC Pricing):
| Charge type | Rate |
|---|---|
| Hourly (per NAT Gateway) | $0.045 / hour (~$32.40 / month) |
| Data processing | $0.045 / GB |
The data processing fee stacks on top of standard egress. So a request from a Lambda in a private subnet to an external API costs: $0.045/GB NAT processing + $0.09/GB egress = $0.135/GB total — 50% more than you’d expect from egress alone.
The real trap: traffic to AWS services also goes through the NAT Gateway by default. Calls to S3, DynamoDB, ECR, CloudWatch — all routed through NAT, all incurring the $0.045/GB processing fee, even though these services run inside AWS’s network.
The $1,000 S3 Mistake
Geocodio documented a real case where S3 transfers inside a VPC were routed through a NAT Gateway — racking up $1,000 in unnecessary charges. The data never left AWS. There was no internet egress. But because no VPC Endpoint existed for S3, every byte took the expensive path through NAT.
The fix was a single VPC Gateway Endpoint for S3 — free of charge. AWS refunded the $1,000 after the issue was explained.
VPC Endpoints: The Fix You’re Probably Missing
VPC Endpoints let traffic to AWS services bypass the NAT Gateway entirely. There are two types (source: AWS PrivateLink Pricing):
| Endpoint type | Supported services | Hourly cost | Per-GB cost |
|---|---|---|---|
| Gateway Endpoint | S3, DynamoDB | Free | Free |
| Interface Endpoint | Most other AWS services | $0.01 / hour / ENI | $0.01 / GB |
Gateway Endpoints for S3 and DynamoDB should be in every VPC. They cost nothing and eliminate NAT Gateway processing charges for the two most commonly accessed AWS services. If you’re running containers that pull images from ECR, an Interface Endpoint for ECR reduces costs from $0.045/GB (NAT) to $0.01/GB — a 78% reduction (source: DEV Community — ECR VPC Endpoints).
For a team processing 1 TB of S3 traffic monthly through a NAT Gateway in a 3-AZ setup, switching to a Gateway Endpoint saves roughly $138/month in processing fees alone — per account (source: AWS re:Post).
How to Spot Data Transfer Costs Before They Compound
The hard part with data transfer isn’t the rates — it’s that you don’t see them until the monthly bill. By then, $50 has become $300.
AWS Cost Explorer breaks down data transfer by type (inter-AZ, internet egress, regional) but requires you to know where to look and to check regularly. AWS Budgets can alert you when total spend crosses a threshold, but budget alerts have an 8–12 hour delay before reflecting actual usage (source: AWS Budgets Documentation). By the time the email arrives — if it doesn’t land in spam — the damage may already be done.
Cost Anomaly Detection uses machine learning to identify unexpected cost spikes, including data transfer. It’s free and catches patterns humans miss. But the alerts ship via email or SNS — not where most developers are looking when they’re heads-down shipping code.
CostPulse: Data Transfer Spikes on Your Lock Screen
CostPulse takes the budget and anomaly signals AWS generates and delivers them as native iOS push notifications — no email, no dashboard to remember.
- Budget alerts as push notifications — hit 50%, 80%, or 100% of your budget and know immediately, not 12 hours later
- Anomaly detection — ML-powered spike detection catches unusual data transfer charges before they compound over days
- Cost Explorer in your pocket — see daily spend by service, spot data transfer trends early
- Lock Screen widgets — budget progress visible at a glance, without opening any app
- 2 minutes to set up — one CloudFormation stack, no AWS credentials shared, IAM roles only
The free plan covers one AWS account with full cost visibility. CostPulse Plus ($4.99/month) adds up to 3 accounts, budget push alerts, anomaly detection, and widgets.
Stop Guessing, Start Monitoring
Data transfer charges don’t announce themselves. They grow $0.01 at a time until the monthly bill looks wrong. Add VPC Gateway Endpoints for S3 and DynamoDB — they’re free. Review your NAT Gateway data processing in Cost Explorer. Set a budget. And make sure the alert actually reaches you.
Download CostPulse and get push-based cost alerts in under two minutes — free plan included, no credit card required.