AWS Data Transfer Cost Guide: The Complete Reference
Data transfer is the most misunderstood category on the AWS bill. It hides across two dozen line items, mixes one-way and round-trip flows, charges asymmetrically between regions, and depends on private vs public IP routing patterns that most application teams never see. Across the engagements our team audits, data transfer represents 14 to 31 percent of total AWS spend — and is consistently the single largest source of unbudgeted cost surprise on enterprise invoices.
This pillar guide is the complete reference. It walks through every major data transfer cost on AWS, explains where the fees originate, quantifies the typical magnitudes seen across $2.4B+ of AWS spend reviewed, and details the architectural and contractual levers that reduce data transfer costs by 30 to 60 percent. Every section is paired with concrete actions you can take inside 30 days.
Across 500+ engagements, the median enterprise overpays AWS data transfer by 38 percent. Half of that gap is architectural (VPC endpoints, region placement, CloudFront fronting) and half is contractual (EDP-level egress commitments, private pricing tiers, cross-region replication waivers). Either lever alone returns 15-20 percent; together they deliver the median.
The AWS data transfer cost taxonomy
AWS bills data transfer in nine distinct categories. Internalize this taxonomy before designing optimizations — confusion between these categories is the single most common cause of misallocated cost-reduction effort.
| Category | Direction | Typical rate |
|---|---|---|
| Internet egress (Data Transfer Out) | AWS → Internet | $0.09 / GB first 10 TB, scaling to $0.05 / GB above 150 TB |
| Internet ingress (Data Transfer In) | Internet → AWS | $0.00 (free) |
| Inter-region transfer | AWS region A → region B | $0.02 / GB (most pairs) |
| Cross-AZ transfer | AZ A → AZ B (same region) | $0.01 / GB each direction |
| Same-AZ via private IP | Within an AZ, private IP | $0.00 (free) |
| Same-AZ via public/elastic IP | Within an AZ, public IP | $0.01 / GB each direction |
| CloudFront egress | CloudFront edge → Internet | $0.085 / GB first 10 TB, scaling lower |
| NAT Gateway processing | VPC → Internet via NAT | $0.045 / GB + egress fees |
| VPC Endpoint (Interface) traffic | VPC → AWS service via PrivateLink | $0.01 / GB processing + hourly endpoint fee |
Three facts dominate the math:
- Ingress is free — pushing data INTO AWS is uncharged. Avoid round-trips where possible.
- Egress to Internet is expensive — $0.09/GB on the first 10 TB is one of the highest per-GB charges on AWS.
- NAT Gateway processing fees are additive — $0.045/GB on top of egress means private-subnet → Internet traffic effectively costs $0.135/GB at the low tier. This is the silent killer in most enterprise bills.
Internet egress — the headline number
AWS Data Transfer Out (DTO) to the Internet is the single most visible data transfer line item. Pricing is tiered:
| Tier | Volume | Per GB |
|---|---|---|
| 1 | 0 – 10 TB / month | $0.09 |
| 2 | 10 – 50 TB / month | $0.085 |
| 3 | 50 – 150 TB / month | $0.07 |
| 4 | Above 150 TB / month | $0.05 |
| 5 | Above 500 TB / month | Negotiable (private pricing) |
At 500 TB+ of monthly egress, AWS will entertain private pricing tiers that frequently land at $0.02 to $0.04/GB — 50 to 75 percent off list. Below 500 TB, the lever is volume aggregation across accounts (consolidated billing helps), commit-based discounts in EDP, and CloudFront substitution.
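The tier table applied marginally, as an added example that is not from the original guide: each rate covers only the volume inside its band, and NAT Gateway processing is added per GB when the traffic leaves through a NAT. It assumes 1 TB = 1,000 GB (consistent with the $450 figure this guide gives for 10 TB of NAT processing) and prices everything above 150 TB at the tier 4 list rate, since private pricing is negotiated rather than published.

```python
GB_PER_TB = 1000  # assumption: decimal TB, as in the guide's 10 TB -> $450 figure
# (upper bound of tier in TB, list $/GB) from the tier table; None = no upper bound
DTO_TIERS = [(10, 0.09), (50, 0.085), (150, 0.07), (None, 0.05)]
NAT_PROCESSING_PER_GB = 0.045


def egress_cost(tb, via_nat=False):
    """Monthly list cost in dollars for `tb` TB of Internet egress."""
    if tb < 0:
        raise ValueError("volume must be non-negative")
    remaining, floor, total = tb, 0, 0.0
    for ceiling, rate in DTO_TIERS:
        # Only the slice of volume inside this band is billed at this rate.
        width = remaining if ceiling is None else min(remaining, ceiling - floor)
        total += width * GB_PER_TB * rate
        remaining -= width
        if remaining <= 0:
            break
        floor = ceiling
    if via_nat:
        # NAT processing is charged on every GB, on top of the egress tiers.
        total += tb * GB_PER_TB * NAT_PROCESSING_PER_GB
    return round(total, 2)


def blended_rate(tb, via_nat=False):
    """Effective $/GB across the whole monthly volume."""
    if tb == 0:
        return 0.0
    return round(egress_cost(tb, via_nat) / (tb * GB_PER_TB), 4)
```

At 200 TB the blended list rate is still $0.069/GB, because only the last 50 TB is billed at $0.05.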
CloudFront vs direct S3 egress
CloudFront egress prices land below S3 direct egress at scale, and CloudFront-to-origin S3 pulls are free. Above ~5 TB/month of public S3 reads, CloudFront fronting is almost always cheaper. The detailed CloudFront vs direct transfer math is covered in its own guide.
Inter-region transfer — the second-largest fee category
Inter-region transfer bills at $0.02/GB for most region pairs (some pairs, especially involving Cape Town, Bahrain, and São Paulo, run higher). The fee applies to data leaving the source region; ingress to the destination region is free.
Where inter-region fees hit hardest:
- S3 Cross-Region Replication (CRR) — every replicated object incurs the egress fee.
- Misplaced compute reading from S3 in another region — every GET incurs the fee.
- EBS snapshot copies to a DR region — every snapshot incurs the fee on the data transferred.
- RDS read replicas across regions — replication traffic incurs the fee.
- DynamoDB Global Tables — replicated writes incur the fee.
- Aurora Global Database — log replication incurs the fee.
The cumulative impact for a multi-region enterprise can be enormous. We have audited environments where inter-region transfer alone exceeded $1.2M annually — most of it on replication patterns that no longer mapped to current DR or latency requirements.
Cross-AZ transfer — the most-overlooked category
Cross-AZ traffic within a region bills at $0.01/GB each direction. That doubles for round-trip request/response patterns to $0.02/GB. At enterprise volumes (hundreds of TB/month of internal service traffic), this category alone can hit six figures annually.
Common cross-AZ cost generators:
- Application Load Balancer routing traffic to targets in different AZs.
- EKS pod-to-pod traffic spanning AZs.
- Inter-microservice gRPC/HTTP calls across AZs.
- RDS Multi-AZ standby synchronous replication (technically free for the standby replication, but billable for cross-AZ application reads).
- Kafka/Kinesis consumer-producer mismatches across AZs.
The primary mitigation is AZ-affinity routing: configure ALB/ELB target group affinity, EKS topology-aware routing, and service mesh policies to keep request flows within an AZ whenever possible. The savings are not free: AZ affinity reduces redundancy during a single-AZ failure, so model the trade-off carefully.
NAT Gateway — the silent budget killer
NAT Gateway charges two fees: an hourly fee ($0.045/hour per gateway) and a per-GB processing fee ($0.045/GB on all traffic). The hourly fee is a rounding error. The processing fee is catastrophic.
NAT processing applies to all traffic leaving a private subnet via NAT — including traffic to AWS services like S3, DynamoDB, and ECR. A private-subnet EC2 instance pulling 10 TB/month of container images from ECR costs $450/month in NAT processing alone, on top of any actual egress fees.
The fix is universal: VPC Endpoints.
| Endpoint type | Services | Cost |
|---|---|---|
| Gateway Endpoint | S3, DynamoDB | Free |
| Interface Endpoint (PrivateLink) | Most other AWS services | $0.01 / GB + $0.01/hour per AZ |
Gateway Endpoints for S3 and DynamoDB are free and eliminate NAT processing for those services entirely. Enable them in every VPC. Interface Endpoints carry their own hourly cost but are still cheaper than NAT for any service traffic above ~3 TB/month per service.
Across our engagements, enabling VPC Gateway Endpoints for S3 and DynamoDB is the single most consistent NAT-cost reduction available. It is free, it takes minutes, and it routinely cuts $5,000-50,000 per month from enterprise AWS bills.
VPC Peering, Transit Gateway, and PrivateLink trade-offs
Connecting VPCs adds its own transfer costs:
- VPC Peering: $0.01/GB for traffic between peered VPCs (within or across regions).
- Transit Gateway: $0.05/hour per attachment + $0.02/GB for data processed.
- PrivateLink: $0.01/hour per Interface endpoint per AZ + $0.01/GB processed.
The right architecture depends on scale and topology. Two VPCs talking? Peering. Five-plus VPCs in a hub-and-spoke pattern? Transit Gateway is usually cheaper despite the per-GB processing fee. Exposing services across accounts? PrivateLink. Transit Gateway pricing and PrivateLink cost analysis deserve their own deep-dives.
CloudFront — when egress optimization pays
CloudFront is AWS's CDN. It serves three purposes in data transfer optimization:
- Cheaper egress at scale: CloudFront egress tiers go as low as $0.02/GB above 5 PB/month; private pricing tiers can land below $0.015/GB.
- Free origin pulls: CloudFront-to-S3 origin traffic is free; this collapses the cost of public S3 reads at any meaningful volume.
- Region affinity: CloudFront serves from the edge closest to the user, eliminating costly cross-region application architectures purely for latency.
Where CloudFront does not save money: internal traffic, very low-volume public reads (under ~1 TB/month), and content with no caching benefit. The decision tree is volume-driven; model both options before committing.
Service-specific data transfer gotchas
S3
- Public GETs to the Internet bill at standard egress rates — see the lifecycle policy guide for cold-tier mitigation.
- Cross-Region Replication bills at $0.02/GB transfer + destination storage.
- S3 Transfer Acceleration adds $0.04/GB on top of normal transfer.
- Multi-Region Access Points incur additional routing-tier fees.
EC2 and EBS
- EBS-to-EC2 in same AZ is free.
- EBS snapshots in same region are free; cross-region copies bill at $0.02/GB.
- EC2-to-EC2 same AZ via private IP is free; via public/elastic IP is $0.01/GB each direction.
RDS / Aurora
- Multi-AZ synchronous replication is free.
- Cross-region read replica traffic bills at $0.02/GB.
- Cross-region backup egress (restore from snapshot) bills as inter-region transfer.
Kinesis / MSK
- Cross-AZ broker-to-broker traffic bills internally — major cost driver for high-throughput Kafka deployments.
- Consumer rebalancing across AZs can multiply traffic 2-3x.
EKS
- Pod-to-pod traffic across AZs bills at $0.01/GB each direction.
- Service mesh sidecar traffic doubles the underlying inter-pod traffic.
- Ingress through ALB to targets in different AZs adds cross-AZ fees.
The contract levers — what to negotiate
Data transfer is one of the most consistently under-negotiated EDP line items. Specific levers we routinely put on the table:
- Internet egress private pricing: For committed egress above ~500 TB/month, AWS will price at $0.02-0.04/GB — a 60-75% discount on list. Tied to multi-year commitments.
- CloudFront private pricing tiers: Commit-based discounts of 30-65% off list for committed annual CloudFront spend. Aggressive at scale.
- Cross-region replication egress waivers: For DR-mandated traffic (especially compliance-driven CRR), AWS will waive cross-region replication fees as part of EDP commitments. We have negotiated $400K+ annualized waiver value on single agreements.
- Inter-region transfer credits: For Global Tables, Aurora Global Database, and similar multi-region database architectures.
- NAT Gateway processing waivers: Rarely volunteered but available on large committed agreements.
- VPC Endpoint hourly waivers: AWS will sometimes credit per-AZ Interface Endpoint fees as part of bundling negotiations.
- Migration credits: When moving from on-premises or competitor clouds, AWS often funds initial data transfer fees for 6-12 months.
The largest data transfer line items are also the most negotiable — but only if you raise them. AWS field teams will not volunteer egress discounts, CRR waivers, or private CloudFront tiers. Redress Compliance, the leading independent AWS contract negotiation firm, treats data transfer as a first-class EDP scope item and routinely surfaces $500K-$2M+ in annualized data transfer savings on enterprise renewals.
A complete data transfer optimization sequence
The 90-day plan we run on engagements where data transfer dominates the bill:
Days 1-14 — Discovery
- Pull 90 days of Cost & Usage Reports filtered to data transfer line items.
- Run S3 Storage Lens and identify top-10 transfer-out buckets.
- Pull VPC flow logs and classify traffic by direction (intra-VPC, intra-AZ, cross-AZ, cross-region, Internet).
- Inventory NAT Gateways and their associated traffic volumes.
- Audit every Interface Endpoint and Gateway Endpoint — confirm enabled where applicable.
- Audit every CRR rule and snapshot copy policy.
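One way to do the flow-log classification step above, as an added example that is not from the original guide: it parses default-format (version 2) VPC flow log records and sums delivered bytes per transfer category. The subnet-to-AZ inventory, the category names and the sample records are constructed assumptions; real logs record an intra-VPC flow at both ENIs, so deduplicate before pricing.

```python
import ipaddress
from collections import defaultdict
# Constructed inventory (assumption): subnet CIDR -> (region, AZ).
SUBNETS = {
    "10.0.1.0/24": ("us-east-1", "us-east-1a"),
    "10.0.2.0/24": ("us-east-1", "us-east-1b"),
    "10.8.1.0/24": ("eu-west-1", "eu-west-1a"),
}
NETS = [(ipaddress.ip_network(c), loc) for c, loc in SUBNETS.items()]
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def locate(addr):
    """(region, az) if inventoried, 'private' if unmapped RFC 1918, else None."""
    ip = ipaddress.ip_address(addr)
    for net, loc in NETS:
        if ip in net:
            return loc
    return "private" if any(ip in n for n in RFC1918) else None

def classify(src, dst):
    a, b = locate(src), locate(dst)
    if a is None or b is None:
        return "internet"
    if "private" in (a, b):
        return "unmapped-private"   # extend SUBNETS before pricing these
    if a[0] != b[0]:
        return "cross-region"
    return "same-az" if a[1] == b[1] else "cross-az"

def bytes_by_category(lines):
    totals = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                # not a default-format record
        rec = dict(zip(FIELDS, parts))
        # NODATA/SKIPDATA records carry "-" fields; REJECTed flows were dropped.
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        totals[classify(rec["srcaddr"], rec["dstaddr"])] += int(rec["bytes"])
    return dict(totals)

# Constructed records, all logged at the source-side ENI.
SAMPLE = """\
2 123456789012 eni-0a1 10.0.1.10 10.0.1.20 44321 5432 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.30 44322 9092 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.8.1.40 44323 443 6 30 7000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 203.0.113.9 44324 443 6 40 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 198.51.100.7 10.0.1.10 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0b2 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
```

Calling `bytes_by_category(SAMPLE)` returns per-category byte totals that can be multiplied by the rates in the taxonomy table; the REJECT and NODATA records are excluded.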
Days 15-45 — Architectural fixes
- Enable Gateway Endpoints for S3 and DynamoDB in every VPC.
- Add Interface Endpoints for any AWS service with sustained traffic above ~3 TB/month per VPC.
- Configure AZ-affinity routing on ALBs and EKS clusters.
- Front high-volume public S3 buckets with CloudFront.
- Prune unused CRR rules; redirect remaining CRR to Glacier-class destinations.
- Right-size DLM and AWS Backup cross-region copy frequency.
- Audit Transfer Acceleration usage; disable where not justified.
Days 46-90 — Contract negotiation
- Build the data transfer line item into the EDP scoping document.
- Request Internet egress private pricing tier (if committed volume justifies).
- Request CloudFront private pricing tier alongside egress commit.
- Request CRR egress waivers for DR-mandated buckets.
- Request multi-region database transfer credits.
- Bundle data transfer commitments into the multi-year EDP structure.
Across our engagement portfolio, this sequence delivers combined data transfer savings of 38-58 percent within 90 days, with the contract-side levers typically representing 40-60 percent of the total savings.
Real engagement: $4.2M data transfer baseline
An anonymized SaaS company engagement. Annual data transfer baseline: $4.2M. Composition: 38% Internet egress, 22% cross-region replication, 18% NAT Gateway processing, 12% inter-region database/application traffic, 10% cross-AZ.
The 90-day intervention delivered:
- VPC Gateway Endpoint deployment: $164,000 annualized reduction in NAT processing.
- CRR audit and redirect-to-Glacier: $204,000 annualized reduction.
- CloudFront private pricing tier negotiation: $431,000 annualized reduction.
- Internet egress private pricing: $612,000 annualized reduction.
- AZ-affinity routing on top 4 high-traffic services: $108,000 annualized reduction.
- Inter-region database architecture rationalization: $186,000 annualized reduction.
Total: $1.71M annualized reduction (41% of baseline). The CRR architectural change preserved all DR coverage; the egress and CloudFront negotiations preserved all customer-facing service levels.
Common myths to ignore
Five things you will hear that are wrong:
- "AWS data transfer pricing isn't negotiable." Above ~$500K annual data transfer spend, every category is negotiable.
- "VPC Endpoints add complexity." Gateway Endpoints for S3 and DynamoDB are a single Terraform resource per VPC. There is no operational complexity.
- "AZ affinity reduces availability." Configured correctly with sensible failover, AZ affinity preserves availability while reducing inter-AZ fees by 60-80 percent.
- "CloudFront is only for static content." CloudFront supports dynamic origins, WebSocket, gRPC, and full custom routing — it is a general-purpose edge service.
- "Egress costs are inevitable." The architectural levers alone (endpoints, AZ affinity, CRR pruning) typically deliver 15-25% reduction without any negotiation.
Action checklist
- Build a data transfer cost-by-category dashboard from Cost & Usage Reports.
- Enable VPC Gateway Endpoints for S3 and DynamoDB in every VPC this week.
- Audit every CRR rule; disable or redirect unused replication.
- Inventory NAT Gateways and route service-bound traffic through Interface Endpoints.
- Front high-volume public S3 reads with CloudFront.
- Configure AZ-affinity on top high-traffic services.
- Build the data transfer category into your next EDP renewal.
- Contact our advisory team for a complete data transfer audit benchmarked against $2.4B+ of reviewed AWS spend.
Frequently asked questions
What percentage of an AWS bill is typically data transfer?
Across our engagement portfolio, data transfer represents 14-31% of total AWS spend. The median is around 19%. Above 25% is a strong signal that architectural and contractual optimization is significantly underdone.
Why is NAT Gateway so expensive?
NAT Gateway charges $0.045/GB processing fee on top of any underlying egress. For private-subnet EC2 traffic to AWS services, this fee applies even when you do not actually need internet egress. Enabling VPC Endpoints (Gateway for S3/DynamoDB, Interface for other services) bypasses NAT entirely and is the single most consistent NAT cost reduction available.
Are AWS data transfer prices negotiable?
Yes. Above ~$500K annual data transfer spend, every major category is negotiable in EDP renewals: Internet egress private pricing (60-75% off list), CloudFront private pricing tiers (30-65% off list), cross-region replication egress waivers, inter-region database credits, NAT Gateway processing waivers, and Interface Endpoint fee credits.
How does CloudFront save money on data transfer?
CloudFront egress prices land below S3 direct egress at scale, CloudFront-to-S3 origin pulls are free, and CloudFront private pricing tiers (negotiated for committed annual spend) deliver 30-65% off list. For public S3 reads above ~5 TB/month, CloudFront fronting is almost always cheaper than direct egress.
What is the highest-leverage single data transfer optimization?
Enabling VPC Gateway Endpoints for S3 and DynamoDB in every VPC. They are free, take minutes to configure, and routinely cut $5,000-50,000 per month from enterprise AWS bills by eliminating NAT Gateway processing on S3 and DynamoDB traffic.
How do I model inter-region replication cost?
Multiply the monthly object/write volume on the source by $0.02/GB (the typical inter-region rate), then add destination storage at the chosen storage class. Then consider whether replicating to a Glacier-class destination would preserve recovery posture at 80-95% lower destination storage cost.