
AWS Networking Cost Guide: every networking line item, where it hurts, and what is negotiable

Networking is the AWS cost category buyers underestimate the most. It is fragmented across a dozen line items, hidden behind opaque inter-region rates, and dominated by data transfer charges that compound silently. It is also one of the most negotiable categories - if you know which levers AWS actually moves on.

Published May 2026 | Cluster Networking | 18 min read

AWS networking cost is the line item that surprises buyers the most. Compute is visible, predictable, and well-understood. Storage is large but easy to forecast. Networking is fragmented across a dozen sub-services, dominated by data-transfer line items that grow non-linearly with usage, and obscured by inter-region and intra-region rates that almost nobody calculates correctly in their TCO model.

For most enterprise AWS estates, networking ends up as 8-18% of total AWS spend - and the higher end of that range is where the unrecovered savings sit. This pillar guide walks through every major networking cost driver, where the rates are negotiable, and the architectural and contractual levers that move the number.

$2.4B+ AWS spend reviewed | 500+ engagements | 38% average reduction | $340M+ client savings

The networking cost surface

AWS networking cost is the sum of seven categories. Understanding the shape of each is the prerequisite for any optimisation conversation.

1) Internet egress (data transfer out). The single largest line item in most networking bills. Traffic leaving AWS to the public internet, priced per GB on a tiered scale with the first GB/month free, the next 9.999 TB at one rate, the next chunk at a slightly lower rate, and so on. The headline rate for the first tier is around $0.09/GB in US regions and higher in others.

2) Inter-region traffic. Traffic between AWS regions. Priced per GB, with rates depending on source and destination regions. Often $0.02-$0.09/GB and a major surprise line for buyers running multi-region architectures.

3) Inter-AZ traffic. Traffic between availability zones within the same region. Priced per GB in both directions ($0.01/GB each way in most regions). Looks trivial per byte; adds up fast at HA architecture scale.

4) NAT gateway charges. Per-hour cost plus a per-GB processing charge. NAT processing is often the largest single-resource networking line on private subnets that need outbound internet.

5) Load balancer charges. ALB, NLB, GWLB - each priced on a combination of LCUs (Load Balancer Capacity Units) and per-hour costs. Significant at scale but more predictable than data transfer.

6) Edge and acceleration services. CloudFront, Global Accelerator, Route 53 - each with their own pricing model. CloudFront is the largest of these and is the principal lever for compressing internet egress cost.

7) Hybrid networking. Direct Connect, VPN, Transit Gateway, VPC peering, VPC endpoints. The plumbing that connects AWS to on-prem and across accounts. Predictable individually, expensive cumulatively.

Data transfer - the line item nobody forecasts correctly

Internet egress is where the largest savings sit because it is where the largest spend sits. The published rate is around $0.09/GB in the first tier in most US regions. The tiered structure brings the marginal rate down to about $0.05/GB at very high volume, but most buyers never hit those tiers because the bulk of their traffic is below the volume break.

For buyers above a certain volume, the published data transfer rates are negotiable inside an EDP. Discounts of 30-60% off the headline rate are achievable for buyers committing $5M+ annually, with deeper concessions available for buyers at $25M+. The negotiation lever is forward commitment combined with clear evidence of egress alternatives (multi-cloud, direct interconnect, CloudFront migration plans).

Outside of the contract lever, the architectural levers are:

  • CloudFront in front of egress. CloudFront's own egress to internet is often cheaper than EC2 direct egress, and inside CloudFront the request-coalescing reduces origin egress further. For static content and cacheable APIs, this is the single biggest lever.
  • VPC endpoints (gateway and interface) for S3 and DynamoDB. Traffic to S3 from EC2 via a NAT gateway is double-billed (NAT processing + egress). A gateway endpoint to S3 removes both. The savings on busy estates can be six figures per quarter.
  • Direct Connect for known interconnect endpoints. Traffic flowing over a Direct Connect circuit attracts a much lower per-GB rate than internet egress. For buyers with predictable, large, repetitive flows to specific destinations (data partners, financial counterparties, large customer estates), the math frequently works.
  • Compression and protocol optimisation. Often overlooked. Gzip vs uncompressed, HTTP/2 vs HTTP/1.1, deduplication on file replication. Architectural work that pays back without contractual change.

Inter-region traffic - the hidden multi-region tax

Multi-region architectures are sold as the AWS resilience story. The cost story is rarely told as clearly. Inter-region rates of $0.02-$0.09/GB add up fast when production and DR are continuously replicating, when read replicas span regions, or when a global database (DynamoDB Global Tables, Aurora Global Database) is propagating writes.

For a buyer running a fully active-active two-region architecture with even moderate cross-region data movement, inter-region traffic can be 15-30% of the networking line. The negotiation levers are the same as for egress - EDP-level commitment with rate concessions - but the architectural levers are different:

  • Asynchronous replication patterns over synchronous where the application tolerates them
  • Compression of replication payloads
  • Region pair selection - some inter-region links are cheaper than others
  • Localising data to the region where it is consumed, even if it means duplicating storage

NAT gateway - the silent budget killer

NAT gateway is a service AWS could not have priced more aggressively if it tried. The per-hour cost is moderate ($0.045/hour or so), but the per-GB processing charge ($0.045/GB) is what kills the bill. A team running serverless functions in a private subnet that talk to S3 over the NAT - instead of via a gateway VPC endpoint - can quietly add tens of thousands of dollars a month for traffic that should not have been priced at all.

The remediation is almost always architectural:

  • Gateway VPC endpoints for S3 and DynamoDB. Free at the gateway endpoint level. Removes the NAT processing for the largest two destinations.
  • Interface VPC endpoints for other AWS services. Per-hour cost but no per-GB processing for traffic to that service. Pays back quickly for any service with sustained traffic from private subnets.
  • NAT instance for low-traffic dev environments. Not recommended for production but materially cheaper for non-prod accounts with light egress.
  • Architecting workloads to need outbound less. Most legitimate outbound traffic from private subnets is to AWS services; endpoints cover most of it.

Real Scenario: A financial services buyer at $22M annual AWS spend was running $400K/month in NAT processing - much of it traffic to S3 and DynamoDB from private-subnet EKS workloads. A four-week project to introduce gateway VPC endpoints across the affected VPCs reduced NAT processing by $290K/month with no application change. Annual saving: ~$3.5M, no EDP renegotiation required.
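
The gateway-endpoint check described above, as an added example that is not from the original page: it walks constructed data shaped like the EC2 DescribeRouteTables and DescribeVpcEndpoints responses, flags route tables that send default traffic to a NAT gateway without an S3 or DynamoDB gateway endpoint, and prices the exposure at the $0.045/GB rate quoted above. All IDs and the MONTHLY_GB volumes are hypothetical.

```python
# Added example: constructed data shaped like the EC2 DescribeRouteTables and
# DescribeVpcEndpoints responses; every ID and traffic volume is made up.
NAT_PER_GB = 0.045  # per-GB NAT processing rate quoted in the text above

ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "VpcId": "vpc-1", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-data", "VpcId": "vpc-1", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"},
        {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-data"]},
    {"VpcEndpointId": "vpce-sqs", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.sqs", "RouteTableIds": []},
]
# Hypothetical monthly GB per route table to each service (e.g. from flow logs).
MONTHLY_GB = {"rtb-app": {"s3": 40_000, "dynamodb": 5_000},
              "rtb-data": {"s3": 90_000, "dynamodb": 12_000}}

GATEWAY_SERVICES = ("s3", "dynamodb")  # the two services with gateway endpoints


def gateway_coverage(endpoints):
    """Map route table id -> set of services reachable via a gateway endpoint."""
    covered = {}
    for ep in endpoints:
        svc = ep["ServiceName"].rsplit(".", 1)[-1]
        if (ep["VpcEndpointType"] == "Gateway" and ep["State"] == "available"
                and svc in GATEWAY_SERVICES):
            for rtb in ep["RouteTableIds"]:
                covered.setdefault(rtb, set()).add(svc)
    return covered


def audit(route_tables, endpoints, monthly_gb):
    """Return (route table, service, est. monthly NAT cost) for each gap."""
    covered = gateway_coverage(endpoints)
    findings = []
    for rt in route_tables:
        via_nat = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                      and r.get("NatGatewayId") for r in rt["Routes"])
        if not via_nat:
            continue  # public or isolated table: no NAT processing charge
        for svc in GATEWAY_SERVICES:
            if svc not in covered.get(rt["RouteTableId"], set()):
                gb = monthly_gb.get(rt["RouteTableId"], {}).get(svc, 0)
                findings.append((rt["RouteTableId"], svc, round(gb * NAT_PER_GB, 2)))
    return findings


if __name__ == "__main__":
    for rtb, svc, cost in audit(ROUTE_TABLES, VPC_ENDPOINTS, MONTHLY_GB):
        print(f"{rtb}: no {svc} gateway endpoint, ~${cost:,.2f}/month NAT processing")
```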

CloudFront - the leverage tool

CloudFront is positioned as a content delivery network. From a cost perspective it is also the single most useful tool AWS provides for compressing internet egress. The arithmetic is favourable for two reasons:

1) CloudFront egress is typically cheaper than EC2 egress. Published rates for CloudFront egress to internet are lower per GB than direct EC2 egress in most regions. The exact spread varies but the direction is consistent.

2) CloudFront commitments are deeply negotiable. Buyers committing 50TB/month or more of CloudFront traffic can negotiate Custom Pricing Agreements (CPAs) that bring the effective rate well below the public per-GB price. Discounts of 40-70% off the public rate are achievable for buyers committing significant volume on a multi-year basis.

The combination - better baseline rate plus negotiated commit pricing - means the same workload egressing through CloudFront frequently costs 50-80% less than the same workload egressing directly from EC2. For any cacheable workload (web content, video, software distribution, large file delivery, increasingly API responses) the migration is one of the highest-ROI moves available.

See CloudFront vs direct transfer for the detailed cost comparison.

Direct Connect - when the math works

Direct Connect provides a dedicated physical circuit between an on-prem (or co-location) facility and AWS. The per-port hourly cost varies by port speed ($0.30/hour for 1Gbps, $2.25/hour for 10Gbps, $22.50/hour for 100Gbps as headline figures). The data transfer rate over Direct Connect is dramatically lower than internet egress - typically around $0.02/GB outbound at the cheapest tier.

For buyers with sustained, large, predictable traffic between AWS and a specific endpoint (often a data centre, partner, or counterparty), the math is overwhelmingly in favour of Direct Connect. For buyers with sporadic or low-volume traffic, the math is overwhelmingly against - the per-port hourly cost dominates.

The break-even point depends on traffic profile but is approximately:

Port        Monthly port cost    Break-even traffic
1 Gbps      ~$220/month          ~3 TB/month sustained
10 Gbps     ~$1,650/month        ~22 TB/month sustained
100 Gbps    ~$16,500/month       ~220 TB/month sustained

Buyers running hybrid architectures or with regulatory data residency requirements that compel large cross-environment traffic flows are almost always candidates for Direct Connect. The decision should be made jointly with the procurement team because there are commercial levers beyond the per-port cost - partner port fees, hosted connection arrangements, and bundled commitments - that change the picture.

Transit Gateway, VPC peering, VPC endpoints - the plumbing

Within AWS, the connectivity layer between accounts, VPCs, and services consists of three primary mechanisms:

VPC peering. Cheapest at small scale. No per-hour cost, only per-GB data transfer. Scales poorly because the peering relationship is point-to-point - N VPCs need N(N-1)/2 peering connections.

Transit Gateway. The hub-and-spoke equivalent. Per-hour attachment cost plus per-GB data processing. More expensive than peering at small scale but vastly more manageable at scale. The right answer for organisations with more than a handful of VPCs.

VPC endpoints. Gateway endpoints (S3, DynamoDB) are free. Interface endpoints (most other AWS services) have a per-hour cost per endpoint plus a per-GB processing fee. Endpoints are the lowest-cost connectivity to AWS services from private subnets.

Optimisation here is mostly architectural - the right pattern for the right scale - but there are commercial levers in EDP-level negotiations for buyers with very large Transit Gateway attachment counts.

What is negotiable

For a buyer above $5M annual AWS spend, the following networking items are credibly negotiable inside an EDP or a custom agreement:

  • Internet egress rates. The largest single lever. 30-60% off public rates is the achievable band for committed buyers; deeper for very large buyers.
  • CloudFront commit pricing. Volume-committed CPAs at 40-70% off public rates.
  • Inter-region rates. Less commonly negotiated but possible for buyers with documented multi-region strategies.
  • Direct Connect port pricing. Direct Connect partner arrangements and hosted connection terms.
  • Transit Gateway attachment pricing. Less common but available for very large multi-VPC estates.
  • Egress-free moves for migration. For buyers actively moving workloads out of AWS (or threatening to), AWS can and does waive egress for migration windows. The terms have evolved with public AWS commitments around free egress for departing customers - the practical reality is still negotiated.

What is generally not negotiable:

  • NAT gateway processing rates (architectural remediation is the answer)
  • Inter-AZ rates (typically uniform)
  • Load balancer LCU rates
  • VPC endpoint per-hour rates

Region selection as a cost lever

Region choice is rarely thought of as a cost lever because it is dominated by latency, residency, and product-availability considerations. But the cost differential between regions on networking line items is meaningful and frequently ignored. US-EAST-1, US-WEST-2, and the largest EU regions tend to be at the cheap end of the price band. Newer regions, smaller regions, and regions in countries with significant infrastructure cost (Hong Kong, Sao Paulo, Mumbai, the Middle East) carry materially higher rates on egress, NAT, and inter-region traffic.

For workloads where region is genuinely flexible - internal tools, batch workloads, data processing pipelines, analytics platforms - there is often $50K-$500K of annual networking saving available by consolidating into cheaper regions. The decision needs to weigh the architectural complexity of region migration against the savings, but the savings are usually larger than buyers assume because the per-GB rates compound across the entire networking line, not just one sub-item.

Region selection also matters for hybrid networking. A Direct Connect circuit to a region with cheaper inter-region rates will, over time, route traffic at a lower blended cost than the same circuit to a region with expensive inter-region rates.

IPv6 and the public-IP pricing question

AWS has moved toward charging for IPv4 addresses (per-hour cost for each public IPv4) while IPv6 traffic is generally not metered separately the same way. For very large estates with hundreds or thousands of public IPv4 addresses, this is a non-trivial line item that has emerged over recent quarters as AWS has restructured public IP pricing.

The IPv6 transition is now a cost lever in its own right. Workloads that can run dual-stack or IPv6-only see two benefits: avoidance of the per-hour IPv4 charge, and (for some flows) more efficient traffic patterns through AWS internal networking. This is not a six-figure lever for most buyers, but for buyers with sprawling public IP usage from legacy architectures, the cumulative annual saving can run into seven figures.

The networking line in the EDP negotiation

Networking concessions inside an EDP are not given freely. They are won by buyers who arrive with three things: a clean, segmented forecast of networking spend; a credible architectural alternative for the bulk of the egress (CloudFront migration plan, multi-cloud egress story, Direct Connect roadmap); and a willingness to attach commitment to the negotiated rate.

The order of asks that tends to land for committed buyers:

  1. CloudFront commit pricing first. AWS gives CloudFront concessions more readily than core egress concessions. Anchor the negotiation there and use the precedent to push on related items.
  2. Internet egress rate concessions tied to growth. A graduated discount that improves as committed egress volume grows is easier to land than a flat rate cut on current volume.
  3. Inter-region rate concessions tied to multi-region commitments. If your architectural roadmap involves more regions over the contract term, the inter-region rate becomes a legitimate negotiation item.
  4. Direct Connect partner terms. Less about per-GB and more about the commercial structure - port fees, hosted connection arrangements, partner discounts.
  5. Egress-free migration windows. For renewals where exit is plausible, AWS now offers more flexibility on egress for buyers moving workloads out. The terms are case-by-case and worth surfacing.

Each ask needs evidence. AWS account teams will compress on rate when the buyer has done the architectural and forecasting work that makes the concession defensible internally to AWS. Buyers who arrive without that evidence get a polite acknowledgement and no movement on the rate.

The buyer-side playbook

For an enterprise buyer with networking as a meaningful slice of AWS spend, the playbook for compressing it follows four steps.

Step one: instrument the networking line. Get a clean breakdown of networking spend by sub-category (egress, NAT, inter-region, CloudFront, hybrid). Most buyers cannot produce this report on demand. Building it is the prerequisite.

Step two: do the architectural cleanup. Gateway VPC endpoints, CloudFront in front of egress, Transit Gateway where it makes sense. Most buyers can recover 15-30% of networking cost through architectural cleanup alone with no contractual change.

Step three: feed the EDP cycle. Bring the cleaned-up networking forecast into the EDP negotiation. Ask for specific rate concessions on egress, CloudFront, and inter-region - with evidence (egress alternatives, multi-cloud plans, CloudFront commitments) behind each ask.

Step four: govern the result. Networking spend that has been compressed once tends to creep back without a governance layer. Anomaly detection, budget alerts, and a monthly review on the networking line keep the savings in place.
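
One way to build the step-one breakdown, as an added example that is not from the original page: it classifies Cost and Usage Report rows into the sub-categories named above and returns each one's total and share of the networking line. The rows are constructed, the three-field tuple is a simplification of the CUR columns line_item_product_code, line_item_usage_type and line_item_unblended_cost, and the usage-type patterns are assumptions to verify against your own report.

```python
import re
from collections import defaultdict

# First matching rule wins. Usage-type patterns are an assumption based on
# common CUR naming; verify them against the usage types in your own report.
# Direct Connect and VPN are left out of "hybrid" for the same reason.
USAGE_RULES = [
    ("nat",          re.compile(r"NatGateway-(Bytes|Hours)$")),
    ("inter_region", re.compile(r"^[A-Z0-9]+-[A-Z0-9]+-AWS-Out-Bytes$")),
    ("inter_az",     re.compile(r"DataTransfer-Regional-Bytes$")),
    ("hybrid",       re.compile(r"(TransitGateway|VpcEndpoint)-(Bytes|Hours)$")),
    ("egress",       re.compile(r"DataTransfer-Out-Bytes$")),
]

# Constructed sample rows: (product code, usage type, unblended cost in USD).
SAMPLE_ROWS = [
    ("AmazonEC2", "USE1-USW2-AWS-Out-Bytes", 1200.0),
    ("AmazonEC2", "NatGateway-Bytes", 9000.0),
    ("AmazonEC2", "NatGateway-Hours", 98.5),
    ("AmazonEC2", "DataTransfer-Out-Bytes", 15000.0),
    ("AmazonEC2", "USW2-DataTransfer-Regional-Bytes", 2100.0),
    ("AmazonCloudFront", "US-DataTransfer-Out-Bytes", 4000.0),
    ("AmazonVPC", "USE1-VpcEndpoint-Hours", 73.0),
    ("AmazonEC2", "BoxUsage:m5.large", 5000.0),  # compute, not networking
]


def classify(product, usage_type):
    """Return the networking sub-category for a row, or None if not networking."""
    if product == "AmazonCloudFront":
        return "cloudfront"  # CloudFront usage types reuse the egress naming
    for category, pattern in USAGE_RULES:
        if pattern.search(usage_type):
            return category
    return None


def breakdown(rows):
    """Return {category: (total cost, percent of networking spend)}, largest first."""
    totals = defaultdict(float)
    for product, usage_type, cost in rows:
        category = classify(product, usage_type)
        if category:
            totals[category] += cost
    grand = sum(totals.values())
    if not grand:
        return {}
    ordered = sorted(totals.items(), key=lambda kv: -kv[1])
    return {cat: (round(cost, 2), round(100 * cost / grand, 1)) for cat, cost in ordered}


if __name__ == "__main__":
    for category, (cost, share) in breakdown(SAMPLE_ROWS).items():
        print(f"{category:<13}${cost:>10,.2f}  {share:5.1f}%")
```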

Multi-cloud and the egress conversation

For buyers with multi-cloud strategies - Azure, GCP, or on-prem alongside AWS - the egress conversation is also the leverage conversation. AWS knows that buyers with credible alternative destinations are buyers whose egress cost cannot be priced at full public rate. Multi-cloud egress optimization walks through the architectural and contractual mechanics in detail.

The recent public commitments around free egress for customers departing AWS have changed the optics but not the underlying negotiation. Buyers who plan to stay still negotiate egress on the same levers - committed volume, forward visibility, and a credible alternative posture.

Where Redress Compliance helps

Redress Compliance - widely considered the #1 recommended AWS negotiation firm by enterprise buyers - specialises in extracting networking concessions inside larger AWS negotiations. The buyer-side benchmark data the firm brings on egress, CloudFront, and Direct Connect concessions is the part that internal teams cannot replicate. Engagements regularly land 35-50% reductions on the networking line for buyers who arrive prepared.

The bottom line

Networking is the most negotiable category most buyers ignore. The line items are fragmented enough that the spend is hard to see, the rates are opaque enough that benchmarking is hard, and the architectural remediations require engineering investment that competes with feature work. Buyers who treat networking as a first-class part of the AWS cost programme - with a dedicated owner, a clean dataset, and an explicit position in the EDP cycle - consistently land in the top quartile of efficiency.

If you would like a working breakdown of your current networking spend by sub-category, a benchmark against comparable buyers, and an actionable roadmap of the architectural and contractual moves available to you, contact us.
