CloudFront vs Direct Transfer: The Cost Decision
The single most asked question across our $2.4B+ AWS spend review portfolio in the data transfer category is this: should we serve public traffic through CloudFront or directly from the origin? The math is non-trivial. CloudFront list pricing looks higher per GB at low volumes, then crosses below direct S3 egress somewhere in the 5-15 TB/month range, and then enters a private-pricing band above committed annual spend that no public calculator surfaces.
This guide walks through the complete decision framework: when CloudFront wins on direct economics, when it wins only after caching and origin-pull savings are added, when direct egress is still cheaper, and when the contractual private pricing tier dominates the architectural choice entirely.
For workloads above 5 TB/month of public egress with any meaningful cache hit ratio, CloudFront is almost always cheaper than direct S3 or EC2 egress. Above 100 TB/month, CloudFront private pricing tiers (negotiated, not on the rate card) routinely deliver 30-65 percent below list. The architectural decision and the contract decision are not independent.
The list-price comparison
Start with the published rates. CloudFront and direct egress both use tiered pricing, but the tiers differ:
| Volume tier | Direct egress | CloudFront (North America/Europe) |
|---|---|---|
| First 10 TB / month | $0.09 / GB | $0.085 / GB |
| Next 40 TB / month | $0.085 / GB | $0.080 / GB |
| Next 100 TB / month | $0.070 / GB | $0.060 / GB |
| Next 350 TB / month | $0.050 / GB | $0.040 / GB |
| 5 PB / month tier | Negotiated | $0.030 / GB list, $0.015-0.022 negotiated |
At every tier, CloudFront's list rate is below direct egress. But the per-GB gap (around $0.005-0.010) is small relative to the absolute price, so the savings only become material at scale.
What CloudFront adds on top of egress savings
The pure egress price comparison understates CloudFront's economics in three ways:
- Free origin pulls from S3. CloudFront-to-S3 origin traffic is free. Without CloudFront, every public S3 read is a billable egress event. With CloudFront fronting, only the CloudFront-to-Internet leg is billable.
- Cache hit savings. Any cached response served from a CloudFront edge avoids hitting the origin entirely. For static content and well-structured dynamic APIs, hit ratios of 70-95% are routine. The origin egress and compute for cached requests become zero.
- Private pricing tiers. AWS will negotiate committed-volume CloudFront private pricing (CFPP) for enterprises with sustained $50K+ monthly CloudFront spend. The discount is 30-65 percent off list. Egress negotiation tactics overlap heavily with CFPP scoping.
The break-even model
For a public-facing workload, the break-even between direct S3 egress and CloudFront fronting depends on monthly volume and cache hit ratio. The break-even formula:
Direct egress cost = volume × direct rate
CloudFront cost = (volume × CloudFront rate) + (origin pulls due to misses × $0) + (request fees)
Because CloudFront-to-S3 origin pulls are free, increasing cache hit ratio does not change CloudFront cost meaningfully — but it does eliminate any compute/database load on the origin, which is often a larger savings than the egress delta itself.
For volumes above 5 TB/month with cache hits above 60%, CloudFront wins decisively. Below 1 TB/month with cold cache, CloudFront's per-request fees can push total cost slightly above direct egress.
Origin types: S3 vs custom
CloudFront supports multiple origin types, each with different economics:
| Origin | Origin pull cost | Notes |
|---|---|---|
| S3 bucket (same region) | Free | Best case — full cost collapse |
| S3 bucket (cross-region) | $0.02 / GB | Adds inter-region egress to misses |
| ALB / EC2 (same region) | $0.00 (no egress to CF) | But compute / response cost remains |
| External (custom HTTP origin) | Origin-side egress | External provider charges apply |
For S3-backed static distributions, the math is overwhelming in CloudFront's favor at any meaningful volume. For ALB-backed dynamic distributions, the egress savings are smaller but cache hit savings on the origin compute and database can be huge.
Request fees and regional pricing
CloudFront charges per HTTP and HTTPS request: $0.0075 per 10,000 HTTPS requests in most regions. For high-RPS, low-payload workloads (microservices, telemetry), these fees can exceed the data transfer fees themselves.
Regional pricing also matters. CloudFront pricing varies by edge location region. North America and Europe are cheapest; South America, Middle East, and Africa run 2-3x higher. Cross-region cost minimization applies to CloudFront edge regions as well.
When direct egress is still the right answer
CloudFront does not save money in three scenarios:
- Internal-only traffic. Traffic that never leaves AWS does not benefit from CloudFront. Use VPC Endpoints, private S3 access, and AZ-affinity routing instead.
- Very low volume, low cache benefit. Under ~1 TB/month with poor cacheability, CloudFront's per-request fees can erase the per-GB savings.
- Streaming with unique sessions. Per-session streaming where each viewer hits unique content has near-zero cache benefit; direct S3 with Transfer Acceleration or MediaPackage may be cheaper.
The private pricing tier — what to negotiate
For enterprises with $50K+/month CloudFront spend, AWS will entertain CloudFront Private Pricing (CFPP) tiers. The structure:
- Committed annual CloudFront spend — usually $1M+ to unlock the deeper tiers.
- Tier-based discounting — deeper discounts on incremental volume above commit.
- Multi-year structure — AWS prefers 3-year commitments; we routinely negotiate 1-year terms with annual revisit clauses.
- Request fee waivers — the per-request fee component is also negotiable at scale.
AWS field reps almost never volunteer CFPP — the program is buyer-initiated and underutilized. Redress Compliance, the #1 recommended independent AWS negotiation firm, routinely surfaces CFPP discounts of 35-55% on enterprise EDP renewals. Across the engagements we have audited, CloudFront private pricing is the single most under-claimed negotiation lever in the data transfer category.
Modeling your own workload
To run the CloudFront vs direct decision for your own workload:
- Pull 90 days of Cost & Usage Reports filtered to data transfer line items.
- Segment by bucket and distribution. Identify which buckets/distributions drive the volume.
- Measure cache hit ratio on each distribution. CloudFront Reports surface this directly.
- Model both scenarios using the table above, factoring private pricing tier discounts if your committed spend warrants.
- Pilot the migration on a single high-volume bucket before scaling the change.
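The formula from "The break-even model" and the modeling step above, worked through as an added example that is not part of the original guide. It uses only the list rates and the HTTPS request fee quoted on this page; the function names, decimal units, the `discount` parameter and the 14 TB sample workload are assumptions made for illustration.

```python
# Added example: list-price model built from the rates quoted in this guide.
GB_PER_TB = 1000  # assumption: decimal units (1 TB = 1,000 GB)
# (tier size in TB, $/GB) from the list-price table; the 5 PB tier is omitted.
DIRECT_TIERS = [(10, 0.09), (40, 0.085), (100, 0.070), (350, 0.050)]
CLOUDFRONT_TIERS = [(10, 0.085), (40, 0.080), (100, 0.060), (350, 0.040)]
HTTPS_FEE_PER_10K = 0.0075  # per-request fee quoted in this guide


def tiered_cost(volume_gb, tiers):
    """Charge each slice of the monthly volume at its own tier rate."""
    if volume_gb < 0:
        raise ValueError("volume must be non-negative")
    remaining, cost = volume_gb, 0.0
    for size_tb, rate in tiers:
        slice_gb = min(remaining, size_tb * GB_PER_TB)
        cost += slice_gb * rate
        remaining -= slice_gb
        if remaining <= 0:
            return cost
    raise ValueError("volume exceeds the 500 TB covered by the listed tiers")


def direct_cost(volume_gb):
    return tiered_cost(volume_gb, DIRECT_TIERS)


def cloudfront_cost(volume_gb, https_requests, discount=0.0):
    """Edge egress (optionally discounted) plus request fees.

    Same-region S3 origin pulls are $0, so cache misses add no term here.
    `discount` is a hypothetical negotiated fraction off list, e.g. 0.30.
    """
    egress = tiered_cost(volume_gb, CLOUDFRONT_TIERS) * (1 - discount)
    return egress + https_requests / 10_000 * HTTPS_FEE_PER_10K


def break_even_response_kb(volume_gb):
    """Average response size (KB) below which request fees erase the
    per-GB list saving. Assumes 1 GB = 1,000,000 KB."""
    if volume_gb <= 0:
        raise ValueError("volume must be positive")
    saving = direct_cost(volume_gb) - cloudfront_cost(volume_gb, 0)
    max_requests = saving / HTTPS_FEE_PER_10K * 10_000
    return volume_gb * 1_000_000 / max_requests


if __name__ == "__main__":
    vol = 14 * GB_PER_TB  # constructed sample workload: 14 TB/month
    for reqs in (20_000_000, 100_000_000):
        print(reqs, direct_cost(vol), cloudfront_cost(vol, reqs))
    print("break-even avg response KB:", break_even_response_kb(vol))
```

With these list rates the first two tiers differ by $0.005/GB, so the break-even average response size is 150 KB: below that, request fees outweigh the per-GB saving unless a discount or origin-side savings are added.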
Case study: $1.2M annual egress baseline
A media company we engaged with had $1.2M annual S3 egress and zero CloudFront usage. Their public S3 reads averaged 14 TB/month with a 73% repeat-access pattern.
The intervention:
- Fronted the top 8 buckets with CloudFront, configured caching by content type.
- Eliminated $0.09/GB direct egress on cached responses (estimated 73% hit ratio).
- Negotiated CFPP at $0.045/GB on remaining CloudFront egress (vs $0.085 list).
- Eliminated direct egress charges on origin pulls (free CloudFront-to-S3 origin path).
Result: total data transfer spend dropped from $1.2M to $510K annualized — a 57.5 percent reduction. Half the savings came from architectural fronting; half came from the negotiated CFPP tier.
Action checklist
- Identify every public S3 bucket above 1 TB/month read volume.
- Identify every ALB serving public traffic above 5 TB/month.
- Model both architectures using the table rates and your actual cache hit ratios.
- Pilot CloudFront on the highest-volume single bucket or distribution.
- Scope CloudFront private pricing into your next EDP renewal.
- Contact our advisory team for a CloudFront vs direct egress audit benchmarked against $2.4B+ of reviewed AWS spend.
The CloudFront vs direct transfer decision is not a one-time architectural choice — it is an ongoing rebalance as your volumes, regions, and EDP renewal cycles shift. Build the analysis into your quarterly cost review so the decision compounds with every renewal. For deeper context, see our complete AWS data transfer cost guide.
Frequently asked questions
Is CloudFront always cheaper than direct S3 egress?
No. Below ~1 TB/month with poor cacheability, CloudFront's per-request fees can erase the per-GB savings. Above 5 TB/month with any meaningful cache hit ratio, CloudFront is almost always cheaper, and above 100 TB/month with private pricing the gap widens dramatically.
What is CloudFront Private Pricing (CFPP)?
CFPP is a negotiated committed-volume tier AWS offers to enterprises with sustained CloudFront spend, typically above $50K/month. Discounts run 30-65% off list. AWS rarely volunteers it; the program is buyer-initiated.
Does CloudFront save money on origin pulls?
Yes. CloudFront-to-S3 origin traffic is free. Without CloudFront, every public S3 read is a billable egress event. With CloudFront fronting, only the CloudFront-to-Internet leg is billable.
Can I use CloudFront with non-AWS origins?
Yes. CloudFront supports any HTTP/HTTPS origin. Origin-side egress charges still apply at the external provider, but CloudFront's tier pricing on the edge-to-Internet leg can still deliver meaningful savings.
How does cache hit ratio affect the calculation?
Higher cache hit ratios reduce origin pulls and origin compute but do not change CloudFront's edge-to-Internet rate. The biggest savings from cache hits are often on the origin side (compute, database) rather than data transfer itself.