Pricing Guide · Networking

AWS Networking & CloudFront Pricing Guide.

Data transfer is the most-negotiable line on the AWS bill — and the most-overlooked. This guide walks through egress, CloudFront, NAT Gateway, VPC endpoints, and the EDP levers that turn an unexamined cost into a negotiated one.

$2.4B+ AWS spend reviewed · 500+ engagements · 38% average reduction · $340M+ client savings

The Networking Stack

Where the bill actually accumulates.

AWS networking costs aggregate across data transfer, dedicated network appliances, and content delivery. Most networking bills break down roughly as 50-65% data transfer (egress and cross-region), 20-30% NAT Gateway, 10-15% CloudFront, and the remainder in VPC endpoints, PrivateLink, Direct Connect, and Transit Gateway. The relative size depends entirely on workload mix — but for SaaS, media, and analytics workloads, egress alone can exceed every other AWS service line.

| Component | List Price (US-East-1) | Negotiability |
|---|---|---|
| Internet egress (first 10TB/mo) | $0.09/GB | High inside EDP |
| Internet egress (150TB+/mo) | $0.05/GB | High inside EDP |
| CloudFront egress (first 10TB/mo) | $0.085/GB | High via private pricing |
| NAT Gateway (hourly) | $0.045/hour | Low |
| NAT Gateway (data processed) | $0.045/GB | Low |
| Cross-AZ traffic | $0.01/GB each direction | Architectural, not negotiable |
| Cross-region traffic | $0.02-$0.09/GB | Moderate inside EDP |
| VPC Endpoints (interface) | $0.01/hour + $0.01/GB | Cheaper than the alternative |
| Transit Gateway | $0.05/hour per attachment + $0.02/GB | Low |

Egress is the negotiation

Internet egress at list pricing is one of the worst values in cloud computing — roughly 10x what Cloudflare and Bunny charge for equivalent delivery. AWS knows. Inside an EDP, egress is consistently negotiable to 30-60% off list with the right leverage and the right disclosure. The most reliable lever is a credible Azure or GCP proposal, paired with workload portability evidence. See our multi-cloud leverage service for the playbook.

The second lever is volume tiering. AWS will negotiate a higher volume tier transition than the published rate card — moving you to the $0.05 tier at 50TB instead of 150TB, for instance. This is a quieter ask than a percentage discount and is frequently granted to existing committed customers without much friction.

NAT Gateway is the silent killer

NAT Gateway pricing combines an hourly charge and a per-GB data-processing charge. For private-subnet workloads with high outbound traffic — typical for microservice estates pulling container images, third-party APIs, and S3 reads — the data-processing fee dominates. A single NAT Gateway processing 10TB/month costs $450/month in hourly fees plus $450/month in data processing. Most enterprise estates run multiple NAT Gateways per region; the cumulative spend is significant.

The mitigations are operational. VPC Gateway Endpoints for S3 and DynamoDB are free and remove that traffic from the NAT Gateway. VPC Interface Endpoints for other services cost more per hour but save the NAT data-processing fee on the affected traffic. Architecturally, a route table audit and endpoint deployment usually reclaim 30-50% of NAT spend with no negotiation required.
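One way to run the route table audit described above, as an added example that is not part of the original guide: it flags route tables that send traffic through a NAT Gateway but have no S3 or DynamoDB Gateway Endpoint associated. The dictionaries follow the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` output; every id in the sample data is constructed.

```python
# Added example: find NAT-routed route tables missing the free gateway endpoints.
GATEWAY_SERVICES = ("s3", "dynamodb")

def nat_routed_tables(route_tables):
    """Return {route table id: VPC id} for tables with a NAT Gateway route."""
    return {rt["RouteTableId"]: rt["VpcId"] for rt in route_tables
            if any(r.get("NatGatewayId") for r in rt.get("Routes", []))}

def endpoint_coverage(vpc_endpoints):
    """Map route table id -> services reachable through a live Gateway endpoint."""
    covered = {}
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Gateway":
            continue  # Interface endpoints attach to subnets, not route tables
        if ep.get("State", "").lower() != "available":
            continue  # pending or deleted endpoints carry no traffic
        service = ep["ServiceName"].rsplit(".", 1)[-1]
        for rt_id in ep.get("RouteTableIds", []):
            covered.setdefault(rt_id, set()).add(service)
    return covered

def audit(route_tables, vpc_endpoints):
    """List NAT-routed tables and the gateway-endpoint services each one lacks."""
    covered = endpoint_coverage(vpc_endpoints)
    findings = []
    for rt_id, vpc_id in sorted(nat_routed_tables(route_tables).items()):
        missing = [s for s in GATEWAY_SERVICES if s not in covered.get(rt_id, set())]
        if missing:
            findings.append({"RouteTableId": rt_id, "VpcId": vpc_id, "Missing": missing})
    return findings

# Constructed sample data (all ids are made up for this example).
def _private(rt_id, nat_id):
    return {"RouteTableId": rt_id, "VpcId": "vpc-111", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_id}]}

def _gateway(service, rt_ids, state="available"):
    return {"VpcEndpointType": "Gateway", "State": state, "RouteTableIds": rt_ids,
            "ServiceName": f"com.amazonaws.us-east-1.{service}"}

SAMPLE_ROUTE_TABLES = [
    _private("rtb-private-a", "nat-aaa"), _private("rtb-private-b", "nat-bbb"),
    _private("rtb-private-c", "nat-aaa"),
    {"RouteTableId": "rtb-public", "VpcId": "vpc-111", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-123"}]}]
SAMPLE_ENDPOINTS = [
    _gateway("s3", ["rtb-private-a", "rtb-private-c"]),
    _gateway("dynamodb", ["rtb-private-c"]),
    _gateway("dynamodb", ["rtb-private-a"], state="deleted"),
    {"VpcEndpointType": "Interface", "State": "available", "SubnetIds": ["subnet-1"],
     "ServiceName": "com.amazonaws.us-east-1.ecr.dkr"}]
```

Calling `audit(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS)` reports the two private route tables that still push S3 or DynamoDB traffic through NAT; the public table and the fully covered one are left out.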

CloudFront economics

CloudFront pricing is lower than direct S3 or EC2 egress for any cacheable content. For media, static asset, and API caching workloads, CloudFront in front of origin is almost always cheaper than direct egress. The bigger lever is the CloudFront Security Bundle (formerly the private pricing addendum), which is heavily negotiable for committed customers. We have repeatedly secured CloudFront pricing 35-55% below published.

Optimization Levers

Where networking savings actually live.

01. EDP Egress Concession

Egress discount inside EDP renewal. 30-60% off list is routine for committed customers with credible alternatives.

02. CloudFront Private Pricing

Custom pricing addendum for high-volume CloudFront customers. Bundle with EDP for stacked discount.

03. VPC Gateway Endpoints

S3 and DynamoDB Gateway Endpoints are free. Deploying them removes that traffic from NAT Gateway entirely.

04. NAT Gateway Audit

Audit private-subnet traffic. Replace heavy NAT users with Interface Endpoints for AWS services. Significant per-region savings.

05. AZ-Affinity Architecture

Cross-AZ traffic at $0.01/GB each direction adds up. Route same-AZ traffic same-AZ where latency allows.

06. Direct Connect Cost-Out

For high-egress on-prem-to-AWS flows, Direct Connect data transfer is materially cheaper than internet egress.

Frequently Asked

Questions on networking pricing.

01. Is egress really negotiable, or is that wishful thinking?
Genuinely negotiable, and increasingly so. AWS has materially softened on egress since 2023, in response to public criticism and competitive pressure from Azure and GCP. We have secured 30-60% egress reductions on dozens of EDPs in the last 18 months. The negotiation requires a credible alternative and the right disclosure path — see our multi-cloud leverage service. It is the single highest-leverage line on most enterprise AWS bills.
02. Should we put CloudFront in front of everything?
For cacheable content, yes. CloudFront egress is cheaper than direct origin egress, and the negotiated CloudFront rate via private pricing addendum can stack on top of that. For non-cacheable traffic (real-time APIs with personalized responses), CloudFront adds latency without saving meaningful cost. We map cacheability before recommending.
03. How much can NAT Gateway audits save?
In untouched microservice estates, NAT Gateway audits routinely reclaim 30-50% of NAT spend. The mechanism is mostly VPC Endpoint deployment — S3 and DynamoDB Gateway Endpoints are free and significant, and Interface Endpoints for high-traffic services (ECR, STS, KMS) pay back quickly. The work is one-time architectural; the savings are permanent.
04. What about Direct Connect?
Direct Connect makes economic sense when on-prem-to-AWS egress exceeds roughly 5TB/month consistently. The fixed port fees are non-trivial; below that threshold, internet egress is cheaper. For high-volume hybrid architectures, Direct Connect can save 40-60% on the affected traffic. The contract terms (port commitment, MACsec, multiple locations for redundancy) are negotiable as part of an EDP.
05. Can networking spend be bundled into an EDP commit?
Yes. Most networking spend qualifies toward EDP commit, including data transfer, NAT Gateway, CloudFront, and Direct Connect. The discount tier applies, and specific concessions on egress are negotiable on top. We model the networking portion of every EDP negotiation we run.

Egress is the line nobody negotiates.

500+ engagements. $340M+ client savings. We audit data transfer, push egress concessions inside EDPs, and architect NAT and VPC Endpoint patterns that reduce the bill structurally.