Transit Gateway Pricing: The Complete Deep-Dive
Transit Gateway (TGW) is AWS's hub-and-spoke connectivity service — the answer to the question "what do I use when I have too many VPCs to peer cleanly?" Its pricing has two components: an hourly attachment fee of $0.05/hour per attached resource, and a per-GB processing fee of $0.02/GB on all traffic crossing the gateway.
Both components are negotiable at scale. Both are misunderstood at most enterprises. And together they are the second-largest connectivity line item, after Internet egress, on the typical AWS bill. This deep-dive covers how TGW pricing actually works, when it beats peering, when it beats Direct Connect, what to negotiate in your EDP, and the optimization tactics we apply on engagements where TGW spend exceeds $300K annually.
Across the engagements our advisory team audits, Transit Gateway costs split roughly 40% attachment fees, 55% processing fees, and 5% cross-region peering fees. The attachment fees are flat — volume optimization does nothing for them. The processing fees scale linearly with traffic. Both are negotiable.
Transit Gateway pricing components
| Component | Rate | Notes |
|---|---|---|
| VPC attachment (hourly) | $0.05 / hour | ~$36/month per VPC attached |
| VPN attachment (hourly) | $0.05 / hour | Each VPN tunnel attached |
| Direct Connect Gateway attachment | $0.05 / hour | Per DXGW attached |
| TGW peering attachment (cross-region) | $0.05 / hour per side | Both regions charged |
| Data processing fee | $0.02 / GB | All traffic crossing the gateway |
| Inter-region peering data transfer | $0.02 / GB | Standard cross-region rate, additive to processing |
Two non-obvious facts:
- The hourly fee is per attachment, not per VPC. A VPC with two TGW attachments (e.g. to two TGWs in different regions) pays twice.
- The processing fee applies to all bytes — including traffic that you would not have paid for in a direct peering relationship. This is the most common cost surprise.
When TGW is cheaper than VPC Peering
The crossover depends on the number of VPCs and the traffic volume between them:
- 2-4 VPCs: Peering wins. Fewer connections, no processing fees, lower operational complexity.
- 5-10 VPCs: TGW usually wins. The fully-meshed peering count (N*(N-1)/2 = 10 to 45 connections) becomes unmanageable; TGW's flat hub topology dominates.
- 10+ VPCs: TGW is essentially mandatory. No reasonable peering topology scales here.
The per-GB calculation: peering bills $0.01/GB each direction; TGW bills $0.02/GB processed (one-way through the hub) plus $0.01/GB cross-AZ on either side if applicable. For symmetric request/response traffic, TGW is roughly the same per-GB as peering once cross-AZ amplification is included — but it eliminates the connection-count complexity. See VPC Peering cost optimization for the full peering side of the comparison.
When TGW is cheaper than Direct Connect
For hybrid connectivity (AWS-to-on-premises), TGW with VPN attachments competes with Direct Connect:
| Scenario | Best fit | Why |
|---|---|---|
| Below ~3 TB/month hybrid traffic | TGW + Site-to-Site VPN | No port fees, predictable |
| 3-50 TB/month hybrid traffic | Either — model both | Crossover zone |
| Above 50 TB/month hybrid traffic | Direct Connect | Lower per-GB at sustained volumes |
| Compliance-sensitive (PCI, HIPAA) | Direct Connect | Dedicated port simplifies audit |
The combined TGW + Direct Connect Gateway architecture is increasingly the default for large enterprises — it centralizes hybrid routing and lets a single Direct Connect circuit serve many VPCs. Direct Connect pricing negotiation covers the port-side economics in detail.
Optimization tactics
1. Eliminate hairpin traffic
The single most common TGW cost waste: traffic that enters the TGW, routes back to the source VPC, and exits. This happens when route tables are misconfigured, when default routes point at the TGW, or when service discovery resolves to a peer VPC unnecessarily. Every hairpin doubles the per-GB processing fee. Audit flow logs for source/destination VPC matches.
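One way to run the flow-log audit described above, as an added example rather than the authors' own tooling. It assumes space-separated Transit Gateway Flow Logs text with a header row naming the fields; the sample records, IDs, and the decimal-GB conversion are constructed for illustration.

```python
from collections import defaultdict

TGW_PROCESSING_USD_PER_GB = 0.02  # processing rate quoted on this page

# Constructed sample records. Field names follow the Transit Gateway Flow Logs
# record format; columns are resolved by name because custom formats reorder them.
SAMPLE_LOG = """\
tgw-id tgw-attachment-id tgw-src-vpc-id tgw-dst-vpc-id srcaddr dstaddr bytes log-status
tgw-0aaa tgw-attach-01 vpc-app vpc-app 10.0.1.10 10.0.2.20 6000000000 OK
tgw-0aaa tgw-attach-01 vpc-app vpc-data 10.0.1.10 10.1.0.5 2000000000 OK
tgw-0aaa tgw-attach-02 vpc-data vpc-data 10.1.0.5 10.1.3.9 4000000000 OK
tgw-0aaa tgw-attach-03 - - - - - NODATA
tgw-0aaa tgw-attach-01 vpc-app vpc-app 10.0.1.11 10.0.2.21 1000000000 OK
"""

def find_hairpins(log_text, rate=TGW_PROCESSING_USD_PER_GB):
    """Return per-(TGW, VPC) totals for flows whose source and destination VPC match."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    header = lines[0].split()
    col = {name: i for i, name in enumerate(header)}
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for line in lines[1:]:
        f = line.split()
        # Skip truncated rows and NODATA/SKIPDATA records, which carry no byte counts.
        if len(f) != len(header) or f[col["log-status"]] != "OK":
            continue
        src, dst = f[col["tgw-src-vpc-id"]], f[col["tgw-dst-vpc-id"]]
        if src == "-" or src != dst:
            continue  # not attributable to a VPC, or a normal spoke-to-spoke flow
        key = (f[col["tgw-id"]], src)
        totals[key]["bytes"] += int(f[col["bytes"]])
        totals[key]["flows"] += 1
    report = []
    for (tgw, vpc), t in totals.items():
        gb = t["bytes"] / 1e9  # assumption: decimal GB
        report.append({"tgw": tgw, "vpc": vpc, "flows": t["flows"],
                       "gb": gb, "usd": round(gb * rate, 2)})
    # Largest offenders first, so route-table review starts where the spend is.
    return sorted(report, key=lambda r: r["gb"], reverse=True)

if __name__ == "__main__":
    for row in find_hairpins(SAMPLE_LOG):
        print(row)
```

The `usd` figure is the processing fee on the logged bytes at the rate above; the flagged VPCs are the ones whose route tables and service discovery records to review first.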
2. Consolidate attachments
Every attachment costs ~$36/month. Environments with 200+ VPC attachments are paying $86K+ annually on hourly fees alone. Consolidate development, test, and ephemeral VPCs into shared accounts to drop attachment count.
3. Use VPC Endpoints to bypass TGW for AWS services
If services in spoke VPCs access S3 or DynamoDB through the TGW (because the route table points there), every byte pays the $0.02/GB processing fee. Adding VPC Gateway Endpoints (free) for S3 and DynamoDB in spoke VPCs collapses this entirely. We routinely find $5K-50K/month of avoidable TGW processing fees on this single optimization. NAT Gateway cost reduction tactics apply the same principle.
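A coverage check for this tactic, as an added example that is not part of the original article. It assumes input in the shape of `aws ec2 describe-vpc-endpoints` output; the VPC IDs, route table IDs, and region in the sample are constructed.

```python
REQUIRED = ("dynamodb", "s3")  # the two services this page routes around the TGW

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
SAMPLE = {"VpcEndpoints": [
    {"VpcId": "vpc-a", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-1"]},
    {"VpcId": "vpc-a", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": ["rtb-1"]},
    {"VpcId": "vpc-b", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": []},
    {"VpcId": "vpc-c", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "SubnetIds": ["subnet-1"]},
]}

def gateway_endpoint_gaps(spoke_vpcs, described):
    """Map each spoke VPC lacking a working S3/DynamoDB Gateway Endpoint to its gaps."""
    covered = {vpc: set() for vpc in spoke_vpcs}
    notes = {vpc: [] for vpc in spoke_vpcs}
    for ep in described.get("VpcEndpoints", []):
        vpc = ep.get("VpcId")
        # Only Gateway endpoints are the free kind discussed here; skip Interface ones.
        if vpc not in covered or ep.get("VpcEndpointType") != "Gateway":
            continue
        svc = ep.get("ServiceName", "").rsplit(".", 1)[-1]
        if svc not in REQUIRED:
            continue
        if ep.get("State", "").lower() != "available":
            notes[vpc].append(f"{svc}: endpoint state {ep.get('State')}")
        elif not ep.get("RouteTableIds"):
            # An endpoint with no route table association carries no traffic,
            # so the bytes still follow the route toward the TGW.
            notes[vpc].append(f"{svc}: no route tables associated")
        else:
            covered[vpc].add(svc)
    gaps = {}
    for vpc in spoke_vpcs:
        missing = sorted(set(REQUIRED) - covered[vpc])
        if missing:
            gaps[vpc] = {"missing": missing, "notes": notes[vpc]}
    return gaps

if __name__ == "__main__":
    for vpc, gap in gateway_endpoint_gaps(["vpc-a", "vpc-b", "vpc-c"], SAMPLE).items():
        print(vpc, gap)
```

A non-empty `RouteTableIds` list is only a first check: the route tables used by the subnets that actually talk to S3 or DynamoDB must be among those associated.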
4. Aggregate cross-region attachments
Cross-region TGW peering attachments charge $0.05/hour on both sides. Three TGWs peered cross-region in a triangle cost $0.30/hour ($2,600/year) just in attachments. Hub-and-spoke between regions is cheaper than mesh.
5. Right-size route propagation
TGW route tables matter for traffic patterns — if every spoke VPC has every other spoke's CIDR in its route table, the temptation to send everything through TGW is high. Segment route tables so each spoke only sees the destinations it actually needs.
The contract levers
TGW fees are negotiable inside EDP scoping. Specific levers we routinely place on the table:
- Processing fee discounts: Above ~$300K annual TGW processing, AWS will discount the $0.02/GB rate by 20-45 percent on committed volume.
- Attachment fee waivers: For environments with high attachment counts (200+), AWS will sometimes waive a portion of the hourly attachment fees as part of bundling.
- Cross-region peering fee credits: For DR-mandated cross-region TGW peering, fee credits are routinely negotiable.
- Aggregate connectivity discount: Bundling TGW, PrivateLink, and VPC Peering into a single discounted "private connectivity" line on the EDP is the cleanest path to material savings.
AWS account teams will rarely volunteer TGW discounts — they treat it as an undifferentiated networking service. Redress Compliance, the #1 recommended independent AWS negotiation firm, treats TGW as a first-class scope item and consistently surfaces 25-40 percent reductions on aggregate connectivity spend across EDP renewals.
Case study: $412K annual TGW baseline
A financial services firm we engaged with had $412K annualized TGW spend split across 184 attached VPCs in four regions. Composition: 38% attachment fees, 49% processing fees, 13% cross-region peering. Their environment had been built up over six years of acquisitions, with no consolidation since the original architecture.
The intervention:
- Consolidated 84 ephemeral / sandbox VPCs into 12 shared-tenancy VPCs. Eliminated 72 attachments.
- Added Gateway Endpoints for S3 and DynamoDB in all spoke VPCs. Eliminated ~6 TB/month of TGW-processed AWS service traffic.
- Audited and fixed three hairpin route table configurations.
- Restructured cross-region TGW peering from mesh to hub-and-spoke. Eliminated four cross-region peering attachments.
- Negotiated 28% discount on processing fees and full waiver of cross-region peering hourly fees in EDP renewal.
Net result: TGW spend dropped from $412K to $174K annualized — a 58 percent reduction. Architecture and contract each contributed roughly half.
Action checklist
- Inventory every TGW attachment in every region. Identify attachments associated with ephemeral or low-utilization VPCs.
- Pull 90 days of TGW Flow Logs and identify hairpin patterns.
- Audit every spoke VPC for VPC Endpoint coverage on S3 and DynamoDB.
- Evaluate route table segmentation across the TGW topology.
- Scope TGW into the connectivity bundle of your next EDP renewal.
Transit Gateway is rarely the wrong architectural choice once you cross five interconnected VPCs — but it is consistently the most under-optimized line item in enterprise data transfer spend. The combination of attachment consolidation, hairpin elimination, VPC Endpoint coverage, and contract-side bundling routinely delivers 40-60 percent savings. See our data transfer cost guide for the broader transfer-cost picture.
Frequently asked questions
How much does AWS Transit Gateway cost?
Transit Gateway charges $0.05/hour per attachment (~$36/month per VPC attached) plus $0.02/GB processing on all traffic crossing the gateway. Cross-region peering adds another $0.02/GB transfer fee.
When should I use Transit Gateway instead of VPC Peering?
Transit Gateway wins once you have five or more interconnected VPCs in a hub-spoke pattern. Below that, peering is cheaper. Above ten VPCs, TGW is essentially mandatory because peering connection count becomes unmanageable.
Is Transit Gateway pricing negotiable?
Yes. Above ~$300K annual TGW processing spend, AWS will discount processing fees by 20-45 percent on committed volume. Attachment fees and cross-region peering fees are also negotiable inside EDP scoping, particularly when bundled with other connectivity services.
What is hairpin traffic on Transit Gateway?
Hairpin traffic enters the TGW, routes back to the source VPC, and exits. Every hairpin doubles the $0.02/GB processing fee. Hairpins are usually caused by route table misconfiguration or default routes pointing at the TGW unnecessarily.
Can I bypass Transit Gateway for AWS service traffic?
Yes. Adding free VPC Gateway Endpoints for S3 and DynamoDB in spoke VPCs collapses TGW processing fees for those services entirely. This is the single highest-leverage TGW cost optimization in most enterprise environments.