Understanding AWS Data Egress Pricing

Data egress—the transfer of data out of AWS—is charged on a tiered, pay-as-you-go model starting at $0.09 per gigabyte for the first 10TB per month, declining to $0.05 per gigabyte at higher volumes. This pricing applies when data moves from AWS to the internet, to another AWS region, or to on-premises infrastructure. In contrast, data ingress is free, and intra-region data transfer is free, creating a natural incentive to keep data within AWS boundaries.

In one engagement, a global retail enterprise discovered $280,000 in annual AWS data egress charges—costs that had never been forecast. Redress restructured their CloudFront configuration, activated VPC Gateway Endpoints, and negotiated egress credits into the EDP renewal. Annual egress cost dropped to under $45,000. The engagement fee was less than 3% of the first-year savings.

AWS provides 100GB of free egress per month, but this threshold is quickly exceeded by any serious workload. For example, a customer with just 500GB of monthly data egress faces approximately $20,000 in annual egress charges alone, assuming an average rate of $0.07/GB. Scale this to multi-region deployments or data-intensive applications, and egress becomes a line item that rivals compute costs.

The insidious aspect of egress pricing is its invisibility during architectural design. Teams focus on compute costs (EC2, RDS pricing) and storage (S3, EBS), treating egress as a residual cost. By the time billing arrives, the surprise is substantial. Many enterprises discover egress costs retroactively in their first cloud bill, leading to budget overruns and contract renegotiations.

Multi-Region Egress: The Compounding Problem

Organizations deploying applications across multiple AWS regions face egress costs for inter-region data replication, failover traffic, and cross-region API calls. Each egress event is charged separately, and the costs compound rapidly in architectures that weren't designed with egress in mind.

A common scenario: a primary application in us-east-1 replicates data to eu-west-1 for compliance or disaster recovery. Data written in the primary region incurs egress charges when replicated to the secondary region. If that secondary region serves users in Europe, their API calls trigger additional egress charges from eu-west-1 to the internet. The result is double egress charges for the same data—once for replication, again for user access.

Multi-region egress is unavoidable in distributed architectures, but the cost can be optimized through intentional design. Understanding these patterns and negotiating egress credits during EDP discussions is essential for avoiding surprises.

"Egress is the forgotten dimension of cloud architecture. Teams optimize compute and storage relentlessly, but treat egress as a rounding error until it shows up as a five-figure line item on the bill."

CloudFront: The 98% Reduction Path

AWS CloudFront, the content delivery network (CDN), dramatically reduces egress costs by caching content at edge locations globally. Instead of serving all requests from origin AWS regions, CloudFront intercepts requests, serves cached content from nearby edge locations, and only fetches from origin when cache misses occur.

The economics are compelling: CloudFront egress rates range from $0.0075 to $0.08 per GB, but more importantly, CloudFront-to-origin data transfer is free if the origin is an S3 bucket in the same region as the CloudFront distribution. This eliminates the egress charges that would otherwise apply to origin fetches.

For customers with global audiences and cacheable content (static files, APIs with stable responses), CloudFront can reduce egress costs by 90-98%. A media company with 5TB of monthly video downloads might face $250,000 in annual egress costs without CloudFront but only $10,000-$15,000 with CloudFront caching. This justifies CloudFront subscription costs and often becomes the highest ROI optimization in the cloud architecture.

The implementation is straightforward: place S3 buckets behind CloudFront, set appropriate cache TTLs, and monitor cache hit ratios. For APIs and dynamic content, CloudFront can still cache time-sensitive responses (5-60 second TTLs), capturing high hit rates for real-time applications.

VPC Gateway Endpoints: The Free Alternative

VPC Gateway Endpoints provide private connectivity to AWS services (S3, DynamoDB) without crossing the internet gateway. Traffic through VPC Gateway Endpoints to S3 or DynamoDB incurs zero egress charges. This is a critical cost lever for applications that exchange large volumes of data with S3 or DynamoDB but don't require internet routing.

For example, an application server in EC2 writing 100GB of monthly data to S3 incurs $7 in egress charges through the internet gateway but $0 through a VPC Gateway Endpoint. The performance is identical; the difference is purely in cost.

VPC Gateway Endpoints are a lightweight change that can be implemented with a few routing table modifications. Any application that moves substantial data to or from S3 or DynamoDB should route through a VPC Gateway Endpoint. This is one of the easiest egress optimizations with high impact.
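
An added example (not part of the original article) of checking the routing change described above: it lists route tables that have no available gateway endpoint for S3 or DynamoDB, so that traffic still follows the default route. The dict shapes follow the EC2 DescribeRouteTables and DescribeVpcEndpoints responses; all IDs and sample data are constructed.

```python
# Added example: constructed sample data in DescribeRouteTables/DescribeVpcEndpoints shape.
GATEWAY_SERVICES = ("s3", "dynamodb")

def endpoint_coverage(vpc_endpoints):
    """Map route table id -> services reachable through an available gateway endpoint."""
    covered = {}
    for ep in vpc_endpoints:
        # Interface endpoints do not install routes; skip anything not usable yet.
        if ep.get("VpcEndpointType") != "Gateway" or ep.get("State", "").lower() != "available":
            continue
        service = ep["ServiceName"].rsplit(".", 1)[-1]  # com.amazonaws.<region>.s3 -> s3
        for rtb_id in ep.get("RouteTableIds", []):
            covered.setdefault(rtb_id, set()).add(service)
    return covered

def default_route_target(route_table):
    """Return 'nat', 'igw' or None for the table's 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return None

def missing_gateway_routes(route_tables, vpc_endpoints, services=GATEWAY_SERVICES):
    """List route tables whose S3/DynamoDB traffic still leaves via the default route."""
    covered = endpoint_coverage(vpc_endpoints)
    findings = []
    for rtb in route_tables:
        missing = sorted(set(services) - covered.get(rtb["RouteTableId"], set()))
        if missing:
            findings.append((rtb["RouteTableId"], missing, default_route_target(rtb)))
    return findings

SAMPLE_ROUTE_TABLES = [  # constructed
    {"RouteTableId": "rtb-app", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-data", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
SAMPLE_ENDPOINTS = [  # constructed; the second endpoint is being deleted, so it does not count
    {"VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-app"]},
    {"VpcEndpointType": "Gateway", "State": "deleting",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": ["rtb-data"]},
]

if __name__ == "__main__":
    for finding in missing_gateway_routes(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS):
        print(finding)
```

With live data, the two inputs would be the RouteTables and VpcEndpoints lists returned by those two EC2 API calls for one region.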

Direct Connect: The Multi-Region Option

AWS Direct Connect provides dedicated network connections from on-premises infrastructure to AWS, eliminating internet gateway routes and the associated egress charges. Organizations with hybrid deployments (on-premises plus AWS) can reduce egress costs substantially by using Direct Connect for cross-boundary traffic.

Direct Connect is not free—it costs $0.30/hour for the dedicated connection plus data transfer charges, but egress over Direct Connect costs significantly less than internet egress (typically $0.02/GB versus $0.05-$0.09/GB). For organizations with consistent hybrid traffic patterns, Direct Connect pays for itself through egress savings alone.

Direct Connect is most effective for organizations with 50+ GB of daily hybrid traffic. Below that threshold, the fixed connection costs exceed the egress savings. For those above the threshold, Direct Connect becomes a material cost control lever alongside architectural optimization.

Data Compression: The 60-80% Reduction

Compressing data before transmission reduces the volume of egress, directly reducing egress charges. Gzip compression typically achieves 40-60% reduction for text data; Brotli compression can achieve 60-80% reduction with slightly higher CPU overhead.

For applications transmitting JSON, HTML, logs, or other text-based data, implementing transparent compression at the application layer costs minimal engineering effort but yields substantial savings. A 70% reduction in data volume translates directly to 70% savings on egress charges.

The challenge is consistency. Compression must be applied uniformly across all data flows to maximize benefit. Teams that compress API responses but not cache invalidation traffic, or compress in one region but not others, capture only partial savings. Architectural discipline is required.

EDP and Egress Credits

Most standard EDP agreements do not include egress discounts or include only minimal ones (10-15% versus the 15-22% headline EDP discount). However, AWS is willing to negotiate separate egress credits for customers with $2 million+ EDP commitments.

The negotiation strategy is straightforward: conduct a baseline egress analysis (what is your current monthly egress volume?), project forward (how will egress scale with planned growth?), and request an egress discount or credit as part of the broader EDP negotiation. AWS rarely volunteers egress discounts, but they almost always accept them when explicitly requested by large customers.

Egress credits are typically structured as either a percentage discount (5-15% off on-demand egress rates) or a fixed dollar credit (e.g., $50,000 annual egress credit). Fixed dollar credits are often preferable because they create an incentive for the team to optimize egress below the credit amount—any optimization "locks in" savings.

Layering EDP, Savings Plans, and Reserved Instances with Egress

The optimal cost structure combines EDP discounts on compute and storage, Savings Plans for additional compute flexibility, Reserved Instances for static workloads, and targeted egress reductions through CloudFront, VPC Gateway Endpoints, and egress credits.

For a $5 million annual cloud bill, the breakdown might be: $3 million compute/storage at 15% EDP discount = $450,000 savings; $1 million compute via Savings Plans at 25% discount = $250,000 savings; $1 million egress at baseline = $0 due to VPC Endpoints and CloudFront optimization; $200,000 egress credit from EDP negotiation = $200,000 savings. Total: approximately $900,000 annual savings through layered discounts and architectural optimization.

This layering approach requires coordination across finance, engineering, and vendor management functions. The finance team drives EDP and Savings Plans negotiations; the engineering team drives architectural optimization (CloudFront, VPC Endpoints, compression); and vendor management coordinates both streams.

Architectural Patterns That Eliminate Egress Surprises

Certain architectural patterns are known to generate high egress costs. Understanding and avoiding these patterns is the foundation of cost control. Edge-first architectures, where content is served from CloudFront or regional caches, eliminate egress costs for the primary data flow. Data lakes in S3 accessed via VPC Gateway Endpoints eliminate cross-region egress. Hybrid deployments using Direct Connect instead of internet gateways control hybrid egress.

Conversely, anti-patterns generate egress problems. Hub-and-spoke architectures where all traffic routes through a central region generate redundant egress charges. Uncompressed API responses and debug logs being transmitted cross-region generate avoidable egress. Replicating data across regions without cache-first design generates duplication costs.

The best time to address egress is during architecture design, not post-deployment. AWS Well-Architected reviews should include an explicit egress cost analysis. CloudFront should be the default for any public-facing content. VPC Gateway Endpoints should be the default for S3 and DynamoDB access. Direct Connect should be evaluated for hybrid scenarios. This architectural discipline prevents egress surprises entirely.

Monitoring and Forecasting Egress Costs

AWS provides detailed egress cost data through Cost Explorer and AWS Billing. Teams should establish baseline egress measurements (current monthly egress by region, service, and data direction) and monitor trends quarterly. Egress cost growth that outpaces traffic growth signals architectural inefficiency and warrants investigation.
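
An added example (not part of the original article) of the baseline-and-trend check described above: it totals egress cost by direction from a response shaped like Cost Explorer's GetCostAndUsage output grouped by USAGE_TYPE, then flags months where egress cost grew faster than request volume. The cost figures, the request counts, the tolerance and the suffix-based classification of usage types are assumptions of the example.

```python
from collections import defaultdict

# Usage-type suffixes treated as billed egress (a simplifying assumption of this example).
EGRESS_SUFFIXES = {"DataTransfer-Out-Bytes": "internet", "AWS-Out-Bytes": "inter_region"}

def egress_baseline(ce_response):
    """Return {month: {direction: usd}} from a GetCostAndUsage response that was
    grouped by USAGE_TYPE with the UnblendedCost metric."""
    baseline = {}
    for period in ce_response["ResultsByTime"]:
        totals = defaultdict(float)
        for group in period["Groups"]:
            usage_type = group["Keys"][0]
            for suffix, direction in EGRESS_SUFFIXES.items():
                if usage_type.endswith(suffix):
                    totals[direction] += float(group["Metrics"]["UnblendedCost"]["Amount"])
        baseline[period["TimePeriod"]["Start"][:7]] = dict(totals)
    return baseline

def months_outpacing_traffic(baseline, requests_by_month, tolerance=0.05):
    """Flag months whose egress cost grew faster than request volume by more than tolerance."""
    flagged, months = [], sorted(baseline)
    for prev, cur in zip(months, months[1:]):
        prev_cost, cur_cost = sum(baseline[prev].values()), sum(baseline[cur].values())
        if not prev_cost or not requests_by_month.get(prev) or cur not in requests_by_month:
            continue  # nothing to compare against
        cost_growth = cur_cost / prev_cost - 1
        traffic_growth = requests_by_month[cur] / requests_by_month[prev] - 1
        if cost_growth - traffic_growth > tolerance:
            flagged.append((cur, round(cost_growth, 3), round(traffic_growth, 3)))
    return flagged

def _period(start, costs):
    """Build one constructed ResultsByTime entry for the sample below."""
    groups = [{"Keys": [k], "Metrics": {"UnblendedCost": {"Amount": v, "Unit": "USD"}}}
              for k, v in costs.items()]
    return {"TimePeriod": {"Start": start}, "Groups": groups}

SAMPLE_CE_RESPONSE = {"ResultsByTime": [  # constructed figures, not real billing data
    _period("2024-01-01", {"DataTransfer-Out-Bytes": "1000.00", "USE1-EU-AWS-Out-Bytes": "200.00",
                           "BoxUsage:m5.large": "5000.00"}),
    _period("2024-02-01", {"DataTransfer-Out-Bytes": "1100.00", "USE1-EU-AWS-Out-Bytes": "220.00"}),
    _period("2024-03-01", {"DataTransfer-Out-Bytes": "1200.00", "USE1-EU-AWS-Out-Bytes": "780.00"}),
]}
SAMPLE_REQUESTS = {"2024-01": 1_000_000, "2024-02": 1_100_000, "2024-03": 1_155_000}  # hypothetical app metric

if __name__ == "__main__":
    print(months_outpacing_traffic(egress_baseline(SAMPLE_CE_RESPONSE), SAMPLE_REQUESTS))
```

In the constructed data, March is flagged because inter-region cost jumps while request volume rises only 5%, which points at replication rather than user traffic.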

Forecasting egress is more challenging than forecasting compute because egress depends on user distribution, content size, replication patterns, and architecture choices. A conservative approach is to forecast egress growth in proportion to total cloud spend growth, then apply 10-15% discounts from architectural optimization (CloudFront, VPC Endpoints) to yield a realistic projection.

During EDP negotiations, include egress in the forecast. Present AWS with a three-year egress projection showing baseline costs (current architecture, no optimization), optimized costs (with CloudFront and VPC Endpoints), and the dollar value of egress credits required to achieve target savings. This data-driven approach strengthens the negotiation case.