Why AWS Egress Costs Spiral Out of Control

AWS data egress costs are a blind spot for most enterprises. When you sign a contract with AWS, the focus is usually on compute, storage, and Reserved Instances. Egress costs sit in the fine print. Yet for data-intensive workloads—especially those moving data between regions, to on-premises systems, or through multiple service layers—egress can easily rival or exceed compute spend.

The problem is structural. Default AWS architecture routes traffic through NAT Gateways, cross-AZ service calls, and internet-facing endpoints. Each hop has a price: $0.045/GB for NAT Gateway processing, $0.01/GB for cross-AZ transfers, $0.09/GB for internet egress. A typical mid-market enterprise moving 1,000 TB/month across these patterns is leaving $50,000–$150,000 on the table annually.

Most teams don't realise these costs are negotiable or even eliminable. That's where these seven strategies come in. They range from zero-cost deployments (VPC Gateway Endpoints) to architectural shifts that compound savings across your entire portfolio. Combined with proper AWS EDP negotiation strategy, they're the foundation of a serious cost reduction program.

Strategy 1: Deploy VPC Gateway Endpoints for S3 and DynamoDB (Zero Cost, 40–70% NAT Savings)

Start here. VPC Gateway Endpoints are free, require zero code changes, and eliminate NAT Gateway charges for S3 and DynamoDB traffic.

How it works: Instead of routing S3 or DynamoDB requests through your NAT Gateway (incurring $0.045/GB), a Gateway Endpoint provides a direct path within AWS's private network. No internet hop, no NAT processing fee.

Financial impact: If your workload moves 500 TB/month through a NAT Gateway to S3, you're paying $22,500/month in NAT fees alone. A Gateway Endpoint eliminates that entirely. Typical enterprises see 40–70% NAT Gateway cost reduction when endpoints are properly deployed.

Deployment: Create a Gateway Endpoint in your VPC (AWS console or Terraform in five minutes), attach it to your route tables, and verify traffic in CloudTrail. There is no hourly charge, no per-GB fee. It just works.

Gotchas: Ensure your S3 bucket policy permits access from the endpoint. Test failover scenarios if you're mixing NAT and endpoint traffic. For DynamoDB, endpoints work identically but are less commonly used—audit your architecture.
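The bucket-policy gotcha above is worth checking mechanically before the cutover. The most common failure is a policy that pins the bucket to the NAT Gateway's public IP with the aws:SourceIp condition key: once requests reach S3 through a Gateway Endpoint, that public IP is no longer the source the condition sees, so the Deny starts firing against your own workload. The supported way to pin a bucket to the VPC is the aws:SourceVpce key, which carries the endpoint ID. The following is an added example, not code from the article: a small linter that flags aws:SourceIp statements, a minimal evaluator that shows which Deny statements fire before and after the cutover, and the replacement policy. Bucket name, endpoint ID and IP address are constructed placeholders, and the evaluator only models the condition operators used here, not the full IAM language.

```python
"""Added example (not part of the article): lint an S3 bucket policy before
cutting S3 traffic over from a NAT Gateway to a VPC Gateway Endpoint.
Bucket name, endpoint ID and IP address are constructed placeholders."""
import ipaddress

BUCKET = "example-data-bucket"            # placeholder
ENDPOINT_ID = "vpce-0123456789abcdef0"    # placeholder Gateway Endpoint ID
NAT_PUBLIC_IP = "203.0.113.10"            # placeholder (documentation range)


def find_sourceip_statements(policy):
    """Sids of statements conditioned on aws:SourceIp. These stop matching the
    NAT Gateway's public IP once requests arrive through the endpoint."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        keys = [k.lower() for kv in stmt.get("Condition", {}).values() for k in kv]
        if "aws:sourceip" in keys:
            hits.append(stmt.get("Sid", f"#{i}"))
    return hits


def _cond_matches(operator, key, expected, ctx):
    """Evaluate one condition entry against a request context. Supports the
    operators used for IP and endpoint pinning; a missing key follows IAM
    rules (negated operators match when the key is absent)."""
    values = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    in_cidr = actual is not None and any(
        ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if operator == "IpAddress":
        return in_cidr
    if operator == "NotIpAddress":
        return not in_cidr
    raise ValueError(f"unsupported operator: {operator}")


def deny_statements_firing(policy, ctx):
    """Sids of Deny statements whose conditions all hold for ctx. Principal,
    Action and Resource are assumed to match (same bucket, any caller)."""
    fired = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        conds = [(op, k, v) for op, kv in stmt.get("Condition", {}).items()
                 for k, v in kv.items()]
        if all(_cond_matches(op, k, v, ctx) for op, k, v in conds):
            fired.append(stmt.get("Sid", f"#{i}"))
    return fired


def endpoint_restricted_policy(bucket, vpce_id):
    """Deny anything that does not arrive via the given endpoint. This also
    blocks the console and any AWS service that calls the bucket on your
    behalf unless you add explicit exceptions, so inventory those first."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAccessOutsideEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
    }]}


# Constructed legacy policy: pins the bucket to the NAT Gateway's public IP.
LEGACY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideCorpNat", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": f"{NAT_PUBLIC_IP}/32"}},
}]}

# Request context as S3 sees it before and after the cutover (constructed).
VIA_NAT = {"aws:SourceIp": NAT_PUBLIC_IP}
VIA_ENDPOINT = {"aws:SourceIp": "10.0.12.34", "aws:SourceVpce": ENDPOINT_ID}

if __name__ == "__main__":
    print("aws:SourceIp statements:", find_sourceip_statements(LEGACY_POLICY))
    print("legacy, via NAT, denies:", deny_statements_firing(LEGACY_POLICY, VIA_NAT))
    print("legacy, via endpoint, denies:", deny_statements_firing(LEGACY_POLICY, VIA_ENDPOINT))
    hardened = endpoint_restricted_policy(BUCKET, ENDPOINT_ID)
    print("hardened, via endpoint, denies:", deny_statements_firing(hardened, VIA_ENDPOINT))
```

Run it against the real bucket policy (get-bucket-policy output) before changing route tables; if the linter returns any Sids, rewrite those statements around aws:SourceVpce and keep the old policy handy for rollback while you test the mixed NAT-plus-endpoint period.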

Strategy 2: Replace NAT Gateway with Interface Endpoints (PrivateLink) for AWS Service Traffic (Cost Reduction: 79% Possible)

This is where dramatic savings emerge. Interface Endpoints (powered by AWS PrivateLink) cost $0.01/hour + $0.01/GB, compared to NAT Gateway's $0.045/hour + $0.045/GB. For high-volume AWS service calls, PrivateLink delivers a 55–79% cost reduction.

Real case study: A programmatic bidding platform was moving 1,080 TB/month to SQS, SNS, and Lambda APIs from within a private VPC. Monthly NAT Gateway spend: $102,600. After migrating to Interface Endpoints, spend dropped to $21,600/month. Savings: $81,000/month, or 79% reduction.

When to use it: Any high-volume programmatic access to AWS services from private EC2 instances, containers, or on-premises systems. SQS, SNS, Lambda, EC2 API, Secrets Manager, and Systems Manager all benefit.

Cost calculation: Interface Endpoint: $0.01/hour (≈ $7.20/month per endpoint) + $0.01/GB. NAT Gateway: $0.045/hour (≈ $32.40/month) + $0.045/GB. At 100 GB/month, NAT costs $32.40 + $4.50 = $36.90. Interface Endpoint costs $7.20 + $1.00 = $8.20. At 1,000 TB/month, the leverage becomes transformative.

Operational considerations: Interface Endpoints are stable but require DNS awareness: with private DNS enabled on the endpoint, the service's public hostname resolves to the endpoint from inside the VPC; otherwise your application must use the endpoint-specific hostname. Test your application's connectivity before cutting over. ALB-based load balancing works seamlessly with Interface Endpoints. Monitor DNS query patterns to avoid surprises.

"Egress costs are rarely the first line item scrutinised in AWS contracts, yet they often represent the single easiest reduction target. A single architectural shift—Gateway Endpoints or PrivateLink—can save more than discounts or Reserved Instances."

— Fredrik Filipsson, Co-Founder, Redress Compliance

Strategy 3: Use CloudFront for Content Delivery (Low-Cost Caching, Free Origin Transfer)

CloudFront egress is $0.085/GB (cheaper than direct EC2 internet egress at $0.09/GB), but the real win is eliminating origin-to-edge transfer, which is free. For any content served repeatedly, CloudFront multiplies savings by your cache hit ratio.

How it compresses costs: If 80% of your traffic is cache hits, you're only paying egress for 20% of your actual data volume. An 80% cache hit rate on 500 TB/month of egress becomes 100 TB at CloudFront rates (plus free origin transfer).

Best for: Static assets (images, CSS, JavaScript), API response caching, and downstream content distribution. Less effective for highly personalised or volatile content (though CloudFront's cache key features are improving this).

Configuration tips: Set appropriate Cache-Control headers. Use CloudFront origin shields (additional $0.005/GB) in high-traffic scenarios to consolidate origin requests and improve cache hit rates. For APIs, consider API Gateway caching first, then CloudFront.

Strategy 4: Reduce Cross-AZ Traffic via Topology-Aware Routing (Low-Friction, High-ROI for Microservices)

Cross-AZ egress costs $0.01/GB in each direction. For chatty microservices, this accumulates rapidly. A cluster with 5,000 inter-service calls/second across AZs can generate $10,000–$30,000/month in cross-AZ charges alone.

Tactical fix: Enable Topology Aware Routing Hints (TAHR) in Kubernetes or use same-AZ placement policies in ECS. AWS SDKs prioritise endpoints in the same AZ, dramatically reducing cross-AZ hops.

Effort vs. savings: Minimal code changes (usually a configuration flag). ROI emerges immediately for dense microservices architectures. Not meaningful for mostly stateless, request-response workloads.

Strategy 5: AWS Direct Connect for High-Volume Hybrid Workloads ($0.02/GB Egress vs. $0.09/GB Internet)

Direct Connect is a dedicated network connection from your data centre to AWS. Egress costs $0.02/GB, a 78% reduction vs. internet egress at $0.09/GB. It also improves latency and provides predictable performance.

When it's worth it: Steady high-volume hybrid workloads (1 TB+/day replicating to on-premises or AWS). The upfront commitment (port charges: $0.30/hour) requires ROI justification, but breakeven is typically 2–6 months for qualifying workloads.

Real scenario: A financial services firm with 2 TB/day replication to on-premises saves: (0.09 − 0.02) × 2000 GB/day × 30 days = $42,000/month in egress alone, offset by ~$2,000/month in Direct Connect port charges. Net monthly saving: $40,000.

Strategy 6: Compress Data Before Transfer (Passive Savings, 60–80% Reduction for Text/JSON)

Apply gzip or Brotli compression to API responses and bulk data transfers. Text and JSON compress 60–80%. The CPU cost is negligible; the bandwidth savings are real.

Implementation: Enable compression at the API Gateway level (API Gateway natively supports gzip). For custom services, add compression middleware. For bulk data, apply compression before S3 upload or cross-region replication.

Measurement: A microservices platform moving 200 TB/month of JSON APIs saves 60% of egress by enabling compression: 120 TB/month not transferred, worth $5,400–$10,800/month depending on cost category.
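To see the 60–80% figure rather than take it on trust, measure it on your own payloads. The following is an added example, not code from the article: it builds a constructed JSON API response, reports its gzip ratio, shows the decision a compression middleware should make (client accepts gzip, body is text-like, body is large enough to be worth it), and converts a ratio into a monthly figure at the per-GB rates quoted in this article. One defensive caveat is built in: a response that mixes a secret such as a session or CSRF token with content an outside party can influence must not be compressed, because the compressed length then leaks information about the secret (the BREACH class of attacks), so the middleware takes an explicit flag for such responses. The size threshold is an assumption, and the middleware is a generic pattern rather than any framework's API.

```python
"""Added example (not part of the article): measure what gzip does to a JSON
API response and convert the ratio into a monthly egress figure at the rates
the article quotes. The payload is constructed."""
import gzip
import json

EGRESS_RATE_PER_GB = {"nat": 0.045, "internet": 0.09}  # rates quoted in the article
MIN_COMPRESS_BYTES = 1024            # assumption: below this, gzip overhead wins
COMPRESSIBLE_TYPES = ("application/json", "text/")


def sample_payload(n=200):
    """Constructed JSON API response: repetitive keys, low-entropy values."""
    items = [{"id": i, "status": "active" if i % 3 else "suspended",
              "region": "eu-west-1", "tags": ["tier:gold", "team:payments"],
              "balance": round(i * 12.5, 2)} for i in range(n)]
    return json.dumps({"items": items, "count": n}).encode()


def maybe_compress(body, accept_encoding, content_type, contains_secret=False):
    """Decide whether to gzip a response. Returns (body, content_encoding).
    Skips when the client does not accept gzip, the type is binary or already
    compressed, the body is tiny, or the response mixes a secret with data an
    outside party can influence (compressed length would leak the secret)."""
    if contains_secret or "gzip" not in accept_encoding:
        return body, None
    if not content_type.startswith(COMPRESSIBLE_TYPES) or len(body) < MIN_COMPRESS_BYTES:
        return body, None
    return gzip.compress(body, compresslevel=6), "gzip"


def compression_ratio(body):
    """Compressed size divided by original size (lower is better)."""
    return len(gzip.compress(body, compresslevel=6)) / len(body)


def monthly_saving_usd(tb_per_month, ratio, cost_category):
    """GB no longer transferred, priced at the category's per-GB rate."""
    gb = tb_per_month * 1000
    return round(gb * (1 - ratio) * EGRESS_RATE_PER_GB[cost_category], 2)


if __name__ == "__main__":
    body = sample_payload()
    r = compression_ratio(body)
    print(f"{len(body)} bytes -> ratio {r:.2f} ({(1 - r) * 100:.0f}% smaller)")
    # The article's 200 TB/month at a 60% reduction, priced as NAT and as internet egress.
    print("NAT:", monthly_saving_usd(200, 0.4, "nat"), "internet:", monthly_saving_usd(200, 0.4, "internet"))
```

Replace sample_payload with a capture of a real response to get a ratio you can put in front of the engineering team; the constructed payload is deliberately repetitive and will compress better than most production traffic.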

Strategy 7: Audit and Right-Size Inter-Region Architecture (Structural Review, Strategic Savings)

Many enterprises default to active-active multi-region or replicate every dataset across regions. Cross-region replication costs $0.015/GB, plus destination storage. It's expensive and often unnecessary.

Strategic questions: Does every dataset need active-active replication? Are you replicating for failover (passive standby is cheaper) or for geographic latency? Can you centralise origins with CloudFront origin shields instead of multi-region active deployment?

Tactical approach: Audit your S3 Cross-Region Replication (CRR) policies. Disable replication for non-critical data. Use CloudFront origin shields to consolidate origin requests before replicating. Use synchronous read-from-origin for non-critical failover scenarios.

Example: A SaaS platform replicating 500 TB/month to a secondary region (CRR + destination storage) was paying $11,250/month. After disabling CRR for non-critical analytics data and using CloudFront origin shields for failover, costs dropped to $3,000/month. Net savings: $8,250/month.

Prioritisation Framework: Quick Wins vs. Long-Term Moves

Not all strategies have equal effort or payoff. Here's how to sequence them:

Strategy                             | Effort | Typical Savings   | Timeline | Priority
-------------------------------------|--------|-------------------|----------|-----------------------
VPC Gateway Endpoints (S3, DynamoDB) | Low    | $3K–$50K/month    | Days     | Start here
Data Compression                     | Low    | $2K–$15K/month    | Days     | Quick win
Topology-Aware Routing               | Low    | $5K–$30K/month    | Weeks    | High ROI
PrivateLink / Interface Endpoints    | Medium | $20K–$100K/month  | Weeks    | Major impact
CloudFront Optimisation              | Medium | $10K–$50K/month   | Weeks    | Content-dependent
Direct Connect                       | High   | $20K–$60K/month   | Months   | Strategic
Multi-Region Audit                   | Medium | $5K–$100K/month   | Weeks    | Architecture-dependent

Cost Comparison: NAT Gateway vs. Interface Endpoints

Here's the detailed cost breakdown for high-volume AWS service traffic:

Transfer Volume                       | NAT Gateway Cost | Interface Endpoint Cost | Monthly Savings | Annual Savings
--------------------------------------|------------------|-------------------------|-----------------|---------------
100 GB/month                          | $36.90           | $8.20                   | $28.70          | $344
500 GB/month                          | $168.00          | $12.20                  | $155.80         | $1,870
1 TB/month                            | $322.00          | $17.20                  | $304.80         | $3,658
100 TB/month                          | $4,822.00        | $87.20                  | $4,734.80       | $56,818
1,000 TB/month (1,080 TB case study)  | $102,600.00      | $21,600.00              | $81,000.00      | $972,000

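The comparison in Strategy 2 and the table above both come from the same two price pairs, so the one calculation worth having is a model you can run with your own numbers. The following is an added example, not code from the article: it applies the list prices quoted in this article uniformly (NAT Gateway $0.045/hour + $0.045/GB; Interface Endpoint $0.01/hour + $0.01/GB) and reproduces the 100 GB/month row exactly. It also makes explicit two things the flat comparison hides: an Interface Endpoint's hourly charge is billed for each AZ it is placed in, and you need one endpoint per AWS service (SQS, SNS, Lambda, Secrets Manager and so on), whereas a single NAT Gateway serves every destination. Service, AZ and gateway counts are inputs you supply; the counts used in the usage lines are assumptions.

```python
"""Added example (not part of the article): a cost model for the NAT Gateway
versus Interface Endpoint comparison that applies the list prices quoted in
the article uniformly. Endpoint, AZ and gateway counts are inputs you supply."""
HOURS_PER_MONTH = 720
NAT_HOURLY, NAT_PER_GB = 0.045, 0.045      # rates quoted in the article
VPCE_HOURLY, VPCE_PER_GB = 0.01, 0.01      # per endpoint per AZ; per GB


def nat_monthly_cost(gb, gateways=1):
    """One NAT Gateway handles every destination; hourly charge per gateway."""
    return round(gateways * NAT_HOURLY * HOURS_PER_MONTH + gb * NAT_PER_GB, 2)


def vpce_monthly_cost(gb, services=1, azs=1):
    """Interface Endpoints are per service and billed hourly in each AZ they
    are placed in, so the fixed part scales with services x AZs."""
    endpoints = services * azs
    return round(endpoints * VPCE_HOURLY * HOURS_PER_MONTH + gb * VPCE_PER_GB, 2)


def compare(gb, services=1, azs=1, gateways=1):
    """Monthly and annual figures for one volume, both architectures."""
    nat = nat_monthly_cost(gb, gateways)
    vpce = vpce_monthly_cost(gb, services, azs)
    return {"nat": nat, "vpce": vpce,
            "monthly_saving": round(nat - vpce, 2),
            "annual_saving": round(12 * (nat - vpce), 2)}


def breakeven_gb(services, azs, gateways=1):
    """Monthly GB above which the endpoints cost less than the NAT Gateway(s).
    A negative result means they are cheaper at any volume."""
    fixed_gap = (services * azs * VPCE_HOURLY - gateways * NAT_HOURLY) * HOURS_PER_MONTH
    return fixed_gap / (NAT_PER_GB - VPCE_PER_GB)


if __name__ == "__main__":
    for gb in (100, 500, 1_000, 100_000, 1_080_000):
        print(f"{gb:>9,} GB/month:", compare(gb))
    # Assumed deployment: six services across three AZs, 18 endpoints of fixed cost.
    print("breakeven GB/month, 6 services x 3 AZs:", round(breakeven_gb(6, 3)))
```

The per-GB gap ($0.035) dominates at the volumes this article discusses, so the endpoint count rarely changes the decision for high-volume service traffic; it does matter for low-volume VPCs, where a handful of endpoints across three AZs can cost more than the NAT Gateway they replace, which is what breakeven_gb is for.
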
Egress cost reduction is part of a larger AWS EDP negotiation.

These architectural strategies work best when paired with commercial leverage. Download our playbook to understand how to negotiate egress cost terms with AWS before signing your next EDP.


Integrating Egress Reduction into Your AWS Commercial Strategy

These seven strategies are technical. But they're most powerful when integrated into your broader AWS EDP negotiation strategy.

Here's why: AWS's Enterprise Discount Programme (EDP) is negotiable, including data transfer terms. If you can demonstrate that you're engineering cost efficiency (Gateway Endpoints, PrivateLink, CloudFront optimisation) and have a credible plan to reduce egress, AWS will often agree to better per-GB rates or committed discounts. Conversely, if you're negotiating without understanding your egress baseline, you'll accept standard rates and miss easy leverage.

The commercial sequence:

  1. Measure current egress: quantify total egress spend by source (NAT, cross-AZ, internet, inter-region).
  2. Deploy quick wins: Gateway Endpoints, compression, topology awareness. Establish a 6–12 month improvement trajectory.
  3. Negotiate from strength: tell AWS, "We're reducing egress by 40–60% through architectural improvements. What egress pricing can you offer to support this commitment?" AWS will move.
  4. Combine with broader EDP talks: egress reduction pairs well with Reserved Instance and Savings Plan optimisation and with AWS Support plan negotiation, unlocking a comprehensive, compounding discount package.

Many enterprises layer these strategies: they deploy PrivateLink, optimise multi-region architecture, and negotiate a 10–15% egress discount. Combined impact: 60–70% total egress cost reduction.

For enterprises using the AWS Marketplace procurement strategy, egress cost reduction also impacts software licensing and cost allocation. A reduction in underlying AWS egress translates to better unit economics for any marketplace applications.

Measurement and Ongoing Optimisation

Document your baseline. Use CloudWatch metrics and Cost Explorer to track:

  • NAT Gateway bytes out: Track pre- and post-Gateway Endpoint deployment.
  • Cross-AZ bytes: Monitor for topology-aware routing effectiveness.
  • Inter-region data transfer: Audit CRR policies quarterly.
  • Internet egress: Target for CloudFront or PrivateLink offload.
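Step 1 of the commercial sequence and the four metrics above amount to one report: egress GB and spend broken down by source. The Cost and Usage Report already carries that breakdown in its usage-type column, where each line is a region prefix followed by the usage type (NatGateway-Bytes, DataTransfer-Regional-Bytes for cross-AZ, DataTransfer-Out-Bytes for internet, and source-destination-AWS-Out-Bytes for inter-region). The following is an added example, not code from the article: a classifier for those usage types and an aggregator that produces the baseline from CUR-style rows. The rows are constructed sample data with amounts in GB; swap in an export of your own report.

```python
"""Added example (not part of the article): build the egress baseline by
source from Cost and Usage Report style rows. The rows are constructed; the
usage-type strings follow the CUR convention of a region prefix followed by
the usage type."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: column names as in a CUR export, amounts in GB.
SAMPLE_CUR = """\
lineItem/UsageType,lineItem/UsageAmount,lineItem/UnblendedCost
USE1-NatGateway-Bytes,120000,5400.00
USE1-NatGateway-Hours,2160,97.20
USE1-DataTransfer-Regional-Bytes,80000,800.00
USE1-DataTransfer-Out-Bytes,40000,3600.00
USE1-USW2-AWS-Out-Bytes,30000,450.00
EUW1-NatGateway-Bytes,20000,900.00
USE1-BoxUsage:m5.large,720,69.12
"""

INTER_REGION = re.compile(r"^[A-Z0-9]+-[A-Z0-9]+-AWS-Out-Bytes$")


def classify(usage_type):
    """Map a CUR usage type onto the article's four egress sources."""
    if "NatGateway" in usage_type:
        return "nat"
    if "DataTransfer-Regional-Bytes" in usage_type:
        return "cross_az"
    if "DataTransfer-Out-Bytes" in usage_type:
        return "internet"
    if INTER_REGION.match(usage_type):
        return "inter_region"
    return None


def egress_baseline(cur_csv):
    """Aggregate GB (from -Bytes rows) and cost (all rows) per source."""
    totals = defaultdict(lambda: {"gb": 0.0, "cost": 0.0})
    for row in csv.DictReader(io.StringIO(cur_csv)):
        cat = classify(row["lineItem/UsageType"])
        if cat is None:
            continue  # compute, storage and other non-egress lines
        if row["lineItem/UsageType"].endswith("-Bytes"):
            totals[cat]["gb"] += float(row["lineItem/UsageAmount"])
        totals[cat]["cost"] += float(row["lineItem/UnblendedCost"])
    return {k: {"gb": round(v["gb"], 2), "cost": round(v["cost"], 2)}
            for k, v in totals.items()}


def cost_share(baseline):
    """Share of egress spend per source, largest first, for the report."""
    total = sum(v["cost"] for v in baseline.values())
    return sorted(((k, round(v["cost"] / total, 3)) for k, v in baseline.items()),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    base = egress_baseline(SAMPLE_CUR)
    for cat, v in base.items():
        print(f"{cat:<13} {v['gb']:>10,.0f} GB  ${v['cost']:>10,.2f}")
    print("shares:", cost_share(base))
```

Run this monthly on the same export so the pre- and post-deployment numbers for each strategy are comparable, and keep the NAT hourly lines in the NAT bucket: after a Gateway Endpoint rollout the bytes should fall while the hours stay flat, which is the signature you expect to see.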

Set up monthly cost tracking. Share egress metrics with engineering teams; most cost reductions come from architectural awareness, not one-off optimisations.

The Bottom Line

AWS egress costs are engineered into your bill by default. Most of this cost is eliminable or dramatically reducible through architecture patterns that AWS itself recommends. Start with Gateway Endpoints and compression (zero effort, real savings). Move to PrivateLink and topology optimisation (medium effort, transformative savings). Then layer commercial negotiation on top. Combined, these approaches compress egress costs by 50–79% for typical workloads.

If your enterprise is moving significant data through AWS—whether within AWS services, to the internet, or across regions—these seven strategies are non-negotiable due diligence. Your AWS egress cost reduction specialists can help operationalise them at scale.

About the Author

Fredrik Filipsson is Co-Founder of Redress Compliance, where he leads commercial and engineering strategy for enterprise AWS cost optimisation. He specialises in data transfer economics, AWS Enterprise Discount Programmes, and cloud procurement architecture for Fortune 500 organisations. Fredrik is a frequent speaker on AWS cost engineering and has authored multiple guides on EDP negotiation, Reserved Instances, and data transfer optimisation.

Connect with Fredrik on LinkedIn