AI Summary - 20-sec read - Reviewed by experts
- Data transfer is the AWS line item teams skip, because it is buried under EC2 and has no single dashboard - yet on busy accounts it quietly becomes one of the largest charges.
- The money leaks in four places: NAT gateway processing and hourly fees, cross-AZ traffic between your own services, internet egress to users, and cross-Region or inter-service chatter.
- NAT gateway is the most common surprise - every byte from a private subnet to S3, DynamoDB or the internet is charged twice (per-GB processing plus the hourly rate) unless you add VPC endpoints.
- The fixes are architectural, not a discount call: VPC gateway endpoints for S3 and DynamoDB, AZ-aware service placement, a CDN in front of egress-heavy traffic, and keeping chatty services in one Region.
- Short on time? Book a free call.
Short on time? Book a free call.
Open any large AWS bill and the line that gets the least attention is data transfer. Compute and storage have owners, dashboards and reserved-capacity plans. Data transfer has none of that - it is spread across services, has no single console view, and grows quietly with traffic until it is one of your biggest charges and nobody can say why. The frustrating part is that most of it is avoidable with a few architecture changes, not a negotiation with AWS.
This is the diagnostic we run for UK and US teams when the transfer line looks too high. The four places the money actually leaks - NAT gateways, cross-AZ traffic, internet egress, and cross-Region chatter - how to spot each one in your own bill, and the specific fix that cuts it without re-platforming anything.
Why data transfer is the bill's blind spot
Three things make transfer easy to miss. It has no single home in the console - charges appear under EC2, under the NAT gateway, under each Region - so there is no one screen that says "you spent this much moving bytes." It scales with traffic, so it creeps rather than spikes, and a creeping number rarely triggers a review. And the pricing is counter-intuitive: a lot of teams assume traffic inside AWS is free, when in fact crossing an Availability Zone, leaving a Region, or going through a NAT gateway all cost money. Put those together and transfer becomes the charge that grows for a year before anyone asks the question.
The four places the money leaks
1. NAT gateway processing and hourly charges
This is the most common surprise. A NAT gateway lets resources in a private subnet reach the internet - and AWS charges both an hourly rate for the gateway and a per-GB fee on every byte that passes through it. The trap: traffic from a private subnet to S3 or DynamoDB also routes through the NAT gateway by default, so you pay the per-GB processing fee to reach a service that is sitting inside AWS already. On a data-heavy workload that single oversight can be a large share of the transfer bill. The fix is a VPC gateway endpoint for S3 and DynamoDB - it routes that traffic privately, bypasses the NAT gateway entirely, and the endpoints themselves are free. Interface endpoints do the same for many other AWS services.
Transfer line climbing and no one can explain it?
Get a free audit. We trace your data-transfer and NAT gateway spend to the exact source - endpoints, AZ placement, egress, Region hops - and give you the fix for each, ranked by saving. No re-platforming, no pitch, reply in 2 hrs, no card needed, NDA on request.
Get a free audit2. Cross-AZ traffic you didn't know you were paying for
Spreading workloads across Availability Zones is the right call for resilience - but every byte that crosses an AZ boundary is charged in both directions. When an application server in one AZ talks to a database, cache or another service in a different AZ on every request, that chatter adds up fast. The fix is not to abandon multi-AZ resilience; it is to be deliberate about placement. Keep tightly-coupled, high-traffic components AZ-aware so the hot path stays within a zone where it safely can, use read replicas or caches local to each AZ, and reserve cross-AZ traffic for the replication and failover it is actually there for. The goal is resilience without paying AZ-crossing fees on every routine call.
3. Internet egress and the CDN you should be using
Data leaving AWS for the public internet - responses to users, file downloads, API payloads, video - is billed per GB, and the rate is higher than internal transfer. For an application serving a lot of outbound content directly from EC2 or an Application Load Balancer, that egress is often the single largest transfer line. The fix is a CDN. Putting CloudFront in front of egress-heavy traffic means content is cached at the edge and served from there, so you pay CloudFront's lower egress rate and serve repeat requests without touching your origin at all. For any UK or US audience pulling content repeatedly, a CDN usually pays for itself on the transfer saving alone, before you count the latency win.
4. Cross-Region and inter-service chatter
The last leak is traffic between Regions. Replicating data to a second Region, calling a service that lives in another Region, or backing up across Regions all incur inter-Region transfer fees, which are higher again than cross-AZ. Sometimes that cost is justified - disaster recovery, data residency, latency for a distant audience. Often it is accidental: a service deployed in the wrong Region calling back to its dependencies, or a backup target chosen without thinking about the transfer cost. Map which of your cross-Region flows are deliberate and which are accidental, then collapse the accidental ones by co-locating services that talk constantly. Keep cross-Region traffic for the things that genuinely need to span Regions.
Takeaways
- Data transfer has no single dashboard, scales with traffic, and is not free inside AWS - which is why it grows unnoticed.
- NAT gateway is the usual surprise: add VPC gateway endpoints for S3 and DynamoDB so that traffic bypasses NAT processing fees.
- Cross-AZ chatter is billed both ways - keep hot-path components AZ-aware while preserving multi-AZ resilience.
- Put a CDN in front of internet egress; cached edge delivery cuts the largest outbound line.
- Audit cross-Region flows and collapse the accidental ones by co-locating chatty services.
Want your transfer bill traced to its source?
We map every data-transfer and NAT gateway charge to the flow that creates it, then hand you the fix for each ranked by saving against your own bill. No pitch, reply in 2 hrs.
Book a free callHow to find it in your own bill (read-only)
You can diagnose all of this without changing a thing. Start in Cost Explorer grouped by usage type, and look for the transfer codes - the ones containing DataTransfer, the NAT gateway bytes-processed line, and the per-Region out lines. That tells you the shape of the problem: NAT-heavy, AZ-heavy, egress-heavy or Region-heavy. Then enable VPC Flow Logs on the busiest subnets to see which flows actually generate the bytes, so you fix the real source instead of guessing. This is the same measure-first discipline behind every cost win - identify the largest line before you touch anything, exactly as in our walkthrough of the line items to check when your AWS bill spikes and the storage-side version in cutting your S3 bill.
Where transfer fits the wider cloud bill
Data transfer rarely gets a reserved-capacity plan or a quarterly review the way compute does, which is exactly why it drifts. Treating it as a first-class line - endpoints in place, AZ-aware placement, a CDN on egress, deliberate Region choices - is part of ongoing AWS consulting and the kind of managed cloud operation where someone owns the bill month to month. Fix the four leaks once and transfer stops being the mystery line and becomes a number you can predict.
FAQ
Why is my AWS NAT gateway so expensive?
A NAT gateway charges an hourly rate plus a per-GB fee on all traffic that passes through it. The usual reason the bill is high is that traffic from private subnets to S3 and DynamoDB routes through the NAT by default, paying the processing fee to reach a service already inside AWS. Adding free VPC gateway endpoints for S3 and DynamoDB routes that traffic privately and removes it from the NAT, which often cuts the charge sharply.
Is data transfer between Availability Zones free on AWS?
No. Traffic crossing an Availability Zone boundary is charged, in both directions. Multi-AZ is still the right choice for resilience, but if tightly-coupled services in different AZs talk on every request, that cross-AZ traffic adds up. Keep hot-path components AZ-aware and reserve cross-AZ traffic for replication and failover.
How do I reduce AWS internet egress costs?
Put a CDN such as CloudFront in front of outbound content. Caching at the edge serves repeat requests without hitting your origin and bills egress at the CDN's lower rate, which usually makes it the biggest single lever for egress-heavy workloads. Compressing payloads and trimming over-fetching helps at the margin.
How can I see what is driving my data-transfer bill?
Use Cost Explorer grouped by usage type to find the specific transfer codes - DataTransfer lines, NAT gateway bytes processed, per-Region out - then turn on VPC Flow Logs for the busiest subnets to identify the exact flows generating the bytes. That tells you whether the problem is NAT, AZ, egress or Region before you change any architecture.
The bottom line: AWS data transfer grows in the dark because it has no dashboard and is not free inside the cloud. Add VPC endpoints so private traffic skips the NAT gateway, keep hot-path components AZ-aware, put a CDN on internet egress, and make your cross-Region flows deliberate. Diagnose it read-only first with Cost Explorer and Flow Logs, fix the largest leak, then measure the next cycle - and the line nobody checks becomes one you control.
Founder and CEO of Braincuber. Has scoped and shipped 500+ Odoo, AI, and cloud projects for US mid-market and global brands. Takes every founder call personally — no SDR layer between buyers and the people building the system.