Cost-Optimized Network Routing in AWS
Configuring appropriate network routes to minimize network transfer costs (for example, Region to Region, Availability Zone to Availability Zone, private to public, AWS Global Accelerator, VPC endpoints)
This guide focuses on the strategic configuration of network routes within AWS to minimize data transfer charges, a critical skill for the SAA-C03 exam. We will explore how choosing the right "path" for your data—whether through VPC endpoints, across Availability Zones, or via the global backbone—impacts your monthly bill.
Learning Objectives
- Identify the cost implications of data transfer across different AWS boundaries (AZ, Region, Internet).
- Differentiate between Gateway Endpoints and Interface Endpoints (PrivateLink) from a cost perspective.
- Evaluate the cost-benefit of using a single NAT Gateway vs. multi-AZ NAT Gateways.
- Determine when to use AWS Global Accelerator vs. Amazon CloudFront for cost-effective global delivery.
- Design architectures that prioritize private IP communication to eliminate "Data Transfer Out" (DTO) charges.
Key Terms & Glossary
- Data Transfer Out (DTO): Traffic leaving the AWS network to the internet. This is almost always the most expensive type of traffic.
- VPC Endpoint: A private connection between your VPC and supported AWS services without requiring an internet gateway or NAT device.
- Anycast IP: An IP address used by AWS Global Accelerator that is advertised from multiple edge locations simultaneously to route traffic to the nearest healthy endpoint.
- Peering (VPC Peering): A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
- PrivateLink: The technology powering Interface Endpoints, allowing private access to services over the AWS backbone.
The "Big Idea"
> [!IMPORTANT]
> The fundamental rule of AWS networking cost optimization is: Keep it Local, Keep it Private. Traffic stays cheapest when it remains within the same Availability Zone (AZ) and becomes progressively more expensive as it crosses AZ boundaries, Region boundaries, or exits to the public Internet.
Formula / Concept Box
| Traffic Type | Cost Profile | Best Practice |
|---|---|---|
| Intra-AZ (Private IP) | $0.00 / GB | Keep chatty application components in the same AZ where possible. |
| Inter-AZ (Same Region) | $0.01 / GB in each direction | Balance High Availability (HA) requirements against this cost. |
| Inter-Region | Variable (Approx $0.02+) | Use compression or regional replicas to minimize cross-region sync. |
| Data Transfer In (Internet) | $0.00 / GB | No action needed; standard for all services. |
| Data Transfer Out (Internet) | ~$0.09 / GB (Tiered) | Use CloudFront to lower DTO costs via caching and lower rates. |
Hierarchical Outline
- VPC-Level Routing Costs
  - NAT Gateways: Hourly charge ($0.045/hour) + Data Processing ($0.045/GB). Expensive at high data volumes.
  - NAT Instances: Cheaper for low volume (only the EC2 cost), but lack managed scalability.
- AWS Service Access (Endpoints)
  - Gateway Endpoints: Free of charge. Available ONLY for S3 and DynamoDB.
  - Interface Endpoints (PrivateLink): Hourly charge + Data Processing charge. Use for all other AWS services.
- Cross-Boundary Connectivity
  - VPC Peering: Charges for data transfer across AZs, but no hourly "gateway" fee.
  - Transit Gateway: Simplifies management, but carries an hourly fee per attachment + a data processing fee.
- Global Traffic Optimization
  - Global Accelerator: Best for non-HTTP (TCP/UDP) performance; fixed hourly fee + Data Transfer Premium (DTP).
  - CloudFront: Best for static/dynamic web content; reduces cost by caching at the edge.
Visual Anchors
Data Transfer Cost Hierarchy
Private vs. Public Routing
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, rounded corners, align=center, fill=blue!10}]
% Nodes
\node (ec2) {EC2 Instance\\(Private Subnet)};
\node (vpce) [right of=ec2, xshift=2cm, fill=green!10] {Gateway Endpoint\\(S3/DynamoDB)};
\node (nat) [below of=vpce, yshift=-0.5cm, fill=red!10] {NAT Gateway};
\node (s3) [right of=vpce, xshift=2cm] {Amazon S3};
\node (igw) [right of=nat, xshift=2cm] {Internet Gateway};
% Arrows
\draw[->, thick, green!60!black] (ec2) -- node[above, draw=none, fill=none] {FREE} (vpce);
\draw[->, thick, green!60!black] (vpce) -- (s3);
\draw[->, thick, red!60!black] (ec2) |- (nat);
\draw[->, thick, red!60!black] (nat) -- node[below, draw=none, fill=none] {\$0.045/GB} (igw);
\draw[->, thick, red!60!black] (igw) -| (s3);
\end{tikzpicture}
Definition-Example Pairs
- Gateway Endpoint: A routing target in your VPC route table that directs S3/DynamoDB traffic over the AWS backbone for free.
- Example: A fleet of EC2 instances backing up 10TB of data to S3 daily. Using a Gateway Endpoint saves $450/day compared to a NAT Gateway.
- Availability Zone (AZ) Affinity: Designing applications to prefer communicating with resources in the same AZ.
- Example: An Application Load Balancer (ALB) with "Cross-Zone Load Balancing" disabled can reduce costs if the targets behind it are scaled appropriately in each AZ.
- AWS Global Accelerator: A service that uses anycast IPs to onboard user traffic onto the AWS global network as close to the user as possible.
- Example: A gaming company using Global Accelerator to reduce jitter and latency for international players while paying a Data Transfer Premium (DTP) instead of standard internet rates.
Worked Examples
Scenario 1: The S3 Backup Trap
Problem: A company has a private subnet with 100 EC2 instances. They perform nightly backups to S3, totaling 5,000 GB per month. Currently, they use a NAT Gateway.
Calculation:
- NAT Gateway data processing: 5,000 GB × $0.045/GB = $225.00
- NAT Gateway hourly: 720 hours × $0.045/hour = $32.40
- Total: $257.40 / month
Solution: Implement a Gateway VPC Endpoint for S3.
- The route table is updated to send S3 traffic directly to the endpoint.
- New Cost: $0.00 (Gateway Endpoints are free).
- Savings: $257.40 / month.
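The route-table change behind this fix is worth seeing in action. The following added example (not AWS code and not part of the original guide) simulates the VPC router's rule that the most specific matching route wins: once the Gateway Endpoint adds its prefix-list route, S3-bound packets stop matching the `0.0.0.0/0` route to the NAT Gateway while all other internet-bound traffic keeps using it. The prefix-list CIDRs, route-table names and `nat-`/`vpce-` target IDs are constructed placeholders; the real S3 ranges come from the AWS-managed prefix list for your region.

```python
"""Route-selection walkthrough for the S3 Gateway Endpoint fix.

Added example, not AWS code. It reproduces the VPC router's rule (the most
specific matching route wins) to show why adding the endpoint route diverts
S3-bound packets away from the 0.0.0.0/0 -> NAT route. The prefix-list
CIDRs, route-table names and target IDs are constructed placeholders.
"""
import ipaddress

# Constructed stand-in for the S3 managed prefix list. The real list is
# published by AWS per region and is what a Gateway Endpoint route points at.
PREFIX_LISTS = {
    "pl-s3-example": ["203.0.113.0/24", "198.51.100.0/24"],  # RFC 5737 test ranges
}


def expand_routes(routes):
    """Flatten (destination, target) pairs; a prefix-list destination becomes
    one entry per CIDR so it can take part in longest-prefix matching."""
    expanded = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        for cidr in cidrs:
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def next_hop(routes, dst_ip):
    """Longest-prefix match: return the target of the matching route with the
    longest mask, or None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Private-subnet route table before the fix: everything non-local leaves via NAT.
BEFORE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-example"),
]

# After the fix: the Gateway Endpoint adds a prefix-list route. Nothing else
# changes, so non-S3 internet traffic still takes the NAT path.
AFTER = BEFORE + [("pl-s3-example", "vpce-example")]


def s3_leaves_privately(routes):
    """True when every S3 range resolves to a Gateway Endpoint (vpce-) target."""
    targets = {next_hop(routes, str(ipaddress.ip_network(c)[1]))
               for c in PREFIX_LISTS["pl-s3-example"]}
    return all(t is not None and t.startswith("vpce-") for t in targets)


def tables_still_using_nat(route_tables):
    """Defender's audit: names of route tables whose S3 traffic still hits the
    NAT path, i.e. subnets the endpoint was never associated with."""
    return sorted(name for name, routes in route_tables.items()
                  if not s3_leaves_privately(routes))


if __name__ == "__main__":
    for label, rt in (("before", BEFORE), ("after", AFTER)):
        print(label, "S3 ->", next_hop(rt, "203.0.113.10"),
              "| other internet ->", next_hop(rt, "192.0.2.1"))
    print("tables still on NAT:",
          tables_still_using_nat({"rtb-private-a": AFTER, "rtb-private-b": BEFORE}))
```

Two practical checks follow from this model. First, the endpoint only helps subnets whose route table it is associated with; `tables_still_using_nat` is the kind of audit that catches a second private route table that was never updated and is still paying NAT processing fees for backups. Second, a Gateway Endpoint serves only S3 in the VPC's own Region, so backups to a bucket in another Region keep following the default route.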
Scenario 2: Cross-AZ Chatty Apps
Problem: A microservices architecture sends 1,000 GB of data between Service A (AZ-1) and Service B (AZ-2) using Private IPs.
Calculation:
- In AWS, you pay for inter-AZ data transfer both out of the source AZ and into the destination AZ.
- Out of AZ-1: 1,000 GB × $0.01/GB = $10.00
- Into AZ-2: 1,000 GB × $0.01/GB = $10.00
- Total: $20.00
Optimization: Align services to the same AZ where possible, or use VPC Peering (peering across AZs still incurs the $0.01/GB charge, but it avoids NAT Gateway processing fees).
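The two scenarios above are single instances of a small cost model that the Hierarchical Outline and the Formula / Concept Box spell out in words. The following added example (my own, not an AWS tool and not part of the original guide) encodes that model so the same comparison can be run for any monthly volume, and applies the outline's decision rule: Gateway Endpoint for S3 and DynamoDB, otherwise the cheaper of an Interface Endpoint and a NAT Gateway. The NAT, inter-AZ and Gateway Endpoint rates are the figures used on this page; the Interface Endpoint (PrivateLink) rates are placeholder assumptions.

```python
"""Monthly cost model for the routing paths compared on this page.

Added example, not an AWS tool. The NAT Gateway, inter-AZ and Gateway
Endpoint rates are the figures this page uses; the Interface Endpoint
(PrivateLink) rates are placeholder assumptions. Real prices vary by
region, so confirm them on the AWS pricing pages before relying on output.
"""

HOURS_PER_MONTH = 720

# Rates used on this page (USD).
NAT_HOURLY = 0.045             # per NAT Gateway hour
NAT_PER_GB = 0.045             # NAT data processing
INTER_AZ_PER_GB = 0.01         # charged in each direction
GATEWAY_ENDPOINT_PER_GB = 0.0  # Gateway Endpoints are free

# Assumed placeholder rates for an Interface Endpoint; not from this page.
IFACE_HOURLY_PER_AZ = 0.01     # one endpoint ENI per AZ, billed hourly
IFACE_PER_GB = 0.01            # PrivateLink data processing

GATEWAY_ENDPOINT_SERVICES = {"s3", "dynamodb"}


def nat_gateway_monthly(gb):
    """Scenario 1 'before': one NAT Gateway running all month plus processing."""
    return round(HOURS_PER_MONTH * NAT_HOURLY + gb * NAT_PER_GB, 2)


def gateway_endpoint_monthly(gb):
    """Scenario 1 'after': no hourly charge and no per-GB charge."""
    return round(gb * GATEWAY_ENDPOINT_PER_GB, 2)


def interface_endpoint_monthly(gb, azs=1):
    """Interface Endpoint: hourly per AZ it is deployed in, plus per-GB processing."""
    return round(azs * HOURS_PER_MONTH * IFACE_HOURLY_PER_AZ + gb * IFACE_PER_GB, 2)


def inter_az_monthly(gb):
    """Scenario 2: billed once leaving the source AZ and once entering the destination AZ."""
    return round(gb * INTER_AZ_PER_GB * 2, 2)


def cheapest_private_path(service, gb, azs=1):
    """Outline decision rule: Gateway Endpoint for S3/DynamoDB, otherwise the
    cheaper of an Interface Endpoint and a NAT Gateway.
    Returns (path_name, monthly_cost)."""
    if service.lower() in GATEWAY_ENDPOINT_SERVICES:
        return ("gateway-endpoint", gateway_endpoint_monthly(gb))
    options = {
        "interface-endpoint": interface_endpoint_monthly(gb, azs),
        "nat-gateway": nat_gateway_monthly(gb),
    }
    name = min(options, key=options.get)
    return (name, options[name])


if __name__ == "__main__":
    before = nat_gateway_monthly(5000)
    after = gateway_endpoint_monthly(5000)
    print(f"Scenario 1: NAT ${before:.2f} -> endpoint ${after:.2f}, "
          f"saves ${before - after:.2f}/month")
    print(f"Scenario 2: 1,000 GB across AZs costs ${inter_az_monthly(1000):.2f}/month")
    for svc in ("s3", "sqs"):
        print(svc, "->", cheapest_private_path(svc, 5000, azs=2))
```

Note that the NAT hourly fee is paid whether or not any data flows, which is why the Gateway Endpoint saves the full $257.40 in Scenario 1 rather than only the processing charge; the model keeps that fixed component separate so the effect is visible at low volumes too.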
Checkpoint Questions
- Which two AWS services can be accessed via a "Gateway" VPC endpoint at no cost?
- True or False: Data transfer into an EC2 instance from the internet is free.
- If you use a NAT Gateway in us-east-1a to serve instances in us-east-1b, what extra cost do you incur for every GB processed?
- What is the main cost benefit of using Amazon CloudFront for a high-traffic image-hosting site?
- When using AWS Transit Gateway, are you charged for the data passing through it in addition to the hourly attachment fee?
Answers
- Amazon S3 and Amazon DynamoDB.
- True.
- You incur the Inter-AZ data transfer fee ($0.01/GB) because the data must cross from the instance's AZ to the NAT Gateway's AZ.
- CloudFront Data Transfer Out (DTO) rates are typically lower than standard EC2 DTO rates, and the first 1TB is often free.
- Yes, there is a per-GB data processing charge for Transit Gateway ($0.02/GB in many regions).