AWS Networking & Data Transfer Cost Optimization

This guide explores the financial architecture of AWS networking, focusing on the cost-efficiency of hybrid connectivity, internal VPC mechanisms, and content delivery strategies relevant to the SAP-C02 exam.

Learning Objectives

• Analyze the pricing components of VPC-related services (NAT Gateways, Traffic Mirroring).
• Evaluate the cost-benefit ratio between AWS Managed VPN and Direct Connect (DX).
• Determine the most cost-effective Data Transfer Out (DTO) paths for global workloads.
• Calculate potential savings when migrating from internet-based transfers to private circuits.

Key Terms & Glossary

• Data Transfer Out (DTO): Data leaving AWS to the internet or an on-premises location. This is usually the primary driver of networking costs.
• Port Hour: A fixed hourly fee for an active physical or logical connection (common in DX and VPN).
• NAT Gateway Processing: A usage-based fee ($ per GB) for data passing through a Network Address Translation gateway.
• DX Location: A physical colocation facility where AWS hardware meets a customer or partner network.
• Traffic Mirroring: An advanced VPC feature used for deep packet inspection, charged per hour per Elastic Network Interface (ENI).

The "Big Idea"

In AWS, Data Transfer In (DTI) is almost always free, but Data Transfer Out (DTO) is where the bill scales. Optimization is not just about choosing cheaper services, but about selecting the shortest, most private path for data to travel. A common architectural pivot is moving from a VPN (standard internet rates) to Direct Connect (significantly reduced DTO rates) as data volume increases.

Formula / Concept Box

[!IMPORTANT] DTO Cost Rule: DX DTO < Internet/VPN DTO. The price for DX DTO varies specifically by the combination of the source AWS Region and the destination DX Location.

Hierarchical Outline

1. VPC-Level Costs
   • NAT Gateways: Incur both an hourly uptime charge and a per-GB throughput charge.
   • Traffic Mirroring: Charged per ENI; expensive if applied to all instances without filtering.
2. Hybrid Connectivity Costs
   • VPN: Low entry cost, high DTO cost. Ideal for occasional use or low volumes.
   • Direct Connect (DX): High entry cost (Port + Circuit), significantly lower DTO. Ideal for high bandwidth and consistency.
3. Content Delivery (CloudFront)
   • Charged based on volume of data transferred to the internet and number of requests.
   • Can reduce costs by offloading origin server traffic.

Visual Anchors

Hybrid Connectivity Decision Flow

Data Flow Cost Mapping

\begin{tikzpicture}[node distance=2cm] \draw[thick, fill=blue!10] (0,0) rectangle (4,3) node[pos=.5] {\textbf{AWS Region}}; \draw[thick, fill=gray!10] (6,0) rectangle (10,3) node[pos=.5] {\textbf{On-Premises}};

% Data In \draw[->, ultra thick, green!70!black] (6,2) -- (4,2) node[midway, above] {\mbox{Data In ($0.00)}};

% Data Out \draw[->, ultra thick, red!70!black] (4,1) -- (6,1) node[midway, below] {\mbox{DTO ($)}};

% NAT Gateway detail \node[draw, fill=yellow!20, font=\scriptsize] at (2,0.5) {NAT Gateway}; \draw[->] (1.5, 0.7) -- (1.5, 1.3) node[left, font=\tiny] {Processing Fee}; \end{tikzpicture}

Definition-Example Pairs

• NAT Gateway Processing Fee: The cost per GB of data that passes through the NAT gateway regardless of destination.
  • Example: If a web server in a private subnet downloads a 10GB update from the internet via a NAT Gateway, you pay for the 10GB of processing plus the standard DTO (if applicable).
• Direct Connect Port Hour: The cost to keep a physical or hosted connection active at the DX location.
  • Example: Maintaining a 10Gbps dedicated connection costs a set amount per hour, even if 0 bytes of data are sent.

Worked Examples

Scenario: Comparing VPN vs. DX for 50 TB of Monthly Data Transfer

Assumption:

• VPN DTO = $0.09 per GB
• DX DTO = $0.02 per GB
• VPN Connection = $0.05 / hour
• DX 1G Port = $0.30 / hour

1. VPN Cost Calculation:

• Connection: $0.05 \times 720 hours = $36$
• DTO: $50,000 \text{ GB} \times $0.09 = $4,500$
• Total: $4,536 / month

2. DX Cost Calculation:

• Port: $0.30 \times 720 hours = $216$
• DTO: $50,000 \text{ GB} \times $0.02 = $1,000$
• Total: $1,216 / month

[!TIP] Conclusion: Even with higher fixed port costs, DX saves over $3,300 per month in this scenario due to the DTO discount.

Checkpoint Questions

1. True or False: Data sent from an on-premises data center into an AWS VPC via Direct Connect incurs an hourly port charge but no data transfer charge.
2. Which service is cheaper for DTO: A VPN connection over the public internet or a Direct Connect connection?
3. Name two costs associated with using a NAT Gateway.
4. How does geography affect DX pricing?

▶Click for Answers

1. True. Data In is free.
2. Direct Connect. DTO over DX is typically much lower than internet rates.
3. Hourly uptime charge and Per-GB processing charge.
4. DTO costs for DX vary based on the specific AWS Region and the DX Location being used.

Muddy Points & Cross-Refs

• The "Free" VPC Myth: While creating a VPC and Subnets is free, the resources that make them functional (NAT Gateways, ENI Mirroring, Transit Gateways) are not.
• DX Location vs. Region: A common point of confusion is that DTO is cheapest when the DX Location is in the same "home" region as the data, but you can use DX Gateway to reach other regions (at a higher cost).
• Inter-AZ Transfer: While not explicitly in the source, remember that data transfer between Availability Zones in the same region usually incurs a cost (typically $0.01/GB in each direction).

Comparison Tables

Hybrid Connectivity Comparison