AWS data transfer charges are the most common thing I find in cost audits that nobody can explain.
The bill shows “Data Transfer” — usually a few thousand dollars a month. People assume it’s internet egress. They look at their CloudFront usage, shrug, and move on. The charges keep growing.
Here’s what’s actually happening — and what to do about it.
Why data transfer charges are hard to read
AWS charges for data transfer in multiple contexts:
- Internet egress — data leaving AWS to the internet
- Cross-AZ transfer — data moving between Availability Zones within a region
- Cross-region transfer — data moving between AWS regions
- PrivateLink / VPC endpoint — data traversing interface endpoints
All of these show up under similar line items in Cost Explorer. Without drilling into usage type breakdowns, there’s no obvious way to tell which is which.
The trap: most teams focus on internet egress (the obvious one) and miss the others entirely.
The one that surprises everyone: cross-AZ transfer
Cost: $0.01/GB each direction
That sounds trivial. At scale, it isn’t.
If two services are in different Availability Zones and calling each other thousands of times per minute, you’re paying $0.02 per GB of data exchanged — $0.01 out of AZ-A and $0.01 into AZ-B. For a microservices architecture with high-frequency internal calls, this compounds fast.
Real example: A company with a message queue consumer in us-east-1a pulling from a broker in us-east-1b. 50GB/day of internal traffic × $0.02 = $1/day = $365/year. Not enormous — but that’s one service pair. An account with 20 such pairs is spending $7,000/year on avoidable charges.
How to find it
In Cost Explorer:
- Go to Explore → Cost and Usage
- Group by Usage Type
- Filter for usage types containing DataTransfer-Regional-Bytes
This breaks down cross-AZ transfer by service. Sort by cost, descending. The top items are your investigation targets.
You can also use AWS Cost and Usage Reports (CUR) for more granular line-item data — but Cost Explorer is sufficient to find the major offenders.
How to fix it
Option 1: Co-locate services in the same AZ. For stateless services, deploy replicas in each AZ independently — don’t have AZ-A call AZ-B. This is the cleanest fix but requires deployment changes.
Option 2: VPC endpoints. For AWS service calls (S3, DynamoDB, SQS, etc.), traffic routes through the internet gateway by default. Adding a Gateway Endpoint for S3 and DynamoDB is free and eliminates cross-AZ transfer for those services.
Option 3: Interface endpoints (PrivateLink). For other AWS services, VPC Interface Endpoints route traffic privately. There’s a small hourly charge (~$7.20/month per endpoint) but it’s almost always worth it if you’re seeing significant cross-AZ charges.
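An audit for Option 2, added here as example code that is not from the original post: it lists which VPCs have no available S3 or DynamoDB Gateway endpoint, working from EC2 describe_vpcs / describe_vpc_endpoints responses, and audit_and_fix shows the live boto3 calls, including the create_vpc_endpoint call that attaches the free gateway endpoint to every route table in the VPC. The sample responses and VPC IDs are constructed placeholders.

```python
"""Audit which VPCs lack the free S3/DynamoDB gateway endpoints (Option 2)."""

def gateway_services(region):
    """Service names of the two gateway-endpoint-capable services in a region."""
    return {f"com.amazonaws.{region}.s3", f"com.amazonaws.{region}.dynamodb"}

def missing_gateway_endpoints(vpcs, endpoints, region):
    """Return {vpc_id: [service names with no available Gateway endpoint]}.
    Input shapes match EC2 describe_vpcs / describe_vpc_endpoints (first page).
    Interface endpoints for S3 are deliberately not counted: they are billed
    hourly, while the gateway type is the free option the post recommends."""
    wanted = gateway_services(region)
    present = {}
    for ep in endpoints["VpcEndpoints"]:
        if ep["VpcEndpointType"] == "Gateway" and ep["State"] == "available":
            present.setdefault(ep["VpcId"], set()).add(ep["ServiceName"])
    gaps = {}
    for vpc in vpcs["Vpcs"]:
        missing = wanted - present.get(vpc["VpcId"], set())
        if missing:
            gaps[vpc["VpcId"]] = sorted(missing)
    return gaps

def audit_and_fix(region, apply=False):
    """Live version (needs boto3 and credentials; not run here). With apply=True
    it creates each missing gateway endpoint on every route table of the VPC."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    gaps = missing_gateway_endpoints(ec2.describe_vpcs(), ec2.describe_vpc_endpoints(), region)
    if apply:
        for vpc_id, services in gaps.items():
            rtbs = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
            rtb_ids = [r["RouteTableId"] for r in rtbs["RouteTables"]]
            for service in services:
                ec2.create_vpc_endpoint(VpcId=vpc_id, ServiceName=service,
                                        VpcEndpointType="Gateway", RouteTableIds=rtb_ids)
    return gaps

# Constructed sample responses (IDs are placeholders, not real resources).
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-1.dynamodb", "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-1.dynamodb", "VpcEndpointType": "Gateway", "State": "pending"},
]}
```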
Internet egress: find what’s actually leaving AWS
Internet egress (data going from AWS to the internet) is charged at $0.09/GB for most regions. This one people usually know about — but they don’t always know what is generating the traffic.
Common culprits:
EC2 instances serving traffic directly. If you’re not behind CloudFront, your EC2 or ALB is paying full egress rates. CloudFront charges $0.0085–$0.02/GB (depending on region and volume) vs. $0.09 from EC2 directly. For high-traffic sites, the delta is significant.
S3 without CloudFront. Direct S3 egress for public assets is expensive. S3 → CloudFront egress is free. If you’re serving images, videos, or downloads directly from S3, you’re paying more than you need to.
Log aggregation. Sending logs from EC2 to an external service (Datadog, Splunk, Papertrail) generates egress charges for every byte of logs shipped. If you’re shipping verbose application logs, this can be meaningful. Consider filtering at the CloudWatch Logs level before forwarding.
How to find it
In Cost Explorer, filter for usage types containing DataTransfer-Out-Bytes. Group by Service to see which services are generating outbound traffic. Cross-reference against what you’d expect — a large S3 egress number for a “static assets” bucket probably means CloudFront isn’t in front of it.
Cross-region transfer: usually intentional but worth auditing
Cross-region data transfer is charged at $0.02/GB for most region pairs. Common causes:
- DR replication. RDS cross-region read replicas, S3 Cross-Region Replication (CRR), DynamoDB global tables. These are usually intentional.
- Accidental cross-region calls. A service in us-east-1 calling an API endpoint or data source in us-west-2. This happens when teams have resources scattered across regions without realizing it.
Check: in Cost Explorer, group by Region and look for unexpected non-primary regions generating significant costs. Then investigate what’s in those regions.
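The three Cost Explorer checks above (cross-AZ via DataTransfer-Regional-Bytes, internet egress via DataTransfer-Out-Bytes, and cross-region by region) as one script, added here as an example that is not from the original post: it classifies usage types by suffix and ranks services within each category. The cross-region and PrivateLink patterns are assumptions to verify against your own CUR, the sample response is constructed, and fetch() shows the equivalent live boto3 call without being executed.

```python
"""Classify Cost Explorer usage types into the four transfer categories."""
import re
from collections import defaultdict
# The first two suffixes are the strings named in the post; the cross-region
# (e.g. USE1-USW2-AWS-Out-Bytes) and PrivateLink patterns are assumptions.
CATEGORIES = [
    ("cross-AZ", re.compile(r"DataTransfer-Regional-Bytes$")),
    ("internet egress", re.compile(r"DataTransfer-Out-Bytes$")),
    ("cross-region", re.compile(r"^[A-Z0-9]+-[A-Z0-9]+-AWS-Out-Bytes$")),
    ("PrivateLink", re.compile(r"VpcEndpoint-Bytes$")),
]

def classify(usage_type):
    """Category for a usage type, or None if it is not a data transfer line."""
    for name, pattern in CATEGORIES:
        if pattern.search(usage_type):
            return name
    return None

def summarize(ce_response):
    """Sum UnblendedCost per (category, service) over all periods; returns
    {category: [(service, usd), ...]} sorted by cost descending."""
    totals = defaultdict(lambda: defaultdict(float))
    for period in ce_response["ResultsByTime"]:
        for group in period["Groups"]:
            service, usage_type = group["Keys"]  # GroupBy SERVICE, USAGE_TYPE
            category = classify(usage_type)
            if category is not None:
                totals[category][service] += float(group["Metrics"]["UnblendedCost"]["Amount"])
    return {c: sorted(s.items(), key=lambda kv: -kv[1]) for c, s in totals.items()}

def fetch(start, end):
    """Live equivalent of SAMPLE (needs boto3 and credentials; not run here)."""
    import boto3
    return boto3.client("ce").get_cost_and_usage(
        TimePeriod={"Start": start, "End": end}, Granularity="MONTHLY",
        Metrics=["UnblendedCost"],
        GroupBy=[{"Type": "DIMENSION", "Key": "SERVICE"},
                 {"Type": "DIMENSION", "Key": "USAGE_TYPE"}])

def _row(service, usage_type, usd):  # helper for the constructed sample
    return {"Keys": [service, usage_type], "Metrics": {"UnblendedCost": {"Amount": usd, "Unit": "USD"}}}

# Constructed sample in get_cost_and_usage response shape, not real billing data.
SAMPLE = {"ResultsByTime": [{"TimePeriod": {"Start": "2024-05-01", "End": "2024-06-01"}, "Groups": [
    _row("Amazon Simple Storage Service", "USE1-DataTransfer-Out-Bytes", "1840.50"),
    _row("Amazon Elastic Compute Cloud - Compute", "USE1-DataTransfer-Regional-Bytes", "612.25"),
    _row("Amazon Simple Queue Service", "USE1-DataTransfer-Regional-Bytes", "95.10"),
    _row("Amazon Relational Database Service", "USE1-USW2-AWS-Out-Bytes", "220.00"),
    _row("Amazon Elastic Compute Cloud - Compute", "USE1-BoxUsage:m5.large", "3000.00"),
]}]}
```

The top rows of each category are the investigation targets; the compute line is ignored because it is not data transfer at all.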
The quick wins checklist
If your AWS bill has a data transfer line you can’t explain, work through this:
Enable VPC Gateway Endpoints for S3 and DynamoDB — Free. Eliminates cross-AZ charges for those services and internet egress for S3. Takes 10 minutes.
Put CloudFront in front of S3 assets — Reduces egress cost 80–90% for public files. If you’re serving files directly from S3, this is usually worth doing.
Check for EC2 serving traffic without CloudFront — If ALB or EC2 egress is high and you’re not on CloudFront, evaluate the switch.
Audit cross-AZ service topology — Identify the top 3–5 service pairs generating cross-AZ traffic. Can they be co-located or rerouted?
Review log forwarding volume — If you’re shipping verbose logs to an external service, add a filter to reduce volume before it leaves AWS.
When to bring in help
Data transfer optimization is detective work. You know the charges are there; you need to trace them to specific service interactions. The path from “line item in Cost Explorer” to “here’s the service pair and here’s the fix” takes familiarity with AWS networking and some time with CUR data.
If your bill has a data transfer line that’s been growing and nobody knows why, that’s a cost audit. I run them as a flat-fee engagement: I find the sources, quantify the savings, and give you a prioritized list of fixes with effort estimates.
Contact me or email nick@coldsmokeconsulting.com.
Nick Allevato is an AWS Certified Solutions Architect Professional with 20 years of infrastructure experience. He runs Cold Smoke Consulting, an independent AWS consulting practice.