
Cloud Networking Costs: The Hidden Traps That Blow Your Budget

NAT Gateways, cross-AZ traffic, load balancer idle charges, and other networking costs that catch teams off guard.

Jeff Monfield · March 2, 2026 · 9 min read

The Networking Tax Nobody Warns You About

Cloud networking costs are the silent budget killer. Unlike compute and storage, which appear as clear line items you can anticipate, networking charges are scattered across dozens of billing dimensions that interact in non-obvious ways. A team that carefully right-sizes its EC2 instances and manages its S3 lifecycle policies can still get blindsided by a five-figure networking bill from NAT Gateway data processing, cross-AZ traffic between microservices, idle load balancers, and DNS query volume.

This article catalogs the most common networking cost traps across AWS, Azure, GCP, and OCI, explains the mechanics behind each charge, and provides concrete strategies to reduce or eliminate them. These are not theoretical concerns — they are patterns observed repeatedly in production cloud environments, and fixing them typically saves 20 to 40 percent on the networking portion of your cloud bill.

NAT Gateway Data Processing Charges

NAT Gateways are the single most common source of unexpected networking costs on AWS. Every gigabyte of traffic processed through a NAT Gateway costs $0.045 on top of the $0.045 per hour existence charge. A single NAT Gateway processing 5 TB per month costs approximately $257 — $32 for the hourly charge plus $225 for data processing. Deploy one per AZ across three availability zones, as best practices recommend for high availability, and you are paying $771 per month.

The trap is that much of this traffic does not need to go through the NAT Gateway at all. Traffic to AWS services like S3, DynamoDB, SQS, SNS, CloudWatch, and Kinesis can be routed through VPC Gateway Endpoints (free for S3 and DynamoDB) or Interface Endpoints (charged per hour plus per-GB, but typically much cheaper than NAT Gateway processing). A common pattern is an application that writes logs to CloudWatch and pushes metrics to S3 — routing that traffic through a NAT Gateway adds processing charges that Interface Endpoints would avoid.

Azure has a similar dynamic with NAT Gateway, though the pricing structure differs slightly. Azure NAT Gateway charges per hour and per GB of data processed. The per-GB charge is $0.045, matching AWS. GCP's Cloud NAT charges $0.045 per hour per gateway plus $0.045 per GB processed, plus an additional charge for the number of VM instances using the gateway. OCI charges for NAT Gateway on a per-hour basis but includes data processing in the overall network pricing, making it generally less expensive than the other three providers.

Quick check

Run this today: check your AWS bill for the "NatGateway-Bytes" line item under EC2 networking. If it exceeds $100 per month, you almost certainly have traffic that should be routed through VPC endpoints instead.
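The NAT Gateway arithmetic above and the quick check, as an added example that is not part of the article. It models the hourly and per-GB charges with the article's prices, computes what moving S3/DynamoDB traffic to free Gateway Endpoints saves, and scans a Cost Explorer `GetCostAndUsage` result (grouped by usage type) for `NatGateway-Bytes` line items over $100; the `USE1` prefix and the response data are constructed samples, and `flag_nat_bytes` is a hypothetical helper name.

```python
# Added example (not the article's code): model the NAT Gateway charges described
# above and scan a Cost Explorer result for the "NatGateway-Bytes" usage type.
# Prices are the article's; "USE1" and the response below are constructed samples.

NAT_HOURLY_USD = 0.045        # per NAT Gateway-hour (existence charge)
NAT_PER_GB_USD = 0.045        # per GB processed through the gateway
HOURS_PER_MONTH = 730         # AWS billing convention (365 * 24 / 12)
QUICK_CHECK_THRESHOLD_USD = 100.0   # the article's "above $100/month" rule of thumb


def nat_gateway_monthly_cost(gb_processed: float, gateways: int = 1) -> float:
    """Hourly existence charge plus per-GB processing, for `gateways` gateways
    each processing `gb_processed` GB (decimal GB, as AWS bills)."""
    return gateways * (NAT_HOURLY_USD * HOURS_PER_MONTH + NAT_PER_GB_USD * gb_processed)


def gateway_endpoint_savings(gb_processed: float, gb_for_s3_dynamodb: float,
                             gateways: int = 1) -> float:
    """Processing cost avoided by sending S3/DynamoDB traffic through free Gateway
    Endpoints. The hourly charge stays: the gateways still exist for other traffic."""
    moved_gb = min(gb_for_s3_dynamodb, gb_processed)
    return gateways * NAT_PER_GB_USD * moved_gb


def flag_nat_bytes(ce_response: dict, threshold: float = QUICK_CHECK_THRESHOLD_USD) -> list:
    """Return (usage_type, usd) pairs for NatGateway-Bytes line items above `threshold`.
    Expects the shape of a GetCostAndUsage response grouped by USAGE_TYPE."""
    flagged = []
    for period in ce_response.get("ResultsByTime", []):
        for group in period.get("Groups", []):
            usage_type = group["Keys"][0]
            usd = float(group["Metrics"]["UnblendedCost"]["Amount"])
            if "NatGateway-Bytes" in usage_type and usd > threshold:
                flagged.append((usage_type, usd))
    return flagged


# Constructed sample in the GetCostAndUsage response shape (grouped by USAGE_TYPE).
SAMPLE_CE_RESPONSE = {
    "ResultsByTime": [{
        "TimePeriod": {"Start": "2026-02-01", "End": "2026-03-01"},
        "Groups": [
            {"Keys": ["USE1-NatGateway-Bytes"],
             "Metrics": {"UnblendedCost": {"Amount": "225.00", "Unit": "USD"}}},
            {"Keys": ["USE1-NatGateway-Hours"],
             "Metrics": {"UnblendedCost": {"Amount": "32.85", "Unit": "USD"}}},
        ],
    }]
}

if __name__ == "__main__":
    print(round(nat_gateway_monthly_cost(5000, 3), 2))   # one gateway per AZ, 5 TB each
    print(flag_nat_bytes(SAMPLE_CE_RESPONSE))            # the quick check on sample data
```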


Cross-AZ Data Transfer

On AWS, data transfer between availability zones within the same region costs $0.01 per GB in each direction — $0.02 per GB round trip. This charge applies to all traffic between instances in different AZs, including traffic between Kubernetes pods on nodes in different AZs, traffic between microservices deployed across AZs for high availability, and database replication traffic.

For a microservices architecture where services communicate frequently across AZs, these costs accumulate rapidly. Consider a service mesh with ten services, each handling 1,000 requests per second with 10 KB average payload size. If traffic is evenly distributed across three AZs, roughly two-thirds of traffic crosses AZ boundaries. That works out to approximately 17 TB per month of cross-AZ traffic, costing $340 per month just for inter-service communication. Add database replication, cache synchronization, and message queue traffic, and cross-AZ costs can easily exceed $1,000 per month for a moderately busy system.

Azure charges similarly for cross-zone traffic within a region, though the pricing varies by region. GCP does not charge for cross-zone traffic within a region, which is a significant cost advantage for distributed architectures. OCI also does not charge for cross-availability-domain traffic within a region, making it another cost-effective choice for multi-AZ deployments.

To reduce cross-AZ costs on AWS, consider zone-aware routing in your service mesh or load balancer, which prefers sending traffic to endpoints in the same AZ. Kubernetes topology-aware routing can achieve this for cluster-internal traffic. For read-heavy database workloads, deploy read replicas in each AZ so that application instances read from a local replica rather than crossing AZ boundaries. Cache aggressively to reduce the volume of cross-AZ calls.
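The cross-AZ estimate above and the effect of zone-aware routing, as an added example that is not part of the article. It uses the article's $0.01/GB each-way rate; the workload inputs (1,000 requests per second aggregate, 10 KB payloads, three AZs, 90 percent of calls kept local by zone-aware routing) and the function names are assumptions, and responses are assumed to be the same size as requests unless given.

```python
# Added example (not the article's code): estimate cross-AZ traffic and cost for
# a service-to-service workload on AWS, and show what zone-aware routing saves.
# Rate is the article's ($0.01/GB each way); rps and payload inputs are assumptions.

CROSS_AZ_USD_PER_GB_EACH_WAY = 0.01
SECONDS_PER_MONTH = 30 * 24 * 3600     # 2,592,000 s in a 30-day month


def cross_az_fraction(zones: int, zone_aware_hit_rate: float = 0.0) -> float:
    """Share of calls that cross an AZ boundary. With calls spread uniformly over
    `zones` AZs, (zones - 1) / zones leave the caller's AZ; zone-aware routing keeps
    `zone_aware_hit_rate` of those local (0.0 = no zone awareness, 1.0 = all local)."""
    if zones < 1 or not 0.0 <= zone_aware_hit_rate <= 1.0:
        raise ValueError("zones must be >= 1 and hit rate within [0, 1]")
    return (zones - 1) / zones * (1.0 - zone_aware_hit_rate)


def monthly_gb(rps: float, payload_kb: float) -> float:
    """Request volume per month in decimal GB (AWS bills in GB, not GiB)."""
    return rps * payload_kb * SECONDS_PER_MONTH / 1e6


def cross_az_monthly_cost(rps: float, payload_kb: float, zones: int,
                          zone_aware_hit_rate: float = 0.0,
                          response_kb: float = None) -> float:
    """Monthly cross-AZ charge. Both directions are billed, so the request payload
    pays going out and the response pays coming back; by default the response is
    assumed to be the same size as the request (set response_kb=0 to count only requests)."""
    if response_kb is None:
        response_kb = payload_kb
    frac = cross_az_fraction(zones, zone_aware_hit_rate)
    gb = (monthly_gb(rps, payload_kb) + monthly_gb(rps, response_kb)) * frac
    return gb * CROSS_AZ_USD_PER_GB_EACH_WAY


if __name__ == "__main__":
    # Assumed workload: 1,000 rps aggregate, 10 KB payloads, three AZs.
    baseline = cross_az_monthly_cost(1000, 10, 3)
    zone_aware = cross_az_monthly_cost(1000, 10, 3, zone_aware_hit_rate=0.9)
    print(f"cross-AZ request GB/month: {monthly_gb(1000, 10) * cross_az_fraction(3):.0f}")
    print(f"baseline ${baseline:.2f}/month, zone-aware ${zone_aware:.2f}/month")
```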

Load Balancer Idle Charges

Application Load Balancers on AWS cost approximately $0.0225 per hour ($16.50/month) plus $0.008 per LCU-hour based on new connections, active connections, bandwidth, and rule evaluations. Even a load balancer receiving zero traffic still incurs the base hourly charge. Teams that create separate ALBs for development branches, staging environments, or individual microservices often accumulate dozens of idle or near-idle load balancers.

A common anti-pattern is creating one ALB per service in a microservices architecture. If you have 15 services, that is $247 per month in ALB base charges before any traffic flows. A single ALB with path-based or host-based routing rules can serve all 15 services for $16.50 per month plus LCU charges. The LCU charges for moderate traffic levels are typically much less than the base charges for additional ALBs.

Azure Application Gateway has a similar pricing model with a fixed hourly charge plus per-unit consumption. The Standard_v2 SKU costs approximately $0.246 per hour ($180/month) for the fixed component, making idle Azure Application Gateways even more expensive than idle AWS ALBs. Azure Front Door and Azure Load Balancer Standard also have fixed monthly charges. GCP load balancers charge per rule and per GB processed, with no separate hourly base charge per forwarding rule in most configurations, which makes them cheaper for low-traffic scenarios. OCI load balancers have a base charge but OCI's overall pricing tends to be lower.


DNS Query Costs

DNS query charges are another cost that surprises teams at scale. AWS Route 53 charges $0.40 per million standard queries and $0.60 per million latency-based or geolocation queries. For a busy application serving 100 million DNS queries per month, that is $40-$60 per month just for DNS resolution. If your application makes excessive DNS lookups due to short TTLs, no client-side caching, or high-volume service-to-service calls, these costs compound.

Azure DNS charges $0.40 per million queries after the first billion queries per zone per month. GCP Cloud DNS charges $0.40 per million queries. OCI DNS is included at no additional charge for standard DNS zones, which is an often-overlooked cost advantage.

To reduce DNS costs, increase TTL values on records that do not change frequently. Implement client-side DNS caching in your applications. For Kubernetes workloads, NodeLocal DNSCache can reduce the volume of DNS queries that leave each node. Consider using private hosted zones for internal service discovery rather than relying on public DNS for everything.

Egress Charges and the Egress Tax

Data transfer out of any cloud to the internet — egress — is one of the most discussed cloud costs. AWS charges approximately $0.09 per GB for the first 10 TB per month, with volume discounts beyond that. Azure and GCP have similar pricing structures. OCI charges $0.0085 per GB for egress in most regions, roughly one-tenth of AWS's rate for data transfer out to the internet.

The egress tax hits hardest for content-heavy applications: video streaming, file sharing, large API responses, and software distribution. A SaaS application serving 50 TB of API responses per month pays approximately $4,350 in AWS egress charges. The same workload on OCI would cost approximately $425 — a tenfold reduction. This pricing difference is one of OCI's strongest competitive advantages and is worth evaluating seriously for egress-heavy workloads.

To reduce egress costs, use CDN services like CloudFront, Azure CDN, or Cloud CDN. CloudFront egress pricing is lower than direct EC2 egress pricing on AWS, so routing traffic through CloudFront can actually save money even for dynamic content. Compress API responses using gzip or Brotli. Implement pagination and field selection in APIs to reduce response sizes. For data transfer between clouds or to on-premises, evaluate dedicated interconnect services (Direct Connect, ExpressRoute, Cloud Interconnect, FastConnect) which offer lower per-GB pricing at scale.

Elastic IP and Public IP Charges

Starting in February 2024, AWS began charging $0.005 per hour ($3.60/month) for all public IPv4 addresses, including those attached to running EC2 instances. Previously, attached Elastic IPs were free. This change affected every AWS customer with public-facing resources. An organization with 100 public IPs now pays $360 per month just for IP addresses.

Azure charges for public IP addresses at similar rates, with Standard SKU static IPs costing approximately $0.005 per hour. GCP charges for static external IP addresses at $0.004 per hour when attached and $0.010 per hour when unattached. OCI includes a certain number of public IPs for free with compute instances.

To reduce public IP costs, audit your resources for unnecessary public IPs. Use private endpoints and VPC/VNet connectivity for inter-service communication rather than routing through public IPs. Consider IPv6 for workloads where client support permits — IPv6 addresses are free on AWS. For Kubernetes workloads, a single load balancer with a single public IP can serve all externally accessible services through ingress routing.

VPN and Interconnect Charges

Site-to-site VPN connections have per-hour charges across all providers. AWS charges $0.05 per hour per VPN connection ($36/month). Azure VPN Gateway charges vary by SKU from $0.04 per hour (Basic, being retired) to $1.25 per hour (VpnGw5). GCP Cloud VPN charges $0.075 per hour per tunnel. OCI IPSec VPN is included for free with the DRG (Dynamic Routing Gateway).

Dedicated interconnect services like AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect, and OCI FastConnect have port charges, partner charges, and data transfer charges. A 1 Gbps Direct Connect port costs $0.30 per hour ($220/month) plus data transfer. These costs are justified for high-volume, latency-sensitive hybrid workloads, but teams sometimes provision dedicated connections when a VPN would suffice, or maintain connections to environments that no longer need them.

Audit your VPN and interconnect connections quarterly. Delete connections to decommissioned on-premises environments. For development and test environments that need infrequent access to on-premises resources, consider client VPN solutions rather than site-to-site tunnels. Evaluate whether you need dedicated interconnect bandwidth or whether VPN over the internet provides sufficient performance for your workload.


Strategies for Controlling Networking Costs

The most effective strategy is visibility. Tag your networking resources, enable cost allocation tags for data transfer, and set up budget alerts specifically for networking line items. AWS Cost Explorer can filter by usage type to show NAT Gateway processing, cross-AZ transfer, and egress separately. Azure Cost Analysis and GCP Billing Reports offer similar filtering.

Architect for cost awareness from the start. Design your VPC and subnet layout with data flow in mind. Place services that communicate frequently in the same AZ. Use VPC endpoints for AWS service access. Implement CDN for content delivery. Compress all API responses. Use connection pooling to reduce the overhead of establishing new connections through load balancers.

Review networking costs monthly. Unlike compute and storage costs that tend to be stable, networking costs often grow with traffic volume and can spike unexpectedly. A new feature that increases API response sizes, a misconfigured service that retries failed requests, or a data pipeline that pulls data across regions can all cause sudden networking cost increases.

Action items

Three changes that deliver the biggest networking cost savings: deploy VPC Gateway Endpoints for S3 and DynamoDB (free, saves NAT Gateway processing costs), enable zone-aware routing to reduce cross-AZ traffic, and consolidate load balancers using path-based routing. These three changes alone typically save 25-40% on networking costs.


Written by Jeff Monfield

Cloud architect and founder of CloudToolStack. Building free tools and writing practical guides to help engineers navigate AWS, Azure, GCP, and OCI.

Disclaimer: This article is for informational purposes. Cloud services and pricing change frequently; always verify with official provider documentation. AWS, Azure, GCP, and OCI are trademarks of their respective owners.