Amazon VPC pricing is deceptively simple on the surface: the VPC itself is free. But the networking components you put inside it (NAT Gateways, public IPv4 addresses, VPC endpoints, data transfer) are where the real charges accumulate. And AWS doesn't make it easy. VPC pricing is scattered across at least four separate pricing pages, each with its own rate tables and billing quirks.
This guide consolidates every VPC cost component into a single reference with current 2026 pricing, monthly cost examples, and optimization strategies. Whether you're budgeting a new deployment or figuring out why your networking bill spiked, you'll find the answers here. For a quick estimate, use the VPC pricing calculator to model your specific architecture.
All pricing below reflects US East (N. Virginia) rates as of March 2026 unless noted otherwise. Rates vary by Region.
Is Amazon VPC Free? (What Costs and What Doesn't)
The short answer: yes, the VPC itself is free. You can create VPCs, subnets, route tables, security groups, and network ACLs without paying anything for the VPC service. But that's like saying the highway is free while ignoring the tolls at every on-ramp.
Here's what you get at no charge.
Free VPC Components
These core networking components are included at no cost:
- VPC creation and management (up to 5 per Region by default, adjustable)
- Subnets (public, private, isolated)
- Route tables and route entries
- Security groups and rules
- Network ACLs
- Internet Gateways
- Gateway VPC endpoints (S3 and DynamoDB only)
- VPC peering connections (the connection itself is free; data transfer charges may apply)
- VPC IPAM Free Tier (including Public IP Insights)
- VPC Block Public Access
- Network Address Usage (NAU) monitoring
That free list is longer than most people realize. The important callout is gateway endpoints for S3 and DynamoDB: they're free and should be in every VPC. I'll explain why later.
Paid VPC Components (Quick Reference Table)
Here's every VPC component that costs money, with its billing model and a rough monthly estimate to set expectations:
| Component | Pricing Model | Approximate Monthly Cost |
|---|---|---|
| NAT Gateway | $0.045/hr + $0.045/GB | ~$37-78 per gateway |
| Public IPv4 addresses | $0.005/IP/hr | ~$3.65 per IP |
| Interface VPC endpoints | $0.01/hr/AZ + $0.01/GB | ~$7.30 per endpoint per AZ |
| AWS Transit Gateway | $0.05/hr per attachment + $0.02/GB | ~$36.50 per attachment |
| Site-to-Site VPN | $0.05/hr per connection | ~$36.50 per connection |
| Client VPN | $0.10/hr + $0.05/hr per connection | Varies by users |
| VPC Lattice | $0.025/hr + $0.025/GB + $0.10/1M req | ~$18.25+ per service |
| Traffic Mirroring | Per-ENI hourly | Varies |
| VPC IPAM Advanced | $0.00027/active IP/hr | Varies by IP count |
| Reachability Analyzer | $0.10/analysis | Per use |
| Network Access Analyzer | $0.002/ENI/assessment | Per use |
| VPC Encryption Controls | Hourly per VPC (new March 2026) | TBD |
| Data transfer (cross-AZ) | $0.01/GB each direction | Varies by volume |
Now let's dig into the biggest cost driver in most VPCs: the NAT Gateway.
NAT Gateway Pricing
NAT Gateway consistently shows up as the largest line item on VPC bills. It's the service that lets resources in private subnets reach the internet, and AWS charges you from three directions simultaneously.
Pricing Breakdown (us-east-1)
| Charge Type | Rate |
|---|---|
| NAT Gateway hourly | $0.045 per gateway-hour |
| Data processing | $0.045 per GB processed |
| Public IPv4 address (EIP) | $0.005 per IP per hour |
Partial hours count as full hours. So if you spin up a NAT Gateway for testing and delete it 10 minutes later, you're paying for the entire hour. The data processing charge applies to every gigabyte flowing through the gateway, regardless of direction.
Monthly Cost Example: Two-AZ Deployment
A typical production setup with two NAT Gateways (one per AZ) processing 100 GB/month in us-east-1:
| Line Item | Calculation | Monthly Cost |
|---|---|---|
| NAT Gateway hourly | $0.045/hr x 730 hrs x 2 gateways | $65.70 |
| Data processing | $0.045/GB x 100 GB | $4.50 |
| Public IPv4 (EIPs) | $0.005/IP/hr x 730 hrs x 2 IPs | $7.30 |
| Total | $77.50 |
$77.50/month for two NAT Gateways with modest traffic. And that's before data transfer out to the internet. Scale to 1 TB of processing and the data charge alone jumps to $45. For a deeper breakdown with region-specific pricing, check out the detailed NAT Gateway pricing guide or use the NAT Gateway pricing calculator.
Regional NAT Gateway (November 2025)
AWS introduced a regional availability mode for NAT Gateways in November 2025. Instead of deploying one gateway per AZ manually, a regional NAT Gateway automatically expands and contracts across AZs based on where your workloads are running.
A few things that make this interesting:
- It doesn't require public subnets (unlike zonal NAT Gateways)
- Supports up to 32 IP addresses per AZ (vs. 8 for zonal)
- Billing adjusts automatically when an AZ is removed, so you stop paying for AZs your workloads aren't using
This could reduce costs for workloads that don't maintain presence in every AZ at all times. If your dev environments only run during business hours in one or two AZs, the billing scales down accordingly.
Network Firewall Waiver
Here's one most people miss: when a NAT Gateway and AWS Network Firewall are deployed together in a service chain in the same account, the standard NAT Gateway hourly and data processing charges are waived one-to-one against the Network Firewall endpoint charges. If you already pay for Network Firewall but your NAT Gateways sit outside that service chain, you're paying NAT Gateway charges the waiver would have covered. Check your architecture.
NAT Gateways aren't the only per-IP charge. Since February 2024, every public IPv4 address in your account costs money too.
Public IPv4 Address Pricing
Starting February 1, 2024, AWS charges for all public IPv4 addresses across every service. This was a big change. Previously, the first Elastic IP attached to a running instance and any auto-assigned public IP were free; only idle or additional Elastic IPs incurred charges. Now every public IPv4 address costs money.
The $3.65/Month Per-IP Charge
$0.005 per IP per hour, which works out to roughly $3.65 per public IPv4 address per month. This applies to:
- EC2 instances with public IPs
- RDS instances with public endpoints
- EKS nodes
- NAT Gateways (their Elastic IPs)
- Elastic Load Balancers
- Any other AWS service with a public IPv4 address
It doesn't matter whether the IP is attached to a running resource or sitting idle: both bill at the same rate. The rate does vary by how the address was obtained:
| Address Type | Rate |
|---|---|
| In-use public IPv4 (standard) | $0.005/IP/hr |
| Idle public IPv4 (unattached or stopped resource) | $0.005/IP/hr |
| Amazon-provided contiguous IPv4 block | $0.008/IP/hr |
| BYOIP (Bring Your Own IP) | Free |
If you've brought your own IP addresses via BYOIP, those are exempt from the charge. Something to factor in for large-scale deployments where the savings add up.
Free Tier and Exceptions
The AWS Free Tier for EC2 includes 750 hours of public IPv4 address usage per month for the first 12 months. That covers one public IP running continuously. Usage beyond 750 hours per month is charged at the standard rate.
How to Find IPv4 Charges in Your Bill
Two ways to track these charges:
- Cost Explorer: filter by usage type `PublicIPv4:InUseAddress (Hrs)` for active IPs and `PublicIPv4:IdleAddress (Hrs)` for idle ones
- VPC IPAM Public IP Insights: a free tool that provides organization-wide visibility into public IPv4 usage, helping you identify IPs you can consolidate or remove
If you're running an EC2 pricing analysis, don't forget to factor in the IPv4 charges. For larger estates, you can find and delete unused Elastic IPs across all regions to eliminate idle address costs.
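As an added example (not code from the original post, and not an AWS tool), here is how the "find idle Elastic IPs" step can be scripted offline from the JSON that `aws ec2 describe-addresses` and `aws ec2 describe-instances` return for one Region. `describe-addresses` alone can't tell you that the instance behind an EIP has been stopped, which is why the instance list is joined in. The two JSON documents below are constructed samples using documentation-range addresses; the rate is the article's $0.005/IP/hr, and run it once per Region since Elastic IPs are regional.

```python
"""Audit Elastic IPs for the public IPv4 charge.

Added example, not from the original post. Input is the JSON that
`aws ec2 describe-addresses` and `aws ec2 describe-instances` return.
Constructed sample data below; addresses are from 203.0.113.0/24.
"""
import json

PUBLIC_IPV4_HOURLY = 0.005   # us-east-1 rate quoted in the article
HOURS_PER_MONTH = 730

SAMPLE_DESCRIBE_ADDRESSES = json.dumps({"Addresses": [
    # attached to a running instance: in use
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "Domain": "vpc",
     "AssociationId": "eipassoc-0001", "InstanceId": "i-0a1b2c3d4e5f00001",
     "NetworkInterfaceId": "eni-0001"},
    # allocated but never associated: pure waste
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "Domain": "vpc"},
    # attached to an instance that is stopped: billed, but doing nothing
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc", "Domain": "vpc",
     "AssociationId": "eipassoc-0003", "InstanceId": "i-0a1b2c3d4e5f00002",
     "NetworkInterfaceId": "eni-0003"},
    # NAT Gateway EIP: associated with an ENI, no InstanceId
    {"PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0ddd", "Domain": "vpc",
     "AssociationId": "eipassoc-0004", "NetworkInterfaceId": "eni-0nat"},
]})
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f00001", "State": {"Name": "running"}},
    {"InstanceId": "i-0a1b2c3d4e5f00002", "State": {"Name": "stopped"}},
]}]})


def instance_states(describe_instances_json):
    """InstanceId -> state name, flattened out of the Reservations wrapper."""
    states = {}
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            states[inst["InstanceId"]] = inst["State"]["Name"]
    return states


def audit_elastic_ips(describe_addresses_json, describe_instances_json):
    """Classify every EIP and price it at the flat per-address rate."""
    states = instance_states(describe_instances_json)
    monthly = round(PUBLIC_IPV4_HOURLY * HOURS_PER_MONTH, 2)
    findings = []
    for addr in json.loads(describe_addresses_json)["Addresses"]:
        if "AssociationId" not in addr:
            status = "idle-unassociated"
        elif states.get(addr.get("InstanceId"), "running") == "stopped":
            status = "idle-stopped-instance"
        else:
            status = "in-use"   # includes ENI-only associations such as NAT Gateways
        findings.append({"public_ip": addr["PublicIp"], "allocation_id": addr["AllocationId"],
                         "status": status, "monthly_cost": monthly})
    return findings


def summarize(findings):
    """Totals plus the allocation IDs to release or to review."""
    idle = [f for f in findings if f["status"] != "in-use"]
    return {
        "count": len(findings),
        "monthly_cost": round(sum(f["monthly_cost"] for f in findings), 2),
        "idle_monthly_cost": round(sum(f["monthly_cost"] for f in idle), 2),
        "release_candidates": [f["allocation_id"] for f in idle if f["status"] == "idle-unassociated"],
        "review_stopped": [f["allocation_id"] for f in idle if f["status"] == "idle-stopped-instance"],
    }


if __name__ == "__main__":
    report = audit_elastic_ips(SAMPLE_DESCRIBE_ADDRESSES, SAMPLE_DESCRIBE_INSTANCES)
    for row in report:
        print(row)
    print(summarize(report))
```

Unassociated addresses are safe to release; the ones behind stopped instances need a conversation with the owner first, since releasing them changes the instance's public address when it restarts.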
Public IPv4 charges are one reason to look at VPC endpoints. They keep traffic private and off the public internet entirely.
VPC Endpoint and PrivateLink Pricing
VPC endpoints are how you connect to AWS services without routing through the internet (or your NAT Gateway). There are two types, and the pricing difference between them matters a lot.
Gateway Endpoints (Free)
Gateway endpoints for S3 and DynamoDB are completely free. No hourly charges. No data processing charges. Standard S3/DynamoDB request and storage charges still apply, but the endpoint itself costs nothing.
This is the single easiest cost optimization in any VPC. If you're routing S3 or DynamoDB traffic through a NAT Gateway, you're paying $0.045/GB in data processing for something that should cost $0.00/GB. At 1 TB/month, that's $45 in unnecessary charges.
One limitation to be aware of: gateway endpoints don't work from on-premises networks, peered VPCs in other Regions, or through Transit Gateway. For those scenarios, you need interface endpoints.
Interface Endpoints (PrivateLink)
Interface endpoints provide private connectivity to over 100 AWS services. They're not free, but they're cheaper than routing through NAT Gateway for high-traffic services.
| Charge Type | Rate |
|---|---|
| Endpoint hourly | $0.01 per endpoint per AZ per hour |
| Data processing | $0.01 per GB |
Each partial hour is billed as a full hour. An interface endpoint in two AZs running 24/7 costs about $14.60/month in hourly charges alone, plus $0.01/GB for data processed.
Here's the cost comparison that matters. For 100 GB/month to a single AWS service:
- Through NAT Gateway: $0.045/GB x 100 = $4.50 processing + $32.85 hourly = $37.35
- Through interface endpoint: $0.01/GB x 100 = $1.00 processing + $7.30 hourly = $8.30
- Savings: ~78%
That comparison assumes the endpoint lets you remove the NAT Gateway (or that this was the only traffic it carried). If the NAT Gateway stays for other traffic, its $32.85 hourly charge is sunk either way, and the endpoint's saving is only the $0.035/GB processing difference minus its own $7.30 per AZ per month.
Worth noting: some AWS services absorb the interface endpoint cost into their own pricing. Check the PrivateLink pricing page for the current list.
Cross-Region Interface Endpoints
When an interface endpoint in one Region connects to a VPC endpoint service in another Region, costs add up:
- Data processing: $0.01/GB (standard)
- Inter-Region data transfer: $0.02/GB out from source Region (both directions)
- Endpoint service owner pays an additional $0.05/hr per remote Region with attached endpoints
Cross-Region PrivateLink gets expensive fast. Design for same-Region connections where possible.
Resource Endpoints (December 2024)
Resource endpoints are newer, launched in December 2024. They enable private access to specific VPC resources (IP addresses, domain names, RDS databases) in other VPCs:
| Charge Type | Rate |
|---|---|
| Per resource per hour | $0.02 |
| Data processing (first 1 PB) | $0.01/GB |
| Data processing (next 4 PB) | $0.006/GB |
| Data processing (over 5 PB) | $0.004/GB |
Useful for accessing shared databases or services across VPC boundaries without full VPC peering.
Endpoints handle service-to-service traffic, but what about the data flowing between your own resources? That's where data transfer charges come in.
Data Transfer Costs
Data transfer pricing is the most confusing part of VPC costs. The charge depends on where the traffic starts, where it ends, and which path it takes. Here's the complete breakdown.
Within Your VPC
| Transfer Type | Cost |
|---|---|
| Same AZ, same VPC | Free |
| Same AZ, between EC2/RDS/ElastiCache instances and ENIs over private IPv4/IPv6 | Free (the same traffic over public or Elastic IPv4 addresses is charged $0.01/GB each direction, even within one AZ) |
| Cross-AZ, same Region | $0.01/GB each direction ($0.02/GB round-trip) |
That cross-AZ charge is easy to overlook. If your application server in AZ-1 talks to a database in AZ-2, every request-response cycle costs $0.02/GB. At scale, this adds up. I've covered strategies for reducing cross-AZ costs like AZ affinity in a separate context, but the key takeaway is: keep chatty services in the same AZ when possible.
VPC Peering
| Transfer Type | Cost |
|---|---|
| VPC peering connection itself | Free |
| Data transfer staying within same AZ | Free |
| Data transfer crossing AZs (same Region) | $0.01/GB each direction |
| Cross-Region peering | ~$0.02/GB out from source Region |
VPC peering is one of the most cost-effective ways to connect two VPCs. The connection is free, and same-AZ traffic is free. You only pay when traffic crosses AZ or Region boundaries.
As of April 2025, AWS simplified VPC peering billing with dedicated usage types (Region_Name-VpcPeering-In/Out-Bytes) in Cost Explorer and Cost and Usage Reports. Previously, peering costs were bundled under generic intra-regional data transfer, making them hard to isolate. If you've been struggling to attribute peering costs, check the updated billing view.
To and From the Internet
Inbound data from the internet is always free. Outbound is where it costs:
| Transfer Type | Cost |
|---|---|
| Data transfer in (from internet) | Free |
| Data transfer out (first 100 GB/month, aggregated) | Free (AWS Free Tier) |
| Data transfer out (next 10 TB/month) | $0.09/GB |
| Data transfer out (next 40 TB/month) | $0.085/GB |
| Data transfer out (next 100 TB/month) | $0.07/GB |
| Data transfer out (over 150 TB/month) | $0.05/GB |
Inter-Region data transfer runs about $0.02/GB from the source Region. There's no charge for data arriving at the destination Region.
For organizations connecting more than a handful of VPCs, Transit Gateway becomes the routing hub, with its own pricing model.
Transit Gateway Pricing
Transit Gateway is the hub-and-spoke model for connecting VPCs, VPNs, and Direct Connect gateways. It simplifies routing at the cost of per-attachment and per-GB charges.
Attachment and Data Processing Costs
| Charge Type | Rate |
|---|---|
| VPC attachment | $0.05/hr (billed to VPC owner) |
| VPN attachment | $0.05/hr (billed to TGW owner) |
| Direct Connect attachment | $0.05/hr (billed to DX gateway owner) |
| Peering attachment | $0.05/hr (billed to each TGW owner) |
| Data processing | $0.02/GB sent to TGW |
A single VPC attachment costs about $36.50/month before any data flows. The data processing charge of $0.02/GB applies to traffic sent to the Transit Gateway but not to traffic arriving via a peering attachment or Transit Gateway Connect (SD-WAN).
Who pays depends on the attachment type. VPC attachments are billed to the VPC account owner. VPN attachments go to the Transit Gateway owner. Direct Connect attachments are billed to the DX gateway owner. This matters in multi-account environments where different teams own different pieces.
Cross-Region Peering Example
Sending 1 GB from an EC2 instance in VPC on TGW#1 (N. Virginia) to TGW#2 (Oregon) over peering:
| Charge | Amount |
|---|---|
| TGW#1 data processing | $0.02 |
| Inter-Region data transfer out | $0.02 |
| TGW#2 data processing (peering inbound) | $0.00 (free) |
| Total | $0.04 |
Flexible Cost Allocation (November 2025)
AWS launched Flexible Cost Allocation (FCA) for Transit Gateway in November 2025. This gives you granular control over how data processing costs get attributed:
- Source attachment account (sender pays, the traditional model)
- Destination attachment account (receiver pays)
- Transit Gateway account (central infrastructure team absorbs everything)
You can set policies at the attachment level or even individual flow level. FCA doesn't cost anything extra and doesn't affect traffic flow. It just changes who sees the charge on their bill. For organizations running a shared networking account, this is a significant improvement for cost attribution.
When to Use Transit Gateway vs VPC Peering
This is a question I get a lot, and the answer comes down to scale. For 2 VPCs exchanging 500 GB/month (same Region, cross-AZ):
| Method | Monthly Cost |
|---|---|
| VPC Peering | ~$10.00 (data transfer only) |
| PrivateLink | ~$21.60 ($14.60 hourly + $5.00 data + $2.00 cross-AZ) |
| Transit Gateway | ~$83.00 ($73.00 attachment + $10.00 data processing) |
VPC Peering wins by a landslide for simple point-to-point connectivity. Transit Gateway becomes cost-effective when you're connecting 10+ VPCs, because managing a full mesh of peering connections becomes operationally painful. The $73/month premium is the price of simplified routing and centralized management.
There's a brand new VPC cost that started today. If you're using VPC Encryption Controls, here's what to expect on your next bill.
VPC Encryption Controls Pricing (New for 2026)
VPC Encryption Controls are a November 2025 launch that audit and enforce encryption in transit for all traffic within and across VPCs in a Region. They ran on a free period through February 28, 2026.
How Pricing Works
Starting March 1, 2026 (today), AWS charges a fixed hourly rate per VPC with Encryption Controls enabled (either monitor or enforce mode) that has at least one network interface. The charge also applies when you enable Encryption Controls on a Transit Gateway, with the same hourly rate per VPC attached to that TGW.
As of this writing, the exact per-VPC hourly rate hasn't been published on the pricing page yet. I'll update this section when AWS publishes the final rate. If you enabled Encryption Controls during the free preview period, keep an eye on your bill for the first charges appearing in March.
Cost Projection for Multi-VPC Environments
Even without the exact rate, you can plan for the cost structure. If you have 10 VPCs with Encryption Controls enabled in a single Region, you'll pay:
10 VPCs x hourly rate x 730 hours = monthly cost
For enterprises running 50+ VPCs across multiple Regions, this could become a meaningful line item. I'd recommend enabling Encryption Controls selectively: production VPCs handling sensitive data first, with dev and test environments added only if compliance requires it.
Beyond the major components above, several smaller VPC services carry their own charges. Here's a quick rundown.
VPN, Lattice, and Other VPC Components
These components are less common in everyday VPC architectures, but each has its own billing model worth knowing about.
Site-to-Site VPN and Client VPN
Site-to-Site VPN connects your on-premises network to AWS:
| Type | Rate |
|---|---|
| Standard (1.25 Gbps) per connection-hour | $0.05/hr |
| 5 Gbps per connection-hour | $0.60/hr |
| VPN Concentrator per hour | $1.95/hr |
A standard Site-to-Site VPN connection running 24/7 costs about $36/month. If it's attached to Transit Gateway, add the TGW attachment charge ($0.05/hr) on top.
Client VPN for remote user access charges $0.10/hr per subnet association plus $0.05/hr per active client connection. Ten users connected for 8 hours through one subnet cost about $4.80 for that session ($4.00 in connection-hours plus $0.80 for the association). Note that the association charge runs for as long as the endpoint stays associated with the subnet, not just while users are connected: an endpoint left associated all month costs $73 before anyone logs in.
VPC Lattice
VPC Lattice is the application-layer networking service for service-to-service communication:
| Charge Type | Rate |
|---|---|
| Per service per hour | $0.025/hr |
| Data processing | $0.025/GB |
| HTTP/HTTPS requests | $0.10 per 1M requests |
The first 300,000 HTTP requests per hour are free. One service running 24/7 costs about $18.25/month in hourly charges alone, before data or requests. At 100 services, you're looking at $1,825/month just for the hourly component, so plan accordingly.
Traffic Mirroring, IPAM, and Network Analysis Tools
Traffic Mirroring charges an hourly rate per elastic network interface (ENI) with mirroring enabled. Here's the catch: charges continue even if the source instance is stopped or terminated. You must explicitly delete the mirroring session to stop charges. I've seen teams get bitten by this when decommissioning instances but forgetting about attached mirror sessions.
VPC IPAM has two tiers:
- Free Tier: Includes Public IP Insights for organization-wide visibility. No cost.
- Advanced Tier: $0.00027 per active IP per hour. Adds features like IPAM policies for RDS and ALB (added January 2026).
Network analysis tools:
- Reachability Analyzer: $0.10 per analysis
- Network Access Analyzer: $0.002 per ENI analyzed per assessment
VPC Flow Logs
Flow Logs are classified as "vended logs" and billed through your delivery destination:
| Delivery Target | Starting Rate |
|---|---|
| CloudWatch Logs | $0.50/GB (first 10 TB), tiers down to $0.05/GB |
| Amazon S3 | ~$0.25/GB (cheaper starting rate, plus S3 storage) |
| Amazon Data Firehose | Vended log charges + Firehose ingestion |
For audit and compliance workloads, S3 delivery is cheaper. For operational analysis where you need CloudWatch Logs Insights and metric filters, CloudWatch Logs is more practical despite the higher cost. Using Apache Parquet format for S3 delivery reduces storage costs and improves query performance with Athena.
Now that you know what each component costs individually, let's put it all together. What does a real VPC actually cost per month?
What Does a VPC Actually Cost? (Real-World Scenarios)
Nobody searches "VPC pricing" to learn about individual rate cards. They want to know: what will my VPC cost? Here are three architecture-based estimates to give you a realistic range. For a custom estimate based on your actual setup, use the VPC pricing calculator.
Startup: Simple Web App VPC
Architecture: 1 VPC, 2 AZs, 1 NAT Gateway (cost savings), 3 public IPs, S3 gateway endpoint, 50 GB egress/month.
| Component | Monthly Cost |
|---|---|
| NAT Gateway (1x, hourly) | $32.85 |
| NAT Gateway data processing (50 GB) | $2.25 |
| Public IPv4 addresses (3x) | $10.95 |
| S3 gateway endpoint | $0.00 |
| Data transfer out (50 GB, within free tier) | $0.00 |
| Total | ~$46 |
Not bad. The NAT Gateway is two-thirds of the bill. If you don't need internet access from private subnets, you can eliminate it entirely with VPC endpoints.
Production: Multi-AZ with Endpoints
Architecture: 1 VPC, 2 AZs, 2 NAT Gateways (one per AZ), 10 public IPs, S3 + DynamoDB gateway endpoints, 3 interface endpoints (ECR, CloudWatch Logs, STS), 500 GB egress/month.
| Component | Monthly Cost |
|---|---|
| NAT Gateways (2x, hourly) | $65.70 |
| NAT Gateway data processing (300 GB after endpoints) | $13.50 |
| Public IPv4 addresses (10x) | $36.50 |
| Interface endpoints (3x in 2 AZs) | $43.80 |
| Gateway endpoints (S3, DynamoDB) | $0.00 |
| Interface endpoint data processing (200 GB) | $2.00 |
| Data transfer out (500 GB) | $36.00 |
| Total | ~$198 |
The interface endpoints cost $43.80/month in hourly charges and offload ECR image pulls, CloudWatch log shipping, and STS calls from the NAT Gateways. Without them, that 200 GB would also flow through the NAT Gateways at $0.045/GB instead of $0.01/GB. Be honest about the arithmetic, though: at this volume the endpoints cost $45.80 against $9.00 of NAT processing they avoid, so here they are a security and reliability choice (service traffic never leaves the AWS network) rather than a saving. With the NAT Gateways kept, each endpoint spanning two AZs pays for itself at roughly 420 GB/month.
Enterprise: Multi-Account with Transit Gateway
Architecture: 5 VPCs, Transit Gateway with 5 attachments, 20 public IPs, 10 interface endpoints across VPCs, 2 TB cross-VPC traffic, 500 GB internet egress.
| Component | Monthly Cost |
|---|---|
| Transit Gateway attachments (5x) | $182.50 |
| TGW data processing (2 TB) | $40.96 |
| NAT Gateways (7x: one each in three non-prod VPCs, two each in two prod VPCs) | ~$230.00 |
| Public IPv4 addresses (20x) | $73.00 |
| Interface endpoints (10x in 2 AZs) | $146.00 |
| Data transfer out (500 GB) | $36.00 |
| Total | ~$708 |
At this scale, the Transit Gateway attachments and NAT Gateways together account for nearly 60% of the networking bill. This is where centralized egress architecture and the new Flexible Cost Allocation start paying for themselves.
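To check the three scenarios above against the rate tables earlier in the article (NAT Gateway, public IPv4, interface endpoints, Transit Gateway, and the tiered internet egress schedule), here is a small cost model as an added example; it is not part of the original post and not an AWS tool. It uses the article's us-east-1 rates and 730 hours/month. The scenario inputs are assumptions read off the tables: 2 TB is counted as 2048 GB, and the enterprise NAT line is modelled as 7 gateways (one each in three non-prod VPCs, two each in two prod VPCs), which is what the ~$230 works out to.

```python
"""Monthly VPC cost model: an added example, not code from the original post.

Rates are the us-east-1 figures quoted in the article (March 2026);
HOURS_PER_MONTH = 730 matches the article's arithmetic.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730
NAT_HOURLY = 0.045                 # per NAT Gateway-hour
NAT_PER_GB = 0.045                 # NAT data processing
PUBLIC_IPV4_HOURLY = 0.005         # per public IPv4 address-hour
IFACE_HOURLY_PER_AZ = 0.01         # interface endpoint, per AZ-hour
IFACE_PER_GB = 0.01                # interface endpoint data processing
TGW_ATTACHMENT_HOURLY = 0.05       # per attachment-hour
TGW_PER_GB = 0.02                  # data sent to the Transit Gateway

# Internet egress tiers: (GB in tier, $/GB); None means "everything above".
DTO_TIERS = [(100, 0.0), (10_000, 0.09), (40_000, 0.085), (100_000, 0.07), (None, 0.05)]


def data_transfer_out_cost(gb: float) -> float:
    """Walk the tiered egress schedule for one month's volume in GB."""
    remaining, cost = gb, 0.0
    for size, rate in DTO_TIERS:
        if remaining <= 0:
            break
        chunk = remaining if size is None else min(remaining, size)
        cost += chunk * rate
        remaining -= chunk
    return round(cost, 2)


@dataclass
class VpcArchitecture:
    nat_gateways: int = 0
    nat_processed_gb: float = 0.0
    public_ipv4: int = 0            # count NAT Gateway EIPs here too
    interface_endpoints: int = 0
    endpoint_azs: int = 2
    endpoint_processed_gb: float = 0.0
    tgw_attachments: int = 0
    tgw_processed_gb: float = 0.0
    internet_egress_gb: float = 0.0


def monthly_cost(arch: VpcArchitecture) -> dict:
    """Itemised monthly estimate in USD; every line rounded to cents."""
    lines = {
        "nat_hourly": arch.nat_gateways * NAT_HOURLY * HOURS_PER_MONTH,
        "nat_processing": arch.nat_processed_gb * NAT_PER_GB,
        "public_ipv4": arch.public_ipv4 * PUBLIC_IPV4_HOURLY * HOURS_PER_MONTH,
        "endpoint_hourly": (arch.interface_endpoints * arch.endpoint_azs
                            * IFACE_HOURLY_PER_AZ * HOURS_PER_MONTH),
        "endpoint_processing": arch.endpoint_processed_gb * IFACE_PER_GB,
        "tgw_attachments": arch.tgw_attachments * TGW_ATTACHMENT_HOURLY * HOURS_PER_MONTH,
        "tgw_processing": arch.tgw_processed_gb * TGW_PER_GB,
        "data_transfer_out": data_transfer_out_cost(arch.internet_egress_gb),
    }
    lines = {name: round(value, 2) for name, value in lines.items()}
    lines["total"] = round(sum(lines.values()), 2)
    return lines


# The article's three scenarios (assumed inputs; 2 TB counted as 2048 GB,
# enterprise NAT line modelled as 7 gateways, which is what ~$230 works out to).
SCENARIOS = {
    "startup": VpcArchitecture(nat_gateways=1, nat_processed_gb=50, public_ipv4=3,
                               internet_egress_gb=50),
    "production": VpcArchitecture(nat_gateways=2, nat_processed_gb=300, public_ipv4=10,
                                  interface_endpoints=3, endpoint_processed_gb=200,
                                  internet_egress_gb=500),
    "enterprise": VpcArchitecture(nat_gateways=7, public_ipv4=20, interface_endpoints=10,
                                  tgw_attachments=5, tgw_processed_gb=2048,
                                  internet_egress_gb=500),
}

if __name__ == "__main__":
    for name, arch in SCENARIOS.items():
        estimate = monthly_cost(arch)
        print(f"{name:11s} total ${estimate['total']:.2f}  {estimate}")
```

The model deliberately leaves out cross-AZ transfer, Flow Logs and the other smaller components covered above, because those depend on traffic patterns the scenarios don't specify; add a line for each if your architecture needs it.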
Those numbers add up. Here's how to bring them down.
How to Reduce Your VPC Costs
I've worked through enough VPC cost optimization exercises to know where the biggest savings consistently come from. Here are the strategies that actually move the needle, ranked by impact.
Use Gateway Endpoints for S3 and DynamoDB (Free)
This is the lowest-hanging fruit in all of AWS networking. Gateway endpoints for S3 and DynamoDB are free. If your private subnets route S3 or DynamoDB traffic through a NAT Gateway, you're paying $0.045/GB for something that should cost $0.00.
At 1 TB/month to S3, that's $45/month in unnecessary data processing charges.
Every VPC should have gateway endpoints for S3 and DynamoDB. No exceptions. Here's what it looks like in CDK:
```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';

// vpc is an existing ec2.Vpc in your stack.
// Free: Gateway endpoint for S3 (avoids NAT Gateway data processing).
// By default CDK adds the route to every subnet's route table; pass
// `subnets` if only the private subnets should use it.
vpc.addGatewayEndpoint('S3Endpoint', {
  service: ec2.GatewayVpcEndpointAwsService.S3,
});

// Free: Gateway endpoint for DynamoDB
vpc.addGatewayEndpoint('DynamoDbEndpoint', {
  service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
});
```
And in Terraform:
```hcl
# Free: Gateway endpoints for S3 and DynamoDB (vpc_endpoint_type defaults to "Gateway")
resource "aws_vpc_endpoint" "s3" {
  vpc_id          = module.vpc.vpc_id
  service_name    = "com.amazonaws.us-east-1.s3"   # Region-specific
  route_table_ids = module.vpc.private_route_table_ids
}
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id          = module.vpc.vpc_id
  service_name    = "com.amazonaws.us-east-1.dynamodb"
  route_table_ids = module.vpc.private_route_table_ids
}
```
For more patterns like this, check out AWS CDK best practices.
Replace NAT Gateway Traffic with Interface Endpoints
If your NAT Gateway traffic analysis shows heavy usage of specific AWS services (ECR, CloudWatch, STS, Secrets Manager, SSM), interface endpoints can reduce those costs significantly.
The math for 100 GB/month to a single AWS service:
- NAT Gateway route: $37.35/month ($32.85 hourly + $4.50 processing)
- Interface endpoint: $8.30/month ($7.30 hourly + $1.00 processing)
- Savings: ~78%
The AWS Knowledge Center guide on reducing NAT Gateway costs walks through how to analyze your NAT Gateway traffic to identify which services are driving the most data processing charges.
The crossover point depends on whether the NAT Gateway stays. If an interface endpoint lets you remove the NAT Gateway entirely, it pays for itself at a few GB/month. If the NAT Gateway remains for other traffic, the endpoint's hourly charge ($7.30 per AZ per month) has to be recovered from the $0.035/GB processing difference, so the break-even is roughly 210 GB/month per AZ the endpoint spans (about 420 GB/month for a two-AZ endpoint). Below that, keep the service on the NAT Gateway unless you want the traffic off the public internet for its own sake.
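The analysis the Knowledge Center guide describes can be run offline against VPC Flow Logs. The script below is an added example (not code from the original post or from AWS): it keeps the flows that actually traverse the NAT Gateway (private subnet to outside the VPC, and the return direction, since the gateway bills both), classifies the remote address against prefixes in the shape of `ip-ranges.json`, and prices each service on the NAT Gateway against a free gateway endpoint (S3, DynamoDB) or a two-AZ interface endpoint, covering both the gateway-endpoint and interface-endpoint strategies above. The VPC CIDR, private subnet ranges, prefix subset and flow-log records are constructed samples; in practice load https://ip-ranges.amazonaws.com/ip-ranges.json and a month of your own flow logs.

```python
"""Rank AWS services by NAT Gateway bytes and price the endpoint alternative.

Added example, not from the original post or from AWS. Reads VPC Flow Log
records in the default format (version 2 fields). Sample data is constructed.
"""
import ipaddress
import json
from collections import defaultdict

HOURS_PER_MONTH = 730
NAT_PER_GB = 0.045
IFACE_PER_GB = 0.01
IFACE_HOURLY_PER_AZ = 0.01
GIB = 1024 ** 3
GATEWAY_ENDPOINT_SERVICES = {"S3", "DYNAMODB"}   # free gateway endpoints
VPC_CIDR = "10.0.0.0/16"                           # assumed VPC layout
PRIVATE_SUBNETS = ("10.0.1.0/24", "10.0.2.0/24")   # subnets behind the NAT Gateway

# Constructed subset in the shape of ip-ranges.json (prefixes are illustrative).
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "3.218.180.0/22", "region": "us-east-1", "service": "DYNAMODB"},
    {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "52.46.0.0/18", "region": "us-east-1", "service": "AMAZON"},
]})
# Constructed records: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 52.216.10.5 44321 443 6 1200 805306368 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 52.216.10.5 44322 443 6 400 268435456 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 52.216.10.5 10.0.1.23 443 44321 6 3000 1073741824 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.7 3.218.181.9 50000 443 6 300 104857600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.7 3.5.12.4 50001 443 6 50 10485760 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 50002 443 6 20 2097152 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.2.7 50003 5432 6 90 4194304 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e5f6a7b 10.0.101.5 93.184.216.34 50004 443 6 20 2097152 1700000000 1700000060 ACCEPT OK",
]


def load_prefixes(ip_ranges_json):
    """Map each network to the set of services ip-ranges.json lists for it."""
    by_prefix = defaultdict(set)
    for entry in json.loads(ip_ranges_json)["prefixes"]:
        by_prefix[ipaddress.ip_network(entry["ip_prefix"])].add(entry["service"])
    return dict(by_prefix)


def classify(ip, prefixes):
    """Most specific service label for an address; INTERNET if unmatched."""
    addr = ipaddress.ip_address(ip)
    services = set().union(*(s for net, s in prefixes.items() if addr in net))
    if not services:
        return "INTERNET"
    specific = services - {"AMAZON"}       # AMAZON is the catch-all superset
    return sorted(specific)[0] if specific else "AMAZON"


def nat_bytes_by_service(lines, vpc_cidr, private_subnets, prefixes):
    """Sum bytes of accepted flows between private subnets and outside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    private = [ipaddress.ip_network(c) for c in private_subnets]
    in_private = lambda a: any(a in net for net in private)
    totals = defaultdict(int)
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        src, dst, nbytes = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]), int(f[9])
        if in_private(src) and dst not in vpc:
            remote = dst                   # request direction
        elif in_private(dst) and src not in vpc:
            remote = src                   # response direction, also billed by the NAT
        else:
            continue                       # intra-VPC or public-subnet flow: not via NAT
        totals[classify(str(remote), prefixes)] += nbytes
    return dict(totals)


def interface_endpoint_breakeven_gb(azs):
    """GB/month at which the endpoint's hourly charge is recovered by the
    $0.035/GB processing difference, assuming the NAT Gateway stays."""
    return IFACE_HOURLY_PER_AZ * azs * HOURS_PER_MONTH / (NAT_PER_GB - IFACE_PER_GB)


def recommend(monthly_bytes_by_service, azs=2):
    """Compare a month on the NAT Gateway with the cheapest endpoint option."""
    out = {}
    for service, nbytes in monthly_bytes_by_service.items():
        gb = nbytes / GIB
        nat_cost = gb * NAT_PER_GB
        if service in GATEWAY_ENDPOINT_SERVICES:
            endpoint_cost = 0.0                      # gateway endpoint is free
        elif service == "INTERNET":
            endpoint_cost = None                     # no endpoint can replace this
        else:
            endpoint_cost = IFACE_HOURLY_PER_AZ * azs * HOURS_PER_MONTH + gb * IFACE_PER_GB
        out[service] = {"gb": round(gb, 3), "nat_cost": round(nat_cost, 2),
                        "endpoint_cost": None if endpoint_cost is None else round(endpoint_cost, 2),
                        "move_to_endpoint": endpoint_cost is not None and endpoint_cost < nat_cost}
    return out


if __name__ == "__main__":
    totals = nat_bytes_by_service(SAMPLE_FLOW_LOGS, VPC_CIDR, PRIVATE_SUBNETS, load_prefixes(SAMPLE_IP_RANGES))
    print(recommend(totals), f"breakeven@2AZ={interface_endpoint_breakeven_gb(2):.0f} GB")
```

On the sample, S3 dominates and moves to a free gateway endpoint at any volume, while the EC2 API traffic stays on the NAT Gateway because 10 MiB/month is nowhere near the 417 GB two-AZ break-even. Public-subnet flows are excluded on purpose: they leave through the Internet Gateway and never touch the NAT Gateway.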
Adopt IPv6 to Eliminate Public IPv4 Charges
Each public IPv4 address costs $3.65/month. If you have 50 public IPs, that's $182.50/month just for the addresses. Moving to IPv6, with Egress-Only Internet Gateways (free) for outbound access and dual-stack load balancers (ALB offers a dualstack-without-public-ipv4 address type), removes the per-address charge for everything reachable over IPv6. The caveat: any dependency that is still IPv4-only (third-party APIs, some AWS endpoints) has to be reached through NAT64/DNS64, which runs through a NAT Gateway and is billed at the usual NAT rates, so inventory your IPv4-only destinations before you commit.
This is a bigger lift than adding gateway endpoints, but for workloads with many public-facing resources, the savings justify the migration effort.
Right-Size NAT Gateways for Non-Production
Production should maintain one NAT Gateway per AZ for resilience. But dev and staging environments? Each removed gateway saves $32.85/month in hourly charges. If you have separate dev, staging, QA, and sandbox environments each with two NAT Gateways, consolidating to one gateway each saves about $131/month. The trade-offs: instances in the AZ without a gateway pay $0.01/GB cross-AZ to reach it, and an outage in the gateway's AZ takes out internet egress for the whole environment, which is acceptable for non-production and not for prod.
In CDK, it's a one-line change:
```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';

// Dev/Staging: single NAT Gateway to reduce costs (inside a Stack constructor).
// Trade-off: instances in the second AZ pay $0.01/GB cross-AZ to reach it,
// and losing that AZ takes out egress for the whole VPC.
const devVpc = new ec2.Vpc(this, 'DevVpc', {
  maxAzs: 2,
  natGateways: 1, // saves ~$32.85/month per removed gateway
});
```
In Terraform:
```hcl
module "vpc_dev" {
  source          = "terraform-aws-modules/vpc/aws"
  version         = "~> 5.0"
  name            = "dev"                                  # example values
  cidr            = "10.10.0.0/16"
  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24"]
  public_subnets  = ["10.10.101.0/24", "10.10.102.0/24"]
  enable_nat_gateway = true
  single_nat_gateway = true # cost optimization for non-production
}
```
Choose VPC Peering Over Transit Gateway for Simple Topologies
If you're connecting 2-5 VPCs with straightforward routing, VPC Peering is dramatically cheaper. No attachment charges, no data processing charges. Same-AZ traffic is free. You only pay for cross-AZ data transfer at $0.01/GB.
Transit Gateway makes sense at 10+ VPCs where managing a full mesh of peering connections becomes operationally unsustainable. Below that threshold, the $36.50/month per attachment plus $0.02/GB data processing is hard to justify.
Monitor with IPAM Public IP Insights (Free)
VPC IPAM's Public IP Insights gives you organization-wide visibility into public IPv4 usage at no cost. Use it to list all active resources in a VPC, find idle Elastic IPs, identify unnecessary public IPs on internal resources, and spot consolidation opportunities.
Two more strategies worth mentioning:
- CloudFront for outbound data: CloudFront pricing for data transfer out is lower than direct EC2/VPC egress rates, plus you get caching benefits. CloudFront VPC Origins (launched November 2024) let you serve content from private subnets at no additional CloudFront-specific charge.
- Centralized egress architecture: For multi-VPC environments, a centralized egress VPC with Transit Gateway can consolidate NAT Gateway usage and reduce the total number of gateways, trading per-gateway costs for Transit Gateway data processing costs.
Taking a shift-left approach to cloud costs means catching VPC cost decisions during code review, before they turn into monthly charges. If you're provisioning VPCs through CDK or Terraform, the code examples above give you cost-optimized defaults to start from.
Let's wrap up with the key takeaways.
Amazon VPC Pricing: Key Takeaways
Amazon VPC pricing comes down to a handful of cost drivers that vary based on your architecture:
- The VPC itself is free. Costs come from NAT Gateways (typically the biggest driver), public IPv4 addresses, interface endpoints, data transfer, and newer components like Encryption Controls.
- Gateway endpoints for S3 and DynamoDB are free and should be deployed in every VPC. This alone can save $45/month per TB of S3 traffic.
- Interface endpoints can reduce costs by 78%+ compared to routing AWS service traffic through NAT Gateways. Evaluate this for ECR, CloudWatch, STS, and other high-traffic services.
- Data transfer pricing depends on AZ placement. Same-AZ is free, cross-AZ adds $0.01/GB each way. Keep chatty services in the same AZ.
- VPC Encryption Controls started charging March 1, 2026. Check your bill if you enabled them during the free preview period.
Use the VPC pricing calculator to estimate costs for your specific architecture. And if you want to go deeper on the biggest cost component, check out the NAT Gateway pricing guide with its dedicated calculator.
What VPC cost surprises have you run into? Anything I missed or that you'd like to see covered in more detail? Let me know in the comments.
Stop Deploying Blind: Get Cost Visibility in Every PR
CloudBurn analyzes your infrastructure changes and posts cost estimates directly in pull requests. Works with AWS CDK and Terraform. Free during beta.