---
title: Amazon VPC Pricing: The VPC Is Free — Everything Around It Bills
description: The VPC itself, subnets, security groups, and route tables are free. The bill comes from what you attach: public IPv4 at $3.60/month per address (since Feb 2024), Interface VPC Endpoints at $0.01/hour per AZ, Transit Gateway at $0.05/hour per attachment, VPN at $0.05/hour, and inter-AZ data transfer at $0.01/GB each way. A modest production VPC easily lands at $500–$2,000/month.
url: https://www.factualminds.com/blog/amazon-vpc-pricing-endpoints-peering-transit-gateway/
datePublished: 2026-06-13T00:00:00.000Z
dateModified: 2026-06-13T00:00:00.000Z
author: palaniappan-p
category: Cost Optimization & FinOps
tags: aws-vpc, vpc-pricing, aws-pricing, cost-optimization, finops, networking
---

# Amazon VPC Pricing: The VPC Is Free — Everything Around It Bills

> The VPC itself, subnets, security groups, and route tables are free. The bill comes from what you attach: public IPv4 at $3.60/month per address (since Feb 2024), Interface VPC Endpoints at $0.01/hour per AZ, Transit Gateway at $0.05/hour per attachment, VPN at $0.05/hour, and inter-AZ data transfer at $0.01/GB each way. A modest production VPC easily lands at $500–$2,000/month.

import PricingHeroStats from '~/components/blog/PricingHeroStats.astro';
import PricingDimensionTable from '~/components/blog/PricingDimensionTable.astro';
import BillSurpriseCallout from '~/components/blog/BillSurpriseCallout.astro';
import PricingDecisionCard from '~/components/blog/PricingDecisionCard.astro';

Amazon VPC has the longest list of free-to-create resources of any AWS service — the VPC itself, subnets, route tables, security groups, NACLs, internet gateways, virtual private gateways, all free. The bill comes from what you attach to those resources: public IPv4 addresses (every one of them billable since February 2024), Interface VPC Endpoints per AZ, NAT Gateways, Transit Gateways, VPN connections, Direct Connect, VPC Lattice service networks, and the easily-overlooked $0.01/GB each way for inter-AZ data transfer on every byte that crosses AZ boundaries.

<PricingHeroStats
  stats={[
    { value: 'Free', label: 'VPC, subnets, SGs', note: 'Routing primitives are zero cost' },
    { value: '$3.60', label: 'IPv4 / address / month', note: 'New since Feb 2024 — every address bills' },
    { value: '$0.01/GB', label: 'Inter-AZ each way', note: 'Both sender and receiver pay' },
    { value: 'Free', label: 'S3 + DynamoDB Gateway Endpoints', note: 'Should be in every VPC' },
  ]}
  caption="us-east-1 list prices, June 2026. Verify against the AWS VPC pricing page for your region."
/>

This post is the bill story. For the operational angle — VPC design, subnet layout, security group hygiene, multi-account network architecture — see our [VPC networking best practices guide](/blog/aws-vpc-networking-best-practices-for-production/). NAT Gateway pricing (one of the most consequential VPC-related lines) has its own dedicated post at [NAT Gateway billing](/blog/aws-nat-gateway-billing-idle-cost-alternatives/).

## The 10 VPC-Adjacent Billing Dimensions

<PricingDimensionTable
  title="VPC pricing breakdown — us-east-1, June 2026"
  intro="The VPC primitives are free. The bill comes from attached resources and data movement."
  region="us-east-1"
  dimensions={[
    {
      name: 'VPC, subnets, route tables, security groups, NACLs',
      unitPrice: 'Free',
      example: 'Standard 3-AZ production VPC',
      monthly: '$0.00',
      note: 'Free to create and operate',
    },
    {
      name: 'Public IPv4 address (attached or unattached)',
      unitPrice: '$0.005 / hour = $3.60 / month',
      example: '20 public IPs across fleet',
      monthly: '$72',
      note: 'New as of Feb 2024 — audit and consolidate',
      highlight: true,
    },
    {
      name: 'Elastic IP (unattached)',
      unitPrice: '$0.005 / hour',
      example: '5 orphaned EIPs',
      monthly: '$18',
      note: 'Release unattached EIPs immediately',
    },
    {
      name: 'NAT Gateway',
      unitPrice: '$0.045/hour + $0.045/GB processed',
      example: '3-AZ HA setup',
      monthly: '$98.55 base + data',
      note: 'See dedicated post for alternatives',
    },
    {
      name: 'Gateway VPC Endpoints (S3, DynamoDB)',
      unitPrice: 'Free',
      example: 'Endpoint per VPC for S3 + DynamoDB',
      monthly: '$0.00',
      note: 'Every VPC should have these',
      highlight: true,
    },
    {
      name: 'Interface VPC Endpoint (PrivateLink)',
      unitPrice: '$0.01/hour/AZ + $0.01/GB',
      example: '10 service endpoints × 3 AZs',
      monthly: '$216 + data',
      note: 'Per service per AZ; HA multiplies by 3',
      highlight: true,
    },
    {
      name: 'VPC Peering connection',
      unitPrice: 'Free (data transfer billed standard rates)',
      example: '5 peering connections',
      monthly: '$0 + data transfer',
      note: 'Inter-VPC same-region: $0.01/GB each way',
    },
    {
      name: 'Transit Gateway VPC attachment',
      unitPrice: '$0.05/hour + $0.02/GB processed',
      example: '10 VPCs attached',
      monthly: '$360 + data',
      note: 'Multi-VPC hub-and-spoke',
    },
    {
      name: 'Site-to-Site VPN connection',
      unitPrice: '$0.05/hour',
      example: '2 VPNs for HA',
      monthly: '$72',
      note: 'Plus data transfer out at standard rates',
    },
    {
      name: 'Direct Connect dedicated (1 Gbps)',
      unitPrice: '~$0.30/hour port + data',
      example: '1 Gbps dedicated',
      monthly: '$216 + data',
      note: 'Hosted DC at lower port rates',
    },
    {
      name: 'VPC Lattice service network',
      unitPrice: '$0.025/hour per network + $0.025/hour per service + $0.025/GB',
      example: '50 services on Lattice',
      monthly: '~$900 + data',
      note: 'Modern service mesh primitive',
    },
    {
      name: 'Inter-AZ data transfer',
      unitPrice: '$0.01/GB each way',
      example: '1 TB cross-AZ / month',
      monthly: '$20 total',
      note: 'Both sender and receiver charged',
      highlight: true,
    },
    {
      name: 'VPC Flow Logs to CloudWatch',
      unitPrice: 'CloudWatch ingestion rate ($0.50/GB)',
      example: '50 GB flow logs / month',
      monthly: '$25',
      note: 'Cheaper to ship to S3 for retention',
    },
    {
      name: 'Reachability Analyzer',
      unitPrice: '$0.10 per analysis',
      example: '20 troubleshooting analyses',
      monthly: '$2',
      note: 'Useful debugging tool; cheap per use',
    },
  ]}
  footnote="The NAT Gateway dimension is covered in depth in its own pricing post; the IPv4 dimension is the most recent material change to the VPC bill."
/>

## The IPv4 Address Charge: The Bill Change That Surprised Everyone

In February 2024, AWS introduced a charge for every public IPv4 address in use. Before the change, public IPv4 was free as long as it was attached to a running resource. After: every public IP, attached or not, bills $0.005/hour ($3.60/month per address).

The fleet-wide impact on accounts that have not audited:

- Every public-facing EC2 instance with an Elastic IP: $3.60/month each.
- Every NAT Gateway: $3.60/month for its public IP, on top of the NAT Gateway charges themselves.
- Every public-facing Application Load Balancer: an IP per AZ × $3.60/month.
- Every old Elastic IP attached to terminated instances: $3.60/month, forever, until released.

A medium-sized organization with ~100 public-facing endpoints saw the line item go from zero to $360/month overnight in February 2024 with no warning beyond the AWS announcement.

<BillSurpriseCallout variant="surprise" title="Unattached Elastic IPs accumulated over years" amount="$3.60/month each, forever">
  Find orphaned EIPs with `aws ec2 describe-addresses --query 'Addresses[?!AssociationId]'` (single quotes keep an interactive shell from treating the `!` as history expansion). Every EIP without an association bills indefinitely. Release them via `aws ec2 release-address --allocation-id <id>`. Audit quarterly to catch new orphans as instances are terminated without their EIPs being released.
</BillSurpriseCallout>

## Gateway Endpoints Are Free — Use Them

VPC Gateway Endpoints for S3 and DynamoDB are completely free — no hourly charge, no per-GB processing. They route traffic between resources in your VPC and the service without going through a NAT Gateway or the public internet.

The economic impact: a workload that accesses 1 TB/month of S3 via a NAT Gateway pays ~$45 in NAT data processing fees. The same workload with an S3 Gateway Endpoint pays $0. Every VPC with workloads that access S3 or DynamoDB should have Gateway Endpoints for both. The configuration is one-time, free, and non-controversial.

<BillSurpriseCallout variant="optimization" title="Add S3 + DynamoDB Gateway Endpoints to every VPC" amount="$45+/month per 1 TB of S3 traffic">
  `aws ec2 create-vpc-endpoint --vpc-id <vpc> --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.s3 --route-table-ids <rt-ids>`. The endpoint becomes immediately effective for all subnets associated with the listed route tables. Repeat for DynamoDB. The change is non-destructive — traffic that was going via NAT will route via the Gateway Endpoint automatically, and the NAT processing fees drop accordingly.
</BillSurpriseCallout>

## Interface Endpoints: The Hidden Per-AZ Multiplier

Interface VPC Endpoints (PrivateLink) cost $0.01/hour per endpoint per AZ plus $0.01/GB of data processed. A workload using 10 AWS services privately (Secrets Manager, SQS, SNS, ECR API, ECR Docker, KMS, CloudWatch Logs, etc.) across a 3-AZ deployment costs $216/month just for the endpoint hours before data.

The decision is per-service: when does the Interface Endpoint pay off vs routing the same traffic via NAT Gateway?

<PricingDimensionTable
  title="Interface Endpoint vs NAT Gateway — break-even per service per AZ"
  intro="Interface Endpoints win when the per-GB savings on NAT processing exceeds the per-hour endpoint cost."
  region="us-east-1"
  dimensions={[
    {
      name: 'Endpoint cost',
      unitPrice: '$0.01/hr/AZ',
      example: '3 AZs × 1 month',
      monthly: '$21.60 / service',
      note: 'Plus $0.01/GB data processing',
    },
    {
      name: 'NAT Gateway processing avoided',
      unitPrice: '$0.045/GB',
      example: 'Per GB routed via endpoint instead',
      monthly: 'Saves $0.045 per GB',
      note: 'Direct cost saving',
    },
    {
      name: 'Break-even traffic per service',
      unitPrice: 'Calculation',
      example: '$21.60 / ($0.045 - $0.01)',
      monthly: '~620 GB / month / service',
      note: 'Below this, NAT is cheaper for that service',
      highlight: true,
    },
    {
      name: 'High-volume service (5 TB/mo, e.g. CloudWatch Logs)',
      unitPrice: 'Interface Endpoint wins',
      example: '5000 GB × $0.035 saved',
      monthly: 'Saves $175/mo per service',
      note: 'Plus latency improvement',
    },
  ]}
  footnote="The 620 GB/month break-even is per service per AZ. Many AWS services see well under this volume from a typical VPC; for those, NAT Gateway processing is cheaper than dedicated Interface Endpoints."
/>

The decision is service-by-service. Most VPCs benefit from Interface Endpoints for high-volume services (CloudWatch Logs, ECR, S3 via Interface if Gateway is not enough) and stay on NAT for low-volume services (KMS, IAM, Secrets Manager at small volume).
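The break-even arithmetic from the table, generalized to any AZ count and applied service by service. This is an added example, not code from the original post; the traffic volumes are constructed, and it assumes the NAT Gateway stays in place for other traffic, so its hourly charge is excluded. The table's ~620 GB figure uses the 3-AZ fixed cost of $21.60.

```python
from decimal import Decimal

# us-east-1 list prices quoted in this post
ENDPOINT_HOURLY_PER_AZ = Decimal("0.01")  # $/hour per endpoint per AZ
ENDPOINT_PER_GB = Decimal("0.01")         # $/GB processed by the endpoint
NAT_PER_GB = Decimal("0.045")             # $/GB processed by the NAT Gateway
HOURS_PER_MONTH = 720                     # 30-day month; gives $21.60 for 3 AZs
CENT = Decimal("0.01")


def endpoint_fixed_monthly(az_count):
    """Endpoint-hour charge for one service deployed in az_count AZs."""
    return (ENDPOINT_HOURLY_PER_AZ * az_count * HOURS_PER_MONTH).quantize(CENT)


def break_even_gb(az_count):
    """Monthly GB at which the endpoint's fixed cost equals the NAT fees avoided."""
    saving_per_gb = NAT_PER_GB - ENDPOINT_PER_GB
    return (endpoint_fixed_monthly(az_count) / saving_per_gb).quantize(Decimal("0.1"))


def evaluate(gb_per_month, az_count=3):
    """Compare one service's monthly cost via NAT vs via an Interface Endpoint.

    Assumption: the NAT Gateway remains for other traffic, so its hourly
    charge is paid either way and is left out of the comparison.
    """
    gb = Decimal(gb_per_month)
    nat_cost = (gb * NAT_PER_GB).quantize(CENT)
    endpoint_cost = (endpoint_fixed_monthly(az_count)
                     + gb * ENDPOINT_PER_GB).quantize(CENT)
    net = nat_cost - endpoint_cost
    return {
        "nat_cost": nat_cost,
        "endpoint_cost": endpoint_cost,
        # Per-GB processing saved, before paying for endpoint hours
        "processing_saved": (gb * (NAT_PER_GB - ENDPOINT_PER_GB)).quantize(CENT),
        # What is left after the endpoint-hour charge
        "net_saving": net,
        "choice": "interface-endpoint" if net > 0 else "nat-gateway",
    }


# Constructed monthly traffic per service, in GB (not measurements from the post)
SAMPLE_TRAFFIC_GB = {"logs": 5000, "ecr.dkr": 900, "kms": 40, "secretsmanager": 5}


def plan(traffic_gb, az_count=3):
    """Pick the cheaper path for every service in traffic_gb."""
    return {svc: evaluate(gb, az_count)["choice"] for svc, gb in traffic_gb.items()}


if __name__ == "__main__":
    for az in (1, 2, 3):
        print(f"{az} AZ: break-even {break_even_gb(az)} GB/month per service")
    for svc, gb in SAMPLE_TRAFFIC_GB.items():
        print(svc, gb, evaluate(gb))
```

Feed `plan()` the measured per-service volumes rather than the sample values; the fixed cost, and with it the break-even volume, scales linearly with the number of AZs the endpoint is deployed in.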

## Inter-AZ Data Transfer: The Quietest Bill Driver

Inter-AZ data transfer bills $0.01/GB in each direction — both the sender and receiver pay. A microservices architecture with 3-AZ EKS clusters routinely sees 1–10 TB/month of inter-AZ traffic as services in one AZ call services in another. The bill is not large on a per-GB basis, but it compounds across services and is largely invisible without explicit measurement.

Mitigations:

- **EKS Topology Aware Hints** route Kubernetes service traffic to same-AZ pods preferentially. Enabled at the service level.
- **Topology spread constraints** ensure replicas of the same service spread across AZs so callers in any AZ have a local replica.
- **AWS Local Zones** for latency-sensitive single-AZ workloads where the multi-AZ overhead is not justified.
- **Cluster-aware service discovery** (Consul, custom DNS) that prefers local-AZ endpoints.

For chatty service pairs (a frontend and its backend, for example), explicit single-AZ placement is often the cheapest answer at the cost of losing the multi-AZ redundancy on that specific service pair.

## VPC Peering vs Transit Gateway: The 5–10 VPC Crossover

VPC Peering is free for the connection itself; data transfer bills the standard $0.01/GB inter-AZ rate (or $0.02/GB inter-region for cross-region peering). Transit Gateway charges $0.05/hour per VPC attachment ($36/month per VPC) plus $0.02/GB processed through the TGW.

For 2–3 VPCs needing point-to-point connectivity, peering is cheaper and operationally simpler — the cost is purely data transfer at standard rates. For 5+ VPCs needing full-mesh connectivity, peering's n² connection complexity becomes operationally untenable; Transit Gateway's hub-and-spoke model simplifies management at the cost of per-VPC attachment fees.

The crossover is roughly 5–10 VPCs depending on traffic patterns. Below: stay on peering. Above: Transit Gateway's operational simplicity is worth the per-attachment cost.

## VPC Lattice: The Modern Service Mesh

VPC Lattice is AWS's managed service-mesh primitive — service network at $0.025/hour, services at $0.025/hour each, $0.025/GB processed. A 50-service workload on Lattice costs roughly $900/month for the service and network charges, plus data processing.

The comparison vs running Istio on EKS:

- **Istio**: no per-service AWS charge, but adds control-plane operational overhead (Istio mesh management, configuration drift, sidecar resource overhead on every pod, certificate management).
- **Lattice**: per-service AWS charge, but zero operational overhead — service discovery, auth, observability are managed.

The right choice depends on team capacity. Teams with strong service-mesh operational expertise can run Istio at scale; teams without that capacity will find Lattice's managed model worth the per-service rate.

## When to Use Each VPC Connectivity Pattern

<PricingDecisionCard
  headline="Gateway Endpoints for S3/DynamoDB always; Interface Endpoints for high-volume services; Peering for few VPCs; Transit Gateway for many."
  useWhen={[
    'Gateway Endpoints (S3, DynamoDB) in every VPC — free and saves NAT processing',
    'Interface Endpoints for services with consistent traffic above ~620 GB/month per AZ',
    'VPC Peering when 2–4 VPCs need connectivity — free connections',
    'Transit Gateway when 5+ VPCs need full-mesh — operational simplicity outweighs per-attachment cost',
    'Site-to-Site VPN for hybrid connectivity under 500 GB/month — cheap entry point',
    'Direct Connect when bandwidth exceeds 500 GB/month consistently and latency predictability matters',
    'VPC Lattice when service-mesh capability is needed without operating Istio yourselves',
  ]}
  avoidWhen={[
    'Public IPv4 addresses left attached when workload could use IPv6 or be consolidated behind ALB/NLB',
    'Unattached Elastic IPs — release immediately',
    'Interface Endpoints for low-traffic services where NAT Gateway processing would be cheaper',
    'VPC Peering scaling beyond 5 VPCs — operational complexity becomes worse than Transit Gateway cost',
    'NAT Gateways without S3 + DynamoDB Gateway Endpoints in the VPC — paying NAT processing for traffic that could be free',
    'Inter-AZ chatty service pairs without topology-aware routing — silent compounding bill',
  ]}
  footnote="Most VPC bill problems are configuration choices, not architecture choices. Audit the IPv4 line, the endpoint coverage, and inter-AZ traffic patterns quarterly."
/>

## A 30-Day VPC Bill Cleanup Plan

**Week 1 — IPv4 audit.** Find every public IPv4 address in the account: `aws ec2 describe-addresses` for EIPs, `aws ec2 describe-instances --query "Reservations[].Instances[].PublicIpAddress"` for instance public IPs. Release unattached EIPs immediately. Consolidate public-facing endpoints behind ALB/NLB where multiple instances currently have their own public IPs.

**Week 2 — Add Gateway Endpoints.** Audit every VPC for the presence of S3 and DynamoDB Gateway Endpoints. Add to every VPC that doesn't have them. The change is non-destructive and immediately reduces NAT processing fees for S3/DynamoDB traffic.

**Week 3 — Interface Endpoint break-even.** For each Interface Endpoint currently provisioned, check actual data processed (CloudWatch metric `BytesProcessed` per endpoint). If under ~620 GB/month per AZ, consider removing and routing through NAT. Conversely, for high-volume services currently routing through NAT, consider adding an Interface Endpoint.

**Week 4 — Inter-AZ topology.** For EKS workloads, audit Topology Aware Hints adoption. For chatty service pairs, evaluate explicit single-AZ placement vs the multi-AZ redundancy trade-off. Use VPC Flow Logs to identify the highest-volume inter-AZ traffic patterns.
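The Week 1 and Week 2 checks can be run offline against saved CLI output. The sketch below is an added example, not code from the original post: it takes the parsed JSON of `aws ec2 describe-addresses`, `aws ec2 describe-vpcs` and `aws ec2 describe-vpc-endpoints`, and the sample documents, IDs and addresses in it are constructed.

```python
import json
from decimal import Decimal

IPV4_MONTHLY = Decimal("3.60")  # $/month per public IPv4, as quoted in this post


def orphaned_eips(addresses_doc):
    """Elastic IPs in `aws ec2 describe-addresses` output with no AssociationId."""
    return [a for a in addresses_doc.get("Addresses", [])
            if not a.get("AssociationId")]


def missing_gateway_endpoints(vpcs_doc, endpoints_doc, region):
    """Map each VpcId to the S3/DynamoDB Gateway endpoint services it lacks.

    An endpoint counts only if it is available and listed on at least one
    route table, because a Gateway endpoint takes effect through route tables.
    """
    wanted = {f"com.amazonaws.{region}.{svc}" for svc in ("s3", "dynamodb")}
    have = {}
    for ep in endpoints_doc.get("VpcEndpoints", []):
        if (ep.get("VpcEndpointType") == "Gateway"
                and ep.get("State", "").lower() == "available"
                and ep.get("RouteTableIds")):
            have.setdefault(ep["VpcId"], set()).add(ep["ServiceName"])
    gaps = {}
    for vpc in vpcs_doc.get("Vpcs", []):
        missing = sorted(wanted - have.get(vpc["VpcId"], set()))
        if missing:
            gaps[vpc["VpcId"]] = missing
    return gaps


# Constructed sample CLI output; every ID and address below is made up.
SAMPLE_ADDRESSES = json.loads("""
{"Addresses": [
  {"AllocationId": "eipalloc-0a1", "PublicIp": "203.0.113.10",
   "AssociationId": "eipassoc-0a1", "InstanceId": "i-0a1"},
  {"AllocationId": "eipalloc-0b2", "PublicIp": "203.0.113.11"},
  {"AllocationId": "eipalloc-0c3", "PublicIp": "198.51.100.7"}
]}""")
SAMPLE_VPCS = json.loads("""
{"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}, {"VpcId": "vpc-0ccc"}]}""")
SAMPLE_ENDPOINTS = json.loads("""
{"VpcEndpoints": [
  {"VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0a1"]},
  {"VpcId": "vpc-0bbb", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": []},
  {"VpcId": "vpc-0bbb", "VpcEndpointType": "Interface", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": []},
  {"VpcId": "vpc-0ccc", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0c1"]},
  {"VpcId": "vpc-0ccc", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": ["rtb-0c1"]}
]}""")


def audit(addresses_doc, vpcs_doc, endpoints_doc, region="us-east-1"):
    """Combine both checks into one report."""
    orphans = orphaned_eips(addresses_doc)
    return {
        "orphaned_allocation_ids": [a["AllocationId"] for a in orphans],
        "orphaned_monthly_cost": IPV4_MONTHLY * len(orphans),
        "vpcs_missing_gateway_endpoints": missing_gateway_endpoints(
            vpcs_doc, endpoints_doc, region),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ADDRESSES, SAMPLE_VPCS, SAMPLE_ENDPOINTS),
                     indent=2, default=str))
```

In the sample, `vpc-0bbb` is reported as missing S3 even though a Gateway endpoint exists there, because that endpoint is attached to no route table and therefore carries no traffic.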

## What This Post Doesn't Cover

- **NAT Gateway pricing details and alternatives (fck-nat, VPC endpoints, NAT instances)** — covered in the dedicated [NAT Gateway billing post](/blog/aws-nat-gateway-billing-idle-cost-alternatives/).
- **Cross-region data transfer rates** for specific service pairs — covered in the [data transfer costs post](/blog/aws-data-transfer-costs-startups/).
- **Direct Connect pricing in depth** including hosted vs dedicated and LAG configurations — covered in our hybrid connectivity content.
- **VPC Flow Logs cost optimization** patterns (S3 vs CloudWatch vs Firehose destinations) — covered in our observability content.

## If You Only Do One Thing This Week

Add S3 and DynamoDB Gateway Endpoints to every VPC in your account that doesn't have them. The change is one IaC line or one CLI command per VPC, costs nothing, and immediately starts saving on NAT Gateway data processing fees for S3 and DynamoDB traffic. Cross-check the NAT Gateway impact in our [NAT Gateway billing post](/blog/aws-nat-gateway-billing-idle-cost-alternatives/) — the two changes (Gateway Endpoints + a NAT audit) typically compound to recover 20–40% of the networking-related bill on accounts that haven't done either recently.

For the broader networking architecture decisions — multi-account network setup, Transit Gateway design, hybrid connectivity — the [VPC networking best practices guide](/blog/aws-vpc-networking-best-practices-for-production/) covers the design side.

## FAQ

### Why am I suddenly paying $3.60 per IPv4 address per month?
AWS introduced a charge for all public IPv4 addresses in February 2024 — $0.005/hour, $3.60/month per address. This applies to every public IPv4 in use (attached to EC2 instances, ELBs, NAT Gateways, RDS public endpoints) and to every unattached Elastic IP. The change converted a previously-free resource into a billable one across the entire AWS account inventory. The mitigations: migrate workloads to IPv6 where supported, consolidate public-facing endpoints behind ALB/NLB to reduce IP count, audit unattached EIPs and release them, and use AWS Global Accelerator (which pools IPs) for multi-region public endpoints.

### Are VPC Gateway Endpoints really free?
Yes. Gateway VPC Endpoints for S3 and DynamoDB are completely free — no hourly charge, no per-GB data charge. They route traffic between resources in your VPC and S3 or DynamoDB within the same region without going through a NAT Gateway. Every VPC with workloads accessing S3 or DynamoDB should have Gateway Endpoints for both. The saving is dramatic: routing 1 TB/month of S3 traffic through a NAT Gateway costs ~$45 in processing fees; routing the same traffic through a Gateway Endpoint costs $0.

### How do Interface VPC Endpoints differ from Gateway endpoints in cost?
Interface Endpoints (which use AWS PrivateLink under the hood) cost $0.01/hour per endpoint per AZ, plus $0.01/GB of data processed. For high availability across 3 AZs, that is $0.03/hour or $21.60/month per service endpoint before data processing. A workload using 10 AWS services privately (Secrets Manager, SQS, SNS, ECR, KMS, etc.) across 3 AZs costs $216/month just for the endpoints. The break-even vs NAT Gateway data processing varies — Interface Endpoints win when service traffic volume is moderate; NAT Gateways can be cheaper for low-volume internal AWS service access. Run the math per service.

### When does Transit Gateway pay off vs VPC Peering?
VPC Peering is free for the connection itself; data transfer between peered VPCs in the same region bills at $0.01/GB each way. Transit Gateway charges $0.05/hour per VPC attachment ($36/month per VPC) plus $0.02/GB processed. For two or three VPCs that need to communicate, peering is dramatically cheaper. Transit Gateway wins on operational simplicity and on multi-VPC architectures where the n² connection complexity of peering becomes untenable. The crossover is usually around 5–10 VPCs that need full-mesh connectivity — below that, peering is cheaper; above, Transit Gateway is simpler and the per-VPC attachment cost is amortized.

### What does inter-AZ data transfer actually cost?
Traffic between AZs in the same region bills $0.01/GB in each direction — both the sender and receiver pay $0.01/GB. At 1 TB/month, that is $20 total. On microservices architectures with many cross-AZ calls (a typical 3-AZ EKS cluster has services routinely talking to pods in other AZs), inter-AZ transfer can hit hundreds or thousands of dollars per month. Mitigations: use topology-aware routing (Kubernetes topology spread constraints, AWS Local Zones for latency-sensitive single-AZ workloads), enable EKS Topology Aware Hints to route service traffic to same-AZ pods, and place chatty service pairs in the same AZ deliberately.

### Is VPC Lattice cheaper than running an Istio service mesh?
For service-mesh-style internal-traffic routing, VPC Lattice bills $0.025/hour per service network ($18/month) + $0.025/hour per service ($18/month per service) + $0.025/GB processed. A 50-service workload on Lattice costs $900/month for the service and service network charges, plus data processing. Istio on EKS has no AWS service charge but adds operational complexity (control plane sidecars, configuration management) and data-plane CPU/memory overhead on every pod. Lattice is the right choice when the operational simplicity is worth the per-service rate; Istio is the right choice for workloads with strong open-source mesh requirements and the team to manage it.

### What is the cheapest way to connect on-premises networks to AWS?
Site-to-Site VPN at $0.05/hour ($36/month) per VPN connection is the cheapest entry point for low-bandwidth needs (under ~1 Gbps). Each VPN supports two tunnels for HA. Direct Connect dedicated connections start at ~$0.30/hour ($216/month) for 1 Gbps + data transfer fees; the all-in cost only makes sense when bandwidth demands are substantial (>500 GB/month consistent) and the latency / predictable performance matters. Most teams start with VPN and migrate to Direct Connect when traffic patterns justify the dedicated pipe.

---

*Source: https://www.factualminds.com/blog/amazon-vpc-pricing-endpoints-peering-transit-gateway/*
