Amazon VPC Pricing: The VPC Is Free — Everything Around It Bills

Amazon VPC has the longest list of free-to-create resources of any AWS service — the VPC itself, subnets, route tables, security groups, NACLs, internet gateways, virtual private gateways, all free. The bill comes from what you attach to those resources: public IPv4 addresses (every one of them billable since February 2024), Interface VPC Endpoints per AZ, NAT Gateways, Transit Gateways, VPN connections, Direct Connect, VPC Lattice service networks, and the easily-overlooked $0.01/GB each way for inter-AZ data transfer on every byte that crosses AZ boundaries.

This post is the bill story. For the operational angle — VPC design, subnet layout, security group hygiene, multi-account network architecture — see our VPC networking best practices guide. NAT Gateway pricing (one of the most consequential VPC-related lines) has its own dedicated post at NAT Gateway billing.

The 10 VPC-Adjacent Billing Dimensions

VPC pricing breakdown — us-east-1, June 2026

Prices in us-east-1

The VPC primitives are free. The bill comes from attached resources and data movement.

Dimension	Unit price	Example workload	Monthly cost
VPC, subnets, route tables, security groups, NACLs Free to create and operate	Free	Standard 3-AZ production VPC	$0.00
Public IPv4 address (attached or unattached) New as of Feb 2024 — audit and consolidate	$0.005 / hour = $3.60 / month	20 public IPs across fleet	$72
Elastic IP (unattached) Release unattached EIPs immediately	$0.005 / hour	5 orphaned EIPs	$18
NAT Gateway See dedicated post for alternatives	$0.045/hour + $0.045/GB processed	3-AZ HA setup	$98.55 base + data
Gateway VPC Endpoints (S3, DynamoDB) Every VPC should have these	Free	Endpoint per VPC for S3 + DynamoDB	$0.00
Interface VPC Endpoint (PrivateLink) Per service per AZ; HA multiplies by 3	$0.01/hour/AZ + $0.01/GB	10 service endpoints × 3 AZs	$216 + data
VPC Peering connection Inter-VPC same-region: $0.01/GB each way	Free (data transfer billed standard rates)	5 peering connections	$0 + data transfer
Transit Gateway VPC attachment Multi-VPC hub-and-spoke	$0.05/hour + $0.02/GB processed	10 VPCs attached	$360 + data
Site-to-Site VPN connection Plus data transfer out at standard rates	$0.05/hour	2 VPNs for HA	$72
Direct Connect dedicated (1 Gbps) Hosted DC at lower port rates	~$0.30/hour port + data	1 Gbps dedicated	$216 + data
VPC Lattice service network Modern service mesh primitive	$0.025/hour per network + $0.025/hour per service + $0.025/GB	50 services on Lattice	~$900 + data
Inter-AZ data transfer Both sender and receiver charged	$0.01/GB each way	1 TB cross-AZ / month	$20 total
VPC Flow Logs to CloudWatch Cheaper to ship to S3 for retention	CloudWatch ingestion rate ($0.50/GB)	50 GB flow logs / month	$25
Reachability Analyzer Useful debugging tool; cheap per use	$0.10 per analysis	20 troubleshooting analyses	$2

VPC, subnets, route tables, security groups, NACLs

$0.00

Free to create and operate

Unit price

Free

Example workload

Standard 3-AZ production VPC

Public IPv4 address (attached or unattached)

$72

New as of Feb 2024 — audit and consolidate

Unit price

$0.005 / hour = $3.60 / month

Example workload

20 public IPs across fleet

Elastic IP (unattached)

$18

Release unattached EIPs immediately

Unit price

$0.005 / hour

Example workload

5 orphaned EIPs

NAT Gateway

$98.55 base + data

See dedicated post for alternatives

Unit price

$0.045/hour + $0.045/GB processed

Example workload

3-AZ HA setup

Gateway VPC Endpoints (S3, DynamoDB)

$0.00

Every VPC should have these

Unit price

Free

Example workload

Endpoint per VPC for S3 + DynamoDB

Interface VPC Endpoint (PrivateLink)

$216 + data

Per service per AZ; HA multiplies by 3

Unit price

$0.01/hour/AZ + $0.01/GB

Example workload

10 service endpoints × 3 AZs

VPC Peering connection

$0 + data transfer

Inter-VPC same-region: $0.01/GB each way

Unit price

Free (data transfer billed standard rates)

Example workload

5 peering connections

Transit Gateway VPC attachment

$360 + data

Multi-VPC hub-and-spoke

Unit price

$0.05/hour + $0.02/GB processed

Example workload

10 VPCs attached

Site-to-Site VPN connection

$72

Plus data transfer out at standard rates

Unit price

$0.05/hour

Example workload

2 VPNs for HA

Direct Connect dedicated (1 Gbps)

$216 + data

Hosted DC at lower port rates

Unit price

~$0.30/hour port + data

Example workload

1 Gbps dedicated

VPC Lattice service network

~$900 + data

Modern service mesh primitive

Unit price

$0.025/hour per network + $0.025/hour per service + $0.025/GB

Example workload

50 services on Lattice

Inter-AZ data transfer

$20 total

Both sender and receiver charged

Unit price

$0.01/GB each way

Example workload

1 TB cross-AZ / month

VPC Flow Logs to CloudWatch

$25

Cheaper to ship to S3 for retention

Unit price

CloudWatch ingestion rate ($0.50/GB)

Example workload

50 GB flow logs / month

Reachability Analyzer

$2

Useful debugging tool; cheap per use

Unit price

$0.10 per analysis

Example workload

20 troubleshooting analyses

The NAT Gateway dimension is covered in depth in its own pricing post; the IPv4 dimension is the most recent material change to the VPC bill.

The IPv4 Address Charge: The Bill Change That Surprised Everyone

In February 2024, AWS introduced a charge for every public IPv4 address in use. Before the change, public IPv4 was free as long as it was attached to a running resource. After: every public IP, attached or not, bills $0.005/hour ($3.60/month per address).

The fleet-wide impact on accounts that have not audited:

• Every public-facing EC2 instance with an Elastic IP: $3.60/month each.
• Every NAT Gateway: $3.60/month for its public IP, on top of the NAT Gateway charges themselves.
• Every public-facing Application Load Balancer: an IP per AZ × $3.60/month.
• Every old Elastic IP attached to terminated instances: $3.60/month, forever, until released.

A medium-sized organization with ~100 public-facing endpoints saw the line item appear from zero to $360/month overnight in February 2024 with no warning beyond the AWS announcement.

Gateway Endpoints Are Free — Use Them

VPC Gateway Endpoints for S3 and DynamoDB are completely free — no hourly charge, no per-GB processing. They route traffic between resources in your VPC and the service without going through a NAT Gateway or the public internet.

The economic impact: a workload that accesses 1 TB/month of S3 via a NAT Gateway pays ~$45 in NAT data processing fees. The same workload with an S3 Gateway Endpoint pays $0. Every VPC with workloads that access S3 or DynamoDB should have Gateway Endpoints for both. The configuration is one-time, free, non-controversial.

Interface Endpoints: The Hidden Per-AZ Multiplier

Interface VPC Endpoints (PrivateLink) cost $0.01/hour per endpoint per AZ plus $0.01/GB of data processed. A workload using 10 AWS services privately (Secrets Manager, SQS, SNS, ECR API, ECR Docker, KMS, CloudWatch Logs, etc.) across a 3-AZ deployment costs $216/month just for the endpoint hours before data.

The decision is per-service: when does the Interface Endpoint pay off vs routing the same traffic via NAT Gateway?

Interface Endpoint vs NAT Gateway — break-even per service per AZ

Prices in us-east-1

Interface Endpoints win when the per-GB savings on NAT processing exceeds the per-hour endpoint cost.

Dimension	Unit price	Example workload	Monthly cost
Endpoint cost Plus $0.01/GB data processing	$0.01/hr/AZ	3 AZs × 1 month	$21.60 / service
NAT Gateway processing avoided Direct cost saving	$0.045/GB	Per GB routed via endpoint instead	Saves $0.045 per GB
Break-even traffic per service Below this, NAT is cheaper for that service	Calculation	$21.60 / ($0.045 - $0.01)	~620 GB / month / service
High-volume service (5 TB/mo, e.g. CloudWatch Logs) Plus latency improvement	Interface Endpoint wins	5000 GB × $0.035 saved	Saves $175/mo per service

Endpoint cost

$21.60 / service

Plus $0.01/GB data processing

Unit price

$0.01/hr/AZ

Example workload

3 AZs × 1 month

NAT Gateway processing avoided

Saves $0.045 per GB

Direct cost saving

Unit price

$0.045/GB

Example workload

Per GB routed via endpoint instead

Break-even traffic per service

~620 GB / month / service

Below this, NAT is cheaper for that service

Unit price

Calculation

Example workload

$21.60 / ($0.045 - $0.01)

High-volume service (5 TB/mo, e.g. CloudWatch Logs)

Saves $175/mo per service

Plus latency improvement

Unit price

Interface Endpoint wins

Example workload

5000 GB × $0.035 saved

The 620 GB/month break-even is per service per AZ. Many AWS services see well under this volume from a typical VPC; for those, NAT Gateway processing is cheaper than dedicated Interface Endpoints.

The decision is service-by-service. Most VPCs benefit from Interface Endpoints for high-volume services (CloudWatch Logs, ECR, S3 via Interface if Gateway is not enough) and stay on NAT for low-volume services (KMS, IAM, Secrets Manager at small volume).

Inter-AZ Data Transfer: The Quietest Bill Driver

Inter-AZ data transfer bills $0.01/GB in each direction — both the sender and receiver pay. A microservices architecture with 3-AZ EKS clusters routinely sees 1–10 TB/month of inter-AZ traffic as services in one AZ call services in another. The bill is not large on a per-GB basis, but it compounds across services and is largely invisible without explicit measurement.

Mitigations:

• EKS Topology Aware Hints route Kubernetes service traffic to same-AZ pods preferentially. Enabled at the service level.
• Topology spread constraints ensure replicas of the same service spread across AZs so callers in any AZ have a local replica.
• AWS Local Zones for latency-sensitive single-AZ workloads where the multi-AZ overhead is not justified.
• Cluster-aware service discovery (Consul, custom DNS) that prefers local-AZ endpoints.

For chatty service pairs (a frontend and its backend, for example), explicit single-AZ placement is often the cheapest answer at the cost of losing the multi-AZ redundancy on that specific service pair.

VPC Peering vs Transit Gateway: The 5–10 VPC Crossover

VPC Peering is free for the connection itself; data transfer bills the standard $0.01/GB inter-AZ rate (or $0.02/GB inter-region for cross-region peering). Transit Gateway charges $0.05/hour per VPC attachment ($36/month per VPC) plus $0.02/GB processed through the TGW.

For 2–3 VPCs needing point-to-point connectivity, peering is cheaper and operationally simpler — the cost is purely data transfer at standard rates. For 5+ VPCs needing full-mesh connectivity, peering’s n² connection complexity becomes operationally untenable; Transit Gateway’s hub-and-spoke model simplifies management at the cost of per-VPC attachment fees.

The crossover is roughly 5–10 VPCs depending on traffic patterns. Below: stay on peering. Above: Transit Gateway’s operational simplicity is worth the per-attachment cost.

VPC Lattice: The Modern Service Mesh

VPC Lattice is AWS’s managed service-mesh primitive — service network at $0.025/hour, services at $0.025/hour each, $0.025/GB processed. A 50-service workload on Lattice costs roughly $900/month for the service and network charges, plus data processing.

The comparison vs running Istio on EKS:

• Istio: no per-service AWS charge, but adds control-plane operational overhead (Istio mesh management, configuration drift, sidecar resource overhead on every pod, certificate management).
• Lattice: per-service AWS charge, but zero operational overhead — service discovery, auth, observability are managed.

The right choice depends on team capacity. Teams with strong service-mesh operational expertise can run Istio at scale; teams without that capacity will find Lattice’s managed model worth the per-service rate.

When to Use Each VPC Connectivity Pattern

Gateway Endpoints for S3/DynamoDB always; Interface Endpoints for high-volume services; Peering for few VPCs; Transit Gateway for many.

Use when

• ✓ Gateway Endpoints (S3, DynamoDB) in every VPC — free and saves NAT processing
• ✓ Interface Endpoints for services with consistent traffic above ~620 GB/month per AZ
• ✓ VPC Peering when 2–4 VPCs need connectivity — free connections
• ✓ Transit Gateway when 5+ VPCs need full-mesh — operational simplicity outweighs per-attachment cost
• ✓ Site-to-Site VPN for hybrid connectivity under 500 GB/month — cheap entry point
• ✓ Direct Connect when bandwidth exceeds 500 GB/month consistently and latency predictability matters
• ✓ VPC Lattice when service-mesh capability is needed without operating Istio yourselves

Avoid when

• ✗ Public IPv4 addresses left attached when workload could use IPv6 or be consolidated behind ALB/NLB
• ✗ Unattached Elastic IPs — release immediately
• ✗ Interface Endpoints for low-traffic services where NAT Gateway processing would be cheaper
• ✗ VPC Peering scaling beyond 5 VPCs — operational complexity becomes worse than Transit Gateway cost
• ✗ NAT Gateways without S3 + DynamoDB Gateway Endpoints in the VPC — paying NAT processing for traffic that could be free
• ✗ Inter-AZ chatty service pairs without topology-aware routing — silent compounding bill

Most VPC bill problems are configuration choices, not architecture choices. Audit the IPv4 line, the endpoint coverage, and inter-AZ traffic patterns quarterly.

A 30-Day VPC Bill Cleanup Plan

Week 1 — IPv4 audit. Find every public IPv4 address in the account: aws ec2 describe-addresses for EIPs, aws ec2 describe-instances --filters Name=ip-address for instance public IPs. Release unattached EIPs immediately. Consolidate public-facing endpoints behind ALB/NLB where multiple instances currently have their own public IPs.

Week 2 — Add Gateway Endpoints. Audit every VPC for the presence of S3 and DynamoDB Gateway Endpoints. Add to every VPC that doesn’t have them. The change is non-destructive and immediately reduces NAT processing fees for S3/DynamoDB traffic.

Week 3 — Interface Endpoint break-even. For each Interface Endpoint currently provisioned, check actual data processed (CloudWatch metric BytesProcessed per endpoint). If under ~620 GB/month per AZ, consider removing and routing through NAT. Conversely, for high-volume services currently routing through NAT, consider adding an Interface Endpoint.

Week 4 — Inter-AZ topology. For EKS workloads, audit Topology Aware Hints adoption. For chatty service pairs, evaluate explicit single-AZ placement vs the multi-AZ redundancy trade-off. Use VPC Flow Logs to identify the highest-volume inter-AZ traffic patterns.

What This Post Doesn’t Cover

• NAT Gateway pricing details and alternatives (fck-nat, VPC endpoints, NAT instances) — covered in the dedicated NAT Gateway billing post.
• Cross-region data transfer rates for specific service pairs — covered in the data transfer costs post.
• Direct Connect pricing in depth including hosted vs dedicated and LAG configurations — covered in our hybrid connectivity content.
• VPC Flow Logs cost optimization patterns (S3 vs CloudWatch vs Firehose destinations) — covered in our observability content.

If You Only Do One Thing This Week

Add S3 and DynamoDB Gateway Endpoints to every VPC in your account that doesn’t have them. The change is one IaC line or one CLI command per VPC, costs nothing, and immediately starts saving on NAT Gateway data processing fees for S3 and DynamoDB traffic. Cross-check the NAT Gateway impact in our NAT Gateway billing post — the two changes (Gateway Endpoints + a NAT audit) typically compound to recover 20–40% of the networking-related bill on accounts that haven’t done either recently.

For the broader networking architecture decisions — multi-account network setup, Transit Gateway design, hybrid connectivity — the VPC networking best practices guide covers the design side.