Egress costs dominate our cloud bill
Egress (data out) is usually the priciest line. Four levers: CDN for public traffic, VPC endpoints for service traffic, region choice for inter-cloud, and providers with free egress (Cloudflare R2, Backblaze B2) for bulk.
Try this first
- 1. Inventory where egress comes from: Cost Explorer > Service > Data Transfer. Or correlate VPC Flow Logs with IP destinations.
- 2. Public web traffic via CDN. CloudFront, Front Door or Cloud CDN are cheaper on egress than direct from origin. Cloudflare cheaper still for global.
- 3. Service traffic to AWS services: Gateway Endpoints (S3, DynamoDB) free, Interface Endpoints lower than NAT. See NAT gateway entry.
- 4. Inter-cloud (AWS to Azure or vice versa): always costs. Consider whether inter-cloud calls are really needed, or whether consolidating data to one place is cheaper.
- 5. For bulk egress (backups, archive to offsite): Cloudflare R2, Backblaze B2 or Wasabi have no egress fees. Saves 80-90 percent on that line.
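For the flow-log half of step 1, the following added example (not code from this page) sums outbound bytes per external destination from records in the default version 2 VPC Flow Log format. The VPC CIDR, account ID, ENI IDs and sample records are constructed assumptions; replace them with your own.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: the VPC uses 10.0.0.0/16. List every CIDR you treat as internal.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

def in_vpc(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on "-" or garbage
    return any(ip in net for net in VPC_CIDRS)

def egress_by_destination(lines):
    """Sum bytes of accepted flows that go from inside the VPC to outside it."""
    totals = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom format or truncated record
        rec = dict(zip(FIELDS, parts))
        # Header rows and NODATA/SKIPDATA records fail this check.
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        try:
            if in_vpc(rec["srcaddr"]) and not in_vpc(rec["dstaddr"]):
                totals[rec["dstaddr"]] += int(rec["bytes"])
        except ValueError:
            continue  # unparsable address or byte count
    return totals

# Constructed sample records (documentation IP ranges, placeholder account ID).
SAMPLE = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 44321 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 44322 443 6 30 6000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.9 198.51.100.7 50000 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 40100 5432 6 50 9999 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 443 44321 6 15 80000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 192.0.2.50 40000 22 6 5 700 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for dst, nbytes in egress_by_destination(SAMPLE).most_common():
        print(f"{dst:15} {nbytes:>10} bytes")
```

Destinations that turn out to be S3 or DynamoDB addresses are candidates for the Gateway Endpoints in step 3; unfamiliar destinations with large byte counts are worth a security look as well as a cost one.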
When to bring us in
For egress bills above 5K per month, a network architecture review usually pays back inside 2 months. Patterns differ per app.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.