# Cost Optimization
Cost optimization strategies for VPC infrastructure provisioned by the VPC Provisioner.
## Cost Overview

VPC costs are driven by three components:

| Cost Factor | Description | Typical Impact |
|---|---|---|
| NAT Gateway | Hourly charge + data processing | 40-60% of VPC cost |
| Data Transfer | Cross-AZ, cross-region, internet | 30-50% of VPC cost |
| Elastic IPs | Unused EIPs incur charges | 0-5% of VPC cost |
Key insight: NAT Gateways are the primary VPC cost driver. Disabling them in dev/test environments is the single most effective optimization.
## Built-in Cost Estimation

The VPC Provisioner includes a built-in cost estimation feature that calculates costs specific to your configuration and region. Instead of using the generic estimates in this guide, run the cost estimation workflow for accurate numbers:

```bash
# Step 1: Generate traffic assumptions (edit defaults to match your usage)
--action cost-traffic

# Step 2: Calculate costs with region-specific pricing
--action cost-estimate
```

The tool produces:

- Console output with fixed and variable cost breakdown
- Professional HTML report with per-resource detail
- Monthly and annual totals using on-demand pricing for your region

Edit the traffic assumptions file and re-run `cost-estimate` to model different scenarios (e.g., low vs. high traffic months).

To update pricing data to the latest AWS rates:

```bash
--action cost-refresh-prices
```

See the User Guide for the complete command reference.
## NAT Gateway Costs

| Configuration | Monthly Cost\* | Annual Cost | Use Case |
|---|---|---|---|
| No NAT Gateway | $0 | $0 | Public-only VPC, dev/test |
| Single NAT Gateway | ~$32 | ~$384 | Dev/staging with private subnets |
| HA NAT (2 AZs) | ~$64 | ~$768 | Production (standard) |
| HA NAT (3 AZs) | ~$96 | ~$1,152 | Production (critical workloads) |

\*US East (N. Virginia), $0.045/hour per NAT Gateway, excludes data processing charges.
### NAT Gateway Data Processing

In addition to the hourly charge, NAT Gateways charge $0.045/GB for data processed:

| Monthly Data | Processing Cost | Total (Single NAT) |
|---|---|---|
| 10 GB | $0.45 | ~$32.45 |
| 100 GB | $4.50 | ~$36.50 |
| 1 TB | $46.08 | ~$78.08 |
| 10 TB | $460.80 | ~$492.80 |
## Data Transfer Costs

| Transfer Type | Cost/GB | Notes |
|---|---|---|
| Within same AZ | Free | Keep resources in same AZ when possible |
| Between AZs | $0.01 | Both directions charged |
| To internet via NAT Gateway | $0.045 | Data processing charge |
| To internet via IGW | $0.09 | First 10 TB/month |
| Between regions | $0.02 | Both directions charged |
| To S3 via Gateway Endpoint | Free | Use VPC endpoints |
| To DynamoDB via Gateway Endpoint | Free | Use VPC endpoints |
## VPC Endpoint Savings

VPC Gateway Endpoints for S3 and DynamoDB are free and eliminate NAT Gateway data processing charges:

| Scenario (1 TB/month to S3) | Without Endpoint | With Endpoint | Savings |
|---|---|---|---|
| Via NAT Gateway | $46.08 | $0 | $46.08/month |
| Annual savings | $552.96 | $0 | $552.96/year |

The S3 Provisioner supports VPC endpoint configuration:

```yaml
s3:
  vpc_id: "vpc-0a1b2c3d4e5f6g7h8"
  route_table_ids: "rtb-0a1b2c3d,rtb-4e5f6g7h"
```
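The NAT Gateway, data processing and endpoint savings tables above all derive from a handful of published rates. The following is an added example, not part of the VPC Provisioner or its `cost-estimate` workflow: a small cost model that reproduces those table rows from the US East (N. Virginia) rates quoted on this page, so you can check a proposed configuration before running the real estimator. The 720-hour month and the rate constants are assumptions of this example; region-specific pricing comes from `--action cost-estimate`.

```python
"""Monthly VPC cost model built from the rates quoted in this guide.

Added example for illustration; it is not the VPC Provisioner's own
estimator. All rates below are US East (N. Virginia) figures copied from
the tables on this page and are assumptions of this example.
"""

from dataclasses import dataclass

NAT_HOURLY_USD = 0.045            # per NAT Gateway hour
NAT_PROCESSING_USD_PER_GB = 0.045  # per GB processed by a NAT Gateway
CROSS_AZ_USD_PER_GB = 0.01         # per GB between AZs (charged both ways)
UNUSED_EIP_HOURLY_USD = 0.005      # per unassociated Elastic IP hour
HOURS_PER_MONTH = 720              # assumption: 30-day month


@dataclass
class VpcUsage:
    nat_gateway_count: int = 0     # 0 = no NAT, 1 = single, 2-3 = HA
    nat_processed_gb: float = 0.0  # all traffic that would pass the NAT
    s3_gb: float = 0.0             # portion of nat_processed_gb bound for S3
    s3_via_endpoint: bool = False  # gateway endpoint removes S3 from NAT path
    cross_az_gb: float = 0.0       # traffic between AZs, both directions summed
    unused_eips: int = 0           # Elastic IPs allocated but not associated


def estimate_monthly_cost(usage: VpcUsage) -> dict:
    """Return a per-component USD breakdown plus the monthly total."""
    nat_hourly = usage.nat_gateway_count * NAT_HOURLY_USD * HOURS_PER_MONTH

    # Traffic to S3 leaves the NAT path entirely once a gateway endpoint exists.
    processed_gb = usage.nat_processed_gb
    if usage.s3_via_endpoint:
        processed_gb = max(0.0, processed_gb - usage.s3_gb)
    # No NAT Gateway means no processing charge regardless of traffic volume.
    nat_processing = processed_gb * NAT_PROCESSING_USD_PER_GB if usage.nat_gateway_count else 0.0

    cross_az = usage.cross_az_gb * CROSS_AZ_USD_PER_GB
    eips = usage.unused_eips * UNUSED_EIP_HOURLY_USD * HOURS_PER_MONTH

    parts = {
        "nat_hourly": round(nat_hourly, 2),
        "nat_processing": round(nat_processing, 2),
        "cross_az": round(cross_az, 2),
        "unused_eips": round(eips, 2),
    }
    parts["total"] = round(nat_hourly + nat_processing + cross_az + eips, 2)
    return parts


def endpoint_savings(s3_gb: float) -> dict:
    """Monthly and annual NAT processing charge avoided by an S3 gateway endpoint."""
    monthly = s3_gb * NAT_PROCESSING_USD_PER_GB
    return {"monthly": round(monthly, 2), "annual": round(monthly * 12, 2)}


def nat_options(processed_gb: float) -> dict:
    """Monthly total for 0, 1, 2 and 3 NAT Gateways at a given traffic volume."""
    return {
        n: estimate_monthly_cost(VpcUsage(nat_gateway_count=n, nat_processed_gb=processed_gb))["total"]
        for n in range(4)
    }


if __name__ == "__main__":
    # Staging-style VPC: single NAT, 1 TB/month, all of it to S3, no endpoint yet.
    staging = VpcUsage(nat_gateway_count=1, nat_processed_gb=1024, s3_gb=1024)
    print("without endpoint:", estimate_monthly_cost(staging))
    staging.s3_via_endpoint = True
    print("with endpoint:   ", estimate_monthly_cost(staging))
    print("endpoint savings:", endpoint_savings(1024))
    print("NAT options at 1 TB:", nat_options(1024))
```

The breakdown deliberately keeps the hourly and processing charges separate: the hourly figure only changes with the number of gateways, while the processing figure is what endpoints and co-location remove, which is the distinction the cost reduction strategies below rely on.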
## Cost Reduction Strategies

### 1. Disable NAT Gateway in Dev/Test (100% NAT savings)

```yaml
# Development — no NAT Gateway needed
vpc:
  nat_gateway:
    enabled: false
```

```yaml
# Production — enable with HA
vpc:
  nat_gateway:
    enabled: true
    high_availability: true
```

### 2. Use Single NAT Gateway for Staging (50% NAT savings)

```yaml
# Staging — single NAT, not HA
vpc:
  nat_gateway:
    enabled: true
    high_availability: false
```

### 3. Use VPC Endpoints for AWS Services

Add S3 and DynamoDB Gateway Endpoints to eliminate NAT data processing charges for AWS service traffic. These endpoints are free.

### 4. Minimize Cross-AZ Traffic

Place resources that communicate frequently in the same AZ to avoid $0.01/GB cross-AZ charges:

- SageMaker training instances and S3 data in the same AZ
- Application servers and databases in the same AZ

### 5. Right-Size Your Architecture

| Environment | Recommended Pattern | Monthly VPC Cost |
|---|---|---|
| Dev/Test | Simple Public (no NAT) | ~$0 |
| Staging | Public-Private (single NAT) | ~$32 |
| Production | 3-Tier HA (2-3 NAT) | ~$64-96 |

### 6. Release Unused Elastic IPs

Unused Elastic IPs cost $0.005/hour (~$3.60/month). Release them after deleting test stacks:

```bash
# Check for unused EIPs
aws ec2 describe-addresses --query 'Addresses[?AssociationId==null].AllocationId'

# Release unused
aws ec2 release-address --allocation-id eipalloc-xxxxx
```

### 7. Consolidate VPCs

If multiple teams use separate VPCs in the same region, consider consolidating into a single VPC with subnet-level isolation. Fewer VPCs means fewer NAT Gateways.
## Cost by Architecture Pattern

### Pattern 1: Simple Public VPC (Dev/Test)

| Resource | Monthly Cost |
|---|---|
| VPC | Free |
| Public Subnets (2) | Free |
| Internet Gateway | Free |
| **Total** | **$0** |

### Pattern 2: Public-Private (Staging)

| Resource | Monthly Cost |
|---|---|
| VPC | Free |
| Public Subnets (2) | Free |
| Private Subnets (2) | Free |
| Internet Gateway | Free |
| NAT Gateway (1) | ~$32 |
| Elastic IP (1) | Included with NAT |
| **Total** | **~$32** |

### Pattern 3: 3-Tier HA (Production)

| Resource | Monthly Cost |
|---|---|
| VPC | Free |
| Public Subnets (2) | Free |
| Private Subnets (3) | Free |
| Database Subnets (2) | Free |
| Internet Gateway | Free |
| NAT Gateways (2, HA) | ~$64 |
| Elastic IPs (2) | Included with NAT |
| **Total** | **~$64** |
## Monitoring and Analysis

### AWS Cost Explorer

```bash
# View VPC-related costs
aws ce get-cost-and-usage \
  --time-period Start=2026-03-01,End=2026-04-01 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --filter '{"Dimensions":{"Key":"SERVICE","Values":["Amazon Virtual Private Cloud"]}}'
```

### VPC Flow Logs

Enable VPC Flow Logs to analyze traffic patterns and identify optimization opportunities:

- High cross-AZ traffic that could be co-located
- Traffic to AWS services that could use VPC endpoints
- Unexpected internet-bound traffic
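Turning raw flow log records into the three findings listed above is mostly a matter of mapping each flow's endpoints onto the VPC topology. The following is an added example, not code from the VPC Provisioner: it parses records in the default flow log format (version 2, space-separated), attributes bytes to intra-AZ, cross-AZ, AWS-service and internet categories, and flags internet-bound flows on unexpected ports. The VPC CIDR, subnet-to-AZ map, the `AWS_SERVICE_PREFIXES` placeholder, the expected-port set and the sample records are all constructed for this example; in practice the subnet map comes from your VPC and service prefixes from AWS's published ip-ranges.json.

```python
"""Categorise VPC Flow Log records by cost impact.

Added example, not part of the VPC Provisioner. Assumes the default flow
log record format (version 2). Topology and sample data are constructed.
"""

import ipaddress
from collections import defaultdict

# Constructed topology: one subnet per AZ inside a /16 (assumption).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNET_AZ = {
    ipaddress.ip_network("10.0.1.0/24"): "us-east-1a",
    ipaddress.ip_network("10.0.2.0/24"): "us-east-1b",
}
# PLACEHOLDER prefix standing in for an AWS service range (such as S3) that a
# gateway endpoint would serve. Real prefixes come from ip-ranges.json.
AWS_SERVICE_PREFIXES = [ipaddress.ip_network("52.216.0.0/15")]
# Ports this example treats as normal for outbound internet traffic (assumption).
EXPECTED_INTERNET_PORTS = {"80", "443"}

# Default format field order (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]

# Constructed sample records; not captured from a real account.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa 10.0.1.10 10.0.1.20 443 51000 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 10.0.2.20 5432 52000 6 200 900000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 52.216.10.5 53000 443 6 400 4000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.30 198.51.100.7 53100 443 6 30 60000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.2.30 198.51.100.9 53200 4444 6 5 250 1700000000 1700000060 REJECT OK
2 123456789012 eni-0ccc - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Yield records as dicts, skipping malformed lines and NODATA/SKIPDATA."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # no traffic fields to account for
            continue
        yield rec


def az_of(addr):
    """AZ of an in-VPC address, or None if it matches no known subnet."""
    return next((az for net, az in SUBNET_AZ.items() if addr in net), None)


def classify(rec):
    """Map one flow to a cost category used by the guide."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    src_in, dst_in = src in VPC_CIDR, dst in VPC_CIDR
    if src_in and dst_in:
        return "intra_az" if az_of(src) == az_of(dst) else "cross_az"
    external = dst if src_in else src
    if any(external in p for p in AWS_SERVICE_PREFIXES):
        return "aws_service_endpoint_candidate"
    return "internet"


def summarize(text):
    """Return (bytes per category, internet flows on unexpected ports)."""
    totals = defaultdict(int)
    unexpected = []
    for rec in parse_flow_logs(text):
        cat = classify(rec)
        totals[cat] += int(rec["bytes"])
        if cat == "internet" and rec["dstport"] not in EXPECTED_INTERNET_PORTS:
            unexpected.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["action"]))
    return dict(totals), unexpected


if __name__ == "__main__":
    totals, unexpected = summarize(SAMPLE_LOG)
    for cat, nbytes in sorted(totals.items()):
        print(f"{cat:32s} {nbytes:>12,d} bytes")
    for flow in unexpected:
        print("unexpected internet flow:", flow)
```

Bytes in `cross_az` are the ones the $0.01/GB charge applies to (remember flow logs capture each direction separately, so both sides of a conversation already show up), `aws_service_endpoint_candidate` is the volume a gateway endpoint would take off the NAT path, and the `unexpected` list is a starting point for reviewing egress rules rather than a verdict on its own.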
### NAT Gateway CloudWatch Metrics

Monitor these metrics to understand NAT Gateway usage:

- `BytesOutToDestination` — data processed
- `ActiveConnectionCount` — concurrent connections
- `PacketsDropCount` — capacity issues

All prices are estimates based on US East (N. Virginia). Actual costs vary by region. Use `--action cost-estimate` for region-specific pricing based on your configuration, or the AWS Pricing Calculator for detailed estimates.