The Three Most Expensive AWS Services Nobody Knows About
The line items that surprise teams in their AWS bill are rarely EC2 or S3. They are the silent middle of the bill.
1. NAT Gateway
NAT Gateway charges $0.045 per GB processed plus an hourly fee. A pod that pulls 100 GB/day from external sources costs $135/month per Gateway in data charges alone.
The fix: VPC Endpoints (Gateway endpoints for S3/DynamoDB are free; Interface endpoints have an hourly cost but no per-GB charge). Most NAT traffic is to AWS services anyway.
2. Cross-AZ traffic
- Inter-AZ traffic charges $0.01-0.02 per GB depending on direction. A chatty service mesh between AZs can cost $4-8k/month at meaningful scale.
- The fix: topology-aware routing (Linkerd/Istio support this). Keep traffic in the same AZ when both endpoints exist there.
3. CloudWatch Logs storage
CloudWatch Logs charges for ingest ($0.50/GB) and retention ($0.03/GB/month). At 10 GB/day for a year, that is $1,800 ingest + $1,100 storage = $2,900/year per stream.
The fix: structured logs at appropriate verbosity; ship to S3 for long retention; query from there with Athena.
How to find them in your bill
AWS Cost Explorer → group by “Usage Type.” The three line items above show as DataTransfer-NatGateway, DataTransfer-Regional-Bytes, and CloudWatch:LogsHourlyStorage / CloudWatch:DataProcessing-Bytes.
If any one of them is >5% of your bill, the playbook above pays back in days.
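An added example, not from the post, that applies the >5% check to the response shape returned by Cost Explorer's get_cost_and_usage grouped by Usage Type; the bucket names, the substring matching and the $9,000 sample bill are assumptions constructed for the example.

```python
"""Apply the post's '>5% of the bill' check to a Cost Explorer response."""
from decimal import Decimal

# Substrings of the usage types named in the post; substring matching means a
# region-prefixed key in a real bill (e.g. "USE1-...") still matches.
PATTERNS = {
    "nat_gateway": ("NatGateway",),
    "cross_az": ("DataTransfer-Regional-Bytes",),
    "cloudwatch_logs": ("LogsHourlyStorage", "DataProcessing-Bytes"),
}
THRESHOLD = Decimal("0.05")  # the post's ">5% of your bill" trigger

def group(key, amount):
    """Constructed helper: one group in the shape get_cost_and_usage returns."""
    return {"Keys": [key], "Metrics": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}

# Constructed sample (not real bill data), shaped like boto3's
# ce.get_cost_and_usage(Granularity="MONTHLY", Metrics=["UnblendedCost"],
# GroupBy=[{"Type": "DIMENSION", "Key": "USAGE_TYPE"}]): one month, $9,000 total.
SAMPLE_RESPONSE = {"ResultsByTime": [{
    "TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"},
    "Groups": [
        group("USE1-BoxUsage:m5.large", "6000.00"),
        group("USE1-EBS:VolumeUsage.gp3", "1400.00"),
        group("USE1-DataTransfer-NatGateway", "800.00"),
        group("USE1-DataTransfer-Regional-Bytes", "300.00"),
        group("USE1-CloudWatch:DataProcessing-Bytes", "400.00"),
        group("USE1-CloudWatch:LogsHourlyStorage", "100.00"),
    ],
}]}

def usage_type_shares(response):
    """Total spend plus each bucket's spend, summed over every period in the response."""
    total = Decimal("0")
    buckets = {name: Decimal("0") for name in PATTERNS}
    for period in response["ResultsByTime"]:
        for g in period["Groups"]:
            usage_type = g["Keys"][0]
            amount = Decimal(g["Metrics"]["UnblendedCost"]["Amount"])
            total += amount
            for name, needles in PATTERNS.items():
                if any(n in usage_type for n in needles):
                    buckets[name] += amount
                    break  # a usage type belongs to at most one bucket
    return total, buckets

def over_threshold(response, threshold=THRESHOLD):
    """Buckets whose share of total spend exceeds the threshold, mapped to that share."""
    total, buckets = usage_type_shares(response)
    if total == 0:  # empty billing period: nothing to flag
        return {}
    return {n: c / total for n, c in buckets.items() if c / total > threshold}
```

On the sample, NAT Gateway (8.9%) and CloudWatch Logs (5.6%) trip the threshold while cross-AZ traffic (3.3%) does not.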
Antipatterns
- Treating NAT Gateway as “just plumbing.” It is a meter.
- Ignoring the data transfer line entirely. Cross-AZ adds up silently.
- Dumping all logs to CloudWatch indefinitely. Use S3 + Athena for cold logs.
What to do this week
Three moves. (1) Pick the most exposed instance of the pattern in your environment. (2) Apply the lightest fix and measure for one week. (3) Schedule a quarterly review so the discipline does not rot.