If you've ever stared at an AWS bill wondering why your data transfer charges keep climbing, you're not alone. Data transfer fees are one of the most misunderstood and frustrating parts of AWS pricing — they're invisible until they hurt.

At Basavytix, we built Netway to solve exactly this problem. Here's what we've learned about where AWS data transfer costs hide, and how to automatically surface and fix them.


The Hidden Tax in Your AWS Bill

AWS charges for data movement in ways that aren't always obvious:


Why These Costs Stay Hidden

The core problem is that AWS doesn't tell you which resources are causing the charges — only the aggregate totals. Your bill shows "Data Transfer OUT to Internet: $847.32" but doesn't say which VPC, which instance, or which traffic pattern.

To find the root cause, you need to analyze VPC Flow Logs — the raw network telemetry AWS generates for every connection in your VPC. But Flow Logs are voluminous, they live in S3, and querying them with Athena requires writing SQL against hundreds of millions of rows. Most teams simply don't have the time.


How Netway Automates This

Netway is a Lambda-based analyzer that runs inside your own AWS account. Here's how it works:

1. You deploy a single CloudFormation stack — one command, no agents, no IAM users to create manually.

2. Netway's Lambda reads your VPC Flow Logs via Athena, running pattern-matching queries that identify the specific traffic patterns that generate unnecessary charges.

3. Findings are posted to your dashboard at netway.basavytix.com — each finding includes the affected VPC, the traffic pattern detected, and the estimated monthly savings.

4. You fix it — each finding comes with a recommended remediation (e.g., "Create an S3 Gateway Endpoint in vpc-xxxxx").

Everything runs in your account. Your flow log data never leaves your AWS environment.
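To make the pattern match in step 2 concrete, here is an added Python sketch (not Netway's code, which runs its queries in Athena) that finds S3 traffic on a NAT Gateway's network interface in default-format (version 2) flow log records. The ENI ID, IP addresses, S3 prefix, per-GB rate and log lines are all constructed assumptions.

```python
import ipaddress

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Everything below is constructed for this example.
NAT_ENI = "eni-0nat000000000000"      # hypothetical ENI of the NAT Gateway
NAT_PRIVATE_IP = "10.0.0.10"          # private IP of that ENI
# Stand-in for the regional S3 prefixes (real ones are in AWS ip-ranges.json).
S3_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
NAT_RATE_PER_GB = 0.045               # assumed NAT processing rate, USD per GB

SAMPLE_LOG = """\
2 123456789012 eni-0nat000000000000 10.0.1.25 10.0.0.10 44321 443 6 900 1200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat000000000000 10.0.0.10 198.51.100.7 44321 443 6 900 1200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat000000000000 198.51.100.7 10.0.0.10 443 44321 6 400 300000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat000000000000 10.0.0.10 203.0.113.9 51000 443 6 10 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0app000000000000 10.0.1.25 198.51.100.7 44321 443 6 900 1200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat000000000000 - - - - - - - 1700000000 1700000060 - NODATA
"""

def in_s3(addr):
    """True if addr falls inside one of the S3 prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in S3_CIDRS)

def s3_bytes_via_nat(log_text):
    """Sum bytes exchanged between the NAT's private IP and S3, per direction."""
    totals = {"to_s3": 0, "from_s3": 0}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue                  # NODATA/SKIPDATA and rejected flows
        if rec["interface_id"] != NAT_ENI:
            continue                  # only the NAT ENI proves the NAT path
        # The instance-to-NAT leg shows the NAT's IP as dstaddr, so it is
        # skipped here and the bytes are counted once, on the NAT-to-S3 leg.
        if rec["srcaddr"] == NAT_PRIVATE_IP and in_s3(rec["dstaddr"]):
            totals["to_s3"] += int(rec["bytes"])
        elif rec["dstaddr"] == NAT_PRIVATE_IP and in_s3(rec["srcaddr"]):
            totals["from_s3"] += int(rec["bytes"])
    return totals

def estimated_cost(totals, rate=NAT_RATE_PER_GB):
    """NAT data-processing cost in USD for the bytes seen in the log window."""
    return (totals["to_s3"] + totals["from_s3"]) / 1e9 * rate
```

In the default format the NAT leg cannot be attributed to a source instance; that needs a custom log format that adds the `pkt-srcaddr` and `pkt-dstaddr` fields.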


A Real Example

During our own system testing, we spun up a test VPC in ap-south-1, launched an EC2 instance, and generated S3 traffic deliberately routed through the NAT Gateway. Within 24 hours, Netway detected the pattern:

VPC: vpc-064e9769bfe82d1af

Pattern: S3 traffic via NAT Gateway

Estimated waste: $0.03/month (for our tiny test)

Fix: Create a free S3 Gateway VPC Endpoint

At production scale, this same pattern typically runs $50–$500/month depending on your S3 usage volume.


The Patterns Netway Detects Today

General Infrastructure

S3 access via NAT Gateway

Instead of free S3 Gateway Endpoints — the most common and avoidable source of data transfer charges.

Cross-AZ traffic between services

EC2, RDS, or container traffic crossing availability zones at $0.01/GB per direction.

NAT Gateway in wrong AZ

Instances routing to a NAT Gateway in a different AZ pay both NAT processing and cross-AZ fees on every outbound byte.

AWS API calls without Interface VPC Endpoints

Calls to SSM, CloudWatch, Secrets Manager routing through the public internet.

Unnecessary internet egress from private subnets

Services talking to public IPs when a private path exists.

ML / AI Workloads

ML Training Data in Wrong Region

GPU instances pulling training data from an S3 bucket in a different region, incurring cross-region transfer fees on every epoch. Fix: replicate data to the same region as the compute.

ML Checkpoint Writes via NAT

Training jobs saving model checkpoints to S3 through a NAT Gateway instead of a free S3 Gateway Endpoint. On large models with frequent checkpointing, this alone can cost hundreds of dollars per training run.

Multi-GPU Gradient Sync Across AZ

Distributed training jobs using NCCL for gradient synchronization between GPU instances placed in different Availability Zones, paying cross-AZ transfer fees on every backward pass. Fix: place all nodes in the same AZ.

ML Inference Cold Start Loading via NAT

SageMaker or self-hosted inference endpoints downloading model weights from S3 through a NAT Gateway on every cold start. Fix: add an S3 Gateway Endpoint to the inference VPC.

ML Feature Store in Wrong Region

Training or inference jobs fetching features from RDS, ElastiCache, or DynamoDB in a different region, generating continuous cross-region transfer costs.

Training Data Gravity

AWS-hosted training data being egressed to an external GPU provider, paying full internet egress rates on every data pull. Fix: move compute to AWS or pre-stage data closer to the GPU provider.

More detectors are in development.


Getting Started

Setup takes about 5 minutes:

1. Register at netway.basavytix.com

2. Run the CloudFormation deploy command shown in your dashboard

3. Wait 24 hours for your first analysis to complete

4. Review findings and estimated savings

There's no agent to maintain, no S3 buckets to configure, and no data sharing required.


The Bigger Picture

AWS data transfer pricing is deliberately complex. The fees are real, but they're also largely avoidable with the right architecture. VPC Gateway Endpoints for S3 and DynamoDB are free. Interface Endpoints for other services cost ~$7/month each but often pay for themselves many times over. Cross-AZ traffic can frequently be eliminated with small routing changes.

The problem has never been that fixes are hard — it's that finding which fixes matter in your specific environment requires digging through data most teams don't have time to analyze.

That's the gap Netway fills.

See it in action

Watch the full detection and remediation flow — from CloudFormation deploy to finding on the dashboard.