
Cloud Egress Costs: The Hidden Tax Breaking Cloud Budgets (and How to Cut It 20–80%)

Egress is rarely one line item — it's internet-out, NAT, cross-AZ, cross-region, CDN cache-fill, and realtime fanout. We break down list pricing across AWS, GCP, Azure, Supabase, Neon and Cloudflare, model four workloads, and show why your biggest network cost is architectural, not the rate card.

Vikas Chamarthi

Cloud egress is no longer a niche billing annoyance. It is one of the most misread lines on a cloud bill, because it rarely appears as one line item. The obvious part is public internet transfer. The expensive part is everything around it: NAT processing, cross-Availability-Zone traffic, cross-region replication, private-endpoint data processing, CDN cache-fill, and — increasingly — websocket and webhook fanout from realtime stacks.

The strongest framing for any team trying to control it is this: your biggest network costs are usually architectural, not list-price driven. Catalog price differences between clouds are small. The cost curve is set by where your bytes move and how many times.

All prices below are public list prices and all workload numbers are modeled for budgeting, not invoice reconciliation. They exclude enterprise discounts, taxes, and second-order savings (less compute, fewer DB reads), which usually strengthen the case for optimization rather than weaken it.

The pricing snapshot

Common North America and Europe internet egress clusters around $0.085–$0.09/GB on AWS and Azure, while Google Cloud Premium Tier often starts higher at $0.12/GiB for the first tier before falling. The cheaper, less-discussed paths — and the ones that quietly compound — are internal.

| Path | Representative list price | Why it bites |
|---|---|---|
| Public internet egress (AWS, first 10 TB) | $0.09/GB | The visible number everyone benchmarks |
| Cross-AZ transfer | ~$0.01/GB each direction | Nearly universal; ~half of AWS transfer cost in Datadog's sample |
| Cross-region transfer | ~$0.02/GB (wider on GCP: $0.02–$0.14/GiB) | Multi-region replication and cross-region reads |
| NAT gateway | ~$0.045/GB plus ~$0.045/hour | Private-subnet workloads pay this on top of egress |
| CDN cache-fill | $0.01–$0.04/GiB + lookups | A CDN lowers origin egress but is not free |

Two structural alternatives change the table entirely. Oracle Cloud includes the first 10 TB/month of egress free, and Cloudflare R2 charges no internet egress at all — useful to know as architectural options even if they are not drop-in compute-origin equivalents.

What 10 TB actually costs

The same baseline 10 TB/month of internet-bound traffic, before any NAT or architectural side effects:

| Provider | 10 TB/month baseline |
|---|---|
| AWS | ~$891 |
| GCP Premium | ~$1,110 |
| GCP Standard | ~$833 |
| Azure | ~$792 |
| Oracle | $0 (within free tier) |
| Cloudflare R2 (egress-only) | $0 |

Now add one NAT gateway to that same private-subnet workload and the picture shifts: AWS becomes ~$1,373, GCP ~$1,595, Azure ~$1,274. In plain terms, NAT adds 44–61% on top of the baseline — an invisible markup that has nothing to do with the per-GB rate you compared between clouds.

Four workloads, four very different egress profiles

| Archetype | Modeled monthly egress | Egress share of a typical bill |
|---|---|---|
| Midsize web app | ~$1,080 | ~12% |
| Media streaming | ~$9,490 | ~38% |
| Analytics / ETL | ~$6,740 | ~22% |
| Backup / DR (drill month) | ~$2,360 | ~20% |

The analytics row mirrors AWS's own published example: a 210 TB/month cross-region S3 path through an interface endpoint cost $6,300/month, versus $0 for the same-region gateway-endpoint path. Few line items are easier to eliminate than a cross-region path that exists only because the workflow was assembled around convenience instead of locality.

The optimization playbook

The best way to cut egress is to attack each path where bytes move: viewer delivery, origin fetch, cross-region replication, cross-AZ chatter, service-to-service access, exports, and restores.

| Strategy | What it attacks | Modeled savings | Trade-off |
|---|---|---|---|
| Architecture locality | Cross-AZ / cross-region bytes | 20–80% of internal transfer | HA design needs care |
| CDN + origin shielding | Repeated origin delivery | 20–95% of origin egress | Cache invalidation discipline |
| Compression (Brotli, WebP/AVIF) | Raw payload size | 15–40% of text/JSON | CPU / QA overhead |
| Gateway / private endpoints | NAT, public detours | 20–100% on the path | Network complexity |
| Replace polling with webhooks/events | "No change" chatter | 50–99% for low-change data | Retry / ordering logic |
| Lifecycle & restore discipline | Restore / export bytes | 30–80% of DR egress | RTO trade-offs |

Two rules carry most of the weight. Move compute to the data for ETL, lakehouse, and replication-heavy estates. And monitor bytes by path, not "network" as one blended bucket — on AWS, filter Cost Explorer on Data Transfer - Internet (Out), Region to Region, and Inter AZ; alert when cross-AZ exceeds ~40% of transfer spend for an app that isn't intentionally zonal.
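
One way to implement the by-path check above, as an added example that is not from the original post: it classifies rows shaped like a Cost Explorer `get_cost_and_usage` result grouped by usage type and flags a cross-AZ share above 40%. The sample rows and amounts are constructed, and the usage-type suffix mapping is an assumption to verify against your own bill.

```python
from collections import defaultdict

# Constructed sample: one period of a get_cost_and_usage response
# grouped by USAGE_TYPE. Amounts are invented for illustration.
SAMPLE_PERIOD = {
    "Groups": [
        {"Keys": ["DataTransfer-Out-Bytes"], "Metrics": {"UnblendedCost": {"Amount": "310.00"}}},
        {"Keys": ["DataTransfer-Regional-Bytes"], "Metrics": {"UnblendedCost": {"Amount": "540.00"}}},
        {"Keys": ["USE1-USW2-AWS-Out-Bytes"], "Metrics": {"UnblendedCost": {"Amount": "120.00"}}},
        {"Keys": ["BoxUsage:m5.large"], "Metrics": {"UnblendedCost": {"Amount": "900.00"}}},
    ]
}


def classify(usage_type):
    """Map a usage type to one of the three paths the article names, else None.

    Assumed suffix mapping; region-prefixed variants (e.g. "USE2-...") match too.
    """
    if usage_type.endswith("DataTransfer-Regional-Bytes"):
        return "inter_az"
    if usage_type.endswith(("AWS-Out-Bytes", "AWS-In-Bytes")):
        return "region_to_region"
    if usage_type.endswith("DataTransfer-Out-Bytes"):
        return "internet_out"
    return None  # compute, storage, and anything else is not transfer spend


def spend_by_path(period):
    """Sum unblended cost per transfer path, ignoring non-transfer rows."""
    totals = defaultdict(float)
    for group in period.get("Groups", []):
        path = classify(group["Keys"][0])
        if path:
            totals[path] += float(group["Metrics"]["UnblendedCost"]["Amount"])
    return dict(totals)


def cross_az_alert(period, threshold=0.40):
    """Return (fired, share) where share is inter-AZ cost / total transfer cost."""
    totals = spend_by_path(period)
    transfer = sum(totals.values())
    share = totals.get("inter_az", 0.0) / transfer if transfer else 0.0
    return share > threshold, share
```

On the sample, cross-AZ is $540 of $970 in transfer spend, about 56%, so the alert fires; the EC2 row is ignored.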

The modern-stack trap: Supabase, Neon, and Trigger

This is the part that catches fast-moving teams. The cost inflection is usually not the scaffold tool — it's the subscription topology and event-delivery pattern the fast build makes easy to ship.

Supabase's own docs are blunt about it: Broadcast is recommended for scalability, Postgres Changes does not scale as well (every change event is authorization-checked per subscriber — 100 subscribers + one insert can trigger 100 reads, on a single ordered thread), and payload size dominates. In Supabase's benchmarks, the same broadcast pattern moved 10.4 GB at 1 KB payloads versus 348 GB at 50 KB.

Turn that into money. Assume one row update per second, a 2 KB payload, and 500 subscribed clients:

  • That's 500 messages/second, or ~1.3 billion messages/month.
  • On Supabase Pro/Team realtime pricing, message overage alone is roughly $3,200+/month.
  • The delivered bytes are ~2.6 TB/month — another ~$210/month of egress over the included quota.

One feature. No traffic spike you'd notice. And it scales almost linearly if components open duplicate subscriptions or broadcast whole rows when a 100-byte delta would do.

| Anti-pattern | Better pattern |
|---|---|
| Broad Postgres Changes subscriptions | Broadcast with narrow channels and filters |
| Full-row payloads | Compact custom payloads / deltas |
| Every component opens its own subscription | One subscription hub per page or tenant |
| Polling Edge Functions for changes | Webhooks, Broadcast, or outbox + worker |
| pg_net trigger-to-HTTP on every row | Batch in an outbox table; debounce; scheduled flush |

The guidance for teams shipping fast: ship the feature with direct subscriptions, but plan the graduation path early — channel scoping, payload minimization, event batching, outbox tables, and webhook/Edge-Function aggregation. That's where realtime UX stays delightful without quietly becoming an egress problem.
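
The fanout arithmetic and the outbox pattern above, modeled together as an added example that is not from the original post or from Supabase: it prices the 500-subscriber scenario, then coalesces the same updates into 5-second delta batches and prices that. The quota and overage rates are assumptions (the page does not state them) chosen because they reproduce its ~$3,200 and ~$210 figures; the `Outbox` class, the 5-second window and the sample row are hypothetical.

```python
import json

# Assumed rates, not stated on the page; they reproduce its
# ~$3,200 message-overage and ~$210 egress figures.
MSG_INCLUDED, MSG_USD = 5_000_000, 2.50 / 1_000_000
EGRESS_INCLUDED_GB, EGRESS_USD_PER_GB = 250, 0.09
SECONDS_PER_MONTH = 30 * 24 * 3600


def monthly_cost(interval_s, payload_bytes, subscribers):
    """Overage cost of delivering one event every interval_s to each subscriber."""
    messages = SECONDS_PER_MONTH // interval_s * subscribers
    gb = messages * payload_bytes / 1e9
    return {
        "messages": messages,
        "gb": gb,
        "msg_usd": max(0, messages - MSG_INCLUDED) * MSG_USD,
        "egress_usd": max(0.0, gb - EGRESS_INCLUDED_GB) * EGRESS_USD_PER_GB,
    }


class Outbox:
    """Coalesces row updates per key; flush() yields one delta per changed key."""

    def __init__(self):
        self.pending = {}

    def record(self, key, old_row, new_row):
        # Keep only columns whose value changed; later writes overwrite earlier.
        delta = {c: v for c, v in new_row.items() if old_row.get(c) != v}
        if delta:
            self.pending.setdefault(key, {}).update(delta)

    def flush(self):
        batch, self.pending = self.pending, {}
        return batch


def simulate(seconds=60, flush_every=5):
    """One row updated every second; returns (flush count, largest batch bytes)."""
    row = {"id": 42, "title": "t" * 1900, "views": 0}  # constructed ~2 KB row
    outbox, batches = Outbox(), []
    for t in range(1, seconds + 1):
        new_row = dict(row, views=t)
        outbox.record(row["id"], row, new_row)
        row = new_row
        if t % flush_every == 0:
            batches.append(outbox.flush())
    return len(batches), max(len(json.dumps(b)) for b in batches)


baseline = monthly_cost(1, 2000, 500)        # full row on every update
flushes, delta_bytes = simulate()
batched = monthly_cost(5, delta_bytes, 500)  # 5-second flush, delta payload
```

Under these assumptions the baseline comes to about $3,227 in message overage plus $211 in egress, while the batched delta path stays inside the egress quota and pays about $636 in message overage.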

The bottom line

Most companies don't have an egress pricing problem first. They have an egress architecture problem first. The rate card is nearly the same everywhere; the bill is set by NAT paths that shouldn't exist, cross-AZ chatter that ignores locality, and realtime fanout that delivers the same logical change a thousand times. Those are fixable — usually in the 20–80% range on the transfer line item, and occasionally 100% on a path that should never have existed.

If you want a second set of eyes on where your bytes are actually going, that's exactly what the free egress audit does: share your stack and get a ranked list of your top avoidable transfer paths, with a rough savings range and fixes by complexity and payback.

FAQ

Common questions

What counts as cloud egress cost?

Not just public internet transfer. Egress is a family of line items: internet-out, cross-AZ traffic (~$0.01/GB each direction), cross-region transfer (~$0.02/GB), NAT gateway processing (~$0.045/GB plus hourly), private-endpoint data processing, CDN cache-fill and lookups, and realtime/serverless fanout. Most of the cost is architectural, not the per-GB rate.

How much of a cloud bill is egress?

Secondary references to Gartner put egress at roughly 10–15% of the cloud bill for many customers; IDC has estimated about 6% of cloud storage cost. Cloudflare's own research found that reducing or eliminating egress fees saved customers 7.5–27% of their total monthly bill. Treat these as directional planning ranges, not universal benchmarks.

Does a CDN make egress free?

No. Transfer from cloud origins to the same provider's CDN is often free, but CDNs still charge cache-fill and lookup fees, and non-cacheable traffic still pays standard internet egress. A CDN is best evaluated on total delivery cost — it can lower origin egress and backend load, not eliminate billing entirely.

Why does Supabase or Trigger.dev get expensive at scale?

Realtime fanout multiplies one row change into many subscriber deliveries. A feature with 500 subscribers and 2 KB payloads emitting one event per second is ~1.3 billion messages/month — roughly $3,200+/month in realtime message overage plus egress on Supabase Pro/Team pricing. The fixes are channel scoping, payload minimization, batching, and outbox patterns.
