
AWS VPC Architecture & TCO Calculator

Subnet your VPC CIDR block across AZs, model hidden NAT & egress costs, and compare on-premises vs. AWS total cost of ownership — all in one tool.

Slice your VPC block across Availability Zones
Enter a parent VPC CIDR block (prefix /16 to /24, for example 10.0.0.0/16) and a target AZ count. Subnets are allocated in equal thirds per AZ: Public, Private App, and Private DB tiers.
Model your real NAT & egress monthly spend
AWS networking costs are frequently under-estimated. Adjust the sliders below for an instant itemized breakdown.
On-Premises vs. AWS — total cost comparison
Enter your current on-premises infrastructure parameters. The tool maps compute to EC2 approximations and storage to EBS gp3 pricing.
Reference Guide

AWS VPC Design, Hidden Network Costs & On-Premises TCO: A Practical Reference

The calculator above handles the numbers. This reference covers the architectural decisions behind VPC subnet design, the AWS network cost line items that routinely catch teams off guard, and the honest trade-offs in an on-premises vs. AWS total cost comparison.

VPC CIDR Block Design: Getting the Subnet Architecture Right

VPC subnet design decisions made at day one are expensive to change later. A VPC CIDR block cannot be resized after creation — you can add secondary CIDRs, but you cannot reclaim fragmented space or re-number subnets without redeploying workloads. The most common regret in mature AWS environments is starting with a /24 because it "seemed big enough" and hitting the ceiling 18 months later.

AWS reserves five IP addresses in every subnet — the first four and the last. A /24 gives you 251 usable addresses, not 254. A /28 — the minimum subnet size AWS supports — gives you only 11. Factor these reservations into your capacity planning before provisioning anything.

Standard 3-Tier Subnet Architecture per AZ
Public Subnet
Routes to an Internet Gateway (IGW). Houses load balancers, NAT Gateways, and bastion hosts. Should be sized conservatively — most workloads do not live here. A /27 or /28 is often sufficient per AZ.
Private App Subnet
Routes outbound through a NAT Gateway in the public subnet. Houses EC2 instances, ECS tasks, Lambda functions, and application servers. This is where most of your address space goes. Allocate at least a /23 per AZ for workloads expected to scale.
Private DB Subnet
No internet route — inbound traffic only from the app tier via security group rules. Houses RDS instances, ElastiCache clusters, and other data stores. Requires a subnet in at least two AZs for Multi-AZ RDS deployments. Size based on the number of database endpoints, not traffic volume.
VPC Size | Recommended CIDR | Total IPs | Suitable For
--- | --- | --- | ---
Small | /24 | 256 | Dev/test, single workload. Tight on room; avoid for production.
Standard | /20 | 4,096 | Most mid-market workloads across 2–3 AZs with room to grow.
Large | /18 | 16,384 | Multi-account landing zones, Transit Gateway hub VPCs.
Enterprise | /16 | 65,536 | Maximum VPC size. Use for shared services VPCs and large migrations.

Avoid RFC 1918 overlap with your on-premises network. If you're connecting via AWS Direct Connect or Site-to-Site VPN, your VPC CIDR must not overlap with any on-premises subnet. A 10.0.0.0/16 VPC conflicts with any on-premises 10.0.x.x range. Use the VPC Subnet Planner above against a block that is reserved for AWS in your on-premises IP plan and not in use anywhere on-premises.
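The subnet slicing and overlap check described above, as an added example (not the tool's own code). It assumes the tool's /16 to /24 limit, the five reserved addresses per subnet, and a layout where each AZ slice is cut into four equal power-of-two subnets with three used for the tiers and the fourth left spare, since a CIDR block cannot be split into exact thirds:

```python
import ipaddress
from math import ceil, log2

# Constructed example, not the calculator's implementation.
AWS_RESERVED_PER_SUBNET = 5            # first four addresses plus the last
TIERS = ("public", "private-app", "private-db")


def plan_vpc(vpc_cidr, az_count):
    """Return {az_index: {tier: (subnet, usable_ips)}} for a 3-tier layout.

    Each AZ gets an equal slice of the VPC. The slice is split into four
    equal subnets; three are assigned to the tiers and the fourth is spare
    (assumption: thirds are not valid CIDR sizes, quarters are).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 24:
        raise ValueError("prefix must be /16 to /24")
    az_bits = ceil(log2(az_count))     # 3 AZs -> 2 bits (4 slices, 3 used)
    az_prefix = vpc.prefixlen + az_bits
    tier_prefix = az_prefix + 2        # four tier-sized subnets per AZ slice
    if tier_prefix > 28:
        raise ValueError("resulting subnets would be smaller than /28")
    az_slices = list(vpc.subnets(new_prefix=az_prefix))[:az_count]
    plan = {}
    for i, az_block in enumerate(az_slices):
        tier_subnets = list(az_block.subnets(new_prefix=tier_prefix))
        plan[i] = {tier: (sn, sn.num_addresses - AWS_RESERVED_PER_SUBNET)
                   for tier, sn in zip(TIERS, tier_subnets)}
    return plan


def overlaps_on_prem(vpc_cidr, on_prem_cidrs):
    """List the on-premises ranges that collide with the proposed VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in on_prem_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    for az, tiers in plan_vpc("10.0.0.0/16", 3).items():
        for tier, (subnet, usable) in tiers.items():
            print(f"AZ{az} {tier:12s} {subnet}  usable={usable}")
    # Constructed on-prem plan: the /16 collides with the first range only.
    print(overlaps_on_prem("10.0.0.0/16", ["10.0.5.0/24", "192.168.1.0/24"]))
```

A /24 planned across three AZs lands on /28 tiers with 11 usable addresses each, which is the ceiling the prose above warns about.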

AWS Network Costs That Routinely Surprise Engineering Teams

AWS publishes its pricing openly. The problem is not a lack of transparency — it is that the cost model is fundamentally different from on-premises networking, where most traffic is free once the hardware is paid for. In AWS, data movement has a per-GB price tag that compounds rapidly at scale. The three line items below account for the majority of unexpected AWS networking spend in mid-market deployments.

NAT Gateway
$0.045/hr per gateway; $0.045/GB processed

The hourly run-rate is easy to miss because it looks small — $0.045 per hour per gateway. At $32.85 per gateway per month, three NAT Gateways across three AZs cost $98.55 before a single byte of traffic flows through them. Add the data processing surcharge — $0.045 per GB of traffic processed — and a workload pushing 500 GB/month per gateway adds another $22.50 each.

The most common optimization: private subnets within the same VPC that need to communicate with each other should use VPC endpoints or internal routing rather than hairpinning through a NAT Gateway. Traffic between EC2 instances in the same VPC does not need to touch NAT at all.

Internet Egress Transfer
$0.09/GB (first 10TB)

Data leaving AWS to the public internet costs $0.09 per GB in us-east-1. Ingress — data coming into AWS — is free. This asymmetry means architectures that serve large files, video, or frequent API responses to external clients accumulate egress costs that do not exist in a datacenter model where internet bandwidth is typically a flat monthly commitment.

At 1TB of monthly egress, the bill is $92.16. At 10TB it is $921.60. CloudFront as a CDN layer in front of S3 or EC2 substantially reduces egress costs — CloudFront-to-internet transfer is cheaper than direct EC2 egress and the first 1TB/month is free.

Cross-AZ Data Transfer
$0.01/GB each direction

Traffic between EC2 instances in different Availability Zones within the same region is charged at $0.01 per GB in each direction — $0.02 per GB round-trip. This is small per transaction but accumulates quickly in microservices architectures where services in separate AZs make thousands of cross-AZ API calls per minute.

The mitigation is AZ affinity: route requests within an AZ where possible. Application Load Balancers support availability zone affinity routing. EKS topology spread constraints can keep pod-to-pod traffic within a single AZ for latency-sensitive services.

Transit Gateway
$0.05/hr per attachment; $0.02/GB processed

Transit Gateway is the correct solution for multi-VPC and hybrid connectivity at scale — but it is not free. Each VPC attachment costs $0.05/hr ($36.50/month), and all data processed through the TGW is charged at $0.02/GB. A hub-and-spoke design with 10 VPCs attached costs $365/month in attachment fees alone before any traffic flows. For simple two-VPC connectivity, VPC Peering is free to create and only charges standard data transfer rates — use TGW only when you need centralized routing across more than a handful of VPCs.

AWS Networking Cost Quick Reference — us-east-1 (Jan 2026)
Service | Rate | Notes
--- | --- | ---
NAT Gateway hourly | $0.045/hr | ~$32.85/mo per gateway at idle
NAT data processing | $0.045/GB | Charged per GB through the gateway
Internet egress | $0.09/GB | First 100GB/mo free. Tiered above 10TB.
Cross-AZ transfer | $0.01/GB | Each direction. $0.02/GB round-trip.
VPC Peering transfer | $0.01/GB | Same-AZ peered traffic: free.
Transit Gateway attachment | $0.05/hr | Per VPC attachment. Plus $0.02/GB processed.
Direct Connect (1Gbps) | ~$220/mo | Port fee only. Colocation and provider fees additional.

Use the Hidden Cost Estimator tab above to model your specific NAT and egress configuration.
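An itemized monthly ledger built from the us-east-1 rates in the table above, as an added example (not the estimator's own code). It assumes a 730-hour month, which is what makes $0.045/hr come to $32.85; the free_egress_gb parameter models the 100 GB/month free tier, and passing 0 reproduces the prose figures ($92.16 for 1 TB), which ignore it:

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed example, not the calculator's implementation.
HOURS_PER_MONTH = 730                      # assumption: 730 hours per month
RATES = {                                  # us-east-1, Jan 2026, from the table above
    "nat_gateway_hour": Decimal("0.045"),
    "nat_gb": Decimal("0.045"),
    "egress_gb": Decimal("0.09"),          # first 10 TB tier only
    "cross_az_gb": Decimal("0.01"),        # per GB crossing an AZ boundary
    "tgw_attachment_hour": Decimal("0.05"),
    "tgw_gb": Decimal("0.02"),
}


def money(x):
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def monthly_ledger(nat_gateways, nat_gb_per_gateway, egress_gb, cross_az_gb=0,
                   tgw_attachments=0, tgw_gb=0, free_egress_gb=100):
    """Return [(line item, quantity, monthly cost)] rows.

    Quantities should be ints or strings (Decimal-safe). cross_az_gb counts
    every GB that crosses an AZ boundary, so a request and its reply are
    two separate GB-amounts, matching "$0.01 each direction".
    """
    D = Decimal
    billable_egress = max(D(egress_gb) - D(free_egress_gb), D(0))
    rows = [
        ("NAT Gateway hours", nat_gateways * HOURS_PER_MONTH,
         D(nat_gateways) * HOURS_PER_MONTH * RATES["nat_gateway_hour"]),
        ("NAT data processed (GB)", nat_gateways * nat_gb_per_gateway,
         D(nat_gateways) * D(nat_gb_per_gateway) * RATES["nat_gb"]),
        ("Internet egress (billable GB)", billable_egress,
         billable_egress * RATES["egress_gb"]),
        ("Cross-AZ transfer (GB)", cross_az_gb, D(cross_az_gb) * RATES["cross_az_gb"]),
        ("Transit Gateway attachment hours", tgw_attachments * HOURS_PER_MONTH,
         D(tgw_attachments) * HOURS_PER_MONTH * RATES["tgw_attachment_hour"]),
        ("Transit Gateway data processed (GB)", tgw_gb, D(tgw_gb) * RATES["tgw_gb"]),
    ]
    return [(name, qty, money(cost)) for name, qty, cost in rows]


def monthly_total(rows):
    return money(sum(cost for _, _, cost in rows))


if __name__ == "__main__":
    # The worked case from the NAT section: 3 gateways, 500 GB each, plus 1 TB egress.
    rows = monthly_ledger(3, 500, 1024, cross_az_gb=2000, tgw_attachments=10)
    for name, qty, cost in rows:
        print(f"{name:36s} {str(qty):>8s}  ${cost:>9}")
    print(f"{'Total':36s} {'':>8s}  ${monthly_total(rows):>9}")
```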

On-Premises vs. AWS TCO: What the Numbers Don't Capture

TCO calculators — including this one — compare quantifiable costs: hardware, power, colocation, compute, and storage. They are useful for directional analysis, but every TCO comparison has a set of costs that are difficult to quantify and almost always left out of the model.

What on-prem hides
  • Hardware refresh cycles every 3–5 years
  • Network engineer time for firmware, patching, and cabling
  • Unplanned downtime and hardware failure replacement
  • Capacity over-provisioning to handle peak demand
  • Disaster recovery infrastructure that sits idle
What AWS hides
  • Egress and data transfer costs at scale
  • NAT Gateway run-rate across multiple AZs
  • Licensing uplift for Windows and SQL Server on EC2
  • Support plan costs ($100–$15,000+/month)
  • Cost of cloud skills gap and training
Where AWS wins clearly
  • Variable or unpredictable workload patterns
  • Global distribution without physical presence
  • Managed services replacing operational overhead
  • Speed of provisioning new capacity
  • Multi-region DR without duplicating hardware investment
Compute Savings Plans & Reserved Instances

The TCO Worksheet uses on-demand pricing — the most expensive way to run EC2. For stable, predictable workloads, Compute Savings Plans deliver up to 66% off on-demand rates in exchange for a 1- or 3-year spend commitment. Reserved Instances offer up to 72% savings for specific instance types.

A realistic enterprise AWS cost model applies Savings Plans to baseline capacity and on-demand for burst. If your workloads are stable, the AWS number from the worksheet above can realistically be reduced by 40–60% through committed use pricing — which changes the TCO calculus significantly.

Planning a migration to AWS or optimizing an existing VPC architecture? The consulting link in the sidebar covers VPC design, landing zone architecture, Transit Gateway configuration, and cost governance for mid-market deployments.
