Why your cloud bill is mostly data transfer (and you didn't notice)
If you've ever opened a cloud invoice and felt the numbers don't add up to what you think you're running, you're not wrong. Compute and storage are the visible costs — they map cleanly to instances and disks you can see in the console. Data transfer doesn't. It hides behind half a dozen SKU prefixes that look like license plates.
The line items that quietly eat your budget
On AWS, the four line items that most often dominate a bill — and the ones we see misread or skipped entirely on every first pass — are:
- NAT Gateway data processing. You pay per GB pushed through the NAT, on top of the hourly cost. A chatty service in a private subnet is a metered tap.
- Cross-AZ traffic. Two services in the same region but different availability zones still pay egress in both directions. Many architectures pay this twice on every request.
- VPC endpoint vs. internet egress. Hitting S3 without a gateway endpoint means your traffic exits your VPC and re-enters via the public internet — at public-internet prices.
- CloudWatch Logs ingestion. Logs aren't free to write. Verbose application logs at scale routinely beat the EC2 line they came from.
The pattern: anything that moves bytes is metered, and the meter is usually invisible on the architecture diagram you drew in a Notion doc.
Why dashboards don't catch it
Generic cost tools group line items by service. So NAT Gateway processing shows up under "EC2 – Other," CloudWatch Logs ingestion shows up under "CloudWatch," and cross-AZ traffic shows up under "Data Transfer." The bill is mostly data movement, but the chart says it's mostly compute. The category labels are doing the lying.
The three cuts that almost always work
- Add an S3 gateway endpoint. It's free. It removes a real, recurring NAT Gateway charge for any service that talks to S3.
- Co-locate stateful pairs. Database and the workload that hits it the hardest belong in the same AZ unless you've explicitly chosen multi-AZ for HA reasons. The latency win is a bonus; the bill win is the headline.
- Sample your logs. Debug-level logs on every request, ingested at $0.50/GB, will out-cost the box producing them. Sample at the edge, retain less, archive to S3 for cheaper grep.
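The "sample at the edge" cut above, as an added example (this is not CloudBillDecoder's code or anything from the page). It assumes JSON log lines with `level` and `request_id` fields, keeps every WARN/ERROR line, and decides per request (by hashing the request id) whether the DEBUG/INFO lines are kept, so a sampled request arrives whole rather than as a random subset of its lines. The log lines are constructed inline; the $0.50/GB ingestion price is the figure the text quotes, and the bytes-per-GB convention is an assumption.

```python
"""Head-based log sampling before CloudWatch Logs ingestion.

Added example, not the page's or CloudBillDecoder's code. Assumptions:
JSON log events with "level" and "request_id" fields (constructed here),
1 GB = 1e9 bytes, ingestion priced per GB.
"""
import hashlib
import json

INGEST_PRICE_PER_GB = 0.50   # figure quoted in the text
BYTES_PER_GB = 1e9           # assumption: decimal GB


def keep_request(request_id: str, rate: float) -> bool:
    """Deterministic per-request decision.

    Hash the request id to a number in [0, 1); keep the request if it
    falls below `rate`. Every host reaches the same answer for the same
    id without any shared state, so a kept request keeps all its lines.
    """
    digest = hashlib.sha256(request_id.encode("utf-8")).digest()
    bucket = int.from_bytes(digest[:8], "big") / 2**64
    return bucket < rate


def should_keep(event: dict, rate: float) -> bool:
    # Never drop the lines you would actually page on.
    if event.get("level") in ("WARN", "ERROR"):
        return True
    return keep_request(event.get("request_id", ""), rate)


def sample(lines, rate: float):
    """Return (kept_lines, dropped_bytes) for a stream of JSON log lines."""
    kept, dropped_bytes = [], 0
    for line in lines:
        event = json.loads(line)
        if should_keep(event, rate):
            kept.append(line)
        else:
            dropped_bytes += len(line.encode("utf-8")) + 1  # +1 for newline
    return kept, dropped_bytes


def ingest_cost(total_bytes: int) -> float:
    """Ingestion cost in dollars for a byte count at the assumed price."""
    return total_bytes / BYTES_PER_GB * INGEST_PRICE_PER_GB


def make_sample_lines(n_requests: int):
    """Constructed log stream: each request logs a DEBUG and an INFO line,
    and every 50th request also logs an ERROR."""
    lines = []
    for i in range(n_requests):
        rid = f"req-{i:06d}"
        lines.append(json.dumps({"level": "DEBUG", "request_id": rid,
                                 "msg": "handler start", "body_len": 4096}))
        lines.append(json.dumps({"level": "INFO", "request_id": rid,
                                 "msg": "handler done", "status": 200}))
        if i % 50 == 0:
            lines.append(json.dumps({"level": "ERROR", "request_id": rid,
                                     "msg": "upstream timeout"}))
    return lines


def request_ids(lines, level):
    return {json.loads(l)["request_id"] for l in lines
            if json.loads(l)["level"] == level}


if __name__ == "__main__":
    lines = make_sample_lines(200)
    kept, dropped = sample(lines, rate=0.10)
    print(f"kept {len(kept)}/{len(lines)} lines, "
          f"saved ${ingest_cost(dropped):.6f} of ingestion")
```

The ratio of the savings to the `rate` is what to watch: if dropping 90% of DEBUG/INFO lines barely moves the ingestion total, the volume is coming from somewhere the sampler does not see (a sidecar, an agent, or a log group nobody owns).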
How CloudBillDecoder reads this
When we read your billing export, we don't just sort by amount. We tag each row by what it physically is — is this byte-movement, is this hours of compute, is this storage at rest — and then we tell you, in English, which of the three patterns above your bill is matching. Your one-paragraph description of the app does most of the work: a "B2B SaaS with a nightly batch" has different fingerprints from "consumer mobile API on the public internet."
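The reclassification described in the two sections above (service labels vs. what each row physically is), as an added example; it is not CloudBillDecoder's code. It reads rows in the AWS Cost and Usage Report (CUR) column layout (`lineItem/ProductCode`, `lineItem/UsageType`, `lineItem/Operation`, `lineItem/UnblendedCost`) and tags each row as byte movement, compute hours, or storage at rest by pattern-matching the usage type. The sample rows, their dollar amounts, and the matching rules are constructed approximations of real CUR usage types, not a complete mapping.

```python
"""Group a CUR-style billing export two ways: by service (what the console
chart shows) and by physical kind (what the bytes are actually doing).

Added example, not the page's or CloudBillDecoder's code. Column names
follow the CUR schema; the rows and usage-type patterns are constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. One region prefix (USE1), a handful of SKUs.
SAMPLE_CUR = """\
lineItem/ProductCode,lineItem/UsageType,lineItem/Operation,lineItem/UnblendedCost
AmazonEC2,USE1-BoxUsage:m5.large,RunInstances,210.00
AmazonEC2,USE1-NatGateway-Bytes,NatGateway,540.00
AmazonEC2,USE1-NatGateway-Hours,NatGateway,32.00
AmazonEC2,USE1-DataTransfer-Regional-Bytes,InterZone-In,180.00
AmazonEC2,USE1-DataTransfer-Regional-Bytes,InterZone-Out,180.00
AmazonEC2,USE1-DataTransfer-Out-Bytes,RunInstances,95.00
AmazonEC2,USE1-EBS:VolumeUsage.gp3,CreateVolume-Gp3,60.00
AmazonCloudWatch,USE1-DataProcessing-Bytes,PutLogEvents,310.00
AmazonCloudWatch,USE1-TimedStorage-ByteHrs,HourlyStorageMetering,20.00
AmazonS3,USE1-TimedStorage-ByteHrs,StandardStorage,45.00
AmazonS3,USE1-Requests-Tier1,PutObject,8.00
"""

# Ordered rules, first match wins, applied to the usage type with its
# region prefix removed. Log ingestion (DataProcessing-Bytes) is counted as
# byte movement: it is metered per GB written, like the NAT and cross-AZ rows.
PHYSICAL_RULES = [
    ("byte_movement", re.compile(
        r"^(NatGateway-Bytes|DataTransfer-.*-Bytes|DataProcessing-Bytes|VpcEndpoint-Bytes)$")),
    ("storage_at_rest", re.compile(r"^(EBS:VolumeUsage|TimedStorage-ByteHrs)")),
    ("compute_hours", re.compile(r"^(BoxUsage|SpotUsage)")),
]


def strip_region(usage_type: str) -> str:
    # CUR usage types often carry a region code prefix such as USE1- or EUW2-.
    return re.sub(r"^[A-Z]{2,4}\d-", "", usage_type)


def physical_kind(usage_type: str) -> str:
    bare = strip_region(usage_type)
    for kind, pattern in PHYSICAL_RULES:
        if pattern.search(bare):
            return kind
    return "other"   # hourly NAT fee, request charges, anything unmapped


def totals(cur_text: str):
    """Return (by_service, by_kind) dollar totals for a CUR CSV string."""
    by_service = defaultdict(float)
    by_kind = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cur_text)):
        cost = float(row["lineItem/UnblendedCost"])
        by_service[row["lineItem/ProductCode"]] += cost
        by_kind[physical_kind(row["lineItem/UsageType"])] += cost
    return dict(by_service), dict(by_kind)


def dominant(buckets: dict) -> str:
    return max(buckets, key=buckets.get)


if __name__ == "__main__":
    by_service, by_kind = totals(SAMPLE_CUR)
    grand = sum(by_service.values())
    print("by service:", {k: round(v, 2) for k, v in by_service.items()})
    print("by kind:   ", {k: round(v, 2) for k, v in by_kind.items()})
    print(f"console view says {dominant(by_service)}; "
          f"physical view says {dominant(by_kind)} "
          f"({by_kind[dominant(by_kind)] / grand:.0%} of the bill)")
```

On the sample, the service view is led by AmazonEC2, while the physical view shows byte movement at well over half the total and compute hours a distant second, which is the mismatch the section above describes. Unmapped usage types land in `other`; on a real export that bucket should be reviewed and the rule table extended before trusting the split.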
CloudBillDecoder is in private beta.