
The Hidden Cloud Tax: How IPv4 Rent and Egress Fees Are Silently Crushing 2026 Budgets

CloudCostChefs Team

Blaze says: Networking costs are the fastest-growing line item most teams never audit. Start with your public IPv4 count and NAT Gateway data processing charges — that's where the money hides.

Your cloud bill has a cover charge.

And most teams don't even know they're paying it. Before a single byte of real traffic moves, you're being charged for the privilege of having a public IP address, routing through a NAT Gateway, and eventually sending data out to the internet. In 2026, these “invisible” networking costs are the fastest-growing line item on cloud bills across AWS, Azure, and GCP — and the least audited.

The Three Charges Nobody Reads

Cloud providers have structured networking fees to be individually small but collectively massive. Here are the three charges that silently drain budgets every month:

1. IPv4 Address Rent: $3.65/Month Per IP

Since February 2024, AWS charges $0.005/hour ($3.65/month) for every public IPv4 address — whether it's attached to an instance, a load balancer, a NAT Gateway, or sitting idle in an Elastic IP pool. Azure and GCP have similar charges.

The math that surprises teams:

50 EC2 instances with public IPs: $182.50/month
10 ALBs (2 IPs each across AZs): $73.00/month
6 NAT Gateways (3 VPCs x 2 AZs): $21.90/month
15 idle Elastic IPs: $54.75/month
Total IPv4 rent: $332.15/month — $3,986/year

And that's a modest account. Enterprise accounts with hundreds of load balancers, RDS instances, and Elastic IPs pay five figures annually — just for IP addresses.

2. NAT Gateway: The Per-Byte Toll Booth

NAT Gateways charge $0.045/hour plus $0.045/GB for every byte they process. Private subnets routing to AWS services through NAT pay this tax on traffic that never leaves the AWS network. Add cross-AZ transfer ($0.01/GB each way) when compute and NAT are in different availability zones.

The compounding effect:

Hourly fee: $32.40/month per NAT Gateway (always on, even at zero traffic)
Data processing: 2TB/month to S3 = $92.16/month per NAT — for traffic that could use a free Gateway Endpoint
Cross-AZ: $0.01/GB x 2 directions adds another $40.96/month on that same 2TB
Single NAT Gateway total: $165/month — $1,980/year — mostly unnecessary

3. Egress Fees: The Exit Tax on Your Own Data

Moving data out of a cloud provider costs $0.09–$0.12/GB on AWS (after the first 100GB free tier). Azure charges $0.087/GB, GCP $0.12/GB for standard internet egress. Ingress is free — getting data in is the easy part. Getting it out is where the meter runs.

AWS Internet Egress: $0.09/GB (first 10TB/month)
Azure Internet Egress: $0.087/GB (Zone 1 regions)
GCP Internet Egress: $0.12/GB (premium tier)

A media company serving 50TB/month in content delivery pays $4,500/month in AWS egress alone. A SaaS API handling 10TB/month of response payloads: $900/month. Cross-region replication for DR? Each TB replicated adds $20/month on AWS, and that traffic is constant.

Real World: The $12K Wake-Up Call

A mid-size SaaS team was reviewing their $50,000/month EC2 bill and couldn't figure out why costs kept climbing despite stable instance counts. They finally broke out networking line items:

NAT Gateway data processing (S3/ECR/CloudWatch): $4,800/month
Internet egress (API responses + CDN origin pulls): $3,600/month
Cross-AZ data transfer: $2,100/month
Public IPv4 addresses (87 IPs across accounts): $1,500/month

Total networking overhead: $12,000/month — 24% of their “EC2 bill”

None of this showed up as “networking” in their cost dashboard. It was buried under EC2, VPC, and data transfer categories. They were optimizing instance sizes while ignoring a quarter of their spend.
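One way to do the regrouping described above is to classify each billing line item by its usage type instead of by the service it is billed under. This is an added example, not code from the original article: the line items are constructed, and the usage-type patterns are assumptions based on AWS naming with a region prefix such as `USE1-`.

```python
import re
from collections import defaultdict

# Ordered rules, first match wins. Patterns assume AWS usage-type names,
# which may carry a region prefix such as "USE1-".
RULES = [
    ("NAT Gateway data processing", re.compile(r"NatGateway-Bytes$")),
    ("NAT Gateway hourly", re.compile(r"NatGateway-Hours$")),
    ("Public IPv4 addresses", re.compile(r"PublicIPv4:(InUse|Idle)Address$")),
    ("Cross-AZ data transfer", re.compile(r"DataTransfer-Regional-Bytes$")),
    ("Internet egress", re.compile(r"DataTransfer-Out-Bytes$")),
    ("Cross-region transfer", re.compile(r"-AWS-Out-Bytes$")),
]

# Constructed line items: (billing service, usage type, monthly USD).
LINE_ITEMS = [
    ("EC2 - Other", "USE1-NatGateway-Bytes", 4800.0),
    ("EC2 - Other", "USE1-NatGateway-Hours", 200.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-DataTransfer-Out-Bytes", 3600.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-DataTransfer-Regional-Bytes", 2100.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-USW2-AWS-Out-Bytes", 150.0),
    ("Amazon Virtual Private Cloud", "USE1-PublicIPv4:InUseAddress", 300.0),
    ("Amazon Virtual Private Cloud", "USE1-PublicIPv4:IdleAddress", 50.0),
    ("Amazon Elastic Compute Cloud - Compute", "USE1-BoxUsage:m6i.large", 38800.0),
]


def classify(usage_type):
    for category, pattern in RULES:
        if pattern.search(usage_type):
            return category
    return None  # not a networking charge


def networking_breakdown(line_items):
    """Return (per-category totals, networking share of the whole bill)."""
    totals = defaultdict(float)
    bill = 0.0
    for _service, usage_type, cost in line_items:
        bill += cost
        category = classify(usage_type)
        if category:
            totals[category] += cost
    share = round(sum(totals.values()) / bill, 4) if bill else 0.0
    return dict(totals), share


if __name__ == "__main__":
    print(networking_breakdown(LINE_ITEMS))
```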

Why Networking Costs Grow While Compute Gets Cheaper

Compute prices drop every year. Graviton, Spot instances, and ARM migrations push per-vCPU costs down 20–40%. But networking costs are going the other direction:

IPv4 exhaustion is permanent

IANA ran out of IPv4 blocks in 2011. AWS started charging $0.005/hour per public IP in Feb 2024 — a net-new cost that didn't exist before. With IPv6 adoption still below 50% for most enterprise workloads, IPv4 prices will only go up.

Microservices multiply data transfer

A monolith makes in-process calls. Microservices make HTTP calls across subnets, AZs, and sometimes regions. Each hop generates data transfer charges. An architecture with 50 services making 100 calls/second creates a data transfer bill that scales with request volume, not compute.

AI/ML workloads are data-hungry

Training pipelines pull TBs from S3. Inference endpoints serve large response payloads. Model artifacts get replicated across regions. GPU instance networking alone can cost more than the compute for high-throughput inference.

Multi-cloud and hybrid add cross-cloud egress

Organizations using AWS + Azure + GCP pay egress fees on every cross-cloud data movement. A data pipeline that reads from AWS S3 and writes to GCP BigQuery pays $0.09/GB out of AWS plus ingestion costs on GCP.

What To Audit This Week

You don't need a FinOps platform to find networking waste. These checks use native tools and take a few hours, not weeks.

1. Count Your Public IPv4 Addresses

AWS now provides a free tool for this. Run the Public IP Insights report in the VPC console or use the CLI:

# List the Elastic IPs allocated in the current region (repeat per region)
aws ec2 describe-addresses \
  --query 'Addresses[*].{IP:PublicIp,InstanceId:InstanceId,AllocationId:AllocationId}' \
  --output table

# List public IPs on running instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" \
  --query 'Reservations[*].Instances[?PublicIpAddress!=null].{Id:InstanceId,IP:PublicIpAddress}' \
  --output table

Look for: instances that don't need public IPs (move behind ALB or use SSM for access), unused Elastic IPs, and dev/test instances with public IPs that should be private.

2. Check NAT Gateway Data Processing Charges

Open Cost Explorer, filter to “EC2-Other” usage type, and look for NatGateway-Bytes. Then check whether you have VPC endpoints deployed:

# List all VPC endpoints in your account
aws ec2 describe-vpc-endpoints \
  --query 'VpcEndpoints[*].{VPC:VpcId,Service:ServiceName,Type:VpcEndpointType,State:State}' \
  --output table

# Check if S3 Gateway Endpoint exists (should be in every VPC)
aws ec2 describe-vpc-endpoints --filters "Name=service-name,Values=com.amazonaws.*.s3" \
  --query 'VpcEndpoints[*].{VPC:VpcId,State:State}' \
  --output table

If you have NAT Gateways but no S3 or DynamoDB Gateway Endpoints, you're paying $0.045/GB for traffic that should be free. See our NAT Gateway deep dive for the full fix.

3. Map Your Egress By Service and Destination

In Cost Explorer, group by “Usage Type” and filter for data transfer. Look for:

DataTransfer-Out-Bytes: Internet egress — is a CDN (CloudFront, Cloudflare) in front of your services?
DataTransfer-Regional-Bytes: Cross-AZ traffic — are services chatty across AZs unnecessarily?
DataTransfer-Inter-Region: Cross-region replication — do you need full replication or just metadata?
CloudFront egress vs origin pulls: If CloudFront egress is high but cache hit ratio is low, your caching config is wasting money.

4. Quantify Cross-AZ Data Transfer

Cross-AZ transfer charges $0.01/GB in each direction ($0.02/GB round-trip). For microservice architectures, this adds up fast. Enable VPC Flow Logs and check:

# Check cross-AZ costs in Cost Explorer
# Filter: Service = "Amazon Elastic Compute Cloud - Compute"
# Usage Type Group: contains "DataTransfer-Regional"
# Group by: Availability Zone

For services that don't need multi-AZ high availability (batch processors, dev environments, stateless workers), pinning to a single AZ eliminates cross-AZ charges entirely.

5. Find Idle Load Balancers and Unused Elastic IPs

Each ALB uses at least 2 public IPs (one per AZ). Idle ALBs still cost ~$16/month base + $7.30/month in IPv4 charges. Check for load balancers with zero healthy targets:

# Find ALBs with no healthy targets
aws elbv2 describe-target-health --target-group-arn <tg-arn> \
  --query 'TargetHealthDescriptions[?TargetHealth.State!=`healthy`]'

# Find unattached Elastic IPs (charged $0.005/hr when idle)
aws ec2 describe-addresses \
  --query 'Addresses[?AssociationId==null].{IP:PublicIp,AllocId:AllocationId}' \
  --output table
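The checks in steps 2 and 5 can be combined into one offline pass over CLI output saved with `--output json`. This is an added example, not code from the original article: the sample JSON is constructed, and `aws ec2 describe-nat-gateways` (not shown above) is assumed as the source of the NAT Gateway list.

```python
import json

IPV4_MONTHLY = 3.65  # the article's figure: $0.005/hour per public IPv4
FREE_GATEWAY_SERVICES = ("s3", "dynamodb")

# Constructed sample data in the shape the AWS CLI returns with --output json.
NAT_GATEWAYS = json.loads("""{"NatGateways": [
  {"NatGatewayId": "nat-0aaa", "VpcId": "vpc-prod", "State": "available"},
  {"NatGatewayId": "nat-0bbb", "VpcId": "vpc-dev", "State": "available"},
  {"NatGatewayId": "nat-0ccc", "VpcId": "vpc-old", "State": "deleted"}]}""")
VPC_ENDPOINTS = json.loads("""{"VpcEndpoints": [
  {"VpcId": "vpc-prod", "ServiceName": "com.amazonaws.us-east-1.s3",
   "VpcEndpointType": "Gateway", "State": "available"},
  {"VpcId": "vpc-prod", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
   "VpcEndpointType": "Gateway", "State": "available"},
  {"VpcId": "vpc-dev", "ServiceName": "com.amazonaws.us-east-1.s3",
   "VpcEndpointType": "Interface", "State": "available"}]}""")
ADDRESSES = json.loads("""{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-1", "AssociationId": "eipassoc-1"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-2"},
  {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-3"}]}""")


def missing_gateway_endpoints(nat_gateways, vpc_endpoints):
    """Map each VPC with a live NAT Gateway to the free Gateway Endpoints it lacks."""
    live = {"pending", "available"}
    nat_vpcs = {n["VpcId"] for n in nat_gateways["NatGateways"] if n["State"] in live}
    present = {vpc: set() for vpc in nat_vpcs}
    for ep in vpc_endpoints["VpcEndpoints"]:
        # Only an available *Gateway* endpoint takes this traffic off the NAT at no
        # charge; an Interface endpoint for the same service is billed separately.
        if (ep["VpcId"] in present and ep["VpcEndpointType"] == "Gateway"
                and ep["State"].lower() == "available"):
            present[ep["VpcId"]].add(ep["ServiceName"].rsplit(".", 1)[-1])
    gaps = {v: sorted(set(FREE_GATEWAY_SERVICES) - have) for v, have in present.items()}
    return {vpc: missing for vpc, missing in gaps.items() if missing}


def idle_elastic_ips(addresses):
    """Elastic IPs without an AssociationId are allocated but attached to nothing."""
    idle = [a["PublicIp"] for a in addresses["Addresses"] if not a.get("AssociationId")]
    return idle, round(len(idle) * IPV4_MONTHLY, 2)


if __name__ == "__main__":
    print(missing_gateway_endpoints(NAT_GATEWAYS, VPC_ENDPOINTS))
    print(idle_elastic_ips(ADDRESSES))
```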

The Fixes: Quick Wins and Strategic Moves

Quick Wins (Do This Week)

1. Deploy S3 + DynamoDB Gateway Endpoints in every VPC with a NAT Gateway. Free. Zero downside. Eliminates per-GB NAT processing for the two most common services.
2. Release idle Elastic IPs. Each unused EIP costs $3.65/month. Most accounts have 5–20 lingering from decommissioned instances.
3. Move instances behind ALB/NLB instead of giving each one a public IP. One ALB replaces 10+ public IPs with 2–3.
4. Use SSM Session Manager for SSH access instead of public IPs on bastion hosts. Eliminates bastion IPv4 costs and improves security.
5. Delete idle load balancers from dev/staging environments. If it has zero healthy targets, it's burning $23/month for nothing.

Strategic Moves (This Quarter)

Evaluate IPv6 migration for internal services

IPv6 addresses are free on AWS. Internal microservices communicating over IPv6 eliminate IPv4 charges entirely. AWS ALB, NLB, and most managed services support dual-stack.

Put a CDN in front of everything public-facing

CloudFront egress is $0.085/GB (cheaper than direct egress) and reduces origin pulls. Cloudflare's free tier has zero egress fees. For API traffic, CloudFront supports dynamic content acceleration too.

Compress API responses and enable gzip/brotli

JSON API responses compress 70–90% with gzip. If you're serving 10TB/month of uncompressed API responses, compression reduces egress to 1–3TB — saving $630–$810/month.

Use S3 Transfer Acceleration or direct peering for high-volume transfers

For large data movements between clouds or regions, AWS Direct Connect ($0.02/GB) or dedicated interconnects are 80% cheaper than internet egress.

AZ-aware service mesh or topology-aware routing

Kubernetes topology-aware routing and service mesh AZ affinity keep traffic within the same AZ when possible. This can reduce cross-AZ transfer by 60–80% for microservice architectures.

Multi-Cloud Networking Cost Comparison (2026)

Every cloud provider charges for networking differently, but they all charge. Here's how the three majors compare:

Cost Category | AWS | Azure | GCP
Public IPv4 | $0.005/hr ($3.65/mo) | $0.004/hr ($2.92/mo)* | $0.004/hr ($2.92/mo)
NAT Gateway hourly | $0.045/hr | $0.045/hr | $0.044/hr
NAT data processing | $0.045/GB | $0.045/GB | $0.045/GB
Internet egress (first 10TB) | $0.09/GB | $0.087/GB | $0.12/GB (premium)
Cross-AZ / Cross-Zone | $0.01/GB each way | Free within region | $0.01/GB each way
Free gateway endpoints | S3, DynamoDB | Service Endpoints (free) | Private Google Access (free)

* Azure static public IP pricing varies by SKU and region. Prices shown are approximate for US regions as of Feb 2026. All clouds are converging toward similar pricing for public IPv4 as global address scarcity drives costs up.

Chef's Pro Tip

The biggest networking savings come from traffic you eliminate entirely, not traffic you make cheaper. Before optimizing egress pricing, ask: does this data actually need to leave the VPC? Does this service need a public IP? Does this cross-AZ call need to happen on every request?

Add a “networking cost review” step to your architecture review process. Catch public IPs, missing VPC endpoints, and unnecessary cross-AZ patterns before they deploy — not 6 months later in a cost audit.

The Bottom Line: 2026's Cost War Is About Networking

Compute optimization is mature. Most teams already use Savings Plans, right-size quarterly, and leverage Spot for stateless workloads. The next wave of cloud savings — the 15–25% that most organizations are still leaving on the table — is in networking.

IPv4 rent, NAT Gateway processing, egress fees, and cross-AZ transfer are the new “idle instances.” They're charges that accumulate silently, hide across multiple billing categories, and grow with every new service you deploy.

Start with the audit checklist above. Most teams find 10–30% networking waste within the first hour of looking. The fixes are often free (VPC endpoints), fast (releasing unused IPs), or architectural decisions you'd want to make anyway (CDN, compression, IPv6).
