Cloud Networking Basics: VPC, Load Balancers and Egress Costs (2026)
Last verified: June 29, 2026 · Format: Guide · Reviewed by TechJacks Cloud Infrastructure Team, AWS SAP-C02
Cloud networking is the hidden cost layer. Compute and storage have simple pricing pages; networking has a matrix of egress rates, peering charges, CDN cache fills, and transfer acceleration surcharges that can dwarf your storage bill. Understanding VPCs, security groups, load balancers, and the egress cost structure is a prerequisite for designing cost-predictable cloud workloads.
This guide walks through the core networking primitives step by step, compares egress pricing across AWS, Azure, and GCP with verified figures, and provides a decision tool for choosing the right connectivity option. All figures are from official documentation verified June 29, 2026.
Step 1: VPC and Subnets
A Virtual Private Cloud (VPC) is a logically isolated section of a cloud provider's network. You define CIDR IP ranges, create subnets across Availability Zones, attach internet gateways (for public internet access) and NAT gateways (for private instance outbound access), and set route tables controlling traffic flow.
AWS vs Azure vs GCP VPC model
AWS VPC: Regional scope. Each region gets its own VPC. To connect VPCs in different regions, use VPC Peering (incurs data transfer charges) or AWS Transit Gateway. Security is enforced via security groups (stateful, instance-level) and optional network ACLs (stateless, subnet-level). A newly created security group allows no inbound traffic and all outbound traffic; the default network ACL allows everything in both directions, so NACLs add protection only once you write deny rules, and because they are stateless you must also allow the ephemeral return ports.
Azure VNet: Regional scope. Uses Network Security Groups (NSGs) at the subnet or NIC level; when both are attached, traffic must pass both. Applications connect across VNets via VNet Peering. Azure Application Gateway is deployed into a dedicated subnet inside the VNet; Azure Load Balancer is a regional resource that fronts VMs or scale sets.
GCP VPC: Global scope: a single VPC spans all regions worldwide, isolated within projects; subnets are regional. Cross-project access requires Shared VPC or VPC Network Peering. Firewall rules are global resources of the VPC network and apply per instance (targeted by network tag or service account), not per subnet, so a regional outage does not change which rules are in force elsewhere. Standard tier traffic uses the public internet for part of its path; Premium tier routes traffic over Google's global backbone (charged at premium rates).
Step 2: Network Security
Cloud network security layers from outermost to innermost:
| Layer | AWS | Azure | GCP | Scope |
|---|---|---|---|---|
| Perimeter | AWS Shield + AWS WAF | Azure DDoS Protection + WAF (Front Door / Application Gateway) | Cloud Armor | DDoS + WAF |
| Subnet | Network ACL (stateless) | NSG (subnet-level) | None; VPC firewall rules are per network, targeted by tag or service account | Allow/deny by CIDR |
| Instance | Security Groups (stateful) | NSG (NIC-level) | VPC firewall rules (target tags / service accounts); hierarchical firewall policies at org or folder level | Port/protocol rules |
| Application | AWS WAF on ALB (+ optional mTLS) | Application Gateway WAF | Cloud Armor (attached to the external Application Load Balancer) | HTTP/HTTPS inspection |
Shared responsibility: In IaaS (VMs), you configure security groups, NSGs, firewall rules, and network segmentation. The provider secures the physical network and the virtualization layer (security "of" the cloud); what you allow through it is security "in" the cloud and is the customer's job. All three providers document this split in their shared responsibility models.
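The two layers above only matter together: a world-open security group on an instance in a private subnet is a misconfiguration, but not an exposure, while the same group on an instance in a public subnet is. The following is an added example, not code from the original guide, that combines route tables and security groups the way an auditor would. Input shapes follow the AWS describe-route-tables, describe-security-groups and describe-instances responses; the subnet, group and instance IDs, and the choice of 80/443 as the only acceptable world-open ports, are constructed assumptions for the example.

```python
"""Added example (not from the original guide): flag EC2 instances reachable from
the internet by combining the two layers described above.

An instance is internet-reachable only when BOTH hold:
  1. its subnet's route table has a 0.0.0.0/0 route to an internet gateway, and
  2. an attached security group allows ingress from 0.0.0.0/0 or ::/0.
Input shapes follow describe-route-tables / describe-security-groups /
describe-instances; all sample data below is constructed for this example.
"""
import ipaddress

SAFE_WORLD_PORTS = {80, 443}  # assumption: only public web ports may be world-open


def public_subnets(route_tables, subnet_ids):
    """Return the subnets whose effective route table sends 0.0.0.0/0 to an IGW.

    A subnet with no explicit association inherits the VPC's main route table,
    so a missing association does not mean 'no default route'.
    """
    def has_igw_default(rt):
        return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                   and str(r.get("GatewayId", "")).startswith("igw-")
                   for r in rt["Routes"])

    main_rt, explicit = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rt = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    public = set()
    for sid in subnet_ids:
        effective = explicit.get(sid, main_rt)
        if effective is not None and has_igw_default(effective):
            public.add(sid)
    return public


def world_open_rules(sg):
    """Return (protocol, from_port, to_port) for ingress rules whose source is any
    IPv4 or IPv6 address. Protocol '-1' with no ports means all traffic."""
    rules = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in sources):
            rules.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return rules


def exposed_instances(instances, route_tables, security_groups):
    """Map instance id -> world-open rules beyond SAFE_WORLD_PORTS, for instances in
    a public subnet. Instances in private subnets are skipped even if their groups
    are too permissive: fix those too, but they are not reachable from the internet."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    public = public_subnets(route_tables, {i["SubnetId"] for i in instances})
    findings = {}
    for inst in instances:
        if inst["SubnetId"] not in public:
            continue
        risky = []
        for ref in inst["SecurityGroups"]:
            for proto, lo, hi in world_open_rules(sg_by_id[ref["GroupId"]]):
                all_traffic = proto == "-1" or lo is None
                if all_traffic or not set(range(lo, hi + 1)) <= SAFE_WORLD_PORTS:
                    risky.append((proto, lo, hi))
        if risky:
            findings[inst["InstanceId"]] = risky
    return findings


# Constructed sample data: one subnet with an explicit IGW route, and one subnet
# that inherits the main table, whose default route goes to a NAT gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ssh-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-pub", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-bastion", "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-priv", "SecurityGroups": [{"GroupId": "sg-db-open"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-pub", "SecurityGroups": [{"GroupId": "sg-internal"}]},
]

if __name__ == "__main__":
    for iid, rules in exposed_instances(INSTANCES, ROUTE_TABLES, SECURITY_GROUPS).items():
        print(iid, rules)  # i-bastion [('tcp', 22, 22)]
```

Only i-bastion is reported: i-web is world-open on 443 only, i-app's group is restricted to the VPC CIDR, and i-db sits behind the NAT gateway, so its world-open 5432 rule is a finding for a separate "overly permissive group" check rather than an exposure. The same logic maps onto Azure (NSG rules plus a public IP or public load balancer on the NIC) and GCP (firewall rule targets plus an external address), with the provider's own describe calls supplying the input.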
Step 3: Load Balancers
Load balancers distribute traffic across compute targets and provide health checking, TLS termination, and sticky sessions. Each provider offers multiple types targeting different OSI layers. One consequence of terminating TLS at a Layer 7 balancer: the backend's TCP peer is the balancer, not the user. The original client address arrives only in the X-Forwarded-For header (Layer 7) or via Proxy Protocol (Layer 4), and since any upstream party can pre-fill X-Forwarded-For, only the entry appended by your own balancer can be trusted for rate limiting, allow-lists, or audit logs.
| Provider | Layer 7 (HTTP/S) | Layer 4 (TCP/UDP) | Global |
|---|---|---|---|
| AWS | Application Load Balancer (ALB) | Network Load Balancer (NLB) | Global Accelerator |
| Azure | Application Gateway | Azure Load Balancer | Traffic Manager (DNS-based), Azure Front Door (anycast, Layer 7) |
| GCP | External Application Load Balancer | External TCP/UDP NLB | Global External ALB (anycast) |
GCP's Global External Application Load Balancer uses anycast IP routing: a single IP routes to the nearest healthy backend globally. GCP documented up to a 10x reduction in network latency for high-traffic workloads using Cloud Load Balancing vs unoptimized routing. AWS Global Accelerator uses anycast IP addresses to route users to the nearest AWS edge entry point, then routes traffic over the AWS global backbone to the target region — eliminating public internet hops between edge and destination.
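Recovering the client address behind a Layer 7 balancer is where teams most often get this wrong: they read the first X-Forwarded-For entry, which the client controls. The following is an added example, not code from the original guide, showing the right-to-left walk that skips your own proxies. The TRUSTED_PROXIES ranges and the header values are constructed assumptions; in practice the ranges are the subnets your balancer or CDN nodes actually occupy.

```python
"""Added example (not from the original guide): recover the client address behind
a Layer 7 load balancer without trusting client-supplied X-Forwarded-For entries.

Each forwarding hop appends the address it saw to X-Forwarded-For, and the client
can pre-fill the header with anything. Only entries appended by proxies you run are
trustworthy, so walk the chain from the right, skip your own proxies, and take the
first address you did not add. TRUSTED_PROXIES is an assumption for the example.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fd00::/8")]


def _trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(xff_header, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the client IP as a string, or None if it cannot be established.

    remote_addr is the backend's TCP peer. If that peer is not one of our proxies,
    the request did not come through the balancer and the header is meaningless;
    the peer itself is the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry next to a trusted hop: fail closed, do not guess
        if not _trusted(ip, trusted):
            return str(ip)
    return None  # every entry is one of our proxies: the client address was never recorded


if __name__ == "__main__":
    # Client tried to spoof 1.2.3.4; the balancer (peer 10.0.3.4) appended the real 203.0.113.7.
    print(client_ip("1.2.3.4, 203.0.113.7", "10.0.3.4"))   # 203.0.113.7
    # Two layers of our own proxies (CDN at 10.0.9.9, then the balancer), then the client.
    print(client_ip("203.0.113.7, 10.0.9.9", "10.0.3.4"))  # 203.0.113.7
    # Direct hit on the backend bypassing the balancer: the header is ignored.
    print(client_ip("1.2.3.4", "198.51.100.9"))            # 198.51.100.9
```

The function fails closed (returns None) rather than falling back to the leftmost entry when the chain is malformed or consists only of trusted hops; callers that need an address for logging can record the raw header separately. For a Layer 4 balancer that preserves the source address or sends Proxy Protocol, the peer check alone is sufficient and the header walk is unnecessary.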
Step 4: CDN
Content Delivery Networks cache content at edge locations close to users, reducing origin egress costs and improving latency. Key CDN comparison:
| Provider | CDN service | Edge locations | S3/Origin cost |
|---|---|---|---|
| AWS | CloudFront | 750+ POPs + 15 regional edge caches | S3 → CloudFront is free (no origin egress) |
| Azure | Azure Front Door | Global PoPs | Storage egress to CDN charged at Azure bandwidth rates |
| GCP | Cloud CDN | Google's global peering POPs | Waives Cloud Storage data transfer charges; cache fill charges may apply |
AWS key differentiator: Data transferred from S3 to CloudFront is free; there is no S3 egress charge on that origin path. This is confirmed in the official AWS CloudFront and S3 pricing documentation. Note that CloudFront still bills its own data-transfer-out rate for the bytes it serves to viewers (beyond the CloudFront free tier), so the saving is the S3-to-internet rate on cache misses, not the whole delivery cost. If your primary workload is serving S3 objects to web users, CloudFront + S3 is the most cost-efficient origin delivery combination among the three providers compared here.
Step 5: Egress Costs
Egress (data leaving the cloud to the internet or another region) is where networking bills surprise teams. Ingress (data arriving) is almost always free across all providers.
| Route | AWS | Azure | GCP |
|---|---|---|---|
| To internet (0–10 TB) | ~$0.09/GB | ~$0.087/GB | $0.12/GiB (Premium tier internet egress, 0–10 TiB); Standard tier is priced lower (around $0.08/GiB from North America) |
| Cross-region (same provider) | $0.02/GB (most regions) | ~$0.02/GB | $0.02/GiB within N. America |
| To China (from N. America) | $0.12/GB+ | Tiered | $0.23/GiB (most expensive standard GCP route) |
| Free tier | 100GB/month aggregate | ~5GB/month | 1GB/month to internet |
| S3 → CloudFront | Free | N/A | Cloud Storage → CDN: Cloud Storage egress waived |
| Intra-region (cross-AZ gotcha) | Free within the same AZ; charged per GB in each direction across AZs | Free within a region (inter-AZ transfer is not billed) | Free within a zone; charged across zones in a region; region ≠ multi-region (see note below) |
GCP Standard tier carries outbound traffic over the public internet for part of its path and is only available with regional (not global) load balancing. Standard tier outbound is free up to 200 GB/month, but traffic takes longer, less-predictable paths. Premium tier routes all traffic over Google's private backbone from entry point to destination at the Premium rates shown in the table above. If latency consistency matters, use Premium tier and budget accordingly. Fix: Default new projects to Premium tier; revisit for batch/non-latency-sensitive workloads only.
A GCP region (e.g., us-east1) is NOT considered the same location as the US multi-region bucket, even if it's geographically within it. Data transfer between a regional resource and a multi-regional Cloud Storage bucket incurs transfer charges. Fix: Co-locate compute and storage in the same region (not multi-region) to avoid this charge, or use single-region storage with cross-region replication explicitly budgeted.
S3 Transfer Acceleration speeds uploads and downloads via CloudFront edge locations. It adds a $0.04/GB surcharge (US/Europe/Japan edge) or $0.08/GB (all other edge locations) on top of standard S3 data transfer rates. Fix: Use Transfer Acceleration only for large file uploads from distant geographic locations. For internal AWS transfers, use regular S3 endpoints.
Lambda data transfer within the same region to/from S3, DynamoDB, SES, SQS, Kinesis, ECR, and SNS is free. But cross-region Lambda data transfer is billed at standard EC2 data transfer rates, not at zero as many teams assume. Fix: Keep Lambda functions in the same region as the data sources they access. Explicitly budget cross-region data transfer if multi-region architecture is required.
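The table gives the rates; what it cannot tell you is which of your flows are hitting each one. The usual way to find out on AWS is to group VPC Flow Log bytes by where the destination lives. The following is an added example, not code from the original guide. The VPC CIDR, subnet-to-AZ map, ENI addresses, per-GB rates and log lines are all constructed for the example; in practice the maps come from describe-subnets and describe-network-interfaces, and the rates from the provider's current price list (cross-AZ and peering links are billed per GB per direction and are not in the table above).

```python
"""Added example (not from the original guide): attribute outbound bytes in AWS VPC
Flow Logs to the egress classes priced in the table above.

Flow logs carry no price, but they carry source, destination, direction and bytes.
Grouping ACCEPTed outbound flows by where the destination lives shows which path
(same-AZ, cross-AZ, peered/private, internet) is producing the bill. Every constant
and log line below is constructed for this example.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNET_AZ = {ipaddress.ip_network("10.0.1.0/24"): "us-east-1a",
             ipaddress.ip_network("10.0.2.0/24"): "us-east-1b"}
# ENI -> its private IP. Both ENIs of an intra-VPC flow log the same 5-tuple, so a
# record counts as outbound only when srcaddr is the logging ENI's own address;
# otherwise intra-VPC bytes are double-counted.
ENI_IP = {"eni-aaa": ipaddress.ip_address("10.0.1.10"),
          "eni-bbb": ipaddress.ip_address("10.0.2.20")}
# RFC 1918 / ULA space outside our VPC: peering, VPN or Transit Gateway destinations.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# USD per GB, assumed for the example; confirm against the current price list.
RATES_PER_GB = {"same-az": 0.00, "cross-az": 0.01, "cross-vpc-private": 0.02, "internet": 0.09}

FIELDS = ("version account interface srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action status").split()


def az_of(ip):
    return next((az for net, az in SUBNET_AZ.items() if ip in net), None)


def classify(eni, src, dst):
    """Egress class for one record, or None when it is not an outbound flow of ours."""
    if ENI_IP.get(eni) != src:
        return None                        # inbound (or unknown ENI): ingress is free
    if dst in VPC_CIDR:
        return "same-az" if az_of(src) == az_of(dst) else "cross-az"
    if any(dst in net for net in PRIVATE_RANGES):
        return "cross-vpc-private"
    return "internet"


def egress_bytes(records):
    """Sum bytes per egress class over default-format (version 2) flow-log lines."""
    totals = defaultdict(int)
    for line in records:
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("status") != "OK" or rec.get("action") != "ACCEPT":
            continue                       # NODATA/SKIPDATA rows carry '-' placeholders
        cls = classify(rec["interface"], ipaddress.ip_address(rec["srcaddr"]),
                       ipaddress.ip_address(rec["dstaddr"]))
        if cls:
            totals[cls] += int(rec["bytes"])
    return dict(totals)


def estimate_cost(totals, rates=RATES_PER_GB, gb=1024 ** 3):
    """USD per class; 1 GB taken as 2^30 bytes, which is how the AWS bill counts it."""
    return {cls: b / gb * rates[cls] for cls, b in totals.items()}


# Constructed sample records: a cross-AZ DB flow seen at both ENIs, a 500 MiB
# internet upload, a same-AZ flow, a flow to a peered VPC, an inbound reject,
# and a NODATA row.
SAMPLE_LOG = [
    "2 123456789012 eni-aaa 10.0.1.10 10.0.2.20 44321 5432 6 10 1048576 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-bbb 10.0.1.10 10.0.2.20 44321 5432 6 10 1048576 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaa 10.0.1.10 203.0.113.50 51000 443 6 200 524288000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaa 10.0.1.10 10.0.1.11 51001 8080 6 20 2097152 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaa 10.0.1.10 172.16.5.5 51002 9092 6 30 3145728 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaa 198.51.100.7 10.0.1.10 40000 22 6 1 4096 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-ccc - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    totals = egress_bytes(SAMPLE_LOG)
    for cls, cost in estimate_cost(totals).items():
        print(f"{cls:18} {totals[cls]:>12} bytes  ${cost:.4f}")
```

Two details carry the value here. The ENI ownership check prevents the classic double count of intra-VPC traffic (the second sample line is the same flow logged at the receiving ENI and is dropped). And destinations are matched against RFC 1918 ranges explicitly rather than Python's `is_private`, which also treats documentation ranges such as 203.0.113.0/24 as non-global. Azure NSG flow logs and GCP VPC Flow Logs carry the same fields under different names, so the classification is portable even though the rates are not.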
Step 6: Hybrid Connectivity
Hybrid connectivity links your on-premises data center to the cloud via private network connections, bypassing the public internet. Options range from site-to-site VPN (cheaper, variable latency) to dedicated physical circuits (higher cost, predictable latency).
| Provider | VPN option | Dedicated circuit | Edge/telecom |
|---|---|---|---|
| AWS | AWS Site-to-Site VPN | AWS Direct Connect (private, bypasses internet) | AWS Outposts (on-prem), AWS Wavelength (telco edge) |
| Azure | Azure VPN Gateway | Azure ExpressRoute (fast, reliable, private physical) | Azure Stack (on-prem hybrid) |
| GCP | Cloud VPN (on-demand, HA VPN available) | Cloud Interconnect (Dedicated: 10G/100G), Partner Interconnect | Google Distributed Cloud (on-prem/edge). Cloud NAT is GCP's NAT-gateway equivalent for private instances, not an edge product |
Dedicated circuit connections (Direct Connect, ExpressRoute, Cloud Interconnect) provide:
- Lower and more consistent latency than site-to-site VPN over the internet
- Dedicated port bandwidth (typically 10 Gbps or 100 Gbps ports; hosted and partner connections are sold in smaller increments)
- Typically lower data transfer rates than internet egress pricing
- Compliance benefits: traffic stays off the public internet. Caveat: a dedicated circuit is private, not encrypted; if a control requires encryption in transit, enable MACsec on the port (all three providers offer it on supported port speeds) or run an IPsec VPN over the circuit.
Pricing for dedicated circuits varies significantly by port speed and colocation facility, so this guide gives no fixed price for Direct Connect, ExpressRoute, or Cloud Interconnect. Verify against the provider's current pricing calculator and your colocation provider's cross-connect fees.
AWS, Amazon CloudFront, Direct Connect, and Outposts are trademarks of Amazon Web Services, Inc. Microsoft Azure and ExpressRoute are trademarks of Microsoft Corporation. Google Cloud Platform and Cloud Interconnect are trademarks of Google LLC. Networking and egress pricing sourced from official documentation June 2026. Verify current pricing at each provider's live pricing pages before budgeting.