
Cloud Networking Basics: VPC, Load Balancers and Egress Costs (2026)

Last verified: June 29, 2026  ·  Format: Guide  ·  Reviewed by TechJacks Cloud Infrastructure Team, AWS SAP-C02

Key figures (all from AWS and GCP official documentation, June 2026):

  • 39: AWS regions, with 123 Availability Zones and 750+ CloudFront POPs globally (AWS)
  • Free: S3 to CloudFront data transfer carries no egress charge on that path (AWS)
  • 10x: latency reduction GCP documents for Cloud Load Balancing vs unoptimized high-traffic workloads (GCP)
  • $0.23: GCP egress rate per GiB to China, the most expensive standard egress destination (GCP)

Cloud networking is the hidden cost layer. Compute and storage have simple pricing pages; networking has a matrix of egress rates, peering charges, CDN cache fills, and transfer acceleration surcharges that can dwarf your storage bill. Understanding VPCs, security groups, load balancers, and the egress cost structure is a prerequisite for designing cost-predictable cloud workloads.

This guide walks through the core networking primitives step by step, compares egress pricing across AWS, Azure, and GCP with verified figures, and provides a decision tool for choosing the right connectivity option. All figures are from official documentation verified June 29, 2026.



Step 1: VPC and Subnets

A Virtual Private Cloud (VPC) is a logically isolated section of a cloud provider's network. You define CIDR IP ranges, create subnets across Availability Zones, attach internet gateways (for public internet access) and NAT gateways (for private instance outbound access), and set route tables controlling traffic flow.

  1. Define your CIDR block. Choose a private IP range (e.g., 10.0.0.0/16). A /16 gives 65,536 IP addresses. Plan carefully: VPC CIDR blocks cannot easily be changed after creation without rebuilding the network.
  2. Create subnets across Availability Zones. Divide your CIDR into subnets across at least 2 AZs for availability. Public subnets have a route to an internet gateway; private subnets route outbound traffic through a NAT gateway. Databases and application tiers go in private subnets.
  3. Attach internet and NAT gateways. An internet gateway enables inbound and outbound internet access for public subnet resources. A NAT gateway lets private subnet resources initiate outbound internet connections without exposing them inbound. NAT gateways cost money; AWS charges hourly plus per-GB processed.
  4. Configure route tables. Each subnet is associated with a route table. Public subnet route table: 0.0.0.0/0 → igw-*. Private subnet route table: 0.0.0.0/0 → nat-*. Routes within the VPC CIDR are local and automatic.

AWS vs Azure vs GCP VPC model

AWS VPC: Regional scope. Each region gets its own VPC. To connect VPCs in different regions, use VPC Peering (incurs data transfer charges) or AWS Transit Gateway. Security is enforced via security groups (stateful, instance-level) and optional network ACLs (stateless, subnet-level).

Azure VNet: Regional scope. Uses Network Security Groups (NSGs) at the subnet or NIC level. Applications connect across VNets via VNet Peering. Azure Application Gateway and Azure Load Balancer sit at the VNet perimeter.

GCP VPC: Global scope. A single VPC spans all regions worldwide, isolated within a project. Cross-project access requires Shared VPC or VPC Network Peering. GCP's global firewall rules are stored in replicated databases to avoid dependencies on any single region. Standard tier traffic uses the public internet; Premium tier routes traffic over Google's global backbone (charged at premium rates).



Step 2: Network Security

Cloud network security layers from outermost to innermost:

Layer       | AWS                        | Azure                   | GCP                     | Scope
------------|----------------------------|-------------------------|-------------------------|----------------------
Perimeter   | AWS Shield + WAF           | Azure DDoS Protection   | Cloud Armor             | DDoS + WAF
Subnet      | Network ACL (stateless)    | NSG (subnet-level)      | Firewall Rules          | Allow/deny by CIDR
Instance    | Security Groups (stateful) | NSG (NIC-level)         | Firewall Policies       | Port/protocol rules
Application | ALB WAF + mTLS             | Application Gateway WAF | Cloud Armor + Cloud Run | HTTP/HTTPS inspection

Shared responsibility: In IaaS (VMs), you are responsible for configuring security groups, NSGs, and network segmentation. The cloud provider manages the physical network (security of the cloud); security in the cloud is the customer's job. This is explicitly documented in the AWS, Azure, and GCP shared responsibility models and verified against official vendor documentation.



Step 3: Load Balancers

Load balancers distribute traffic across compute targets and provide health checking, SSL termination, and sticky sessions. Each provider offers multiple types targeting different OSI layers.

Provider | Layer 7 (HTTP/S)                   | Layer 4 (TCP/UDP)             | Global
---------|------------------------------------|-------------------------------|-----------------------------
AWS      | Application Load Balancer (ALB)    | Network Load Balancer (NLB)   | Global Accelerator
Azure    | Application Gateway                | Azure Load Balancer           | Traffic Manager (DNS-based)
GCP      | External Application Load Balancer | External TCP/UDP NLB          | Global External ALB (anycast)

GCP's Global External Application Load Balancer uses anycast IP routing: a single IP routes to the nearest healthy backend globally. GCP documented up to a 10x reduction in network latency for high-traffic workloads using Cloud Load Balancing vs unoptimized routing. AWS Global Accelerator uses anycast IP addresses to route users to the nearest AWS edge entry point, then routes traffic over the AWS global backbone to the target region — eliminating public internet hops between edge and destination.



Step 4: CDN

Content Delivery Networks cache content at edge locations close to users, reducing origin egress costs and improving latency. Key CDN comparison:

Provider | CDN service      | Edge locations                         | S3/Origin cost
---------|------------------|----------------------------------------|------------------------------------------------------------------
AWS      | CloudFront       | 750+ POPs + 15 regional edge caches    | S3 → CloudFront is free (no origin egress)
Azure    | Azure Front Door | Global PoPs                            | Storage egress to CDN charged at Azure bandwidth rates
GCP      | Cloud CDN        | Google's global peering POPs           | Waives Cloud Storage data transfer charges; cache fill charges may apply

AWS key differentiator: Data transferred from AWS S3 to CloudFront is free, with no egress charge on that specific path. This is confirmed in the official AWS CloudFront and S3 pricing documentation. If your primary workload is serving S3 objects to web users, CloudFront + S3 is the most cost-efficient origin delivery combination in the market.



Step 5: Egress Costs

Egress (data leaving the cloud to the internet or another region) is where networking bills surprise teams. Ingress (data arriving) is almost always free across all providers.

Route                        | AWS                                   | Azure              | GCP
-----------------------------|---------------------------------------|--------------------|-------------------------------------------------------------------------------------------------
To internet (0–10 TB)        | ~$0.09/GB                             | ~$0.087/GB         | $0.12/GiB (Premium internet egress, 0–10 TiB); inter-region within N. America from $0.08/GiB
Cross-region (same provider) | $0.02/GB (most regions)               | ~$0.02/GB          | $0.02/GiB within N. America
To China (from N. America)   | $0.12/GB+                             | Tiered             | $0.23/GiB (most expensive standard GCP route)
Free tier                    | 100GB/month aggregate                 | ~5GB/month         | 1GB/month to internet
S3 → CloudFront              | Free                                  | N/A                | Cloud Storage → CDN: Cloud Storage egress waived
Intra-region gotcha          | Free within same AZ, charged cross-AZ | Free within region | Region ≠ multi-region; transfer charges apply between them

GCP Standard tier: what's actually routed on the public internet

GCP Standard tier carries outbound traffic over the public internet for part of its path. Standard tier outbound is free up to 200 GB/month but traffic takes longer, less-predictable paths. Premium tier routes all traffic over Google's private backbone from entry point to destination, starting at $0.08/GiB. If latency consistency matters, use Premium tier and budget accordingly. Fix: Default new projects to Premium tier; revisit for batch/non-latency-sensitive workloads only.

GCP multi-region ≠ region: transfer charges apply between them

A GCP region (e.g., us-east1) is NOT considered the same location as the US multi-region bucket, even if it's geographically within it. Data transfer between a regional resource and a multi-regional Cloud Storage bucket incurs transfer charges. Fix: Co-locate compute and storage in the same region (not multi-region) to avoid this charge, or use single-region storage with cross-region replication explicitly budgeted.

AWS S3 Transfer Acceleration: $0.04–$0.08/GB surcharge on top of standard transfer

S3 Transfer Acceleration speeds uploads and downloads via CloudFront edge locations. It adds a $0.04/GB surcharge (US/Europe/Japan edge) or $0.08/GB (all other edge locations) on top of standard S3 data transfer rates. Fix: Use Transfer Acceleration only for large file uploads from distant geographic locations. For internal AWS transfers, use regular S3 endpoints.

Lambda cross-region data transfer: billed at EC2 data transfer rates

Lambda data transfer within the same region to/from S3, DynamoDB, SES, SQS, Kinesis, ECR, and SNS is free. But cross-region Lambda data transfer is billed at standard EC2 data transfer rates, not at zero as many teams assume. Fix: Keep Lambda functions in the same region as the data sources they access. Explicitly budget cross-region data transfer if multi-region architecture is required.
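The AWS rules from the table and the gotchas above (S3 → CloudFront free, same-region Lambda peers free, cross-region Lambda billed at EC2 rates, the 100 GB/month aggregate free tier, cross-AZ charged), applied to a constructed list of transfers as an added example that is not code from this guide or from AWS. The cross-AZ rate is not stated on this page, so it is a labelled placeholder.

```python
from dataclasses import dataclass

# Constructed example: classify AWS data transfers with the rules this guide
# lists and estimate the monthly bill. Rates are the guide's June 2026 figures;
# cross-AZ is charged but unpriced on the page, so its rate is a 0.0 placeholder.
RATES = {"internet": 0.09, "cross-region": 0.02,   # $/GB
         "cross-az": 0.0,                          # placeholder, price manually
         "free": 0.0}
FREE_TIER_INTERNET_GB = 100          # aggregate free internet egress per month
LAMBDA_FREE_PEERS = {"s3", "dynamodb", "ses", "sqs", "kinesis", "ecr", "sns"}

@dataclass
class Transfer:
    src: str            # sending service, e.g. "lambda", "s3", "ec2"
    dst: str            # receiving service, or "internet"
    src_region: str
    dst_region: str
    gb: float
    src_az: str = ""    # only needed for the same-region cross-AZ check
    dst_az: str = ""

def classify(t: Transfer) -> str:
    if t.dst == "internet":
        return "internet"
    if t.src == "s3" and t.dst == "cloudfront":
        return "free"                     # no egress charge on this path
    if t.src_region != t.dst_region:
        return "cross-region"             # Lambda is NOT exempt across regions
    if t.src == "lambda" and t.dst in LAMBDA_FREE_PEERS:
        return "free"                     # same-region Lambda to listed services
    if t.src_az and t.dst_az and t.src_az != t.dst_az:
        return "cross-az"
    return "free"                         # same region, same AZ

def monthly_bill(transfers):
    """Return (total_dollars, [(kind, cost), ...]); free tier applies to internet egress only."""
    free_left = FREE_TIER_INTERNET_GB
    total, breakdown = 0.0, []
    for t in transfers:
        kind = classify(t)
        gb = t.gb
        if kind == "internet":
            gb = max(0.0, t.gb - free_left)
            free_left = max(0.0, free_left - t.gb)
        cost = round(gb * RATES[kind], 2)
        total += cost
        breakdown.append((kind, cost))
    return round(total, 2), breakdown
```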



Step 6: Hybrid Connectivity

Hybrid connectivity links your on-premises data center to the cloud via private network connections, bypassing the public internet. Options range from site-to-site VPN (cheaper, variable latency) to dedicated physical circuits (higher cost, predictable latency).

Provider | VPN option                           | Dedicated circuit                                                | Edge/telecom
---------|--------------------------------------|------------------------------------------------------------------|--------------------------------------------------------
AWS      | AWS Site-to-Site VPN                 | AWS Direct Connect (private, bypasses internet)                  | AWS Outposts (on-prem), AWS Wavelength (telco edge)
Azure    | Azure VPN Gateway                    | Azure ExpressRoute (fast, reliable, private physical)            | Azure Stack (on-prem hybrid)
GCP      | Cloud VPN (on-demand, HA-VPN available) | Cloud Interconnect (Dedicated: 10G/100G), Partner Interconnect | Cloud NAT (private instances to internet)

Dedicated circuit connections (Direct Connect, ExpressRoute, Cloud Interconnect) provide:

  • Lower and more consistent latency than site-to-site VPN over the internet
  • Guaranteed bandwidth (10 Gbps or 100 Gbps ports)
  • Typically lower data transfer rates than internet egress pricing
  • Compliance benefits: data never crosses the public internet

Pricing for dedicated circuits varies significantly by bandwidth and colocation location; never state a fixed price for Direct Connect, ExpressRoute, or Cloud Interconnect. Always verify against the provider's current pricing calculator and your specific colocation provider's cross-connect fees.



Test Your Knowledge

Cloud Networking Quiz
Three levels: Quick check · Deep dive · Mastery

Quick check
Q1. Data transferred from AWS S3 to CloudFront is billed at what rate?
Q2. GCP VPC scope differs from AWS and Azure in what way?
Q3. In IaaS (VMs), who is responsible for configuring security groups and NSGs?

Deep dive
Q1. Your Lambda function in us-east-1 queries DynamoDB in us-west-2. How is data transfer billed?
Q2. You use S3 Multi-Region Access Points to route requests within AWS. What is the routing fee?
Q3. A GCP resource in us-east1 reads from a US multi-region Cloud Storage bucket. Is transfer charged?

Mastery
Q1. You upload 500GB to S3 from Tokyo using S3 Transfer Acceleration (US edge). Surcharge on top of standard data transfer?
Q2. GCP egress to N. America within N. America is $0.02/GiB. How much to send 10TiB within N. America?
Q3. Which private connection bypasses the public internet entirely and provides dedicated bandwidth to Azure?

AWS, Amazon CloudFront, Direct Connect, and Outposts are trademarks of Amazon Web Services, Inc. Microsoft Azure and ExpressRoute are trademarks of Microsoft Corporation. Google Cloud Platform and Cloud Interconnect are trademarks of Google LLC. Networking and egress pricing sourced from official documentation June 2026. Verify current pricing at each provider's live pricing pages before budgeting.
