By Lionel David, Solutions Architect

Get more efficient and secure AWS DGW connectivity by understanding the provider's Data Transfer Outbound requirements.

As hybrid and cloud-native architectures have become commonplace, efficient and secure connectivity between on-premises data centers and the cloud is more crucial than ever.

For organizations using AWS, connecting through a Direct Connect link simplifies and centralizes network connections across multiple regions thanks to its Direct Connect Gateway (DGW) component.

But while the benefits of using this service—such as reduced latency, increased security, and high-speed connectivity—are clear, understanding the costs associated with data transfer is essential to optimizing your cloud architecture.

In this blog post, we’ll explain the intricacies of AWS Direct Connect Gateway and explore the often-overlooked area of Data Transfer Out (DTO) charges. From the impact of AWS Region locations to the different types of Virtual Interfaces (VIFs) available, we’ll help you navigate the complexities of AWS network pricing and ensure you’re making the most cost-effective decisions for your cloud infrastructure.

AWS Direct Connect Gateway overview

The AWS Direct Connect Gateway is a networking service that simplifies and centralizes connectivity between an on-premises data center or remote network and multiple Virtual Private Clouds (VPCs) in AWS. It allows you to establish connections to VPCs in different AWS Regions using a single Direct Connect location, eliminating the need for multiple physical connections to each Region.

An AWS Direct Connect location is a physical data center or colocation facility where AWS has established a presence to provide access to its Direct Connect service. These locations serve as the on-ramp for setting up a private, high-bandwidth, low-latency connection between your on-premises network and AWS.

At a Direct Connect location, you can set up:

• Dedicated connections: A physical port is assigned exclusively to your organization.
• Partner connections: A third-party AWS Direct Connect Partner manages the connection on your behalf, often aggregating multiple customers.

A Direct Connect Gateway is not tied to a specific region; it’s designed to improve the flexibility and scalability of Direct Connect by serving as a central hub for managing network connections and extending connectivity to VPCs across multiple regions.

The Direct Connect Gateway acts as a centralized network aggregation point, enabling you to securely connect to multiple VPCs across different AWS Regions using private connectivity that bypasses the public internet. Functionally, it is a highly resilient, software-defined networking component, not a physical router or switch – but it serves a similar purpose in routing traffic between AWS and your on-premises network.

By leveraging dedicated, high-speed connections of up to 100 Gbps, the Direct Connect Gateway ensures consistent, low-latency performance suitable for bandwidth-intensive workloads such as data replication, real-time analytics, and hybrid cloud applications.

Designed with high availability and fault tolerance, the Direct Connect Gateway operates in multiple AWS Availability Zones, ensuring no single point of failure. Additionally, it supports features such as BGP routing, allowing for dynamic route exchanges between your network and AWS.

This gateway is particularly useful for hybrid cloud architectures, as it facilitates seamless integration between on-premises networks and the AWS cloud. It also supports multi-region deployments, allowing organizations to connect to VPCs located anywhere globally within their AWS accounts or through shared access via AWS Resource Access Manager.

By using a Direct Connect Gateway you can centralize network management, reduce the number of physical connections needed, and streamline access to resources hosted in multiple AWS Regions.

A VIF in AWS Direct Connect is a logical connection that enables communication between an on-premises network and AWS resources. Three types of VIFs can be used in AWS Direct Connect:

• Private VIF is used for private communication between your on-premises network and VPCs, allowing access to private resources via private IPs. Natively, you can interconnect up to 10 VPCs (through Virtual Private Gateway/VGW) to a Direct Connect Gateway, but you can also choose to connect to a single VPC and not use a Direct Connect Gateway.
• Public VIF enables access to AWS public services like S3 or DynamoDB using public IPs, bypassing the public internet but not connecting to private VPC subnets. In this case, a Direct Connect Gateway is only requested if you want to connect to these services in multiple regions.
• Transit VIF connects to AWS Transit Gateways. If you need to connect above 10 VPCs to your environment or need to enable traffic between VPC, this is the VIF you need.

Regardless of the type of Virtual Interface (VIF) in use—private, public, or transit—data transfer out charges apply for any data sent from AWS to your on-premises network.

What are Data Transfer Outbound charges?

Data Transfer Outbound (DTO) charges in AWS refer to the cost of transferring data from AWS resources to destinations outside the AWS cloud, such as your on-premises network or external systems.

These charges apply when using services like AWS Direct Connect to facilitate private network connections. For Direct Connect, the charges are based on the amount of data that leaves AWS through the Direct Connect connection.

The cost is determined by factors such as the AWS Region, the Direct Connect location, and whether the connection is between Regions.

Typically, data ingress (data coming into AWS) is free, but DTO is billed per GB of data transferred out. Using Direct Connect for DTO is generally more cost-effective compared to transferring data over the public internet.

It’s worth mentioning here that DTO applies regardless of whether you connect via VPN to your VPCs through the internet or you connect through private connectivity with a Direct Connect (Direct or Partner). But the charges will be around 66% lower with Direct Connect compared to the internet.

The below diagram is an example of the cost difference for Europe (each AWS pricing zone may have different costs).

How does the Direct Connect location affect DTO charges?

When determining DTO costs, the location of the Direct Connect physical location and the AWS Region hosting the VPCs are key factors. The charges depend on whether the Direct Connect location and the AWS Region are in the same AWS pricing region or in different AWS pricing regions.

As explained in the AWS Direct Connect pricing page and shown in the table ‘Data transfer from AWS Region or Local Zone’, “If you are using an AWS Direct Connect gateway, you will pay applicable DTO data rates based on the AWS Region that is the source of the traffic and AWS Direct Connect location where it is connected.”

1. Same AWS pricing region
   • If your Direct Connect location and VPC’s AWS Region are in the same AWS pricing region (e.g. both in Europe), the data transfer charges are typically the same, even if the Direct Connect location and VPC are in different cities within that region.
   • For example, transferring data from a VPC in “Europe (Ireland)” to a Direct Connect location in “Europe (Frankfurt)” costs $0.0200 per GB, the same as if the Direct Connect location and the VPC were in the same city or metro zone.

     

2. Different AWS pricing regions
   • If your Direct Connect location and the AWS Region hosting your VPCs are in different AWS pricing regions (e.g. your Direct Connect location is in “North America” and your VPC is in “Europe”), a surcharge is added to the data transfer costs. This surcharge reflects the added complexity of routing traffic between pricing regions using AWS’s global infrastructure.

     

The difference between DTO and inter-region charges

DTO charges for Direct Connect are not the same as inter-region data transfer charges. Inter-region charges apply when data moves between VPCs in different AWS Regions (e.g. “US East (N. Virginia)” to “US West (Oregon)”) over the AWS backbone.

In contrast, Direct Connect DTO charges specifically cover the cost of transferring data from AWS to your on-premises location. They also depend on the Region-to-Direct Connect location relationship as explained above and available on the AWS Direct Connect pricing page, in the table “Data transfer out (DTO) pricing for AWS Direct Connect”.

Conclusion

In summary, DTO charges for Direct Connect depend on the proximity of the Direct Connect location to the AWS Region hosting your resources. When both are within the same pricing region, the costs are the same as if they were in the same metro zone. If they are in different pricing regions, a surcharge is added, but this is distinct from inter-Region egress charges typically seen in VPC-to-VPC communication.

Additionally, leveraging a Direct Connect Partner can provide substantial advantages including access from a broader range of data centers, and provides finer granularity in bandwidth selection leading to money savings, allowing organizations to optimize costs and performance more effectively.

Megaport, with its extensive network of on-ramps to AWS across numerous regions worldwide, simplifies the process of establishing robust and flexible cloud connectivity. This global reach and flexibility makes it easier than ever for businesses to achieve their hybrid cloud goals while maintaining cost efficiency and scalability.

For further details, you can refer to:

• AWS Direct Connect pricing
• AWS Direct Connect Gateway documentation
• AWS blog on Direct Connect multi-account pricing​
• AWS Direct Connect Whitepaper.