惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
Scott Helme
Scott Helme
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Stack Overflow Blog
Stack Overflow Blog
Forbes - Security
Forbes - Security
T
The Blog of Author Tim Ferriss
Y
Y Combinator Blog
S
Schneier on Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
N
News | PayPal Newsroom
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Project Zero
Project Zero
Cyberwarzone
Cyberwarzone
Vercel News
Vercel News
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
Google Online Security Blog
Google Online Security Blog
Simon Willison's Weblog
Simon Willison's Weblog
MongoDB | Blog
MongoDB | Blog
Martin Fowler
Martin Fowler
T
Tenable Blog
I
InfoQ
W
WeLiveSecurity
Google DeepMind News
Google DeepMind News
G
Google Developers Blog
D
DataBreaches.Net
博客园 - Franky
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
S
Security @ Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
J
Java Code Geeks
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Full Disclosure
C
Cisco Blogs
Google DeepMind News
Google DeepMind News
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Cloudflare Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
I
Intezer
The GitHub Blog
The GitHub Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
F
Fortinet All Blogs
Jina AI
Jina AI
V
Visual Studio Blog
L
LINUX DO - 热门话题
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Egress Bill: Why Your Multi-Region FinOps Plan Misses $40k/Month
Muskan · 2026-05-05 · via DEV Community

Muskan

The Egress Bill: Why Your Multi-Region FinOps Plan Misses $40k/Month

Multi-region is the architecture default for serious SaaS in 2026. The justification is real: disaster recovery, latency, sovereignty. The cost is hidden in the bill under "data transfer" and "regional traffic" and gets zero attention because no engineer "owns" data transfer the way they own compute or storage.

A multi-region SaaS spending $200,000 per month on AWS pays $30,000-$50,000 of that bill on data transfer alone. Most of it is AZ-to-AZ replication for stateful systems, plus cross-region database read replicas, plus chatty service-to-service calls that should have stayed regional. The compute team optimizes compute. The storage team optimizes storage. The egress bill keeps growing because it sits in the gap between teams.

FinOps is the engineering practice of bringing financial accountability to variable cloud spend by aligning engineering, finance, and product on continuous cost decisions, per the FinOps Foundation. Applied to egress, the practice has four levers: replication topology, service placement, observability routing, and endpoint coverage. This piece covers each in order of typical impact.

Why the Egress Bill Stays Hidden

The egress bill is invisible because no one team owns data transfer. Compute is owned by the team running the service. Storage is owned by the team that picked the bucket. Data transfer is the result of a thousand independent decisions about where services live, how they communicate, and what their replication policies are. Without a single owner, optimization stalls.

The bill grows organically. Adding a region for compliance adds 10-20% to data transfer. Adding a third microservice that calls the existing two crosses an AZ boundary. Adding observability for the new feature ships another 200GB/day to the central region. Each decision is locally rational. Aggregated, they are the line item nobody can explain.

This pattern works when the team has a designated "platform" or "infrastructure" owner for egress. It breaks when egress is treated as an emergent property of architecture decisions, because by the time the bill grows large enough to investigate, the architectural choices that drove it are already deeply embedded.

The Pricing Gradient: Free to Brutal

AWS, GCP, and Azure all use a four-tier model. Movement within the smallest scope (a single AZ) is free or near-free. Each step out — across AZ, across region, across the public internet — adds an order of magnitude to the cost.

Path AWS GCP Azure
Intra-AZ / intra-zone Free Free Free
Cross-AZ / cross-zone (same region) $0.01/GB each direction $0.01/GB $0.01/GB
Cross-region (same continent) $0.02/GB $0.02/GB $0.02/GB
Public internet egress (first 10TB/month) $0.09/GB $0.12/GB (premium tier) $0.087/GB
Public internet egress (>500TB/month) $0.05/GB $0.08/GB $0.05/GB

diagram

The same 10TB of monthly traffic costs $0 intra-AZ, $200 cross-AZ round-trip, $200 cross-region one-way, or $900 to the public internet. The architectural decision of where to place a service and which path its traffic takes drives a 100x cost gap on identical bytes.

Replication Topology: Where the Big Money Hides

Cross-AZ and cross-region replication for stateful systems is the largest waste category. Multi-AZ Postgres or MySQL with synchronous replication doubles every write's egress cost. Cross-region read replicas for global services multiply it again.

A 1TB write workload on synchronous multi-AZ Postgres pays $20/month in cross-AZ replication for the second AZ alone. Add a third AZ for the recommended HA pattern, $40/month. Add a cross-region read replica in another continent, $200/month for the cross-continent egress. The same write workload on a single-AZ primary with async cross-AZ replicas pays near zero, at the cost of recovery point objective (RPO) increasing from 0 seconds to roughly 30 seconds during a failover.

diagram

Cross-region replicas for analytics workloads are the easiest fix. Real-time replicas only justify themselves for transactional read paths where latency-to-source matters. Analytics workloads accept a one-day staleness for a 70-90% lower egress cost, by replacing real-time replication with S3 Cross-Region Replication snapshots that refresh nightly.

Replication topology 1TB write workload, 2 replica regions, monthly egress
Synchronous multi-region active-active $400 (two cross-region copies of every write)
Single primary + sync multi-AZ + async cross-region $40 (cross-AZ only, async cross-region)
Single primary + async multi-AZ + nightly snapshot to other region $5 (snapshot deltas only)
Single-AZ primary, snapshots only $0

The right topology depends on RPO, recovery time objective (RTO), and read locality requirements. Most teams default to the most expensive option (active-active sync) because it sounds safest. The right answer for most workloads is the second or third row.

This pattern works when the team can classify workloads by RPO/RTO. It breaks when every workload is treated as critical because nobody wants to be the one who downgrades replication. The fix is an explicit per-workload classification with sign-off from the workload owner.

Service Placement: Topology-Aware Routing

The microservices version of the same problem. A 30-service architecture deployed naively across AZs (Kubernetes scheduling pods wherever capacity exists) generates 5-10TB/month of cross-AZ service-to-service traffic. At $0.02/GB round-trip, that is $100-$200/month, scaling linearly with service count and traffic.

Topology-aware routing keeps 70-80% of traffic intra-AZ at zero cost. The pattern: services prefer in-AZ peers when available, fall through to cross-AZ only when capacity demands. Kubernetes supports this via topologyKeys on services and pod-anti-affinity for replicas.

diagram

The trade-off is uneven load distribution across AZs. Topology-aware routing assumes services have enough capacity in each AZ to handle local demand. For services with low replica counts (1-2 replicas total), forcing in-AZ traffic produces hot AZs and idle AZs. The fix is a minimum replica count of 3 (one per AZ) for any service that participates in topology-aware routing.

Architecture Cross-AZ traffic Monthly cost (10TB total)
30 services, naive scheduling 50% cross-AZ $100 cross-AZ
30 services, topology-aware 25% cross-AZ $50 cross-AZ
30 services, single-AZ deployment 0% cross-AZ $0 (but no AZ HA)

This pattern works for stateless services where any replica can serve any request. It breaks for sticky-session workloads where requests must land on a specific replica, because topology-aware routing then competes with session affinity.

Observability Routing: The Quiet Egress Tax

Observability data shipping is 30% of egress in many setups, per the FinOps Foundation 2026 observability report. Every region's logs, metrics, and traces ship to a central observability vendor, and most teams never measure how much that costs in egress alone.

The default deployment of any observability agent (Datadog, New Relic, Splunk, Honeycomb) is "ship every event to the vendor's endpoint." If the vendor's region differs from where the workload runs (which it almost always does in multi-region setups), every byte crosses regions. A 5-region deployment shipping 1TB/day of observability data per region to one central vendor region pays $30,000+/month on observability egress alone.

diagram

Region-local aggregators (Vector, Fluent Bit, OpenTelemetry Collector) batch, compress, and sample before shipping cross-region. Compression alone saves 60-80% on log data. Sampling traces at 1-5% (instead of the default 100%) saves another order of magnitude. The trade-off is incident-time access to the dropped data, which most teams accept once they see the bill.

This pattern works when alert latency tolerates a 30-60 second batching delay. It breaks for workloads with sub-second alert SLOs that need real-time event streaming, in which case the unbatched cost is justified.

VPC Endpoints, Direct Connect, and the Endpoint Habit

VPC endpoints (AWS PrivateLink) and Cloud Interconnect (GCP) eliminate egress charges for traffic that would otherwise cross the public internet. A workload calling S3 in the same region pays $0.01/GB without an endpoint and $0.00/GB through a Gateway Endpoint. For a 50TB/month S3 access pattern, that is $500/month savings per region with one one-line Terraform configuration.

The five highest-impact endpoints to enable first:

Service Endpoint type Why it pays
S3 Gateway Endpoint Most workloads read 10-100TB/month from S3; endpoint eliminates per-GB charges
DynamoDB Gateway Endpoint Same as S3; high-volume table reads stay private
ECR Interface Endpoint Pulling container images from ECR otherwise crosses NAT, paying NAT processing + per-GB egress
Secrets Manager / Parameter Store Interface Endpoint Every container start fetches secrets; volume is small but path matters for compliance
CloudWatch Logs Interface Endpoint Log shipping bytes that would otherwise cross NAT

Direct Connect and Dedicated Interconnect provide flat-rate egress to on-premises networks at $0.02/GB versus $0.09/GB public internet, for workloads with sustained 1Gbps+ throughput. The breakeven is roughly 50TB/month of sustained on-prem-bound traffic, below which the port-hour fees ($0.30/hour for 1Gbps Direct Connect) exceed the per-GB savings.

This pattern works when the team has visibility into per-service egress paths via the AWS Cost and Usage Report or GCP Billing Export. It breaks when nobody has enabled CUR (which most teams haven't, despite it being free since 2024) and the cost data is invisible at the per-service level.

A 60-Day Egress Cost Reduction Plan

Egress optimization sequences cleanly. Each phase produces measurable savings, and the data from each phase informs the next.

Phase Weeks Action Effort Expected saving
Visibility 1-2 Enable AWS Cost and Usage Report (or GCP Billing Export). Build a dashboard showing top egress sources by service, source region, destination region. 1 engineer-week 0 (data only)
VPC endpoints 3 Enable Gateway Endpoints for S3 + DynamoDB. Enable Interface Endpoints for ECR, Secrets Manager, CloudWatch Logs. 2 days 15-25% on egress for endpoint-eligible traffic
Topology-aware service routing 4-6 Enable Kubernetes topology-aware routing on the top 10 services by cross-AZ traffic. Verify replica counts. 2 weeks 30-50% on cross-AZ service-to-service traffic
Observability aggregator rollout 7-8 Deploy Vector or Fluent Bit as a region-local aggregator. Configure batching, compression, sampling. 1 week 60-80% on observability egress
Replication topology audit 9-10 Classify databases by RPO/RTO. Move analytics replicas from real-time to nightly snapshots. Move non-critical workloads from sync to async multi-AZ. 2 weeks 40-70% on stateful replication egress
Direct Connect evaluation 11-12 If on-prem-bound traffic exceeds 50TB/month sustained, evaluate Direct Connect. Otherwise skip. 1 week + procurement Variable, only if breakeven is clear

A team starting at $40,000/month in data transfer charges typically lands at $12,000-$18,000 after 60 days. The work is architectural, not new tooling. Each phase is testable in isolation. Most teams do the first three phases and stop, because by that point the egress bill has dropped enough that the marginal effort on the rest doesn't pay back.

To get started, enable the AWS Cost and Usage Report and look at the Data Transfer line item broken down by source region. The largest 3-5 contributors are almost always cross-AZ replication for one major database, observability shipping for one major service, and ECR image pulls during deployments. Any one of those is a 1-week project with a measurable bill reduction. Pair the work with autonomous remediation so the gains hold once attention shifts to the next architectural problem.