AWS PrivateLink pricing: what to model (consumer vs provider)

PrivateLink helps keep service traffic private. Cost modeling is straightforward if you separate three things: endpoint-hours, data processed, and transfer boundaries in your design (cross-AZ / cross-region).

What you pay for (the inputs that matter)

• Interface endpoint-hours: billed per endpoint per AZ per hour. If you attach one endpoint to 3 AZs, you pay 3x endpoint-hours.
• Data processed (GB): billed per GB that traverses the interface endpoint (use measured traffic, not guesses).
• Transfer boundaries: PrivateLink does not remove all transfer costs. Cross-AZ/cross-region designs can add transfer line items that dominate the total.

A simple monthly model (fast and accurate enough for planning)

Endpoint-hours ≈ (sum of endpoint AZ attachments) × hours in month (use 730 as a planning default).

Cost ≈ (endpoint-hours × $/endpoint-hour) + (processed GB × $/GB) + transfer charges (if any).

1) Model the consumer side (interface endpoints)

• Count endpoints by service (S3, STS, ECR, your own services, etc). Cost scales with how many distinct endpoints you create.
• Count AZ attachments per endpoint. A “standard” 3-AZ VPC often means 3 billed endpoints even if the traffic is small.
• Estimate processed GB/month using evidence: VPC Flow Logs, load balancer bytes, or observed client throughput. Include a peak scenario.

2) Model provider-side implications (if you publish an endpoint service)

If you are the provider, PrivateLink itself is usually not the bill — your bill is the infrastructure that serves the traffic (load balancers, targets, logging, and any transfer within your architecture).

• If you front the service with a load balancer, include its hourly + LCU/bytes pricing (and any cross-zone traffic you enable).
• If your service targets live in multiple AZs, confirm whether the traffic pattern causes cross-AZ data transfer.
• If you turn on high-volume logs (flow logs, LB logs), account for log ingestion + retention costs.

3) Compare against NAT and internet egress

PrivateLink frequently competes with NAT or public endpoints. Use the same traffic assumptions and compare: endpoint-hours + per-GB processing vs NAT gateway-hours + NAT GB processed (plus any egress where applicable).

Tooling: VPC interface endpoint cost and NAT vs VPC endpoints.

Worked example (sanity check your estimate)

Suppose you create 4 endpoints and attach each to 3 AZs. That is 12 endpoint-AZ attachments. For a 730-hour planning month, endpoint-hours ≈ 12 × 730 = 8,760. Then add processed GB/month and apply your region pricing.

Common pitfalls (where surprise bills come from)

• Creating endpoints per VPC/account without noticing the multiplier across environments.
• Always using 3 AZs even when the workload can safely run in 2 AZs (availability vs cost trade-off).
• Underestimating processed GB because you only look at “app payload” and ignore retries, timeouts, and backfills.
• Assuming PrivateLink eliminates cross-AZ transfer; cross-AZ service design can still create transfer charges.
• Comparing against NAT without including NAT GB processed and NAT hourly.
• Turning on verbose logs (flow logs / LB logs) without budgeting ingestion + retention.

How to validate in billing (fast, reliable)

• In Cost Explorer, filter Service to Amazon VPC and group by Usage type. Search for usage types containing “endpoint”.
• Confirm that billed endpoint-hours roughly match your expected (endpoint AZ attachments × hours). If the billed number is higher, you likely have more endpoints or more AZ attachments than you thought.
• For GB processed, cross-check with VPC Flow Logs (bytes) for the subnets that host the endpoint ENIs or with workload telemetry.

Next steps

Sources

• AWS PrivateLink pricing
• Amazon VPC pricing (endpoints / transfer context)

Related guides

Related calculators

FAQ