THE AWS CERTIFIED ADVANCED NETWORKING – SPECIALTY EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Billing for AWS networking-related services can often be complex and initially confusing. In this chapter, we examine the elements used to evaluate which charges apply to a particular flow of data to or from services hosted within AWS.
There are three elements for network-related charges:
Service or port-hour fees apply to services such as Virtual Private Networks (VPNs), AWS Direct Connect, and Network Address Translation (NAT) gateways, where an hourly charge starts once the service has been configured, whether or not it is carrying traffic. Some other services bundle data transfer into their service charge, so it is not billed separately.
Data processing fees are applied on services such as NAT gateway and Elastic Load Balancing.
Data transfer costs are the fees charged by AWS when data is moved over a network where at least one end of the traffic flow is located within an AWS Region.
In this chapter, pricing for the us-east-1 (N. Virginia) region at the time of writing is used for all examples. You should check for the latest pricing on the AWS website, noting that different AWS Regions may use different pricing. Where tiered pricing exists for a service, the chapter uses the first non-free rate.
The following network-specific services incur service or port-hour fees in addition to data transfer (which is covered in the section that follows).
VPN connections are charged per connection hour. This means that the connection-hour fee applies once you provision an AWS-managed VPN and it becomes available for use. An AWS-managed VPN connects a Virtual Private Gateway (VGW) on a Virtual Private Cloud (VPC) to a customer gateway. Deleting the VPN connection ceases the connection-hour charge. In addition to the connection-hour fee, there is a charge for data transfer that can vary depending on the location of the customer gateway. For most architectures, the customer gateway is located within a customer’s network and data transfer is charged at Internet rates. Using the us-east-1 region as an example, this is $0.09 per GB outbound from AWS. You are not charged for inbound data transfer in this scenario.
AWS Direct Connect connections are charged per port-hour. This means that the port-hour charge applies after you are provisioned with an AWS Direct Connect connection and either its status becomes “available” for the first time or 90 days pass (whichever occurs first). In the case of a hosted connection, which is provided by an AWS Direct Connect partner, the port-hour charge applies once the receiving account accepts the connection. In both situations, the account that has the connection is charged the port-hour fee.
AWS Direct Connect cannot carry traffic until a Virtual Interface (VIF) has been created. A VIF establishes the Border Gateway Protocol (BGP) session and enables traffic to flow. Once a VIF exists, AWS Direct Connect data transfer charges apply and are billed to the account that owns the VIF, which can be different from the account that owns the AWS Direct Connect connection. The data transfer rate depends on the AWS Region and the AWS Direct Connect location, but it is consistently lower than the standard Internet-out rate.
If you choose to create an interface type VPC endpoint in your VPC, you are charged for each hour that your VPC endpoint is provisioned in each Availability Zone. Data processing charges apply for each gigabyte processed through the VPC endpoint, regardless of the traffic’s source or destination. Each partial VPC endpoint-hour consumed is billed as a full hour.
A NAT gateway is charged based on NAT gateway hours from the moment that the gateway is provisioned and available. These charges stop when the NAT gateway is deleted. As the NAT gateway processes traffic and performs the NAT, there is a charge for the volume of data processed regardless of the traffic’s source or destination. In addition, standard data transfer charges apply for the traffic flowing through the NAT gateway. In most architectures, this will be Internet-out rates.
Elastic Load Balancing has three different types of load balancers.
Application Load Balancer You are charged for each hour or partial hour that an Application Load Balancer is running and for the number of Load Balancer Capacity Units (LCUs) used by the load balancer per hour.
Network Load Balancer You are charged for each hour or partial hour that a Network Load Balancer is running and for the number of LCUs used by the load balancer per hour.
Classic Load Balancer You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.
For Application Load Balancers and Network Load Balancers, the variable component is based on the number of LCUs. An LCU measures the dimensions on which the load balancer processes your traffic (averaged over an hour).
The dimensions measured are as follows:
New connections or flows. Number of newly established connections per second. Many technologies (for example, HTTP or WebSockets) reuse Transmission Control Protocol (TCP) connections for efficiency, so the number of new connections is typically lower than your request or message count.
Active connections or flows. Number of active connections per minute.
Bandwidth. The amount of traffic processed by the load balancer in Mbps.
Rule evaluations (Application Load Balancer only). The product of the number of rules processed by your load balancer and the request rate. The first 10 processed rules are not charged:
Rule evaluations = Request rate × (Number of rules processed − 10)
You are charged only on the one dimension that has the highest usage for the hour.
An LCU for the Application Load Balancer contains the following:
If you have 10 or fewer rules configured, the rule evaluations dimension is ignored in the LCU computation.
An LCU for the Network Load Balancer contains the following:
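The LCU rule above (charge on the single dimension with the highest usage, rule evaluations free for the first 10 rules) is easy to get wrong when estimating a bill. The following script is an added worked example, not code from the study guide or from AWS: it turns an hour of measured traffic into the LCU count that would be billed and reports which dimension dominated. The per-LCU capacities in `ALB_LCU` and `NLB_LCU` are assumed values copied from the AWS Elastic Load Balancing pricing page at the time of writing and must be confirmed against the current page; the bandwidth figure is converted from Mbps to decimal GB per hour so it can be compared with the other dimensions.

```python
"""Hourly LCU estimate for Application and Network Load Balancers.

Added worked example; not from the study guide. The per-LCU capacities
are ASSUMED values taken from the AWS ELB pricing page at the time of
writing and must be checked against the current pricing page.
"""

FREE_RULES = 10  # the first 10 processed rules are not charged (ALB only)

# Assumed capacity of one LCU in each dimension (usage averaged over an hour).
ALB_LCU = {
    "new_connections_per_s": 25.0,
    "active_connections_per_min": 3000.0,
    "bandwidth_gb_per_hour": 1.0,
    "rule_evaluations_per_s": 1000.0,
}
NLB_LCU = {
    "new_flows_per_s": 800.0,
    "active_flows_per_min": 100_000.0,
    "bandwidth_gb_per_hour": 1.0,
}


def mbps_to_gb_per_hour(mbps):
    """Convert an average Mbps figure to decimal GB per hour (1 GB = 10^9 B)."""
    return mbps * 3600 / 8 / 1000


def rule_evaluations_per_s(request_rate_per_s, rules_processed):
    """Rule evaluations = request rate x (rules processed - 10), floored at 0."""
    return request_rate_per_s * max(rules_processed - FREE_RULES, 0)


def _dominant(usage, capacity):
    """Return (dimension, LCUs): only the dimension with the highest usage is billed."""
    ratios = {dim: usage[dim] / capacity[dim] for dim in capacity}
    dim = max(ratios, key=ratios.get)
    return dim, ratios[dim]


def alb_lcus(new_conn_per_s, active_conn_per_min, avg_mbps,
             request_rate_per_s, rules_processed):
    """LCUs billed for one hour of Application Load Balancer traffic."""
    usage = {
        "new_connections_per_s": new_conn_per_s,
        "active_connections_per_min": active_conn_per_min,
        "bandwidth_gb_per_hour": mbps_to_gb_per_hour(avg_mbps),
        # With 10 or fewer rules this evaluates to 0, i.e. the dimension is ignored.
        "rule_evaluations_per_s": rule_evaluations_per_s(request_rate_per_s,
                                                         rules_processed),
    }
    return _dominant(usage, ALB_LCU)


def nlb_lcus(new_flows_per_s, active_flows_per_min, avg_mbps):
    """LCUs billed for one hour of Network Load Balancer traffic."""
    usage = {
        "new_flows_per_s": new_flows_per_s,
        "active_flows_per_min": active_flows_per_min,
        "bandwidth_gb_per_hour": mbps_to_gb_per_hour(avg_mbps),
    }
    return _dominant(usage, NLB_LCU)


if __name__ == "__main__":
    # Constructed sample hour: 50 new conn/s, 1500 active/min, 1 Mbps average,
    # 200 req/s evaluated against 30 rules. Rule evaluations dominate.
    print(alb_lcus(50, 1500, 1.0, 200, 30))
    # Same connection profile but only 8 rules: new connections dominate instead.
    print(alb_lcus(50, 1500, 1.0, 200, 8))
    # NLB hour: 1600 new flows/s, 50,000 active/min, 6.7 Mbps average.
    print(nlb_lcus(1600, 50_000, 6.7))
```

The multiply-by-LCU-price step is left to the reader because the LCU price is not quoted in this chapter; the useful lesson is that trimming the dominant dimension (for example, consolidating listener rules below the free allowance) is what lowers the bill, not reducing a dimension that was never the maximum.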
AWS data transfer is generally metered at the resource or service interface: the source and destination of a flow are identified, and the flow is charged at the rate that applies to that pair. One exception is a private VIF on AWS Direct Connect. If the flow's target is reachable via the private VIF, outbound data transfer from AWS is charged at the rate listed on the AWS Direct Connect pricing page for that AWS Direct Connect location and AWS Region.
The definition of Internet with regard to data transfer is when traffic flows between an AWS-owned public IP address and a non-AWS-owned public IP address. This definition excludes traffic between two AWS Regions or traffic between public IPs in the same AWS Region.
Data transfer in from the Internet to an AWS public IP is not charged. Data transfer out to the Internet from an AWS public IP is charged at $0.09 per GB up to the first 10 TB.
When traffic flows between AWS public IP addresses in different AWS Regions, it incurs the region-to-region rate of $0.02 per GB, applied to traffic as it leaves a region. Each direction is charged once, on egress from the sending region. A bi-directional exchange between two regions is therefore charged twice in total: once for the data leaving region A and once for the data leaving region B.
Whether the AWS public IP being used is associated with an Amazon Elastic Compute Cloud (Amazon EC2) instance or an AWS Cloud service (such as Amazon Simple Storage Service [Amazon S3]) does not make a difference on data transfer charges.
Amazon CloudFront has a range of charges for data transfer outbound from edge locations to end users/viewers of content.
When the origin being used for an Amazon CloudFront distribution is hosted in an AWS Region (for example, on Amazon S3 or an Amazon EC2 instance), there is no outbound data transfer charge from that resource. If Amazon CloudFront is also being used for uploading content, however, that inbound data transfer is charged at the inter-region rate of $0.02 per GB uploaded to the region.
There is no charge for traffic flows to and from an AWS regional service (such as Amazon S3, Amazon Simple Queue Service [Amazon SQS], or Amazon Simple Email Service [Amazon SES]) in the same region as the source. Whether the service/resource is owned by the same account does not make a difference.
An exception is that if the traffic flow is between two Amazon EC2 instances (in the same or different AWS accounts) using their public IP, then the data transfer is charged at $0.01 per GB in both directions. It does not matter whether the traffic remains in the Availability Zone—it is still charged the same rate.
Traffic flow between two Amazon EC2 instances in the same VPC but in different Availability Zones is charged at $0.01 per GB in each direction. This traffic flow also includes access to services that are provided inside that VPC (such as Amazon Relational Database Service [Amazon RDS] and Amazon Redshift).
Traffic flow between two Amazon EC2 instances in different VPCs is charged at $0.01 per GB in each direction. This also includes access to services that are provided inside the peered VPC (for example, Amazon RDS and Amazon Redshift). The Availability Zone and customer account for the peered VPC do not affect this charge.
There are no charges for data transfer between Amazon EC2 instances within the same Availability Zone if they are in the same VPC.
The VGW IP addresses used by the AWS managed VPN solution for IP Security (IPsec) VPN endpoints are included in the definition of AWS public IPs for a region. Therefore, if you build a software VPN from an Amazon EC2 instance in another region acting as the customer gateway, you will be charged at the $0.02 per-GB rate for the flow in each direction rather than the Internet rate of $0.09 per GB that you may assume.
When you transfer data over an AWS Direct Connect public VIF, the AWS billing system validates whether the destination IPs for a traffic flow are listed for use with an account associated with your AWS organization/billing family. These IP addresses are defined when creating the public VIF. If the IP addresses are associated with one of your accounts and the VIF has a BGP status of “up” advertising those prefixes, data transfer from resources owned by the organization is charged at the reduced AWS Direct Connect rate (as calculated based on the AWS Direct Connect location and the AWS Region being used).
If these conditions are not met, then the traffic may still flow via AWS Direct Connect; however, it will be charged at Internet rates to the owner of the resource.
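The data transfer rules in this section reduce to a short decision procedure over the two ends of a flow. The following script is an added worked example (not from the study guide or from AWS) that encodes those rules with the us-east-1 rates quoted in this chapter: Internet out $0.09/GB, region-to-region $0.02/GB, cross-AZ, peered-VPC and in-region public IP traffic $0.01/GB, and the representative AWS Direct Connect rate of $0.020/GB. It also applies the public VIF conditions (prefix associated with an account in your billing family, BGP up, prefix advertised) to decide between the Direct Connect and Internet rates. The `Endpoint` type and its field names are assumptions made for the example; inbound data transfer over a private VIF is assumed to be uncharged in the same way as inbound from the Internet.

```python
"""Classify a traffic flow into the data transfer categories of this chapter.

Added worked example; not from the study guide. Rates are the us-east-1
figures quoted in the chapter and differ by region and over time.
"""
from dataclasses import dataclass

RATE_INTERNET_OUT = 0.09     # AWS public IP -> non-AWS public IP, per GB
RATE_INTER_REGION = 0.02     # AWS public IP -> AWS public IP in another region
RATE_INTRA_REGION = 0.01     # cross-AZ, peered VPC, or public IP within a region
RATE_DIRECT_CONNECT = 0.020  # representative Direct Connect rate used in the chapter


@dataclass(frozen=True)
class Endpoint:
    """One end of a flow (assumed model for this example)."""
    kind: str                # "ec2", "service" (S3/SQS/SES...), "vgw",
                             # "internet" (non-AWS public IP), "dx_private" (on-prem via private VIF)
    region: str = ""
    vpc: str = ""
    az: str = ""
    public_ip: bool = False  # flow uses the public IP of an EC2 instance


def egress_rate(src: Endpoint, dst: Endpoint) -> float:
    """USD per GB charged to the owner of src for data leaving it towards dst."""
    if src.kind in ("internet", "dx_private"):
        return 0.0                        # inbound to AWS: not charged (assumed for DX)
    if dst.kind == "internet":
        return RATE_INTERNET_OUT          # e.g. VPN to an on-premises customer gateway
    if dst.kind == "dx_private":
        return RATE_DIRECT_CONNECT        # target reachable via a private VIF
    # Both ends are AWS-owned addresses; VGW IPs count as AWS public IPs.
    if src.region != dst.region:
        return RATE_INTER_REGION
    if src.kind == "service" or dst.kind == "service":
        return 0.0                        # regional service in the same region
    if src.public_ip or dst.public_ip:
        return RATE_INTRA_REGION          # in-region via public IP, even within one AZ
    if src.vpc != dst.vpc or src.az != dst.az:
        return RATE_INTRA_REGION          # peered VPC or cross-AZ
    return 0.0                            # same VPC, same AZ


def flow_cost(a: Endpoint, b: Endpoint, gb_a_to_b: float, gb_b_to_a: float) -> float:
    """Each direction is charged once, on egress, so a two-way flow pays both."""
    return egress_rate(a, b) * gb_a_to_b + egress_rate(b, a) * gb_b_to_a


def public_vif_rate(prefix_in_billing_family: bool, bgp_up: bool,
                    prefix_advertised: bool) -> float:
    """Rate for data leaving AWS over a Direct Connect public VIF.

    The reduced rate needs all three conditions; otherwise the traffic still
    flows over Direct Connect but the resource owner pays Internet rates.
    """
    if prefix_in_billing_family and bgp_up and prefix_advertised:
        return RATE_DIRECT_CONNECT
    return RATE_INTERNET_OUT


if __name__ == "__main__":
    # Constructed example: two EC2 instances in different regions exchanging
    # 100 GB in each direction over their public IPs.
    east = Endpoint("ec2", region="us-east-1", vpc="vpc-a", az="us-east-1a", public_ip=True)
    west = Endpoint("ec2", region="us-west-2", vpc="vpc-b", az="us-west-2a", public_ip=True)
    print(f"inter-region, 100 GB each way: ${flow_cost(east, west, 100, 100):.2f}")
    # Same VPC, same AZ, private IPs: free. Same pair over public IPs: $0.01/GB.
    a = Endpoint("ec2", region="us-east-1", vpc="vpc-a", az="us-east-1a")
    b = Endpoint("ec2", region="us-east-1", vpc="vpc-a", az="us-east-1a")
    print(f"same AZ, private IP: ${egress_rate(a, b):.2f}/GB")
    print(f"public VIF, BGP down: ${public_vif_rate(True, False, True):.2f}/GB")
```

Run as a script it prints the three cases above; imported, `egress_rate` and `flow_cost` can be called for any pair of endpoints. The order of the checks matters: the Internet and Direct Connect tests come first because they are decided by the destination type alone, the region comparison comes before the same-region special cases, and the public IP test comes before the VPC/AZ test because a public IP flow is charged even inside a single Availability Zone.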
The following section provides common examples of elements seen within application architectures and how the networking elements are charged.
This scenario shows regular data transfer between two different AWS customers using Amazon EC2 instances in two different regions (see Figure 14.1).
This scenario is a highly-available application replicating data between Amazon EC2 instances, both within one AWS Region and a different region chosen for disaster recovery purposes (see Figure 14.2).
This scenario is using AWS Direct Connect to access an Amazon S3 bucket owned by your organization and an Amazon S3 bucket owned by another customer (see Figure 14.3).
Using AWS Direct Connect in one account to access an Amazon EC2 instance in another account, with both accounts owned by the same AWS customer (see Figure 14.4).
The transit VPC design within a single AWS Region (see Figure 14.5).
The transit VPC design over multiple AWS Regions (see Figure 14.6).
Understanding networking billing within AWS requires a clear understanding of the source and destination of a specific traffic flow. You can use that information to attribute each end of the flow to one of the categories described in this chapter and the AWS documentation, which then establishes which data transfer rate applies to that particular flow; service and port-hour fees for any VPN, AWS Direct Connect, NAT gateway, VPC endpoint, or load balancer in the path are added on top. Regardless of the category, it is important to understand whether you are charged once or twice for each flow in each direction.
Understand the key elements used for billing related to networking on AWS. Port-hour/service charges, data transfer, and data processing are the three key elements used to calculate networking-related charges.
Understand how AWS Direct Connect affects billing. Private VIFs simply reduce the outbound data transfer rates from Internet ($0.09 per GB) to AWS Direct Connect rates ($0.020 per GB).
Public VIFs have multiple factors to consider before the reduced rate applies, specifically ownership of the resource, ownership of the VIF, the relationship of the VIFs within the AWS organization, the IP prefixes registered on the VIF, BGP status, and whether the prefix is being advertised.
Understand how to combine relevant components to derive a cost for an architecture. The VGW IPsec VPN endpoints are AWS public IPs within an AWS Region. A single logical flow may produce two data transfer charges when it is terminated and re-originated by a VPN appliance or similar mechanism, because each hop is metered separately. You will also be charged in both directions in certain situations, such as traffic between two Availability Zones.
The best way to become familiar with the AWS billing model and associated charges is to configure your own architecture and then use available resources (for example, AWS Cost and Usage reports) to understand the charges for each component.
For assistance completing these exercises, refer to the AWS Documentation located at https://aws.amazon.com/documentation/account-billing/ and the individual service pricing pages on the AWS website.
You have two Amazon Elastic Compute Cloud (Amazon EC2) instances in two different Virtual Private Clouds (VPCs) that have a peering connection. Both VPCs are in the same Availability Zone. What charge will you see on your bill for data transfer between those two instances?
Which of the following statements regarding data transfer into Amazon Simple Storage Service (Amazon S3) is not true?
You elect to use an AWS Direct Connect public Virtual Interface (VIF) to carry an IP Security (IPsec) Virtual Private Network (VPN) from your Virtual Private Cloud (VPC) Virtual Private Gateway (VGW) to your customer gateway. What rate is charged for all of the data transfer over the VPN?
Which of the following types of data transfer is not charged?
You want to receive an email in advance if it is likely that your monthly charge will exceed $200. Which is the most appropriate mechanism to generate this notification?
After creating an AWS Direct Connect connection, what is the earliest point in time that you start receiving port-hour charges?
Which of the following is not used for billing of the Network Address Translation (NAT) gateway?
Which of the following is the charge for data transfer out from Amazon Simple Storage Service (Amazon S3) to Amazon CloudFront?
When using a public Virtual Interface (VIF) on AWS Direct Connect, you access an Amazon Simple Storage Service (Amazon S3) bucket owned by someone who is not part of your organization. Who pays for data transfer from that bucket?
You make a connection from an Amazon Elastic Compute Cloud (Amazon EC2) instance that you own to the public IP address for another Amazon EC2 instance in your account. Both instances are in the same Availability Zone. How much does this cost in us-east-1?