
9 cents a gigabyte downloaded versus 0 cents a gigabyte downloaded is a pretty good deal.

There’s not much AWS can do about it because they must make untold billions from those sweet, sweet S3 egress fees.

I’d be willing to bet S3 egress fees make up about 60% of all AWS revenue.




S3 egress and inter-AZ traffic. The way they advertise multi-AZ should honestly be illegal, or at least include warnings about charges.

Like when you set up an RDS instance, the “prod” template defaults to multi-AZ (a good idea tbf), but completely elides the fact that if your app is in a different AZ, you’re going to start racking up $0.02/GB.

Same with NLBs and cross-AZ routing. Sure, it can be helpful, but yeesh.

Or EKS, since Topology Aware Routing is in no way a default.


Or NAT prices... there's a good reason why there's FCK-nat. Those NAT prices are terrible.


That's not the only thing that has excess fees in AWS/Azure/ ....

E.g., for Cloudflare Workers: if your worker is making an outgoing request (DB / REST), it's not considered CPU time and it's not counted towards that either (in Cloudflare ofc).

While this is a hidden profit of many cloud providers :)


Can you explain more?

Wait time isn’t calculated as compute?


Kenton describes a bit here what they measure and how:

https://community.cloudflare.com/t/how-is-cpu-time-per-reque...

Cloudflare is only billing that actual CPU time.

Edit: this is a better resource https://blog.cloudflare.com/workers-pricing-scale-to-zero/


That's partially why so many LLM/AI apps use Cloudflare.

An API call can take a lot of seconds, while Cloudflare only bills CPU time (e.g. 10 ms). Other providers bill those seconds too as "duration", while the CPU was just sitting idle.


I can see both sides because you are reserving that amount of RAM while your process is running. The Lambda price is also proportional to the RAM reserved.


Well.

I thought that this was possible because Cloudflare eliminated cold start delays.

So there's no RAM reserved either, I guess.

(Can someone correct me if I'm wrong?)


I have to imagine CloudWatch makes AWS a lot of money too. Very often, when I look into an account from work that is spending a lot, CloudWatch is a large contributor.


Really? From Custom metrics, or logs? It's pretty rare that I hear anyone use it in production, there's usually either a SaaS like Datadog/New Relic or a homegrown setup with e.g. Prometheus.


I had been running https://dockeri.co with https://arc.codes/ for pennies a month.

Then, one month, I got a ~$500 bill out of nowhere.

Docker had changed an API, causing my service to return 5xx errors all month. Each error was individually logged to CloudWatch - which racked up a ~$500 bill.

I moved to Cloudflare Workers that day and haven’t moved back.


Lol.

The Cloud really loves logging (bills :p).

It would be nice if Cloudflare implemented "OpenTelemetry".

It could reduce the cloud bill by at least 2. Logging is really expensive.


C suite types prefer to have a single portal for “all the things” and naïvely assume the price premium they’re paying for AWS is evenly distributed across all their products. It’s also a common assumption AWS is the best in each category.

A good number of people end up using CloudWatch for all of the above, even though it’s (comparatively) mid.


All the other parts of AWS are there really only to keep companies using S3.


Anyone doing serious traffic with AWS will use CloudFront, and then you get additional savings on top of that, and you can negotiate a better rate than provided depending on usage, so some people pay way less than the advertised price.


Sure, if you're a business that has to burn money on servers anyways, but a lot of people avoid AWS for side-projects and non-business applications because it can easily balloon to over $100/month with just a few services and moderate traffic.


Counter-point: it can also be extremely cheap.

I’m in a seemingly small subset of people that is very happy with AWS for side projects. Granted I’m not doing anything that requires many resources.


Also, CloudFront can't proxy bare EC2 servers, you have to shove them behind an ELB, which is additional cost.


Of course it can.


So, the CloudFront setup process only surfaces S3, ELBs, API Gateways, Mediastore, and Mediapackage domains as origin domains. I do notice that it will let me type in an arbitrary domain - is that how you're supposed to stick bare EC2 instances behind CloudFront? Just provide it something like realoriginserverplsdonthack.example.com and use some other method (e.g. VPC configuration) to prevent bypassing CloudFront?


Correct, you can put multiple instances (A records) there; if on Route 53 you can also use health checks, geo, etc.

If you want to lock EC2 access to CloudFront only, you can do it in the SG with the "managed prefix list for CloudFront".
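
The lock-down described in the comment above, as an added example that is not part of the thread: a Python check over a security group in the `aws ec2 describe-security-groups` JSON shape that reports any ingress on the web ports from a source other than the CloudFront managed prefix list. The sample group, the `pl-EXAMPLE` placeholder ID and the function names are constructed for illustration.

```python
WEB_PORTS = (80, 443)
CF_PL = "pl-EXAMPLE"  # placeholder: the CloudFront managed prefix list ID differs per region

# Constructed sample in the describe-security-groups response shape.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "PrefixListIds": [{"PrefixListId": CF_PL}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # bypasses CloudFront
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},    # not a web port, ignored
    ],
}

def covers(rule, port):
    """True if the ingress rule applies to the given TCP port."""
    if rule["IpProtocol"] == "-1":   # "-1" means all protocols and all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def audit_origin_sg(sg, cloudfront_pl_id, ports=WEB_PORTS):
    """Return (findings, cloudfront_allowed) for one security group."""
    findings, cf_allowed = [], False
    for rule in sg.get("IpPermissions", []):
        hit = [p for p in ports if covers(rule, p)]
        if not hit:
            continue
        sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
                   + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])
        for pl in rule.get("PrefixListIds", []):
            if pl["PrefixListId"] == cloudfront_pl_id:
                cf_allowed = True            # the intended path via CloudFront
            else:
                sources.append(pl["PrefixListId"])
        for src in sources:                  # every other source reaches the origin directly
            findings.append({"group": sg["GroupId"], "ports": hit, "source": src,
                             "public": src in ("0.0.0.0/0", "::/0")})
    return findings, cf_allowed

if __name__ == "__main__":
    found, via_cf = audit_origin_sg(SAMPLE_SG, CF_PL)
    print("CloudFront prefix list allowed:", via_cf)
    for f in found:
        print("direct path to origin:", f)
```

The managed prefix list admits every CloudFront distribution, not only yours, so the origin should still authenticate requests itself, for example by requiring a secret custom header set on the distribution.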



