Chapter 14
Billing

THE AWS CERTIFIED ADVANCED NETWORKING – SPECIALTY EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

  • Domain 2.0: Design and Implement AWS Networks
  • 2.6 Evaluate and optimize cost allocations given a network design and application data flow
  • Content may include the following:
    • Data transfer charges within a Virtual Private Cloud (VPC)
    • Data transfer charges with AWS Cloud services outside an Amazon VPC
    • Data transfer charges when using AWS Direct Connect
    • Data transfer charges over the Internet


Billing Overview

Billing for AWS networking-related services can often be complex and initially confusing. In this chapter, we examine the elements used to evaluate which charges apply to a particular flow of data to or from services hosted within AWS.

There are three elements for network-related charges:

  • A service or port-hour fee
  • A data processing fee
  • Data transfer

Service or port-hour fees can include services such as Virtual Private Networks (VPNs), AWS Direct Connect, and Network Address Translation (NAT) gateways, where an hourly charge is applied once the service has been configured. Other service charges can reflect an inclusive data transfer element where it is not charged separately.

Data processing fees are applied on services such as NAT gateway and Elastic Load Balancing.

Data transfer costs are the fees charged by AWS when data is moved over a network where at least one end of the traffic flow is located within an AWS Region.

In this chapter, pricing for the us-east-1 (N. Virginia) region at the time of writing is used for all examples. You should check for the latest pricing on the AWS website, noting that different AWS Regions may use different pricing. Where tiered pricing exists for a service, the chapter uses the first non-free rate.

Service and Port-Hour Fees

The following network-specific services incur service or port-hour fees in addition to data transfer (which is covered in the section that follows).

Virtual Private Network (VPN) Connections

VPN connections are charged per connection hour. This means that the connection-hour fee applies once you provision an AWS-managed VPN and it becomes available for use. An AWS-managed VPN connects a Virtual Private Gateway (VGW) on a Virtual Private Cloud (VPC) to a customer gateway. Deleting the VPN connection ceases the connection-hour charge. In addition to the connection-hour fee, there is a charge for data transfer that can vary depending on the location of the customer gateway. For most architectures, the customer gateway is located within a customer’s network and data transfer is charged at Internet rates. Using the us-east-1 region as an example, this is $0.09 per GB outbound from AWS. You are not charged for inbound data transfer in this scenario.

AWS Direct Connect

AWS Direct Connect connections are charged per port-hour. This means that the port-hour charge applies after you are provisioned with an AWS Direct Connect connection and either its status becomes “available” for the first time or 90 days pass (whichever occurs first). In the case of a hosted connection, which is provided by an AWS Direct Connect partner, the port-hour charge applies once the receiving account accepts the connection. In both situations, the account that has the connection is charged the port-hour fee.

AWS Direct Connect cannot be used effectively until a Virtual Interface (VIF) has been created. A VIF establishes the Border Gateway Protocol (BGP) session and enables traffic to flow. After creating a VIF, AWS Direct Connect data transfer charges apply and are billed to the account that owns the VIF, which can be different from the account that owns the AWS Direct Connect connection. The data transfer rates differ for each region and AWS Direct Connect location, but they are consistently lower than standard Internet-out rates.

AWS PrivateLink

If you choose to create an interface type VPC endpoint in your VPC, you are charged for each hour that your VPC endpoint is provisioned in each Availability Zone. Data processing charges apply for each gigabyte processed through the VPC endpoint, regardless of the traffic’s source or destination. Each partial VPC endpoint-hour consumed is billed as a full hour.

NAT Gateway

A NAT gateway is charged based on NAT gateway hours from the moment that the gateway is provisioned and available. These charges stop when the NAT gateway is deleted. As the NAT gateway processes traffic and performs the NAT, there is a charge for the volume of data processed regardless of the traffic’s source or destination. In addition, standard data transfer charges apply for the traffic flowing through the NAT gateway. In most architectures, this will be Internet-out rates.

Elastic Load Balancing

Elastic Load Balancing has three different types of load balancers.

Application Load Balancer You are charged for each hour or partial hour that an Application Load Balancer is running and for the number of Load Balancer Capacity Units (LCUs) used by the load balancer per hour.

Network Load Balancer You are charged for each hour or partial hour that a Network Load Balancer is running and for the number of LCUs used by the load balancer per hour.

Classic Load Balancer You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.

For Application Load Balancers and Network Load Balancers, the variable component is based on the number of LCUs. An LCU measures the dimensions on which the load balancer processes your traffic (averaged over an hour).

The dimensions measured are as follows:

New connections or flows. Number of newly established connections per second. Many technologies (for example, HTTP or WebSockets) reuse Transmission Control Protocol (TCP) connections for efficiency, so the number of new connections is typically lower than your request or message count.

Active connections or flows. Number of active connections per minute.

Bandwidth. The amount of traffic processed by the load balancer in Mbps.

Rule evaluations (only for Application Load Balancer). The product of number of rules processed by your load balancer and the request rate. You are not charged for the first 10 processed rules:

Rule evaluations = Request rate × [Number of rules processed − 10 rules]

You are charged only on the one dimension that has the highest usage for the hour.

An LCU for the Application Load Balancer contains the following:

  • 25 new connections per second
  • 3,000 active connections per minute
  • 2.22 Mbps (which translates to 1 GB per hour)
  • 1,000 rule evaluations per second

If you have 10 or fewer rules configured, the rule evaluations dimension is ignored in the LCU computation.

An LCU for the Network Load Balancer contains the following:

  • 800 new non-Secure Sockets Layer (SSL) connections or flows per second
  • 100,000 active connections or flows (sampled per minute)
  • 2.22 Mbps (which translates to 1 GB per hour)
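The LCU rule above (normalize each dimension against its LCU definition, drop the first 10 rules, bill only the highest dimension) as an added example; this is not code from the study guide, and the field names and sample traffic are this example's own:

```python
"""Added example (not from the study guide): work out the hourly LCU usage of an
Application Load Balancer or Network Load Balancer from the dimensions listed in
the chapter. Only the dimension with the highest usage is billed."""
from dataclasses import dataclass

# One LCU, as defined in the chapter (us-east-1 at the time of writing).
ALB_LCU = {"new_conn_per_sec": 25, "active_conn_per_min": 3_000,
           "bandwidth_mbps": 2.22, "rule_evals_per_sec": 1_000}
NLB_LCU = {"new_conn_per_sec": 800, "active_conn_per_min": 100_000,
           "bandwidth_mbps": 2.22}
FREE_RULES = 10   # the first 10 processed rules are not charged

@dataclass
class HourlyTraffic:
    new_conn_per_sec: float             # all values averaged over the hour
    active_conn_per_min: float
    bandwidth_mbps: float
    request_rate_per_sec: float = 0.0   # ALB only
    rules_processed: int = 0            # ALB only

def rule_evaluations(request_rate_per_sec: float, rules_processed: int) -> float:
    """Rule evaluations = Request rate x [Number of rules processed - 10 rules];
    with 10 or fewer rules the dimension contributes nothing."""
    return request_rate_per_sec * max(rules_processed - FREE_RULES, 0)

def lcu_usage(traffic: HourlyTraffic, lb_type: str):
    """Return (billed dimension, LCUs) for lb_type 'alb' or 'nlb'."""
    defs = {"alb": ALB_LCU, "nlb": NLB_LCU}[lb_type]
    usage = {
        "new_conn_per_sec": traffic.new_conn_per_sec / defs["new_conn_per_sec"],
        "active_conn_per_min": traffic.active_conn_per_min / defs["active_conn_per_min"],
        "bandwidth_mbps": traffic.bandwidth_mbps / defs["bandwidth_mbps"],
    }
    if lb_type == "alb":
        evals = rule_evaluations(traffic.request_rate_per_sec, traffic.rules_processed)
        usage["rule_evals_per_sec"] = evals / defs["rule_evals_per_sec"]
    # Only the dimension with the highest usage is charged for the hour.
    dimension = max(usage, key=usage.get)
    return dimension, usage[dimension]

if __name__ == "__main__":
    # Constructed sample: a web tier behind an ALB with 15 listener rules.
    web = HourlyTraffic(new_conn_per_sec=50, active_conn_per_min=9_000,
                        bandwidth_mbps=2.22, request_rate_per_sec=100,
                        rules_processed=15)
    print(lcu_usage(web, "alb"))   # active connections dominate: 3.0 LCUs
```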

Types of Data Transfer

AWS data transfer is generally metered at the resource or service interface: the source and destination of a traffic flow are identified, and the flow is charged at the appropriate rate. The exception is a private VIF on AWS Direct Connect. If the flow's target is reachable via the VIF, outbound data transfer from AWS is charged at the rate for that AWS Direct Connect location and AWS Region, as listed on the AWS Direct Connect pricing web page.

Data Transfer: Internet

The definition of Internet with regard to data transfer is when traffic flows between an AWS-owned public IP address and a non-AWS-owned public IP address. This definition excludes traffic between two AWS Regions or traffic between public IPs in the same AWS Region.

Data transfer in from the Internet to an AWS public IP is not charged. Data transfer out to the Internet from an AWS public IP is charged at $0.09 per GB up to the first 10 TB.

Data Transfer: Region to Region

When traffic flows between AWS public IP addresses in different AWS Regions, it incurs the region-to-region rate of $0.02 per GB. The charge applies to traffic in the outbound direction from a region, so each flow is charged once per direction (on egress). Bi-directional data transfer between two AWS Regions is therefore charged twice: once on egress from each region.

Whether the AWS public IP being used is associated with an Amazon Elastic Compute Cloud (Amazon EC2) instance or an AWS Cloud service (such as Amazon Simple Storage Service [Amazon S3]) does not make a difference on data transfer charges.

Amazon CloudFront

Amazon CloudFront has a range of charges for data transfer outbound from edge locations to end users/viewers of content.

When the origin being used for an Amazon CloudFront distribution is hosted in an AWS Region (for example, on Amazon S3 or an Amazon EC2 instance), there is no outbound data transfer charge from that resource. If Amazon CloudFront is also being used for uploading content, however, that inbound data transfer is charged at the inter-region rate of $0.02 per GB uploaded to the region.

Data Transfer: Same Region via Public IP

There is no charge for traffic flows to and from an AWS regional service (such as Amazon S3, Amazon Simple Queue Service [Amazon SQS], or Amazon Simple Email Service [Amazon SES]) in the same region as the source. Whether the service/resource is owned by the same account does not make a difference.

An exception is that if the traffic flow is between two Amazon EC2 instances (in the same or different AWS accounts) using their public IP, then the data transfer is charged at $0.01 per GB in both directions. It does not matter whether the traffic remains in the Availability Zone—it is still charged the same rate.

Data Transfer: Inter-Availability Zone

Traffic flow between two Amazon EC2 instances in the same VPC but in different Availability Zones is charged at $0.01 per GB in each direction. This traffic flow also includes access to services that are provided inside that VPC (such as Amazon Relational Database Service [Amazon RDS] and Amazon Redshift).

Data Transfer: VPC Peering

Traffic flow between two Amazon EC2 instances in different VPCs is charged at $0.01 per GB in each direction. This also includes access to services that are provided inside the peered VPC (for example, Amazon RDS and Amazon Redshift). The Availability Zone and customer account for the peered VPC do not affect this charge.

Data Transfer: Intra-Availability Zone

There are no charges for data transfer between Amazon EC2 instances within the same Availability Zone if they are in the same VPC.

Virtual Private Network (VPN) Endpoints (Virtual Private Gateways [VGWs])

The VGW IP addresses used by the AWS managed VPN solution for IP Security (IPsec) VPN endpoints are included in the definition of AWS public IPs for a region. Therefore, if you build a software VPN from an Amazon EC2 instance in another region acting as the customer gateway, you will be charged at the $0.02 per-GB rate for the flow in each direction rather than the Internet rate of $0.09 per GB that you may assume.

AWS Direct Connect Public Virtual Interfaces (VIFs)

When you transfer data over an AWS Direct Connect public VIF, the AWS billing system validates whether the destination IPs for a traffic flow are listed for use with an account associated with your AWS organization/billing family. These IP addresses are defined when creating the public VIF. If the IP addresses are associated with one of your accounts and the VIF has a BGP status of “up” advertising those prefixes, data transfer from resources owned by the organization is charged at the reduced AWS Direct Connect rate (as calculated based on the AWS Direct Connect location and the AWS Region being used).

If these conditions are not met, then the traffic may still flow via AWS Direct Connect; however, it will be charged at Internet rates to the owner of the resource.
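The data transfer categories above, from Internet through the Direct Connect public VIF conditions, as one rate lookup for a single direction of a flow. This is an added example and not code from the study guide; the Endpoint kinds, field names and flags are this example's own, and the rates are the us-east-1 figures the chapter quotes:

```python
"""Added example (not from the study guide): classify one direction of a traffic
flow into the chapter's data transfer categories and return the us-east-1 per-GB
rate quoted for it. Endpoint kinds and field names are this example's own."""
from dataclasses import dataclass
from typing import Optional

INTERNET_OUT = 0.09        # Internet-out, first 10 TB
REGION_TO_REGION = 0.02    # egress to an AWS public IP in another region
INTRA_REGION = 0.01        # inter-AZ, VPC peering, or same-region public IP
DX_RATE = 0.02             # Direct Connect rate quoted in Exam Essentials
FREE = 0.0

@dataclass(frozen=True)
class Endpoint:
    # kind: "ec2", "regional_service" (S3/SQS/SES), "cloudfront", "internet",
    # or "on_prem_dx" (a prefix reached over a Direct Connect public VIF).
    # A VGW counts as an AWS public IP in its region: model it as "ec2".
    kind: str
    region: Optional[str] = None
    az: Optional[str] = None
    vpc: Optional[str] = None

def rate_per_gb(src: Endpoint, dst: Endpoint, via_public_ip: bool = False,
                dx_prefix_owned_and_advertised: bool = True) -> float:
    """Per-GB charge for src -> dst; the reverse direction is metered separately."""
    # Internet: inbound to AWS is free, outbound is charged at Internet rates.
    if src.kind == "internet":
        return FREE
    if dst.kind == "internet":
        return INTERNET_OUT
    # Public VIF: the reduced rate needs prefixes owned by the organization and
    # a BGP session that is up and advertising them; otherwise Internet rates.
    if dst.kind == "on_prem_dx":
        return DX_RATE if dx_prefix_owned_and_advertised else INTERNET_OUT
    if src.kind == "on_prem_dx":
        raise ValueError("inbound over Direct Connect is not priced in this chapter")
    # CloudFront: origin fetches are free, uploads via CloudFront pay the
    # inter-region rate into the origin's region.
    if dst.kind == "cloudfront":
        return FREE
    if src.kind == "cloudfront":
        return REGION_TO_REGION
    # Both ends are AWS addresses in regions.
    if src.region != dst.region:
        return REGION_TO_REGION
    if "regional_service" in (src.kind, dst.kind):
        return FREE
    if via_public_ip:            # EC2 <-> EC2 via public IP, same region, any AZ
        return INTRA_REGION
    if src.vpc == dst.vpc:       # same VPC: free inside an AZ, $0.01 across AZs
        return FREE if src.az == dst.az else INTRA_REGION
    return INTRA_REGION          # peered VPCs, regardless of AZ or account

def round_trip_per_gb(a: Endpoint, b: Endpoint, **kw) -> float:
    """Both directions are metered, so a bidirectional exchange is charged twice."""
    return rate_per_gb(a, b, **kw) + rate_per_gb(b, a, **kw)
```

The flag `dx_prefix_owned_and_advertised` is the check worth auditing in practice: a prefix that is not associated with the organization or not advertised over an "up" BGP session silently falls back to Internet rates.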

Scenarios

The following section provides common examples of elements seen within application architectures and how the networking elements are charged.

Scenario 1

This scenario shows regular data transfer between two different AWS customers using Amazon EC2 instances in two different regions (see Figure 14.1).

Figure description: $0.02 per GB from the us-east-1a VPC subnet (N. Virginia) to the us-west-2a VPC subnet (Oregon), and $0.02 per GB in the reverse direction from us-west-2a to us-east-1a.

FIGURE 14.1 Scenario 1

Scenario 2

This scenario is a highly-available application replicating data between Amazon EC2 instances, both within one AWS Region and a different region chosen for disaster recovery purposes (see Figure 14.2).

Figure description: $0.01 per GB between the us-east-1a and us-east-1b subnets within the VPC in N. Virginia, $0.01 per GB between the us-west-2a and us-west-2b subnets within the VPC in Oregon, and $0.02 per GB between us-east-1a and us-west-2a.

FIGURE 14.2 Scenario 2

Scenario 3

This scenario is using AWS Direct Connect to access an Amazon S3 bucket owned by your organization and an Amazon S3 bucket owned by another customer (see Figure 14.3).

Figure description: $0.02 per GB from account 1 in the N. Virginia AWS Region to the on-premises data center via an AWS Direct Connect public VIF, and $0.09 per GB from account 2 to the on-premises data center.

FIGURE 14.3 Scenario 3

Scenario 4

Using AWS Direct Connect in one account to access an Amazon EC2 instance in another account, with both accounts owned by the same AWS customer (see Figure 14.4).

Figure description: $0.02 per GB from account 1 in the N. Virginia AWS Region to the on-premises data center, and $0.30 per GB from account 2 to the on-premises data center via AWS Direct Connect.

FIGURE 14.4 Scenario 4

Scenario 5

The transit VPC design within a single AWS Region (see Figure 14.5).

Figure description: a transit VPC in the N. Virginia AWS Region connected to n VPC subnets, a corporate data center, and other provider networks; $0.01 per GB from the VPC subnets to the transit VPC and $0.09 per GB from the transit VPC to the other networks.

FIGURE 14.5 Scenario 5

Scenario 6

The transit VPC design over multiple AWS Regions (see Figure 14.6).

Figure description: a transit VPC in the Oregon AWS Region connected to VPC subnet A in N. Virginia, n VPC subnets in Oregon, a corporate data center, and other provider networks.

FIGURE 14.6 Scenario 6

Summary

Understanding networking billing within AWS requires you to have a clear understanding of the source and destination for a specific traffic flow. You can use that information to attribute each end of the flow to one of the service and port-hour fee categories mentioned in this chapter and the AWS documentation. This then enables you to establish which of the various data transfer categories applies to that particular flow. Regardless of the categories, it’s important to understand if you are charged once or twice for each flow in each direction.

Exam Essentials

Understand the key elements used for billing related to networking on AWS. Port-hour/service charges, data transfer, and data processing are the three key elements used to calculate networking-related charges.

Understand how AWS Direct Connect affects billing. Private VIFs simply reduce the outbound data transfer rates from Internet ($0.09 per GB) to AWS Direct Connect rates ($0.020 per GB).

Public VIFs have multiple factors to consider before the reduced rate applies, specifically ownership of the resource, ownership of the VIF, relationship of the VIFs within the AWS organization, whitelisted IP prefixes, BGP status, and whether the prefix is being advertised.

Understand how to combine relevant components to derive a cost for an architecture. The VGW IPsec VPN endpoints are within an AWS Region. There may be two elements to the data transfer charge, depending on where a traffic flow restarts due to a VPN appliance or similar mechanism. You will be charged twice for a traffic flow in certain situations, such as between two Availability Zones.

Resources to Review

Exercises

The best way to become familiar with the AWS billing model and associated charges is to configure your own architecture and then use available resources (for example, AWS Cost and Usage reports) to understand the charges for each component.

For assistance completing these exercises, refer to the AWS Documentation located at https://aws.amazon.com/documentation/account-billing/ and the individual service pricing pages on the AWS website.



Review Questions

  1. You have two Amazon Elastic Compute Cloud (Amazon EC2) instances in two different Virtual Private Clouds (VPCs) that have a peering connection. Both VPCs are in the same Availability Zone. What charge will you see on your bill for data transfer between those two instances?

    1. $0.00 per GB in each direction
    2. $0.01 per GB in each direction
    3. $0.02 per GB in each direction
    4. $0.04 per GB in each direction
  2. Which of the following statements regarding data transfer into Amazon Simple Storage Service (Amazon S3) is not true?

    1. Data transfer from a non-AWS public IP to Amazon S3 is not charged.
    2. Data transfer from Amazon Elastic Compute Cloud (Amazon EC2) in us-west-2 to an Amazon S3 bucket in eu-west-1 is not charged.
    3. Data transfer from Amazon EC2 to Amazon S3 in the same region is not charged.
    4. Data transfer from Amazon S3 to an Amazon CloudFront edge location is not charged.
  3. You elect to use an AWS Direct Connect public Virtual Interface (VIF) to carry an IP Security (IPsec) Virtual Private Network (VPN) from your Virtual Private Cloud (VPC) Virtual Private Gateway (VGW) to your customer gateway. What rate is charged for all of the data transfer over the VPN?

    1. $0.00 per GB
    2. $0.020 per GB
    3. $0.05 per GB
    4. $0.09 per GB
  4. Which of the following types of data transfer is not charged?

    1. From Amazon Elastic Compute Cloud (Amazon EC2) in eu-west-1 to Amazon Simple Storage Service (Amazon S3) in us-east-1
    2. From your on-premises data center to Amazon S3 in us-east-1
    3. From Amazon EC2 in eu-west-1 to your on-premises data center
    4. From Amazon S3 in us-east-1 to Amazon EC2 in eu-west-1
  5. You want to receive an email in advance if it is likely that your monthly charge will exceed $200. Which is the most appropriate mechanism to generate this notification?

    1. Create a billing alarm in Amazon CloudWatch.
    2. Create a budget.
    3. Enable Cost and Usage reporting.
    4. Access your billing console.
  6. After creating an AWS Direct Connect connection, what is the earliest point in time that you start receiving port-hour charges?

    1. 90 days from creation
    2. When the connection becomes available for the first time
    3. Once you have transferred 100 MB of data
    4. When a Virtual Interface (VIF) is created
  7. Which of the following is not used for billing of the Network Address Translation (NAT) gateway?

    1. NAT gateway hourly charge
    2. NAT gateway data processing charge
    3. Active session charge
    4. Data transfer charge
  8. Which of the following is the charge for data transfer out from Amazon Simple Storage Service (Amazon S3) to Amazon CloudFront?

    1. $0.000 per GB
    2. $0.010 per GB
    3. $0.020 per GB
    4. Varies by edge location
  9. When using a public Virtual Interface (VIF) on AWS Direct Connect, you access an Amazon Simple Storage Service (Amazon S3) bucket owned by someone who is not part of your organization. Who pays for data transfer from that bucket?

    1. The owner of the AWS Direct Connect connection
    2. The Amazon S3 bucket owner
    3. The owner of the public VIF
    4. No one; it is not charged.
  10. You make a connection from an Amazon Elastic Compute Cloud (Amazon EC2) instance that you own to the public IP address for another Amazon EC2 instance in your account. Both instances are in the same Availability Zone. How much does this cost in us-east-1?

    1. Nothing; data transfer is not charged within the same Availability Zone
    2. $0.010 per GB in each direction
    3. $0.090 per GB in each direction
    4. Nothing in one direction; $0.090 per GB in the other direction