AWS PrivateLink pricing

You can create AWS PrivateLink endpoints to enable private connectivity to a service that is either owned by AWS or owned by an AWS customer or partner. You will be billed for each hour that your VPC endpoint remains provisioned in each Availability Zone, irrespective of the state of its association with the service (learn more). Such hourly billing for your VPC endpoint will stop when you delete it. Hourly billing will also stop if the endpoint service owner rejects your VPC endpoint’s attachment to their service, and that service is subsequently deleted. Such VPC endpoints cannot be reused and you should delete them. Each partial VPC endpoint-hour consumed is billed as a full hour. Data processing charges apply for each Gigabyte processed through the VPC endpoint regardless of the traffic’s source or destination. 

There are two different AWS PrivateLink endpoints you can choose to use: Interface endpoints and Gateway Load Balancer Endpoints. The rates you are charged depend on the type of endpoint you use as follows:

You can use interface endpoints to privately and securely access services like AWS services, internal application services or SaaS services that are running outside your VPC.

Below pricing tiers apply on the total data processed by all Interface Endpoints in an AWS Region:

Some AWS services may optionally include the cost of interface VPC endpoints associated with their service in the cost of their service, and you may not see these costs directly identified in your bill. Such cases will be identified in each of those service’s pricing information.

You can use gateway load balancer endpoints to privately and securely inject in-line network and security services, such as firewalls, intrusion detection and prevention systems, monitoring, analytics and others, running outside your VPC into your traffic flow.

You can use Interface endpoints to connect to supported VPC endpoint services outside your AWS region. There is no premium for accessing a service in another region. You incur standard PrivateLink charges for data processing and hours. In addition, AWS cross-region data transfer rates will apply. The Interface endpoint owner will be charged for each Gigabyte transferred inter-region regardless of the directionality of the data transfer. Please visit the Data Transfer section of the Amazon EC2 pricing page for specific data transfer rates between regions.

The service provider incurs a fixed hourly charge per active remote region regardless of the number of VPC endpoints using your service. A region is considered active if it has at least one Interface endpoint connected to the service. You are charged for each hour (or partial hour) that a remote AWS Region is active. The service provider does not incur any additional charges for inter-region data transfer. 

Example 1: Cross-Region Interface Endpoint Service Pricing

Let’s assume you host three VPCE services in the US-East-1 Region. You then enable cross-region access from EU-West-1, US-West-2 and US-East-2 Regions.
Service-Alpha has attached VPCEs in US-East-1, US-West-2 and US-East-2.
Service-Beta has attached VPCEs each in EU-West-1, US-West-2 and US-East-2.
Service-Gamma has attached VPCEs in US-East-1 only.

Each VPCE service is billed $0.05/hour for each remote region with attached VPCEs, resulting in a total of $0.25 per hour for all three VPCE services combined.

Example 2: Cross-Region Interface Endpoint Pricing

Let’s assume you create an Interface endpoint in US-East-1 to connect to a VPC Endpoint service in US-West-2. You transfer 2 GB of data to the VPCE service, and receives 3 GB in response.

You are billed for 5 GB data processed through the endpoint at $0.01 per GB. Additionally you are billed for 2 GB data transfer out from US-East-1 to US-West-2 ($0.02 per GB) and for 3 GB data transferred back from US-West-2 to US-East-1 ($0.02 per GB). In total, you incur $0.05 for data processing and $0.10 for inter-region data transfer. In addition, you will be charged $0.01 per hour for each endpoint ENI.