Hidden Cloud Costs in 2026: the charges AWS, Azure, and GCP do not advertise
Hidden charges typically add 10 to 20 percent to a cloud bill: NAT Gateway data processing, cross-zone traffic, log ingestion, idle endpoints, snapshot accumulation. This is the catalogue: 24 surprise line items across the three providers (8 each), with rates and avoidance strategies, plus a 10-step bill audit checklist.
Total estimate
For a workload listed at $100,000 per month, hidden charges typically add $10,000 to $20,000 per month, often more for network-heavy or log-heavy architectures.
AWS hidden cost catalogue
AWS surprise line items
| Item | Rate | Impact | How to avoid |
|---|---|---|---|
| NAT Gateway | $0.045/GB processed + $0.045/hour | Often $1k-3k/mo for medium workloads | Add VPC gateway endpoints (free) for S3 and DynamoDB. Add interface endpoints for ECR, CloudWatch Logs, Secrets Manager. |
| Cross-AZ data transfer | $0.01/GB each direction | Multi-AZ pods or services can spend more on cross-AZ than on compute | Topology-aware routing in Kubernetes. Pin chatty workloads to a single AZ when feasible. |
| CloudWatch Logs ingestion | $0.50/GB | Verbose container logs can cost $5k-15k/mo at scale | Drop debug logs at source. Use CloudWatch Logs Live Tail rather than persistent ingestion. Push high-volume logs to S3 directly. |
| EBS snapshot accumulation | $0.05/GB/mo | Snapshots accumulate over time and rarely get cleaned up | Data Lifecycle Manager (DLM) policies. Quarterly snapshot audits. |
| Elastic IP unattached | $0.005/hour ($3.65/mo) | Per orphaned EIP | Release unattached EIPs. Cost Optimization Hub surfaces them. |
| Route 53 | $0.50/zone/mo + $0.40 per million queries | Multiple environments compound | Consolidate apex zones. Cache aggressively with longer TTLs where safe. |
| Application Load Balancer idle | $16.20/mo minimum | Per parked ALB | Delete idle ALBs in non-prod. Use host-based routing to combine apps onto fewer ALBs. |
| S3 request pricing | $5/M PUT, $0.40/M GET | Small-object workloads can spend more on requests than storage | Batch small writes. Use multipart for large objects. Cache GETs at CloudFront edge. |
Azure hidden cost catalogue
Azure surprise line items
| Item | Rate | Impact | How to avoid |
|---|---|---|---|
| Azure Firewall Standard | $1.25/hr ($912.50/mo) + $0.016/GB processed | Fixed cost runs whether or not it sees traffic | Use NSGs (free) plus Application Gateway WAF v2 for simpler patterns. |
| Log Analytics ingestion | $2.76/GB after 5 GB/day free per workspace | Container Insights at scale can cost $10k+/mo | Drop verbose logs at source. Use Basic Logs tier ($0.65/GB) for archive-style retention. Set table-level retention. |
| Azure AD Premium licences | P1 $6/user/mo, P2 $9/user/mo | Per user, often over-licensed | Audit assigned licences quarterly. Many tenants over-license P2 for users who only need P1. |
| Bandwidth above 100 GB/mo free | $0.087/GB outbound first 10 TB | Variable based on egress | Azure Front Door or CDN for high-volume egress. Co-locate chatty workloads in the same region. |
| Azure DevOps parallel jobs | $40/mo per additional Microsoft-hosted agent | CI/CD-heavy teams compound cost | Self-hosted agents on Spot VMs for high-volume CI/CD. |
| Key Vault operations | $0.03 per 10k operations, secrets $1/mo each | Microservices that fetch secrets per-request add up fast | Cache secrets in memory with appropriate refresh windows. |
| App Service Always On | Requires Basic ($0.075/hour) or higher | Free tier cold starts force upgrade | Premium V3 with auto-scale rules where bursty traffic justifies it. |
| Public IP addresses (Standard) | $3.65/mo each | Compounds across many resources | Audit unattached IPs monthly. Use NAT Gateway with shared public IPs. |
GCP hidden cost catalogue
GCP surprise line items
| Item | Rate | Impact | How to avoid |
|---|---|---|---|
| Persistent Disk SSD premium | $0.170/GB/mo (vs $0.080/GB AWS gp3) | SSD-heavy workloads cost roughly 2x AWS equivalent | Hyperdisk Balanced for IOPS-bound workloads. Right-size disks. Snapshots for cold data. |
| GKE Standard control plane | $0.10/hr ($73/mo) per cluster | Multi-cluster patterns compound | Consolidate dev clusters. Use GKE Autopilot (control plane included). |
| Cloud NAT | $0.045/GB processed + $0.0014/hr per VM gateway endpoint | Per-VM cost scales with instance count | Private Service Connect for Google APIs. Co-locate egress through dedicated NAT subnets. |
| Persistent Disk snapshots | $0.026/GB/mo standard, $0.050/GB/mo regional | Snapshots accumulate; regional redundancy doubles cost | Snapshot lifecycle policies. Move long-term snapshots to Cloud Storage Coldline. |
| Network Intelligence Center flow logs | $0.04 per flow log entry | High-traffic VPCs generate large flow log bills | Sample VPC flow logs. Disable on subnets where not required. |
| Cloud Logging ingestion | $0.50/GB above 50 GB/project/month free | Multi-project organisations compound | Exclusion filters at sink level. Send container debug logs to Cloud Storage. |
| External IP addresses (static, unattached) | $0.01/hr ($7.30/mo) | Per orphaned static IP | Audit unattached static IPs monthly. |
| Cross-region multi-region buckets | Multi-region storage rate + replication egress | Higher than regional for non-critical data | Use regional buckets for non-critical data. Reserve multi-region for compliance. |
Bill audit checklist
10 steps to find the hidden line items
1. Run Cost Explorer / Cost Management / Cloud Billing grouped by service for the past 90 days
2. Identify the top 10 line items beyond compute and storage
3. Map each to the catalogues on this page
4. For each surprise line item, calculate annual run rate (monthly cost x 12)
5. Quantify avoidance impact at 50% reduction (realistic conservative estimate)
6. Schedule audits of unattached resources (IPs, snapshots, EBS volumes, idle LBs)
7. Add VPC endpoints (AWS) or Private Service Connect (GCP) for high-volume API traffic
8. Set CloudWatch / Log Analytics / Cloud Logging exclusion filters
9. Enable storage lifecycle policies (S3 Intelligent-Tiering, Blob lifecycle, Autoclass)
10. Establish a monthly hidden-cost review as part of the FinOps cadence
Common questions
FAQ
How much do hidden costs typically add to a cloud bill?
10-20% for typical architectures, sometimes more. NAT Gateway data processing and CloudWatch Logs ingestion are the most common surprises on AWS. Azure Firewall and Log Analytics catch Azure customers. GCP block storage premium and Cloud NAT per-VM charges add up on GCP. The first surprise bill is often when a workload moves from staging to production traffic.
Why does NAT Gateway cost so much?
AWS charges $0.045/GB of data processed plus $0.045/hour per gateway. The hourly charge alone is $32.85/mo. The data processing charge applies to all egress through NAT, including pulling Docker images, calling AWS APIs, and external service traffic. For a workload pulling 100 GB/day through NAT, that is $4.50/day or $135/month per gateway, on top of the hourly fee.
What is the easiest hidden cost to fix?
Unattached resources: orphaned Elastic IPs, idle Application Load Balancers, EBS snapshots from terminated instances, unused public IP addresses. Most providers have idle-resource reports (AWS Cost Optimization Hub, Azure Advisor, GCP Recommender Hub). A quarterly cleanup typically saves 2-5% of the bill with no architecture changes.
How do I find hidden costs in my own bill?
Group your cost report by usage type, not by service. Most teams group by service and miss that 'data transfer', 'request charges', and 'storage' are line items inside services. The usage type view surfaces NAT Gateway data processing, CloudWatch Logs PutLogEvents, S3 PUT requests, and similar charges that hide inside parent services.
Are hidden costs a sign of poor architecture?
Sometimes. Cross-AZ traffic costs that exceed compute cost suggest poor topology. NAT Gateway costs above 5% of bill suggest missing VPC endpoints. CloudWatch Logs costs above 3% of bill suggest verbose logging. Hidden costs are often a useful architecture signal: where the bill is leaking is usually where the architecture has a gap.
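The audit checklist above (steps 2, 4 and 5) and the two FAQ answers on grouping by usage type and reading the bill as an architecture signal can be run as one small triage script. The following is an added example, not code from the original page or from any cloud provider's tooling. It assumes the cost report has already been exported from Cost Explorer / Cost Management / Cloud Billing grouped by usage type as rows of (usage_type, service, monthly_usd); the sample rows, the usage-type strings and the dollar figures below are constructed for illustration and are not taken from a real bill. The "compute and storage" baseline is identified by usage-type prefix, which is an assumption you would adjust to your own export.

```python
"""Hidden-cost triage over a cost report grouped by usage type.

Added example, not part of the original page: it applies checklist steps
2, 4 and 5 and the FAQ thresholds (NAT above 5% of bill, logs above 3%)
to a cost export that has already been grouped by usage type. The rows
below are constructed sample data; the usage-type strings are illustrative.
"""
from dataclasses import dataclass

# Constructed sample month for one account: (usage_type, service, monthly_usd).
SAMPLE_ROWS = [
    ("BoxUsage:m6i.xlarge",         "AmazonEC2",        48000.00),  # compute baseline
    ("TimedStorage-ByteHrs",        "AmazonS3",          9500.00),  # storage baseline
    ("NatGateway-Bytes",            "AmazonEC2",         4100.00),  # NAT data processing
    ("NatGateway-Hours",            "AmazonEC2",          260.00),  # NAT hourly charge
    ("DataTransfer-Regional-Bytes", "AmazonEC2",         1600.00),  # cross-AZ traffic
    ("DataProcessing-Bytes",        "AmazonCloudWatch",  2900.00),  # Logs ingestion
    ("EBS:SnapshotUsage",           "AmazonEC2",         1400.00),  # snapshot accumulation
    ("ElasticIP:IdleAddress",       "AmazonEC2",          110.00),  # unattached EIPs
    ("LoadBalancerUsage",           "AWSELB",             780.00),  # idle ALBs
    ("Requests-Tier1",              "AmazonS3",          1900.00),  # S3 PUT/LIST requests
]

# Assumed usage-type prefixes that make up the compute-and-storage baseline;
# checklist step 2 looks at everything else.
BASELINE_PREFIXES = ("BoxUsage", "TimedStorage")

# Architecture-signal thresholds stated in the FAQ.
NAT_SHARE_THRESHOLD = 0.05
LOG_SHARE_THRESHOLD = 0.03


@dataclass(frozen=True)
class LineItem:
    usage_type: str
    service: str
    monthly_usd: float

    @property
    def annual_run_rate(self) -> float:
        """Checklist step 4: monthly cost x 12."""
        return self.monthly_usd * 12

    @property
    def avoidance_at_50pct(self) -> float:
        """Checklist step 5: conservative saving at a 50% reduction."""
        return self.annual_run_rate * 0.5

    @property
    def is_baseline(self) -> bool:
        return self.usage_type.startswith(BASELINE_PREFIXES)


def load_rows(rows) -> list[LineItem]:
    return [LineItem(usage_type, service, float(cost)) for usage_type, service, cost in rows]


def total_bill(items: list[LineItem]) -> float:
    return sum(i.monthly_usd for i in items)


def share_of_bill(items, predicate) -> float:
    """Fraction of the monthly bill made up of items matching predicate (0.0 for an empty bill)."""
    total = total_bill(items)
    if total == 0:
        return 0.0
    return sum(i.monthly_usd for i in items if predicate(i)) / total


def hidden_cost_share(items) -> float:
    """Everything outside the compute/storage baseline, as a fraction of the bill."""
    return share_of_bill(items, lambda i: not i.is_baseline)


def top_surprise_items(items, n: int = 10) -> list[LineItem]:
    """Checklist step 2: the largest non-baseline line items, biggest first."""
    surprises = [i for i in items if not i.is_baseline]
    return sorted(surprises, key=lambda i: i.monthly_usd, reverse=True)[:n]


def architecture_signals(items) -> list[str]:
    """FAQ heuristics: NAT > 5% suggests missing VPC endpoints; logs > 3% suggests verbose logging."""
    nat_share = share_of_bill(items, lambda i: "NatGateway" in i.usage_type)
    log_share = share_of_bill(
        items, lambda i: i.service == "AmazonCloudWatch" and "DataProcessing" in i.usage_type
    )
    signals = []
    if nat_share > NAT_SHARE_THRESHOLD:
        signals.append(f"NAT Gateway is {nat_share:.1%} of the bill: check for missing VPC endpoints")
    if log_share > LOG_SHARE_THRESHOLD:
        signals.append(f"CloudWatch Logs ingestion is {log_share:.1%} of the bill: check for verbose logging")
    return signals


def audit_report(rows) -> dict:
    """Run the whole triage over exported rows and return the findings."""
    items = load_rows(rows)
    return {
        "total_monthly_usd": total_bill(items),
        "hidden_cost_share": hidden_cost_share(items),
        "top_surprises": [
            (i.usage_type, i.monthly_usd, i.annual_run_rate, i.avoidance_at_50pct)
            for i in top_surprise_items(items)
        ],
        "signals": architecture_signals(items),
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_ROWS)
    print(f"Total: ${report['total_monthly_usd']:,.2f}/mo, hidden share {report['hidden_cost_share']:.1%}")
    for usage_type, monthly, annual, saving in report["top_surprises"]:
        print(f"  {usage_type:<28} ${monthly:>9,.2f}/mo  ${annual:>10,.2f}/yr  save ~${saving:>9,.2f}/yr")
    for s in report["signals"]:
        print("  !", s)
```

On the constructed sample the hidden share lands around 18%, inside the 10 to 20% band the page describes, and both FAQ thresholds trip (NAT at roughly 6%, logs at roughly 4%), so the report points at the two fixes the catalogue lists: VPC endpoints and dropping verbose logs at source. The prefix-based baseline is the part to tune for a real export; the rest of the logic is independent of provider once the rows are in this shape.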