Network egress is the surprise charge that catches every GCP team at least once. You build a perfectly optimized architecture, right-size your VMs, tune your BigQuery queries — and then discover you're paying hundreds or thousands per month for data moving between regions, to the internet, or even between services in the same project.
The asymmetry is what makes it frustrating: ingress (data coming in) is free, but egress (data going out) is not. And "out" doesn't just mean the internet — it means any data leaving a zone, a region, or a VPC. This pricing model creates hidden costs in architectures that look perfectly reasonable until the bill arrives.
This guide breaks down where network costs come from, which ones you can control, and the architectural decisions that prevent surprises.
How GCP Network Pricing Works
GCP network pricing follows a tiered model based on where data travels. The farther it goes, the more it costs:
| Traffic Path | Cost per GB |
|---|---|
| Within the same zone | Free |
| Same region, different zone | $0.01 |
| Between regions (same continent) | $0.01 - $0.02 |
| Between continents | $0.02 - $0.08 |
| To the internet (first 1 TB/month) | $0.085 - $0.12 |
| To the internet (1-10 TB/month) | $0.065 - $0.085 |
| To the internet (10+ TB/month) | $0.045 - $0.065 |
Premium vs Standard network tier
GCP offers two network tiers:
| Feature | Premium Tier (default) | Standard Tier |
|---|---|---|
| Routing | Google's global network | Public internet (regional) |
| Latency | Lower (Google backbone) | Higher (variable) |
| Internet egress | $0.085 - $0.12/GB | $0.04 - $0.085/GB |
| Availability | Global load balancers, CDN | Regional only |
The ingress/egress asymmetry
This pricing model has a deliberate consequence: it's cheap to get data into GCP but expensive to get it out. This affects decisions about:
- Multi-cloud architectures: Moving data between GCP and AWS/Azure incurs egress
- Hybrid setups: On-prem to GCP communication costs add up
- API-heavy applications: Every API response is egress
The Biggest Egress Cost Drivers
Not all egress is equal. Some patterns generate surprisingly large bills.
1. Cross-region replication
If your architecture spans multiple regions (for high availability or compliance), every replicated byte is billed:
| Service | Replication Cost |
|---|---|
| Cloud SQL (HA across regions) | $0.12/GB for cross-region read replicas |
| Cloud Spanner (multi-region) | Included in Spanner pricing (but Spanner itself is expensive) |
| GCS (multi-region bucket) | Free between regions within multi-region |
| GCS (cross-region copy) | Standard egress rates |
| Memorystore (Redis cross-region) | Standard egress rates |
2. API responses to end users
Every HTTP response from Cloud Run, GKE, or App Engine is internet egress. For API-heavy applications:
| Average Response Size | Requests/Day | Monthly Egress | Monthly Cost |
|---|---|---|---|
| 10 KB | 100K | ~93 GB | ~$8 |
| 50 KB | 100K | ~465 GB | ~$40 |
| 100 KB | 1M | ~9.3 TB | ~$560 |
| 500 KB | 1M | ~46.5 TB | ~$2,100 |
3. BigQuery cross-region queries
If your BigQuery dataset is in us-central1 but your application reads results from europe-west1, you pay egress on the query results. This also applies to cross-region joins — BigQuery moves data to execute the query and bills egress for it.
Fix: Keep your BigQuery datasets in the same region as the services that query them.
4. Cloud Storage downloads
Every time a user or service downloads from GCS, it's egress. For public-facing storage (images, documents, media), this can be the largest single line item:
| Bucket Size | Daily Downloads | Monthly Egress | Monthly Cost |
|---|---|---|---|
| 10 GB (fully downloaded daily) | 1x/day | 300 GB | ~$26 |
| 100 GB (10% downloaded daily) | 1x/day | 300 GB | ~$26 |
| 1 TB (serving media files) | Varies | 5 TB | ~$340 |
5. VPN and Interconnect data transfer
Data flowing through Cloud VPN or Dedicated Interconnect is also billed for egress. Interconnect offers discounted egress rates ($0.02/GB vs $0.085/GB for internet), which is why high-volume hybrid architectures favor Interconnect over VPN — the data transfer savings alone can justify the circuit cost.
Cloud NAT — The Silent Cost Multiplier
Cloud NAT is one of the most misunderstood cost items on GCP. It lets private VMs and containers access the internet without public IPs. Sounds simple, but the pricing catches people off guard.
What Cloud NAT charges
Cloud NAT has two cost components:
| Component | Price |
|---|---|
| NAT gateway (per gateway per hour) | ~$0.044/hr (~$32/month) |
| Data processing fee | $0.045/GB processed |
For internet-bound traffic, the NAT processing fee is charged on top of egress:
- $0.045 (NAT processing) + $0.085 (internet egress) = $0.13/GB total
Why costs explode with containers
GKE and Cloud Run workloads using private networking route all internet-bound traffic through Cloud NAT. In container environments, this includes:
- Pulling container images from public registries
- Calling external APIs (payment processors, SaaS tools, etc.)
- Downloading dependencies during builds
- Health checks to external services
A GKE cluster pulling images and calling APIs can easily process 500 GB/month through NAT — that's $22.50/month in NAT processing fees alone, on top of egress.
Private Google Access — the free alternative
For traffic to GCP APIs (BigQuery, Cloud Storage, Pub/Sub, etc.), use Private Google Access instead of Cloud NAT:
| Feature | Cloud NAT | Private Google Access |
|---|---|---|
| Cost | $0.045/GB + egress | Free |
| Covers | All internet traffic | GCP API traffic only |
| Setup | NAT gateway required | Enable on subnet |
```bash
gcloud compute networks subnets update SUBNET_NAME \
  --region=REGION \
  --enable-private-ip-google-access
```
This routes GCP API traffic through Google's internal network at no charge, bypassing Cloud NAT entirely. For many workloads, 50-80% of NAT traffic is actually going to GCP APIs.
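To find the subnets that still need this flag, the following added example (not part of the original article) parses the JSON that `gcloud compute networks subnets list --format=json` prints and builds the update command shown above for each subnet without Private Google Access. The sample records, the project name and the choice to skip special-purpose subnets are assumptions made for illustration.

```python
import json

# Constructed sample of `gcloud compute networks subnets list --format=json`
# output, trimmed to the fields used here (not real infrastructure).
SAMPLE_SUBNETS_JSON = """
[
  {"name": "app-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/demo-project/regions/us-central1",
   "purpose": "PRIVATE", "privateIpGoogleAccess": false},
  {"name": "data-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/demo-project/regions/us-central1",
   "purpose": "PRIVATE", "privateIpGoogleAccess": true},
  {"name": "legacy-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/demo-project/regions/europe-west1"},
  {"name": "proxy-only-subnet",
   "region": "https://www.googleapis.com/compute/v1/projects/demo-project/regions/us-central1",
   "purpose": "REGIONAL_MANAGED_PROXY", "privateIpGoogleAccess": false}
]
"""


def subnets_missing_pga(subnets_json):
    """Return (name, region) for workload subnets without Private Google Access."""
    missing = []
    for subnet in json.loads(subnets_json):
        # Assumption: only ordinary workload subnets matter; load balancer
        # proxy-only and other special-purpose subnets are skipped.
        if subnet.get("purpose", "PRIVATE") != "PRIVATE":
            continue
        # A missing field is treated as disabled.
        if not subnet.get("privateIpGoogleAccess", False):
            region = subnet["region"].rstrip("/").rsplit("/", 1)[-1]
            missing.append((subnet["name"], region))
    return sorted(missing)


def remediation_commands(missing):
    """Build the gcloud command from this section for each flagged subnet."""
    return [
        f"gcloud compute networks subnets update {name} "
        f"--region={region} --enable-private-ip-google-access"
        for name, region in missing
    ]


if __name__ == "__main__":
    for command in remediation_commands(subnets_missing_pga(SAMPLE_SUBNETS_JSON)):
        print(command)
```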
CDN and Load Balancer Costs
Cloud CDN pricing
Cloud CDN charges for two things: cache fill (pulling content from your origin) and cache egress (serving content from cache to users).
| Component | Price |
|---|---|
| Cache fill (origin to CDN) | Standard egress rates |
| Cache egress (CDN to user) | $0.02 - $0.08/GB (varies by region) |
| HTTP/HTTPS requests | $0.0075 per 10K requests |
| Cache invalidation | $0.005 per invalidation |
Estimated savings at a 90% cache hit rate:
| Scenario | Without CDN | With CDN (90% hit rate) | Savings |
|---|---|---|---|
| 10 TB/month internet egress | $850 | ~$310 | 64% |
| 1 TB/month internet egress | $85 | ~$42 | 51% |
| 100 GB/month internet egress | $8.50 | ~$7.50 | 12% |
Cloud CDN is unlikely to pay off with:
- Low cache hit ratio (unique content per user, dynamic responses)
- Low traffic volume (CDN fixed costs outweigh savings)
- Content changes frequently (constant cache invalidation)
Load balancer costs
GCP load balancers charge for data processing, and the charges vary by type:
| Load Balancer Type | Data Processing Cost |
|---|---|
| Global External Application LB | $0.008 - $0.012/GB |
| Regional External Application LB | $0.008 - $0.012/GB |
| Regional Internal Application LB | $0.008/GB |
| Network LB (passthrough) | Free (no data processing charge) |
Choose the right LB for your traffic:
- Use Network LB (passthrough) for internal TCP/UDP traffic (no data processing charge)
- Use Regional External Application LB instead of Global when you only serve one region
- Consider direct Cloud Run URLs for internal service-to-service calls that don't need load balancing
GCS Lifecycle and Operation Costs
Cloud Storage pricing has two components that trip people up: storage class and operations.
Storage class pricing
| Storage Class | Storage $/GB/month | Retrieval $/GB | Min Duration |
|---|---|---|---|
| Standard | $0.020 | Free | None |
| Nearline | $0.010 | $0.01 | 30 days |
| Coldline | $0.004 | $0.02 | 90 days |
| Archive | $0.0012 | $0.05 | 365 days |
The lifecycle rule trap
Lifecycle rules automatically move objects to cheaper storage classes as they age. This saves on storage costs but increases retrieval costs. The trap: if you access "cold" data regularly, the retrieval fees can exceed the storage savings.
Example: Moving 1 TB from Standard to Coldline saves $16/month in storage. But if you access 10% of that data monthly, retrievals cost $2/month — acceptable. If you access 50%, retrievals cost $10/month — most of the savings disappear.
Rules of thumb:
- Nearline: Data accessed less than once per month
- Coldline: Data accessed less than once per quarter
- Archive: Data accessed less than once per year (backups, compliance)
Class A vs Class B operations
GCS also charges per-operation, and the prices differ dramatically between operation types:
| Operation Type | Standard | Nearline | Coldline | Archive |
|---|---|---|---|---|
| Class A (write, list) | $0.005/1K | $0.01/1K | $0.01/1K | $0.05/1K |
| Class B (read, get) | $0.0004/1K | $0.001/1K | $0.005/1K | $0.05/1K |
Class A charges add up fastest with:
- ETL pipelines that write millions of small files
- Listing operations on buckets with millions of objects (each LIST call is Class A)
- Overwriting objects frequently (each write is Class A)
Multi-region vs single-region buckets
| Bucket Type | Storage Premium | Egress Benefit |
|---|---|---|
| Single-region | Baseline | Standard egress |
| Dual-region | ~2x storage cost | Free egress between the two regions |
| Multi-region | ~2x storage cost | Free egress within the multi-region |
Reducing Network Costs
1. Keep traffic in the same region
The single most impactful decision for network costs is co-locating services and data. If your app, database, and storage are all in us-central1, most internal traffic is free.
Common mistakes:
- App in us-central1, BigQuery dataset in us (multi-region) — cross-region query results
- Cloud SQL in us-central1, read replica in europe-west1 — continuous cross-region replication
- Cloud Run in us-east1, GCS bucket in us-west1 — every object fetch is cross-region egress
2. Use Private Google Access instead of NAT
Enable it on every subnet. For most workloads, this eliminates 50-80% of Cloud NAT traffic at zero cost.
3. Compress API responses
Enable gzip/brotli compression on Cloud Run, GKE services, and App Engine. A typical JSON API response compresses 70-80%, directly reducing egress costs.
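Cloud Run service - most frameworks handle this automatically.
For Express.js:
```javascript
const compression = require('compression'); // Express middleware from the "compression" npm package
app.use(compression());
```
For Python/FastAPI with uvicorn: use --proxy-headers and let the load balancer handle compression, or use GZipMiddleware.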
4. Cache at every layer
| Layer | Tool | Impact |
|---|---|---|
| CDN | Cloud CDN | Eliminates origin egress for cached content |
| Application | Redis/Memorystore | Reduces database queries and backend-to-backend traffic |
| Database | BigQuery caching, Cloud SQL query cache | Reduces data scanned and transferred |
| Client | Cache-Control headers | Eliminates requests entirely |
5. Choose single-region when multi-region isn't needed
Multi-region is a compliance or HA requirement, not a default. Unless you have users or regulatory requirements in multiple regions, single-region deployments eliminate cross-region data transfer entirely.
6. Monitor with billing export
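```sql
SELECT
  -- Aliases differ from the STRUCT columns `service` and `sku`,
  -- otherwise GROUP BY cannot tell the alias from the column.
  service.description AS service_name,
  sku.description AS sku_name,
  -- usage.amount is reported in the SKU's base unit (usage.unit), not GB,
  -- so report pricing units and show which unit applies to each SKU.
  usage.pricing_unit AS pricing_unit,
  ROUND(SUM(cost), 2) AS total_cost,
  ROUND(SUM(usage.amount_in_pricing_units), 2) AS total_usage
FROM `project.dataset.gcp_billing_export_v1_XXXXXX`
WHERE invoice.month = '202603'
  AND (
    sku.description LIKE '%Egress%'
    OR sku.description LIKE '%Network%'
    OR sku.description LIKE '%NAT%'
    OR sku.description LIKE '%Data Processing%'
    OR sku.description LIKE '%Download%'
  )
GROUP BY service_name, sku_name, pricing_unit
ORDER BY total_cost DESC;
```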
This query shows all network-related charges across all services. Run it monthly to catch new egress patterns before they become expensive.
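To make the monthly review mechanical, the following added example (not part of the original article) compares the service, SKU and cost columns of the billing query for two invoice months and flags network SKUs that are new or grew sharply. The rows, SKU names, the $10 reporting floor and the 50% growth threshold are constructed assumptions.

```python
# Constructed rows shaped like the billing query output, one list per invoice
# month: (service, sku, total_cost in USD). Not real billing data.
PREVIOUS_MONTH = [
    ("Compute Engine", "Network Internet Egress from Americas to Americas", 82.10),
    ("Networking", "NAT Gateway: Data Processing Charge", 21.40),
    ("Cloud Storage", "Download Worldwide Destinations", 25.90),
]
CURRENT_MONTH = [
    ("Compute Engine", "Network Internet Egress from Americas to Americas", 85.00),
    ("Networking", "NAT Gateway: Data Processing Charge", 64.20),
    ("Cloud Storage", "Download Worldwide Destinations", 26.00),
    ("Compute Engine", "Network Inter Region Egress from Americas to EMEA", 140.00),
    ("Cloud CDN", "Cache Egress North America", 3.20),
]


def egress_changes(previous, current, min_cost=10.0, growth=0.5):
    """Flag network SKUs that are new, or grew by more than `growth`, month over month.

    Returns (service, sku, kind, amount) tuples, largest amount first. For
    "new" the amount is the month's cost; for "grew" it is the increase.
    """
    before = {(service, sku): cost for service, sku, cost in previous}
    findings = []
    for service, sku, cost in current:
        if cost < min_cost:
            continue  # ignore line items below the reporting floor
        old = before.get((service, sku))
        if old is None or old == 0:
            findings.append((service, sku, "new", round(cost, 2)))
        elif (cost - old) / old > growth:
            findings.append((service, sku, "grew", round(cost - old, 2)))
    return sorted(findings, key=lambda finding: -finding[3])


if __name__ == "__main__":
    for service, sku, kind, amount in egress_changes(PREVIOUS_MONTH, CURRENT_MONTH):
        print(f"{kind:5} ${amount:>8.2f}  {service}: {sku}")
```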
Putting It All Together
This week (30 minutes)
- [ ] Run the billing export query to identify all network/egress charges
- [ ] Check if Private Google Access is enabled on all subnets
- [ ] List all Cloud NAT gateways and their monthly data processing volume
- [ ] Verify your services and data are in the same region
This month (2-3 hours)
- [ ] Enable Private Google Access on all subnets that lack it
- [ ] Add Cloud CDN to GCS buckets serving public content (if cache hit ratio > 80%)
- [ ] Enable response compression on all API services
- [ ] Review cross-region replications — are they all necessary?
- [ ] Check GCS lifecycle rules for retrieval cost impact
This quarter
- [ ] Evaluate Standard vs Premium network tier for non-user-facing workloads
- [ ] Audit load balancer types — switch to passthrough Network LB where applicable
- [ ] Consider Dedicated Interconnect if VPN egress exceeds $500/month
- [ ] Consolidate to single-region where multi-region isn't required
- [ ] Set up budget alerts filtered to network SKUs
Expected results
| Optimization | Typical Savings |
|---|---|
| Private Google Access (bypass NAT) | 50-80% reduction in NAT processing fees |
| Response compression | 70-80% reduction in API egress |
| Cloud CDN (high cache hit ratio) | 50-65% reduction in origin egress |
| Co-locating services in same region | Eliminates cross-region egress entirely |
| Standard network tier (where applicable) | 30-50% on internet egress |
| GCS lifecycle optimization | Varies — prevents retrieval cost surprises |