cldellow

Reputation: 388

Is traffic from a VPC EC2 instance with a public IP address to an S3 bucket in the same region guaranteed to stay within Amazon's network?

This question is inspired by this tweet by someone who accidentally and unexpectedly incurred a large bill due to a NAT gateway.

I'm using EC2 to process terabytes of data from an S3 bucket. The bucket and the instance are in the same region.

My goal is to minimize costs. In particular, I want to pay $0 for S3 data transfer costs. According to the S3 pricing page, this should be possible:

Transfers between S3 buckets or from Amazon S3 to any service(s) within the same AWS Region are free.

My instance is in a VPC, has a public IP address, no NAT gateway, no S3 gateway endpoint.

I observe that over months of doing this, I'm not being charged. Whereas traceroute from a server in a different region shows intermediate hops to the S3 host, the route from a server in the same region shows no intermediate hops to the S3 endpoint. Is this always guaranteed? Could Amazon's DNS resolver one day give me an IP address that requires routing over the public Internet, thus incurring thousands of dollars of fees?

This question seems a bit related, but doesn't really address the core question.

Upvotes: 3

Views: 1845

Answers (1)

Michael - sqlbot

Reputation: 179124

The tweet does not appear to accurately reflect the true nature of the charges they incurred.

(I'm not saying they weren't charged, I'm saying that it isn't correct to describe it as if S3 isn't free in this case, even though the tweet implies that this is the case.)

S3 traffic to/from other services within the same region isn't free with a * -- it's just free.

Transfers between S3 buckets or from Amazon S3 to any service(s) within the same AWS Region are free.

https://aws.amazon.com/s3/pricing/

That doesn't say anything about the routing of the traffic, and the routing of the traffic is not important, because -- back to the tweet -- they would not have been billed those usage charges by Amazon S3.

They would have been billed by Amazon VPC for using a NAT Gateway. What you access through a NAT Gateway isn't relevant, because the "data processing" charges always apply to traffic passing through it.

Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic’s source or destination. (emphasis added)

https://aws.amazon.com/vpc/pricing/

The NAT Gateway pricing page (including old versions like this one) specifically mentions that accessing S3 through a NAT Gateway is subject to all the charges applicable to NAT Gateway.

Accessing S3 within the same region using either an EC2 instance with a public IP address or using an S3 endpoint does not incur any data transfer charges.

When you access S3 within the region, the traffic -- by the relevant definition -- doesn't leave the region, because objects stored in a given region are always located in the region.

Objects stored in a Region never leave the Region unless you explicitly transfer them to another Region.

https://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html

As long as you aren't using a NAT Gateway, or doing something similarly sub-optimal, like accessing S3 by transiting an EC2 NAT Instance or forward proxy (e.g. Squid) in another region (which would result in cross-region traffic charges between your client instance and the NAT Instance or proxy billed by VPC or EC2 -- not S3) then you should not expect to pay for data transfer related to S3 within a region.

Upvotes: 4
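The answer's point is that the bill depends on which path the subnet's route table sends S3 traffic down (S3 gateway endpoint, internet gateway from a public IP, or NAT gateway), and the question's worry is whether the resolved S3 address is still inside the region. The following script is an added example, not code from either poster or from AWS: it classifies a subnet's path to S3 from route tables in the shape returned by `aws ec2 describe-route-tables`, and checks a resolved address against the region's S3 prefixes in the shape of `ip-ranges.json`. All IDs, CIDRs and the prefix list ID are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# Every ID and CIDR below is invented for this example.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # Main table: public subnet, default route via an internet gateway
            "RouteTableId": "rtb-aaaa1111", "VpcId": "vpc-0000abcd",
            "Associations": [{"Main": True}, {"SubnetId": "subnet-public-1"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
            ],
        },
        {   # Private subnet: default route via a NAT gateway, no S3 endpoint
            "RouteTableId": "rtb-bbbb2222", "VpcId": "vpc-0000abcd",
            "Associations": [{"SubnetId": "subnet-private-1"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210", "State": "active"},
            ],
        },
        {   # Private subnet with a NAT gateway AND an S3 gateway endpoint route
            "RouteTableId": "rtb-cccc3333", "VpcId": "vpc-0000abcd",
            "Associations": [{"SubnetId": "subnet-private-2"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210", "State": "active"},
                {"DestinationPrefixListId": "pl-0123abcd", "GatewayId": "vpce-0a1b2c3d4e5f60718", "State": "active"},
            ],
        },
    ]
}

# Constructed sample in the shape of ip-ranges.json; real prefixes differ.
SAMPLE_IP_RANGES = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    ]
}

# Placeholder for the region's S3 prefix list ID (obtained from describe-prefix-lists).
S3_PREFIX_LIST_ID = "pl-0123abcd"


def _table_for_subnet(route_tables, subnet_id):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def s3_path_for_subnet(route_tables, subnet_id, s3_prefix_list_id):
    """Classify how traffic from subnet_id reaches S3.

    Returns 'gateway-endpoint', 'internet-gateway', 'nat-gateway' or 'none'.
    """
    table = _table_for_subnet(route_tables, subnet_id)
    if table is None:
        return "none"
    routes = [r for r in table["Routes"] if r.get("State", "active") == "active"]
    # An S3 gateway endpoint adds a route to the S3 prefix list; that route is more
    # specific than 0.0.0.0/0, so it wins for S3 traffic even if a NAT gateway exists.
    for r in routes:
        if (r.get("DestinationPrefixListId") == s3_prefix_list_id
                and r.get("GatewayId", "").startswith("vpce-")):
            return "gateway-endpoint"
    for r in routes:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if "NatGatewayId" in r:
            return "nat-gateway"  # per-GB data processing billed by VPC
        if r.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"  # needs a public IP on the instance
    return "none"


def is_regional_s3_ip(ip, ip_ranges, region):
    """True if ip falls inside a published S3 prefix for the given region."""
    addr = ipaddress.ip_address(ip)
    return any(p["service"] == "S3" and p["region"] == region
               and addr in ipaddress.ip_network(p["ip_prefix"])
               for p in ip_ranges["prefixes"])


if __name__ == "__main__":
    for subnet in ("subnet-public-1", "subnet-private-1", "subnet-private-2", "subnet-unknown"):
        print(subnet, "->", s3_path_for_subnet(SAMPLE_ROUTE_TABLES, subnet, S3_PREFIX_LIST_ID))
    print("192.0.2.10 in us-east-1 S3:", is_regional_s3_ip("192.0.2.10", SAMPLE_IP_RANGES, "us-east-1"))
```

To run this against a real account, replace the constructed dicts with the parsed output of `aws ec2 describe-route-tables --output json`, the region's S3 entry from `aws ec2 describe-prefix-lists`, and a fresh download of https://ip-ranges.amazonaws.com/ip-ranges.json. A subnet that comes back as `nat-gateway` is the configuration the tweet in the question ran into; adding an S3 gateway endpoint flips it to `gateway-endpoint` without touching the default route.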
