Network Cost Model

How DevZero classifies network traffic and calculates costs using cloud provider pricing.

DevZero calculates network costs by classifying every observed flow into a traffic type and applying the published cloud provider rate for that type. Costs are computed per metric and stored alongside the traffic data in time-series storage, giving you per-minute cost visibility at the workload level.

How Costs Are Calculated

Network Flow (src pod → dst)


┌──────────────────┐     ┌──────────────────┐     ┌──────────────┐
│ Classify traffic │ ──▶ │ Look up rate for │ ──▶ │ Cost =       │
│ type (see below) │     │ cloud + type     │     │ GB × $/GB    │
└──────────────────┘     └──────────────────┘     └──────────────┘

The cost for each flow is:

Cost = (TX bytes + RX bytes) / 1 GB × rate per GB

The rate depends on two factors:

  1. Traffic type — where the traffic is going
  2. Cloud provider — which cloud the cluster runs on (detected automatically from cluster metadata)

Traffic Types

| Traffic Type | Description | Typical Cost |
| --- | --- | --- |
| Internal Same-AZ | Pod-to-pod or pod-to-service within the same availability zone | Free on all providers |
| Internal Cross-AZ | Pod-to-pod across different availability zones in the same region | ~$0.01/GB (AWS, GCP); Free (Azure, OCI) |
| Internet Egress | Traffic to public IP addresses or resolved external domains | $0.0085–$0.12/GB depending on provider |
| Peering | Traffic to cloud-managed services via VPC endpoints, PrivateLink, control plane endpoints, or cloud APIs | ~$0.01/GB |
| External Private | Traffic to private IPs outside the cluster that don't match known cloud patterns | Free (conservative estimate) |

How Traffic Type Is Determined

  • Same-AZ vs Cross-AZ: The platform resolves the source and destination pods to their respective nodes, then compares the availability zones from node labels.
  • Internet Egress: The destination IP is checked against IANA reserved ranges. If it's globally routable, it's internet egress.
  • Peering: Private IPs with DNS domains matching known cloud provider patterns (VPC endpoints, PrivateLink, control planes, cloud service APIs) are classified as peering traffic.
  • External Private: Private IPs that can't be resolved to any cluster resource or known cloud pattern.

Egress Traffic

Internet egress is typically the largest cost driver in Kubernetes networking. DevZero identifies egress traffic through two signals:

  1. Public IP detection — Destination IP is checked against known private/reserved ranges. If it's not private, it's public.
  2. DNS domain resolution — The operator traces DNS responses via eBPF to map IPs to domain names. This lets you see that traffic to 52.54.61.135 is actually going to api.stripe.com.

This gives you visibility into which workloads are generating egress traffic, to which external services, and at what volume.

NAT Gateway processing fees are not yet included in cost calculations. Cloud providers charge additional per-GB processing fees for traffic routed through NAT Gateways (e.g., AWS charges $0.045/GB on top of data transfer). The operator currently cannot distinguish whether egress traffic flows through a NAT Gateway or an Internet Gateway, as the NAT translation happens at the VPC level, outside the node's connection tracking table. We plan to detect NAT Gateway involvement via node subnet metadata in a future release.

Cloud Provider Pricing

DevZero applies simplified rates based on published cloud provider pricing. These are first-tier estimates — actual billing may differ based on volume tiers, committed use discounts, regions, and specific service configurations.

AWS

  • Same-AZ: Free
  • Cross-AZ: ~$0.01/GB each direction
  • Internet Egress: ~$0.09/GB (first 10TB tier)
  • Official pricing

Azure

  • Same-AZ: Free
  • Cross-AZ: Free (Azure eliminated cross-AZ charges)
  • Internet Egress: ~$0.087/GB
  • Official pricing

GCP

  • Same zone: Free
  • Cross-zone (same region): ~$0.01/GB
  • Internet Egress: ~$0.12/GB (Premium tier)
  • Official pricing

OCI (Oracle Cloud)

  • Within region (all ADs): Free
  • Internet Egress: ~$0.0085/GB (after free tier)
  • Official pricing

When the cloud provider cannot be determined (e.g., on-prem or unmanaged clusters), conservative default rates based on AWS pricing are used.

Peering & Private Connectivity

Traffic to cloud-managed services often travels over private networking (VPC endpoints, PrivateLink, private DNS zones) but still incurs charges. DevZero identifies these connections by matching destination domains against known cloud provider patterns:

AWS:

  • VPC Interface Endpoints: vpce-*.vpce-svc-*.<region>.vpce.amazonaws.com
  • EKS Control Plane: *.<region>.eks.amazonaws.com
  • Internal ELBs/NLBs: internal-*.<region>.elb.amazonaws.com
  • Service APIs: <service>.<region>.amazonaws.com (S3, ECR, STS, etc.)

Azure:

  • Private Endpoints: *.privatelink.*.(azure.com|windows.net|azure.net)
  • AKS Control Plane: *.azmk8s.io
  • Service APIs: *.azurecr.io, *.vault.azure.net, *.blob.core.windows.net, etc.

GCP:

  • Private Service Connect: *.psc.<region>.googleusercontent.com
  • Private Google APIs: private.googleapis.com, restricted.googleapis.com
  • GKE Control Plane: *.gke.googleapis.com
  • General APIs: *.googleapis.com

Infrastructure Endpoints:

  • Instance Metadata Service (IMDS): 169.254.169.254 — classified as cloud infrastructure
  • AWS Time Sync: 169.254.169.123 — classified as cloud infrastructure
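
An added example (not DevZero's code) that applies the classification rules, domain patterns and per-GB rates described on this page to individual flows. The function names, the 10^9-byte GB, the regex translations of the domain patterns and the zero rate for infrastructure endpoints are assumptions.

```python
import ipaddress
import re

GB = 1_000_000_000  # assumption: the page does not define 1 GB (10^9 vs 2^30 bytes)

# $/GB from the simplified rates on this page; peering uses the table's ~$0.01/GB.
# Types not listed (same_az, external_private, cloud_infrastructure) cost 0.0 here;
# the page gives no rate for cloud_infrastructure, so 0.0 is an assumption.
RATES = {
    "aws":   {"cross_az": 0.01, "internet_egress": 0.09,   "peering": 0.01},
    "azure": {"cross_az": 0.0,  "internet_egress": 0.087,  "peering": 0.01},
    "gcp":   {"cross_az": 0.01, "internet_egress": 0.12,   "peering": 0.01},
    "oci":   {"cross_az": 0.0,  "internet_egress": 0.0085, "peering": 0.01},
}

# A subset of the page's peering patterns as regexes. fullmatch() anchors them so a
# look-alike such as "storage.googleapis.com.example.net" is not counted as peering.
PEERING = [re.compile(p) for p in (
    r"vpce-[^.]+\.vpce-svc-[^.]+\.[a-z0-9-]+\.vpce\.amazonaws\.com",
    r".+\.[a-z0-9-]+\.eks\.amazonaws\.com",
    r"[^.]+\.[a-z0-9-]+\.amazonaws\.com",
    r".+\.privatelink\..+\.(azure\.com|windows\.net|azure\.net)",
    r".+\.azmk8s\.io",
    r".+\.googleapis\.com",
)]
INFRA = {"169.254.169.254", "169.254.169.123"}  # IMDS and AWS Time Sync


def classify(dst_ip, dst_domain=None, src_zone=None, dst_zone=None):
    """Traffic type for one flow; dst_zone is set only if dst resolved to a cluster node."""
    if dst_zone is not None:
        return "same_az" if src_zone == dst_zone else "cross_az"
    if dst_ip in INFRA:
        return "cloud_infrastructure"
    if ipaddress.ip_address(dst_ip).is_global:  # outside IANA reserved/private ranges
        return "internet_egress"
    domain = (dst_domain or "").lower().rstrip(".")
    if any(p.fullmatch(domain) for p in PEERING):
        return "peering"
    return "external_private"


def flow_cost(provider, traffic_type, tx_bytes, rx_bytes):
    """Cost = (TX bytes + RX bytes) / 1 GB x rate; unknown providers use AWS rates."""
    rates = RATES.get(provider, RATES["aws"])
    return (tx_bytes + rx_bytes) / GB * rates.get(traffic_type, 0.0)
```

The check order follows the page: public destinations are internet egress even when their domain looks like a cloud API, and only private IPs are tested against the peering patterns.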

Roadmap & Known Limitations

We're actively improving network monitoring. The following are known gaps — if any of these are important to your environment, we'd love to hear from you at support@devzero.io.

| Limitation | Description |
| --- | --- |
| Ingress traffic | Traffic entering the cluster from external sources is not yet tracked. We monitor outbound connections from pods but not inbound connections initiated externally. We'd love to hear about your use cases for ingress tracking. |
| IPv6 | Currently IPv4 only. IPv6 conntrack and eBPF flow tracking is planned. |
| Volume-tiered pricing | Current rates are flat per-GB. Real cloud pricing uses volume tiers (e.g., AWS first 10TB at $0.09/GB, next 40TB at $0.085/GB). |
| Cross-region traffic | No distinction between cross-AZ (same region) and cross-region traffic. Cross-region typically costs significantly more. |
| NAT Gateway fees | Egress costs reflect data transfer rates only. NAT Gateway processing fees (e.g., AWS $0.045/GB) are not included. |
