Cloud Horizon

May 8, 2026 8 min read

CloudFront: the CDN line item that usually pays for itself

Raw S3 egress is $0.09/GB. CloudFront in front of S3 is $0.085/GB in North America and Europe and the inter-service hop is free. For most workloads the CDN line is cheaper than going direct, before you count the latency win. The math, the price-class trick, and the audit query.

Most cost-cutting advice on CloudFront treats it as a line to scrutinize. The honest read for most workloads is the opposite. CloudFront is one of the few AWS line items that gets cheaper as it grows, and for traffic served out of S3, ALB, or API Gateway, putting the CDN in front of the origin is usually a net saving on the bill, not just a latency win.

The reason is that AWS charges $0.09 per GB for S3 egress directly to the internet, $0.085 per GB for CloudFront egress in North America and Europe, and zero for the S3-to-CloudFront hop. The CDN is the cheaper path on every byte that lands in the cheap zones. The arithmetic is more nuanced once you mix in Asia and Latin America, which is where the price-class knob comes in.

The CloudFront pricing in one paragraph

North America and Europe are the cheap zones at $0.085 per GB out. Asia (Japan, Korea, Hong Kong, Singapore, Taiwan, Philippines, Indonesia) is $0.114 per GB. India is $0.109. Australia and New Zealand are $0.114. South America is $0.110. Middle East is $0.110. South Africa is $0.114. Inter-service hops from S3 or any other AWS origin to CloudFront are free. HTTPS requests are $0.0100 per 10,000 in North America and Europe, $0.0120 in Asia and Australia, similar small numbers elsewhere.

For typical workloads, the request charge is single-digit percent of the bill and the egress is the rest. So the math that matters is the blended per-GB rate across whatever zone mix your users are in.

The price-class trick

Every CloudFront distribution has a price_class setting with three values:

  • PriceClass_100: serves only from edge locations in North America and Europe. Users elsewhere still get content, but their requests are routed back to the cheapest available edge. Good fit for B2B SaaS with users concentrated in the cheap zones.
  • PriceClass_200: adds Asia, India, and Middle East edges. Excludes Australia, South America, and Africa. The middle path. Common default for global apps that do not have heavy traffic from Sydney or São Paulo.
  • PriceClass_All: global, every edge. Default if you do not set anything. Pay the highest blended rate but get the lowest latency everywhere.

The trick is that price class is a soft control. Traffic from an Australian user with PriceClass_100 still works; it just gets served from the nearest US or EU edge. For most apps nobody notices. For latency-critical apps you set it to All. The audit question is whether the latency premium is worth a real cost, and the answer is usually no for back-office tools, documentation sites, and most B2B dashboards.

resource "aws_cloudfront_distribution" "site" {
  # ... origin, default_cache_behavior ...

  # PriceClass_100 = North America + Europe only
  # PriceClass_200 = adds Asia (excluding AU + ZA + South America)
  # PriceClass_All = global
  price_class = "PriceClass_100"
}
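The blended-rate math and the price-class effect described above, worked through as an added example (not code from the original post). It covers data-out only, uses the per-GB rates quoted in this article, and assumes an origin region where S3 egress is $0.09/GB and that viewers in a zone the price class excludes are billed at the North America/Europe edge rate. The zone keys and the sample traffic mix are constructed for illustration.

```python
# Added example: per-GB rates (USD) are the figures quoted in this article.
S3_DIRECT = 0.09   # raw S3 egress to the internet (assumed origin region rate)
CHEAP = 0.085      # North America + Europe edge rate
ZONE_RATE = {      # zone keys are illustrative names, not AWS identifiers
    "na_eu": 0.085, "asia": 0.114, "india": 0.109, "middle_east": 0.110,
    "australia": 0.114, "south_america": 0.110, "south_africa": 0.114,
}
# Edge zones each price class serves from, as the article describes them.
PRICE_CLASS_ZONES = {
    "PriceClass_100": {"na_eu"},
    "PriceClass_200": {"na_eu", "asia", "india", "middle_east"},
    "PriceClass_All": set(ZONE_RATE),
}

def egress_cost(gb_by_zone, price_class):
    """Monthly CloudFront data-out cost for a viewer mix under a price class.

    Assumption: viewers in a zone the class excludes are served from a
    North America/Europe edge and billed at that edge's rate.
    """
    served = PRICE_CLASS_ZONES[price_class]
    total = 0.0
    for zone, gb in gb_by_zone.items():
        rate = ZONE_RATE[zone] if zone in served else CHEAP
        total += gb * rate
    return round(total, 2)

def compare(gb_by_zone):
    """Blended $/GB per price class, next to the raw S3 baseline."""
    total_gb = sum(gb_by_zone.values())
    rows = {"S3 direct": S3_DIRECT}
    for price_class in PRICE_CLASS_ZONES:
        rows[price_class] = round(egress_cost(gb_by_zone, price_class) / total_gb, 5)
    return rows

# Constructed sample: 10 TB/month, mostly NA/EU with an APAC and LATAM tail.
SAMPLE_MIX = {"na_eu": 7000, "asia": 1500, "australia": 1000, "south_america": 500}

if __name__ == "__main__":
    total_gb = sum(SAMPLE_MIX.values())
    for name, rate in compare(SAMPLE_MIX).items():
        print(f"{name:15s} ${rate:.5f}/GB  ${rate * total_gb:,.2f}/month")
```

With this mix, PriceClass_All blends above the raw S3 rate while PriceClass_200 and PriceClass_100 land below it, which is the case the price-class setting is meant to catch.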

The audit query

Run this against every account in the org to see what price classes you have set:

aws cloudfront list-distributions \
  --query 'DistributionList.Items[].[Id,DomainName,PriceClass,Enabled]' \
  --output table

Anything set to PriceClass_All with traffic concentrated in North America and Europe is a candidate for the downgrade. The change is a one-line Terraform diff and rolls out in 15 minutes. No DNS change, no client-side anything.

When the CDN is more expensive than going direct

Three patterns where CloudFront is the wrong call:

Internal traffic served on a VPN or private link. If the audience is your own employees on a corporate network, a Gateway Endpoint to S3 in the same region is free. CloudFront adds cost with no benefit.

Origin-side rewrites that bust the cache. If every request gets a unique signed URL, query string, or cookie that the cache key includes, hit ratio collapses, origin egress goes back to $0.09 per GB on top of the CDN charge, and you pay twice. Caching strategy fix first, CDN second.

Heavy traffic concentrated in a single high-cost zone. An Australian-only consumer app hitting an APAC user base from an ap-southeast-2 origin is a case to model carefully. The CloudFront APAC rate is $0.114 per GB. The S3 egress in ap-southeast-2 is $0.114 per GB. The CDN saves nothing on egress and adds the request charge. The only reason to use it there is latency from the nearest edge, which can still be worth it.

The CloudFront line items most teams miss

Beyond standard egress and requests, four lines hide on the CloudFront bill:

Origin Shield. A regional cache layer between edges and origin. Costs $0.0075 per 10,000 HTTPS requests plus its own data-out. For high-fanout origins it cuts origin load and saves money. For low-fanout origins it just adds a line.

Real-time logs and CloudWatch metrics. Free tier is generous, but global distributions with verbose real-time logs hit the line in five figures a month. Standard access logs to S3 are free.

Field-level encryption and Lambda@Edge. Per-request charges that compound at scale. Worth the cost when needed, worth pruning when not.

Functions. CloudFront Functions are $0.10 per million invocations and almost always cheaper than Lambda@Edge for simple header rewrites. If you have Lambda@Edge doing nothing more than a redirect or header tweak, the function is the same logic at a fraction of the price.

The before-lunch change

Two changes most teams can ship today:

  1. Audit price class on every distribution. Move PriceClass_All to PriceClass_200 or PriceClass_100 where the user mix supports it.
  2. Verify the cache key. Strip query strings, cookies, and headers from the cache key unless they actually vary content. Hit ratio is the single biggest CDN economics lever.

Plug your monthly egress and request volume into the CloudFront cost calculator to see the dollar value of each lever, side by side with the raw S3 egress baseline. For most workloads it pays back the change in the same month.
