Networking & Content Delivery

Analyzing AWS Transit Gateway Data Processing charges with cost allocation tags

Introduction

AWS recently announced the general availability of support for cost allocation tags for AWS Transit Gateway. With cost allocation tags, you can tag your AWS resources and see cost breakouts on a per-tag basis. Previously, Transit Gateway supported cost allocation tags for categorizing and allocating Attachment Hours charges only. With this announcement, you can now use tags to allocate data processing charges in multi-account scenarios. In this post, we show you how cost allocation tags can be used with Transit Gateway to categorize and allocate data processing charges by tags.

Transit Gateway pricing and cost allocation

In Transit Gateway you are charged for the number of attachments per hour and the amount of traffic that flows through the Transit Gateway. In large multi-account environments, it is a typical pattern to deploy the Transit Gateway in a central infrastructure account and then share it with all or some accounts in the organization using AWS Resource Access Manager (AWS RAM). The shared accounts can view and create VPC attachments to the Transit Gateway for inter-VPC connectivity. In this scenario, Transit Gateway usage is charged to the shared accounts as follows:

  1. The per-hour charges for the VPC attachments
  2. The data processing charges for the amount of data sent to the Transit Gateway

For detailed pricing and examples, see the Transit Gateway pricing page.

When VPC attachments to a Transit Gateway are owned by different teams in a company, there is often a need to determine the Transit Gateway usage and charges for each team for charge back. When these accounts are part of a consolidated billing family and all charges roll up to the payer account in the organization, tracking, reporting and visualizing Transit Gateway costs for each team can be challenging. This previous post shows how to use Transit Gateway Flow logs to determine individual account charges. This approach involves querying Flow logs using Amazon Athena, which may require additional setup and configuration.

Transit Gateway support for cost allocation tags

This task is simplified with the launch of support for cost allocation tags in Transit Gateway. Tagging the Transit Gateway resource in each shared account and activating the tag in cost allocation tags allows you to track Transit Gateway costs by these tags, both hourly attachment charges and data processing charges.

A tag is a key-value pair that you assign to an AWS resource. In AWS Cost Explorer you can activate tags as cost allocation tags. Once activated, you can categorize and track your costs by cost allocation tags. For example, you can create a tag named ‘Team’ with value ‘A’ and assign it to resources owned by Team A in your company. After activating the ‘Team’ tag as a cost allocation tag, you can track charges with this tag, filter or group by tags in Cost Explorer, and add to reports such as the Cost and Usage Report for further analysis and visualization.

Cost allocation in AWS is a three-step process:

  1. Attach cost allocation tags to your resources
  2. Activate your tags in the Cost Allocation Tags section of the AWS Billing Console
  3. Filter the tags, group by tags in Cost Explorer, and create Cost Categories

After you create and attach tags to resources, they appear in the AWS Billing Console’s Cost Allocation Tags section under User-defined cost allocation tags within 24 hours. You must activate these tags for AWS to start tracking them for your resources. After you activate a tag, it can typically take up to 24 hours for the activation to take effect and for the tag to show up in Cost Explorer. When the tag shows up under Tags in the Filter or Group By fields in Cost Explorer, you can start filtering or grouping by the tag to view usage and charges by tag.

How to tag Transit Gateway for Cost Allocation

As noted earlier, Transit Gateway usage is charged by attachment hours and volume of data processed. To categorize and allocate the per-hour attachment charges, tag the Transit Gateway Attachments with a tag key and unique value. Similarly, to allocate the Transit Gateway data processing charges, tag the Transit Gateway resource in each shared account with a key and unique value. The example architecture in Figure 1 demonstrates this approach.

Figure 1: Example architecture


Here we have one Transit Gateway in a shared services account. This account has one shared services VPC attached to the Transit Gateway. We also have two workload VPCs from different accounts attached to the same Transit Gateway. To start, follow these steps:

Step 1: Tag the Transit Gateway resource in each account and the Transit Gateway attachments as follows:

  1. Shared Services VPC attachment tagged as ‘Team:Infra’
  2. Workload VPC A attachment tagged as ‘Team:A’
  3. Workload VPC B attachment tagged as ‘Team:B’
  4. Transit Gateway in Shared Services account tagged ‘Team:Infra’
  5. Transit Gateway resource in workload account A tagged as ‘Team:A’
  6. Transit Gateway resource in workload account B tagged as ‘Team:B’

Step 2: Activate ‘Team’ tag in cost allocation tags

After the resources are tagged appropriately in Step 1, it can take up to 24 hours for the tags to be available in the payer account’s Billing and Cost Management console. You can then activate them as cost allocation tags.

Figure 2 shows the ‘Team’ tag as available for activation in the Billing and Cost Management console under cost allocation tags.

Figure 2: Viewing cost allocation tags


Figure 3 shows the ‘Team’ tag as an activated cost allocation tag.

Figure 3: Activating cost allocation tag


Step 3: Use the ‘Team’ tag in Cost Explorer to filter and group by tag

When you apply the tag filter, Cost Explorer displays charges only for resources tagged with the selected tag values. When you group by a particular tag, the charges are grouped by each value of the selected tag. Figure 4 shows the Transit Gateway per-hour attachment charges and data processing charges for each Team.

Figure 4: Filtered and grouped by tag ‘Team’


If there are other resources tagged with the ‘Team’ tag, then their charges are also reflected in this view in Figure 4.

To see only the Transit Gateway data processing charges for each Team, add a ‘Usage Type’ filter for “<Region>-TransitGateway-Bytes (GigaBytes)”. In our example, the Transit Gateway is in the us-east-1 AWS Region, so we filter for USE1-TransitGateway-Bytes (GigaBytes) as shown in Figure 5.

Figure 5: Filtered usage type ‘USE1-TransitGateway-Bytes (GigaBytes)’ and grouped by tag ‘Team’
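
The Step 3 query with the usage type filter, as an added example that is not part of the original post: it builds the Cost Explorer GetCostAndUsage request (filter on usage type, group by the ‘Team’ tag) and totals the result per team, reporting usage that carried no ‘Team’ tag as "(untagged)". The sample response is constructed, and the API usage type value without the "(GigaBytes)" suffix is an assumption.

```python
from collections import defaultdict
from decimal import Decimal

TAG_KEY = "Team"
# Assumption: the API value is the console's usage type without the "(GigaBytes)" suffix.
USAGE_TYPE = "USE1-TransitGateway-Bytes"

def build_query(start, end):
    """GetCostAndUsage arguments: filter on the usage type, group by the Team tag."""
    return {
        "TimePeriod": {"Start": start, "End": end},  # End date is exclusive
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost", "UsageQuantity"],
        "Filter": {"Dimensions": {"Key": "USAGE_TYPE", "Values": [USAGE_TYPE]}},
        "GroupBy": [{"Type": "TAG", "Key": TAG_KEY}],
    }

def charges_by_team(results_by_time):
    """Sum cost (USD) and volume (GB) per tag value across all returned periods."""
    totals = defaultdict(lambda: {"usd": Decimal(0), "gb": Decimal(0)})
    for period in results_by_time:
        for group in period["Groups"]:
            # Keys look like "Team$A"; "Team$" is usage that carried no Team tag.
            team = group["Keys"][0].split("$", 1)[1] or "(untagged)"
            totals[team]["usd"] += Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
            totals[team]["gb"] += Decimal(group["Metrics"]["UsageQuantity"]["Amount"])
    return dict(totals)

def fetch(start, end):
    """Run the query from the payer account, following NextPageToken."""
    import boto3  # imported here so the parsing above runs without AWS access
    ce, query, periods = boto3.client("ce"), build_query(start, end), []
    while True:
        page = ce.get_cost_and_usage(**query)
        periods += page["ResultsByTime"]
        if not page.get("NextPageToken"):
            return periods
        query["NextPageToken"] = page["NextPageToken"]

def _group(key, usd, gb):
    return {"Keys": [key], "Metrics": {"UnblendedCost": {"Amount": usd, "Unit": "USD"},
                                        "UsageQuantity": {"Amount": gb, "Unit": "GB"}}}

# Constructed sample in the shape of ResultsByTime (all values are made up).
SAMPLE = [
    {"TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"},
     "Groups": [_group("Team$A", "12.50", "625"), _group("Team$Infra", "3.00", "150")]},
    {"TimePeriod": {"Start": "2024-02-01", "End": "2024-03-01"},
     "Groups": [_group("Team$A", "7.25", "362.5"), _group("Team$B", "1.10", "55"),
                _group("Team$", "0.40", "20")]},
]
```

A non-zero "(untagged)" total points to an account that sends data to the Transit Gateway but has not tagged its Transit Gateway resource, so that spend cannot be charged back to a team.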


Visualizing with AWS Cost Categories

AWS Cost Categories enables you to group cost and usage information into meaningful categories based on your needs. You can create custom categories and map your cost and usage information into these categories based on the rules defined by your use of various dimensions, such as account, tag, or service. When the cost categories are set up and enabled, you can view your cost and usage information by these categories in AWS Cost Explorer, AWS Budgets, and AWS Cost and Usage Report (CUR).

For our example, in Cost Categories you can define a category named ‘Team’ and build rules to categorize cost and usage based on the value of the tag ‘Team’. This categorizes the costs for each team and can be visualized in Cost Categories as shown in Figure 6.

Figure 6: Visualizing team costs with Cost Categories


Considerations and limitations

Data processing charges apply for each gigabyte sent from a VPC, AWS Direct Connect, or VPN to the Transit Gateway. When you attach AWS Site-to-Site VPN connections to a Transit Gateway, the VPN connection must be in the same account as the Transit Gateway. Therefore, the data processing charges are aggregated in that account. For Direct Connect attachments, data processing charges apply to the account that owns the Direct Connect Gateway. There are no data processing charges for traffic sent from a Transit Gateway peering or Transit Gateway Connect attachment.

For effective charge back, it’s important to note that while individual Transit Gateway attachments can be tagged for cost allocation per attachment, the data processing charges are aggregated at the account level. This means that data processing charges are aggregated for all VPCs from a single account attached to the same Transit Gateway.

Moreover, for Transit Gateway peering attachments, each Transit Gateway owner is billed hourly for the peering attachment with the other Transit Gateway.

Conclusion

In this post, we showed how cost allocation tags can simplify viewing Transit Gateway data processing charges in a multi-account environment. We also showed how you can visualize costs with Cost Categories using cost allocation tags. To learn more about cost allocation tags, see the documentation page.

About the authors

Suresh Samuel


Suresh is a Principal Technical Account Manager at AWS. He helps customers in Financial Services Industry with their operations in AWS. When not working, he can be found photographing birds in Texas or hanging out with family.

Anbu Kumar Krishnamurthy


Anbu is a Senior Technical Account Manager at AWS specializing in helping customers integrate their business processes with the AWS Cloud to achieve operational excellence and efficient resource utilization. He helps customers design and implement solutions, troubleshoot issues, and optimize their AWS environments. He works with customers to architect solutions aimed at achieving their desired business outcomes.