VPC pricing

This page describes the networking pricing for resources in Virtual Private Cloud (VPC) networks.

For pricing for other Google Cloud products, see All networking pricing.

General network pricing information

ingress traffic
Traffic coming in to a Google Cloud resource, such as a VM. If you send traffic between two VMs, then the traffic is counted as egress traffic as it leaves one VM and counted as ingress traffic as it arrives at the other VM.
egress traffic
Traffic leaving a Google Cloud resource, such as a VM. Egress traffic is charged based on whether the traffic uses an internal or external IP address, whether the traffic crosses zone or region boundaries, whether the traffic leaves or stays inside Google Cloud, and how far the traffic travels before leaving Google Cloud. When two VMs or two cloud resources internal to Google Cloud communicate with each other, there are two traffic paths—one in each direction. Traffic in each direction is designated as egress at the source and ingress at the destination, and each direction is priced accordingly.
Premium Tier
The Network Service Tiers Premium Tier leverages Google's premium backbone to carry traffic from and to your external users. The public internet is usually only used between the user and the closest Google network ingress point.
Standard Tier
The Network Service Tiers Standard Tier leverages the public internet to carry traffic between your services and your users. While using the public internet provides a lower quality of service, it is more economical than Premium Tier.

Ingress pricing

Traffic type Price
Ingress

No charge for ingress traffic. However there may be a charge for resource that processes ingress traffic. Services that process ingress traffic are as follows:

Responses to requests count as egress and are charged.

VM-VM egress pricing within Google Cloud

This section covers traffic that leaves a Google Cloud VM and travels to another Google Cloud VM. The cost is attributed to the project of the VM that is sending the traffic. This pricing affects Compute Engine VMs, Google Kubernetes Engine (GKE) nodes, and VMs running App Engine flexible environment.

The following prices are applied both during and after the Google Cloud Free Tier period. During the Free Tier period, these prices are charged against the Free Tier credit amount.

Traffic type Price
Egress to the same Google Cloud zone when using the internal IP addresses of the resources1 No charge
Egress to a different Google Cloud zone in the same Google Cloud region when using the internal IP addresses1 (per GB) $0.01
VM-to-VM egress when both VMs are in the same Google Cloud region, regardless of zone, when using the external IP addresses (per GB) $0.01
VM-to-VM egress when both VMs are in different regions of the same network using internal or external IP addresses See the rest of this table.
Egress from a Google Cloud region in the US or Canada to another Google Cloud region in the US or Canada (per GB) $0.01
Egress between Google Cloud regions within Europe (per GB) $0.02
Egress between Google Cloud regions within Asia (per GB) $0.05
Egress between Google Cloud regions within South America (per GB) $0.08
Egress to a Google Cloud region on another continent (excludes Oceania) (per GB) $0.08
Indonesia and Oceania2 to/from any Google Cloud region (per GB) $0.15

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

1The prices are used regardless of network or subnet. The price for traffic within a zone using internal IP addresses is the same even if the traffic is to a different subnet or network. The price on traffic between zones in the same region is the same if the two instances are in the same subnet, different subnets, or different networks. Pricing is the same whether the instances are in a VPC network or a legacy network.
2 Oceania includes Australia, New Zealand, and surrounding Pacific Ocean islands such as Papua New Guinea and Fiji. This region excludes Hawaii.

VM-to-Google Cloud service

This section covers traffic that leaves a Google Cloud VM and travels to a Google service. The cost is attributed to the project of the VM that is sending the traffic. This pricing affects Compute Engine VMs, Google Kubernetes Engine nodes, and VMs running App Engine flexible environment.

The following prices are applied both during and after the Google Cloud Free Tier period. During the Free Tier period, these prices are charged against the Free Tier credit amount.

Traffic type Price
Egress to specific Google non-cloud products such as YouTube, Maps, Doubleclick, and Drive, whether from a VM in Google Cloud with an external IP address or an internal IP address. No charge
Egress to a different Google Cloud service within the same region using an external IP address or an internal IP address, except for Memorystore for Redis, Filestore, GKE, and Cloud SQL No charge
Egress to Memorystore for Redis, Filestore, Cloud SQL, and Google Kubernetes Engine within the same region is priced the same as VM-to-VM traffic. VM-VM egress pricing within Google Cloud
Egress to a Google Cloud service in a different region. VM-VM egress pricing within Google Cloud
For Cloud Spanner network pricing, see Cloud Spanner pricing.
For Cloud Storage network pricing, see Cloud Storage pricing.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Internet egress rates

The following prices are applied both during and after the Google Cloud Free Tier period. During the Free Tier period, these prices are charged against the Free Tier credit amount.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

External IP address pricing

You are charged for static and ephemeral external IP addresses according to the following table.

If you reserve a static external IP address and do not assign it to a resource such as a VM instance or a forwarding rule, you are charged at a higher rate than for static and ephemeral external IP addresses that are in use.

You are not charged for static external IP addresses that are assigned to forwarding rules.

In use or not

Google Cloud considers a static external IP address as in use if it is associated with a VM instance whether the instance is running or stopped. If the instance is deleted or if the IP address is dissociated from the instance, Google Cloud considers the static IP address as not in use.

For an ephemeral IP address, Google Cloud considers the address as in use only when the associated VM instance is running. When the instance is stopped or deleted, Google Cloud releases the ephemeral IP address and no longer considers it as in use.

You can check whether a static external IP address is in use by making a gcloud compute addresses list request. This command returns a list of static external IP addresses and their statuses:

gcloud compute addresses list

NAME          REGION  ADDRESS        STATUS
address-1             130.211.8.68   IN_USE
address-2             35.186.217.84  RESERVED

In this example, IPv4 address-1 is in use while IPv4 address-2 is reserved but not being used. Both addresses are charged according to the External IP address pricing table in this document.

Firewall rules

VPC firewall rules are free of charge.

Hierarchical firewall policies and hierarchical firewall policy rules (beta) are offered without charge until General Availability.

Network telemetry

Network logs generate charges. You are charged for the following products:

  • VPC Flow Logs
  • Firewall Rules Logging
  • Cloud NAT logging
Log generation Price (USD)
0—10 TB per month 0.50/GB
10—30 TB per month 0.25/GB
30—50 TB per month 0.10/GB
>50 TB per month 0.05/GB

Logs are sent to Cloud Logging. Logs can be further exported to Pub/Sub, Cloud Storage, or BigQuery. Pub/Sub, Cloud Storage, or BigQuery charges apply in addition to log generation charges. For more information on exporting logs, see Overview of logs export.

If you store your logs in Cloud Logging, logs generation charges are waived, and only Logging charges apply.

If you send and then exclude your logs from Cloud Logging, log generation charges apply.

Packet Mirroring

You are charged for the amount of data processed by Packet Mirroring. You are not charged for packet mirroring forwarding rules. The costs for the data processed by Packet Mirroring are described in the following table.

Normal egress rates are charged for traffic outbound from a load balancer. There is no additional load balancer egress cost beyond normal egress rates.

Load balancing and forwarding rules

The following pricing applies to all types of load balancing other than Internal HTTP(S) Load Balancing. For Internal HTTP(S) Load Balancing, see the Internal HTTP(S) Load Balancing section.

Normal egress rates are charged for traffic outbound from a load balancer. There is no additional load balancer egress cost beyond normal egress rates.

HTTP(S) Load Balancing pricing with Serverless NEGs

If you are using serverless NEG backends for an external HTTP(S) load balancer, existing HTTP(S) Load Balancing charges will apply in addition to the serverless compute charges for Cloud Run (fully managed), Cloud Functions, or App Engine backends. If Google Cloud Armor or Cloud CDN are used, their respective charges also apply.

However, you will not be charged for both serverless egress and Internet egress. Only Internet egress rates apply. Cloud Functions outbound data (egress) charges, App Engine outgoing network traffic charges and Cloud Run (fully managed) egress charges do not apply to requests passed from an HTTP(S) load balancer (using serverless NEGs) to a Cloud Functions, App Engine, or Cloud Run (fully managed) service.

Forwarding rules pricing examples

Google Cloud charges for forwarding rules whether they are created for load balancing or other uses, such as Packet Mirroring.

The following examples use US pricing:

You can create up to 5 forwarding rules for the price of $0.025/hour. For example, if you create one forwarding rule, you are charged $0.025/hour. If you have 3 forwarding rules, you are still charged $0.025/hour. However, if you have 10 forwarding rules, you are charged as follows:

  • 5 forwarding rules = $0.025/hour
  • Each additional forwarding rule = $0.01/hour

$0.025/hour for 5 rules + (5 additional rules * $0.01/hour) = $0.075/hour

For most load balancing use cases, you need only one forwarding rule per load balancer.

Google Cloud charges for global forwarding rules and regional forwarding rules separately, and also per project. For example, if you use one global forwarding and one regional forwarding rule in two separate projects (four rules total), you are charged $0.10/hour (4 x $0.025/hour).

Estimating load balancing charges

To estimate load balancing charges:

  1. Go to the Pricing Calculator.
  2. On the Cloud Load Balancing tab.
  3. From the dropdown menu, select a region.
  4. Enter your estimated number of forwarding rules.
  5. Enter your monthly estimated amount of network traffic processed.

For example:

  • Iowa
  • Forwarding rules: 10
  • Network ingress: 2,048 GB
  • Total Estimated Cost: USD 71.13 per 1 month

This example doesn't include the egress cost of sending replies from the backends.

Internal HTTP(S) Load Balancing

Proxy instance charge

Internal HTTP(S) Load Balancing is a proxy-based load balancer. The load balancer automatically scales the number of proxies available to handle your traffic based on your traffic needs. The proxy instance charge is based on the number of proxy instances needed to satisfy your traffic needs. Each additional proxy incurs an additional hourly charge according to the prices indicated in the previous table.

The number of proxies is calculated based on the measured capacity needed to handle your traffic over a 10-minute time period. During this time period, we look at the greater of:

  • The number of proxies needed to serve your traffic's bandwidth needs. Each proxy instance can handle up to 18 MB per second. We monitor the total bandwidth required and divide that total by the bandwidth that a proxy instance can support.
  • The number of proxies needed to handle connections and requests. We count the total of each of the following resources and divide each value by what a proxy instance can handle:
    • 600 (HTTP) or 150 (HTTPS) new connections per second
    • 3,000 active connections
    • 1,400 requests per second*

*A proxy instance can handle 1,400 requests per second if Cloud Logging is disabled. If you enable Logging, your proxy instance can handle fewer requests per second. For example: logging 100% of requests decreases the proxy's request handling capacity to 700 requests per second. You can set Logging to sample a smaller percentage of traffic. This enables you to meet your observability needs while controlling your cost.

Example calculation

In a 10-minute period, 180 MB per second of data pass through the load balancer. 180 MB per second / 18 MB per second per proxy instance = 10 proxy instances

During this same period, 300 new HTTPS connections are established per second, 3,000 connections are active and 2,800 requests are sent per second:

300 new HTTPS connections per second / 150 new HTTPS connections per second per proxy instance = 2 proxy instances 3,000 active connections / 3,000 active connections per proxy instance = 1 proxy instance 2,800 requests per second / 1,400 requests per second per proxy instance = 2 proxy instances

This sums up to 5 proxy instances. This amount is lower than the 10 proxy instances required to serve bandwidth. Thus, the proxy instance charge for this 10-minute time period would be calculated as follows:

10 proxy instances * $0.025 per proxy instance per hour * (10 minutes / (60 minutes per hour)) = $0.0417

Billing is calculated based on the measured capacity needed to satisfy your traffic needs, not the number of proxy instances that are establishing connections to your backends. As such, you might be billed for a different number of proxy instances than you see in your infrastructure.

Minimum proxy instance charge

To ensure optimal performance and reliability, each load balancer is allocated at least three proxy instances in the Google Cloud region where the load balancer is deployed. These proxy instances are allocated even if the load balancer handles no traffic. After a forwarding rule (with load balancing scheme INTERNAL_MANAGED) is deployed to your project, you start to accrue proxy instance charges. Additional forwarding rules incur additional proxy instance charges as described previously (in other words, three additional proxy instances per forwarding rule).

The three proxy instances that are allocated to your load balancer result in a minimum hourly proxy instance charge. For example, for the us-central1 Google Cloud region, the minimum charge is calculated as follows:

3 proxy instances * $0.025 per proxy per hour = $0.075 per hour

As described previously, these proxy instances can each handle a certain amount of traffic. Once your traffic needs surpass the capacity of these three proxy instances, you will incur costs for the proxy instances required to handle any additional traffic.

Data processing charge

The data processing charge is calculated by measuring the total volume of data for requests and responses processed by your load balancer during the billing cycle. This charge scales according to your usage and there is no minimum charge for data processing.

User-defined request headers and Google Cloud Armor charges

If a backend service has a Google Cloud Armor policy associated with it, you can use the user-defined request headers feature with that backend service without any additional charge for the user-defined request headers feature.

If a backend service does not have a Google Cloud Armor policy associated with it, the charges are $0.75 per million HTTP(S) requests sent to those backend services that use the user-defined request headers feature.

Protocol forwarding

Protocol forwarding is charged at the same rates as the load balancing service. There is a charge for a forwarding rule and the ingress data processed by a target instance.

SSL certificates

There is no charge for self-managed and Google-managed SSL certificates.