Virtual Private Cloud pricing

This page describes the networking pricing for resources in Virtual Private Cloud (VPC) networks.

For pricing for other Google Cloud products, see All networking pricing.

General network pricing information

Ingress traffic
Traffic coming in to a Google Cloud resource, such as a VM. If you send traffic between two VMs, then the traffic is counted as egress traffic as it leaves one VM and counted as ingress traffic as it arrives at the other VM.
Egress traffic

Traffic leaving a Google Cloud resource, such as a VM, hosted in a Google region. For egress purposes, a region is a set of buildings operated by Google in a geographic location, such as a data center campus. Traffic can travel as follows:

  • Within the set of buildings at the location, which always used Google's network (intra-zone and intra-region pricing)
  • To another building operated by Google in another location, which always used Google's network (inter-region pricing)
  • To a location not operated by Google over a Cloud Interconnect connection (Cloud Interconnect pricing)
  • To a location not operated by Google not over a Cloud Interconnect connection (internet egress pricing)

Traffic leaving Google's network is always internet egress or Cloud Interconnect, regardless of the geographic location of the non-Google destination.

Egress traffic is charged based on whether the traffic uses an internal or external IP address, whether the traffic crosses zone or region boundaries within Google Cloud, whether the traffic leaves or stays inside Google Cloud, and the network tier of traffic that leaves Google's network. When two resources communicate with each other, there are two traffic paths—one in each direction. Traffic in each direction is designated as egress at the source and ingress at the destination, and each direction is priced accordingly.

Premium Tier
The Network Service Tiers Premium Tier leverages Google's premium backbone to carry traffic to and from your external users. The public internet is usually only used between the user and the closest Google network ingress point.
Standard Tier
The Network Service Tiers Standard Tier leverages the public internet to carry traffic between your services and your users. While using the public internet provides a lower quality of service, it is more economical than Premium Tier.

Ingress pricing

Traffic type Price
Ingress

No charge for ingress traffic. However there may be a charge for resource that processes ingress traffic. Services that process ingress traffic are as follows:

Responses to requests count as egress and are charged.

VM-VM egress pricing within Google Cloud

This section covers traffic that leaves a Google Cloud VM and travels to another Google Cloud VM. The cost is attributed to the project of the VM that is sending the traffic. This pricing affects Compute Engine VMs, Google Kubernetes Engine (GKE) nodes, and VMs running App Engine flexible environment.

The following prices are applied both during and after the Google Cloud Free Trial period. During the Free Trial period, these prices are charged against the Free Trial credit amount.

Traffic type Price
Egress to the same Google Cloud zone when using the internal IP addresses of the resources1 No charge
Egress to a different Google Cloud zone in the same Google Cloud region when using the internal IP addresses1 (per GiB) $0.01
VM-to-VM egress when both VMs are in the same Google Cloud region, regardless of zone, when using the external IP addresses (per GiB) $0.01
VM-to-VM egress when both VMs are in different regions of the same network using internal or external IP addresses See the rest of this table.
Egress from a Google Cloud region in the US or Canada to another Google Cloud region in the US or Canada (per GiB) $0.01
Egress between Google Cloud regions within Europe (per GiB) $0.02
Egress between Google Cloud regions within Asia (per GiB) $0.05
Egress between Google Cloud regions within South America (per GiB) $0.08
Egress between Google Cloud regions within Oceania (per GiB) $0.08
Egress to a Google Cloud region on another continent (excludes Oceania) (per GiB) $0.08
Egress from Indonesia or Oceania2 to any other Google Cloud region (per GiB) $0.15
Egress from any other Google Cloud region to Indonesia or Oceania2 (per GiB) $0.15

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

1The prices are used regardless of network or subnet. The price for traffic within a zone using internal IP addresses is the same even if the traffic is to a different subnet or network. The price on traffic between zones in the same region is the same if the two instances are in the same subnet, different subnets, or different networks. Pricing is the same whether the instances are in a VPC network or a legacy network.
2 Oceania includes Australia, New Zealand, and surrounding Pacific Ocean islands such as Papua New Guinea and Fiji. This region excludes Hawaii.

VM-to-Google service

This section covers traffic that leaves a Google Cloud VM and travels to a Google service. The cost is attributed to the project of the VM that is sending the traffic. This pricing affects Compute Engine VMs, Google Kubernetes Engine nodes, and VMs running App Engine flexible environment.

The following prices are applied both during and after the Google Cloud Free Trial period. During the Free Trial period, these prices are charged against the Free Trial credit amount.

Traffic type Price
Egress to specific Google products such as Gmail, YouTube, Google Maps, DoubleClick, and Google Drive, whether from a VM in Google Cloud with an external IP address or an internal IP address. No charge
Egress to a different Google Cloud service within the same region using an external IP address or an internal IP address, except for Memorystore for Redis, Filestore, GKE, and Cloud SQL. No charge
Egress from Compute Engine and GKE to Cloud CDN and Media CDN. No charge (cache fill might apply for Cloud CDN).
Egress to Memorystore for Redis, Filestore, Cloud SQL, and Google Kubernetes Engine within the same region is priced the same as VM-to-VM traffic. VM-VM egress pricing within Google Cloud
Egress to a Google Cloud service in a different region. VM-VM egress pricing within Google Cloud
For Cloud Spanner network pricing, see Cloud Spanner pricing.
For Cloud Storage network pricing, see Cloud Storage pricing.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Internet egress rates

Premium Tier pricing

Premium Tier is the default tier for all Google Cloud egress. To use Standard Tier, you must specify it explicitly.

The following prices are applied both during and after the Google Cloud Free Trial period. During the Free Trial period, these prices are charged against the Free Trial credit amount.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Standard Tier pricing

Egress pricing is per GiB delivered. Pricing is based on source geolocation of traffic. Ingress pricing is still free. Always Free usage limits do not apply to Standard Tier.

Standard Tier pricing took effect at beta and remains in effect.

Contact sales for pricing beyond 500 TiB.

Internal IP address pricing

There is no charge for static or ephemeral internal IP addresses.

External IP address pricing

You are charged for static and ephemeral external IP addresses according to the following table.

If you reserve a static external IP address and do not assign it to a resource such as a VM instance or a forwarding rule, you are charged at a higher rate than for static and ephemeral external IP addresses that are in use.

You are not charged for static external IP addresses that are assigned to forwarding rules.

You are not charged for external IPv6 address ranges that are assigned to subnets or for external IPv6 addresses that are assigned to VM instances. You are not charged for static regional IPv6 addresses (Preview).

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

In use or not

Google Cloud considers a static external IP address as in use if it is associated with a VM instance whether the instance is running or stopped. If the instance is deleted or if the IP address is dissociated from the instance, Google Cloud considers the static IP address as not in use.

For an ephemeral IP address, Google Cloud considers the address as in use only when the associated VM instance is running. When the instance is stopped or deleted, Google Cloud releases the ephemeral IP address and no longer considers it as in use.

You can check whether a static external IP address is in use by making a gcloud compute addresses list request. This command returns a list of static external IP addresses and their statuses:

gcloud compute addresses list

NAME          REGION  ADDRESS        STATUS
address-1             130.211.8.68   IN_USE
address-2             35.186.217.84  RESERVED

In this example, IPv4 address-1 is in use while IPv4 address-2 is reserved but not being used. Both addresses are charged according to the External IP address pricing table in this document.

Firewall rules

For Cloud Firewall pricing, see the Cloud Firewall pricing page.

Private Service Connect

The costs associated with Private Service Connect vary depending on the configuration.

Using a Private Service Connect endpoint (forwarding rule) to access Google APIs

Item Price per hour (USD) Price per GiB processed,
both egress and ingress (USD)
Private Service Connect endpoint (forwarding rule) used to access Google APIs $0.01 No data charge

Using a Private Service Connect backend (load balancer) to access Google APIs

Private Service Connect backends use a load balancer to access Google APIs. All load balancer pricing applies. Traffic to Private Service Connect NEGs that is directed to Google APIs incurs load balancing charges for data processed by load balancer. However, there is no Private Service Connect charge for ingress or egress traffic between the Private Service Connect NEG and Google APIs.

For pricing information for your load balancer, see pricing for global external HTTP(S) load balancer or internal HTTP(S) load balancer pricing.

Using a Private Service Connect service attachment to publish a managed service

Item Price per hour (USD) Price per GiB processed,
both egress and ingress (USD)
Private Service Connect service attachment used by a service producer to provide access to services No hourly charge $0.01
Services that are published using Private Service Connect can be hosted on the following load balancers:
  • Internal TCP/UDP load balancer: For pricing information, see Load balancing and forwarding rules.
  • Internal HTTP(S) load balancer: For pricing information, see Internal HTTP(S) load balancer.
  • Internal protocol forwarding: For pricing information, see Protocol forwarding.
  • Internal regional TCP proxy load balancer:
    • Pricing for Preview: Internal regional TCP proxy load balancer used with Private Service Connect is offered without charge until it reaches General Availability.
    • Pricing for General Availability: Internal TCP/UDP load balancer pricing applies for internal regional TCP proxy load balancer at General Availability. For pricing information, see Load balancing and forwarding rules.

Using a Private Service Connect endpoint (forwarding rule) to access a published service

Item Price per hour (USD) Price per GiB processed,
both egress and ingress (USD)
Private Service Connect endpoint (forwarding rule) $0.01

$0.01

For endpoints with global access, when the endpoint is accessed by resources in other regions, inter-regional egress charges also apply to that traffic.

Using a Private Service Connect backend (load balancer) to access a published service

Private Service Connect backends use a load balancer to access published services. All load balancer pricing applies. Traffic between Private Service Connect NEGs and Private Service Connect published services incurs both load balancing charges for data processed by load balancer and Private Service Connect charges for ingress and egress traffic between the NEG and the published service.

The following table summarizes the applicable charges for this configuration.

Item Price (USD)
Private Service Connect endpoint (load balancer) used to access services in another VPC network All global external HTTP(S) load balancer or internal HTTP(S) load balancer pricing applies
Traffic between a Private Service Connect NEG and the published service $0.01 per GiB processed, both egress and ingress

Deploying a service by using service connection maps

When you deploy a service by using service connection maps, there are no charges for the deployment itself. However, you are charged for the following:

Private services access

When you create a private services access connection, there are no hourly or data charges for the connection itself. However, you are charged for the following:

  • Resources that you provision in the service producer's network
  • Egress traffic from your VMs to the service producer's network

Serverless VPC Access

Serverless VPC Access is priced as follows.
Resource Price
Serverless VPC Access connector Charged by the number of instances in your connector. See the pricing for your instance type:
Network egress Charged at Compute Engine networking rates. Serverless VPC Access connector instances are distributed across zones for increased reliability. The rate is based on which connector instance handles the request and whether the destination resource is in the same zone. Egress to a connector from a serverless resource such as a function, app, or service is not charged.
You can view your Serverless VPC Access costs in the Google Cloud console by filtering your billing reports by the label key serverless-vpc-access.

Network telemetry

Network logs generate charges. You are charged for the following products:

  • VPC Flow Logs
  • Firewall Rules Logging
  • Cloud NAT logging
Log generation Price (USD)
0—10 TiB per month 0.50/GiB
10—30 TiB per month 0.25/GiB
30—50 TiB per month 0.10/GiB
>50 TiB per month 0.05/GiB

Logs are sent to Cloud Logging. Logs can be further exported to Pub/Sub, Cloud Storage, or BigQuery. Pub/Sub, Cloud Storage, or BigQuery charges apply in addition to log generation charges. For more information on exporting logs, see Overview of logs export.

If you store your logs in Cloud Logging, logs generation charges are waived, and only Logging charges apply.

If you send and then exclude your logs from Cloud Logging, log generation charges apply.

Packet Mirroring

You are charged for the amount of data processed by Packet Mirroring. You are not charged for Packet Mirroring forwarding rules. Currently, there is no additional per-VM charge for using Packet Mirroring. The costs for the data processed by Packet Mirroring are described in the following table.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Normal egress rates are charged for traffic outbound from a load balancer. There is no additional load balancer egress cost beyond normal egress rates.

Load balancing and forwarding rules

The pricing tables in this section apply to all types of load balancers other than internal HTTP(S) load balancers. For internal HTTP(S) load balancers, see the Internal HTTP(S) load balancer section.

For Private Service Connect forwarding rules, see the Private Service Connect section.

The following table shows the pricing for global forwarding rules. There are no global data processing charges. Data processing is charged by the region, depending on where the traffic is processed.

Item Price per unit (USD) Pricing unit
First 5 forwarding rules $0.025 Per Hour
Per additional forwarding rule $0.01 Per Hour
If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

The following table shows regional forwarding rule charges and inbound and outbound data processing charges by region.

* To see the SKUs associated with this charge, see the full pricing announcement for Outbound data processing charges.
If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Ways to lower external HTTP(S) load balancer costs

Global external HTTP(S) load balancer users can use Google Cloud Armor, Cloud CDN, or both, to minimize the impact of Outbound data processing charges.

  • Cloud CDN: Static objects that are served to the client from the cache do not transit through the load balancer. An effective caching strategy would reduce the amount of outbound data being processed by the load balancer and lower your costs. To implement caching, it is necessary to understand which portion of your traffic is static and cacheable. For additional information, refer the Cloud CDN documentation.

  • Google Cloud Armor: If your application receives a significant amount of undesirable traffic, you can deploy Google Cloud Armor to block such traffic. Requests that are blocked by Google Cloud Armor do not transit through the load balancer, effectively reducing the amount of outbound data processed by the load balancer. The impact on your costs depends on the percentage of undesirable traffic blocked by the Google Cloud Armor security policies you've implemented.

If your application can operate in a single region or is required to operate in a single region, you can use the Regional external HTTP(S) load balancer. The regional external HTTP(S) load balancer uses only the Standard Network Tier which has lower egress charges making it a cost effective option.

External HTTP(S) load balancer pricing with Serverless NEGs

If you are using serverless NEG backends for an external HTTP(S) load balancer (global, regional, or classic), existing load balancer charges will apply in addition to the serverless compute charges for Cloud Run, Cloud Functions, or App Engine backends as applicable. If Google Cloud Armor or Cloud CDN are used, their respective charges also apply.

However, you will not be charged for both serverless egress and Internet egress. Only Internet egress rates apply. Cloud Functions outbound data (egress) charges, App Engine outgoing network traffic charges and Cloud Run egress charges do not apply to requests passed from an external HTTP(S) load balancer (using serverless NEGs) to a Cloud Functions, App Engine, or Cloud Run service.

Cross-project service referencing with Shared VPC

For data processing charges, the forwarding rule project is charged.

Forwarding rules pricing examples

Google Cloud charges for forwarding rules whether they are created for load balancing or other uses, such as Packet Mirroring.

The following examples use US pricing:

You can create up to 5 forwarding rules for the price of $0.025/hour. For example, if you create one forwarding rule, you are charged $0.025/hour. If you have 3 forwarding rules, you are still charged $0.025/hour. However, if you have 10 forwarding rules, you are charged as follows:

  • 5 forwarding rules = $0.025/hour
  • Each additional forwarding rule = $0.01/hour

$0.025/hour for 5 rules + (5 additional rules * $0.01/hour) = $0.075/hour

For most load balancing use cases, you need only one forwarding rule per load balancer.

Google Cloud charges for global forwarding rules and regional forwarding rules separately, and also per project. For example, if you use one global forwarding and one regional forwarding rule in two separate projects (four rules total), you are charged $0.10/hour (4 x $0.025/hour).

Estimating load balancing charges

To estimate load balancing charges:

  1. Go to the Pricing Calculator.
  2. On the Cloud Load Balancing tab.
  3. From the dropdown menu, select a region.
  4. Enter your estimated number of forwarding rules.
  5. Enter your monthly estimated amount of network traffic processed.

For example:

  • Iowa
  • Number of forwarding rules: 10
  • Inbound data processed by load balancer: 2,048 GiB
  • Total Estimated Cost: USD 71.13 per 1 month

This example doesn't include the Internet egress cost of sending replies from the backends.

Internal HTTP(S) load balancer

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

* Internal HTTP(S) load balancers use a fleet of managed proxy instances that are dynamically allocated to your network to handle traffic volume. The per proxy instance charge is determined based on the number of proxy instances required to handle your traffic over a specific time period.

Proxy instance charge

An internal HTTP(S) load balancer is a proxy-based load balancer. The load balancer automatically scales the number of proxies available to handle your traffic based on your traffic needs. The proxy instance charge is based on the number of proxy instances needed to satisfy your traffic needs. Each additional proxy incurs an additional hourly charge according to the prices indicated in the previous table.

The number of proxies is calculated based on the measured capacity needed to handle your traffic over a 10-minute time period. During this time period, we look at the greater of:

  • The number of proxies needed to serve your traffic's bandwidth needs. Each proxy instance can handle up to 18 MB per second. We monitor the total bandwidth required and divide that total by the bandwidth that a proxy instance can support.
  • The number of proxies needed to handle connections and requests. We count the total of each of the following resources and divide each value by what a proxy instance can handle:
    • 600 (HTTP) or 150 (HTTPS) new connections per second
    • 3,000 active connections
    • 1,400 requests per second*

*A proxy instance can handle 1,400 requests per second if Cloud Logging is disabled. If you enable Logging, your proxy instance can handle fewer requests per second. For example: logging 100% of requests decreases the proxy's request handling capacity to 700 requests per second. You can set Logging to sample a smaller percentage of traffic. This enables you to meet your observability needs while controlling your cost.

Example calculation

In a 10-minute period, 180 MB per second of data pass through the load balancer. 180 MB per second / 18 MB per second per proxy instance = 10 proxy instances

During this same period, 300 new HTTPS connections are established per second, 3,000 connections are active and 2,800 requests are sent per second:

300 new HTTPS connections per second / 150 new HTTPS connections per second per proxy instance = 2 proxy instances 3,000 active connections / 3,000 active connections per proxy instance = 1 proxy instance 2,800 requests per second / 1,400 requests per second per proxy instance = 2 proxy instances

This sums up to 5 proxy instances. This amount is lower than the 10 proxy instances required to serve bandwidth. Thus, the proxy instance charge for this 10-minute time period would be calculated as follows:

10 proxy instances * $0.025 per proxy instance per hour * (10 minutes / (60 minutes per hour)) = $0.0417

Billing is calculated based on the measured capacity needed to satisfy your traffic needs, not the number of proxy instances that are establishing connections to your backends. As such, you might be billed for a different number of proxy instances than you see in your infrastructure.

Minimum proxy instance charge

To ensure optimal performance and reliability, each load balancer is allocated at least three proxy instances in the Google Cloud region where the load balancer is deployed. These proxy instances are allocated even if the load balancer handles no traffic. After a forwarding rule (with load balancing scheme INTERNAL_MANAGED) is deployed to your project, you start to accrue proxy instance charges. Additional forwarding rules incur additional proxy instance charges as described previously (in other words, three additional proxy instances per forwarding rule).

The three proxy instances that are allocated to your load balancer result in a minimum hourly proxy instance charge. For example, for the us-central1 Google Cloud region, the minimum charge is calculated as follows:

3 proxy instances * $0.025 per proxy per hour = $0.075 per hour

As described previously, these proxy instances can each handle a certain amount of traffic. Once your traffic needs surpass the capacity of these three proxy instances, you will incur costs for the proxy instances required to handle any additional traffic.

Data processing charge

The data processing charge is calculated by measuring the total volume of data for requests and responses processed by your load balancer during the billing cycle. This charge scales according to your usage and there is no minimum charge for data processing.

Cross-project service referencing with Shared VPC

For data processing, hourly proxy instance usage, and inter-zone VM egress, the forwarding rule project is charged.

Internal HTTP(S) load balancer pricing with serverless NEGs

If you are using serverless NEG backends for an internal HTTP(S) load balancer, existing internal HTTP(S) load balancer charges will apply in addition to the serverless compute charges for Cloud Run. Costs attributable to the internet egress will continue to apply.

Custom request headers and Google Cloud Armor charges

If a backend service has a Google Cloud Armor policy associated with it, you can use the custom request headers feature with that backend service without any additional charge for the custom request headers feature.

If a backend service that uses the custom request headers feature does not have a Google Cloud Armor policy associated with it, the charges are $0.75 per 1,000,000 HTTP(S) requests per month per account. You are only charged for the first 666,666,667 requests per month per account.

Global access for internal load balancers

Global access allows client instances from any region to access your internal load balancer. If a forwarding rule has global access enabled, additional cross-region egress traffic transit charges are incurred when traffic is sent to or from a client in a different region than the load balancer.

Global access is generally available for internal TCP/UDP load balancers, internal HTTP(S) load balancers, and internal regional TCP proxy load balancers.

Protocol forwarding

Protocol forwarding is charged at the same rate as load balancing. There is a charge for the forwarding rule and a charge for the inbound data processed by the target instance.

SSL certificates

There is no charge for self-managed and Google-managed SSL certificates.

What's next

Request a custom quote

With Google Cloud's pay-as-you-go pricing, you only pay for the services you use. Connect with our sales team to get a custom quote for your organization.
Contact sales