CloudFront Pricing Hacks: How to Cut Your Egress Costs in Half

CloudFront Pricing in 2026: 9 Proven Ways to Cut Egress Costs by 50%

A mid-size streaming platform we advise discovered in Q1 2026 that 38% of their total AWS bill was CloudFront egress — not compute, not storage, not DynamoDB. Just bytes leaving edge locations. Their CloudFront pricing had quietly ballooned to $47,000/month on roughly 120 TB of transfer, largely because nobody had revisited cache policy or price-class configuration since 2024. Within six weeks of applying the tactics in this article, they cut that number to $21,400. This piece gives you the exact framework: nine engineered methods, current 2026 rate cards, a cost-model walkthrough you can drop into a spreadsheet, and a workload-profile decision matrix to determine which optimizations yield the largest delta for your traffic shape.

CloudFront Pricing in 2026: What the Rate Card Actually Says

As of May 2026, CloudFront data transfer pricing remains tiered by volume and geography. The US/Europe tier — where most traffic lands — starts at $0.085/GB for the first 10 TB/month, drops to $0.080 at 50 TB, $0.060 at 150 TB, $0.040 at 500 TB, and reaches $0.030 at 1 PB+. India and South America remain the most expensive regions, ranging from $0.109 to $0.170/GB at lower tiers. HTTPS request costs sit at $0.01 per 10,000 requests in the US/Europe tier. Origin Shield adds per-request charges that vary by region ($0.0090 per 10,000 in US-East).

Two structural points that the pricing page buries: first, CloudFront-to-origin transfer from S3 is free, but CloudFront-to-origin for custom origins (your ALB, your API gateway) is not — that is billed at standard EC2 data transfer rates. Second, invalidation requests beyond the first 1,000/month cost $0.005 each, which adds up fast if your CI/CD pipeline invalidates aggressively.

The Cost Model: Where Your Money Actually Goes

Before optimizing, you need to decompose your CloudFront bill into its three cost drivers. Here is a representative breakdown for a SaaS platform pushing 100 TB/month with a 78% cache hit ratio (CHR), mostly US/Europe traffic:

| Cost Component | Monthly Volume | Effective Rate | Monthly Cost |
| --- | --- | --- | --- |
| Edge egress (US/EU) | 100 TB | ~$0.060/GB blended | $6,144 |
| HTTPS requests | ~800M requests | $0.01/10K | $800 |
| Origin fetch (22% miss) | 22 TB from S3 | $0.00 (S3 origin) | $0 |
| Origin Shield | ~176M origin requests | $0.009/10K | $158 |
| Total | | | ~$7,102 |

Edge egress dominates. Everything below targets reducing that number first, request costs second.

9 Proven Tactics to Cut CloudFront Egress Costs

1. Push Cache Hit Ratio Above 95%

Every origin fetch you eliminate is bytes you stop paying for twice (origin compute + edge egress on the next miss). The single highest-ROI move: audit your cache key. CloudFront hashes on the full URI plus whatever headers, cookies, and query strings you forward. If you forward all cookies on a static asset endpoint, every unique session generates a cache miss. Strip the cache key to the minimum discriminating set. Use CloudFront cache policies (not legacy forwarding settings) to separate what goes to origin from what builds the cache key. A platform running at 78% CHR that reaches 95% on the same 100 TB traffic profile drops effective origin-fetched bytes from 22 TB to 5 TB and reduces total edge-served unique bytes, cutting the monthly bill by roughly $1,000 on origin-related overhead alone.
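The effect of cache-key width on hit ratio can be replayed offline. The following is an added example, not code from the original article or from AWS: a simplified model of an edge cache in which the request tuples, the `v` version parameter and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic: (URL, Cookie header, Accept-Encoding header).
REQUESTS = [
    ("/static/app.js?v=42&utm_source=mail", "session=a1", "gzip, deflate, br"),
    ("/static/app.js?v=42", "session=b2", "br, gzip"),
    ("/static/app.js?utm_campaign=x&v=42", "session=c3", "gzip, br"),
    ("/static/app.js?v=42", "", "gzip"),
    ("/static/app.js?v=43", "session=a1", "gzip, deflate, br"),
    ("/static/app.js?v=43", "session=d4", "br"),
]

def normalize_encoding(header):
    """Collapse Accept-Encoding to one token, preferring Brotli over gzip."""
    offered = {t.split(";")[0].strip().lower() for t in header.split(",")}
    return "br" if "br" in offered else "gzip" if "gzip" in offered else "identity"

def cache_key(request, query_allowlist=None, include_cookies=True, normalize=False):
    """Build the tuple a modelled edge would hash for this request."""
    url, cookie, encoding = request
    parts = urlsplit(url)
    query = parse_qsl(parts.query)
    if query_allowlist is not None:
        query = [(k, v) for k, v in query if k in query_allowlist]
    return (
        parts.path,
        tuple(query),
        cookie if include_cookies else "",
        normalize_encoding(encoding) if normalize else encoding,
    )

def hit_ratio(requests, **policy):
    """Replay requests against an empty cache; first sight of a key is a miss."""
    seen, hits = set(), 0
    for request in requests:
        key = cache_key(request, **policy)
        hits += key in seen
        seen.add(key)
    return hits / len(requests)

FORWARD_ALL = hit_ratio(REQUESTS)  # every cookie, query string and raw header in the key
MINIMAL = hit_ratio(REQUESTS, query_allowlist={"v"}, include_cookies=False, normalize=True)
```

Drop a cookie, header or query parameter from the key only when the origin's response does not vary on it; otherwise a response generated for one user is cached and served to others.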

2. Brotli Compression with Quality Tuning

Brotli at quality level 4-6 on text assets (HTML, CSS, JS, JSON, SVG) typically achieves 15-25% smaller payloads than gzip level 6, with negligible CPU overhead at origin. On a workload where text assets represent 30% of total transfer, that is 4.5-7.5% off total egress cost. Enable Brotli in your origin response and configure CloudFront to cache by Accept-Encoding — this is the default behavior with the new managed cache policies as of 2026, but verify it explicitly if your distribution predates 2024.

3. Serve Modern Image Formats at the Edge

AVIF and WebP are 30-50% smaller than JPEG at equivalent perceptual quality. If images compose 40%+ of your transfer (common for e-commerce, media, and gaming asset delivery), format migration alone can shave 12-20% off total egress. Use CloudFront Functions or Lambda@Edge to rewrite Accept headers into the cache key and route to the correct format variant. As of 2026, most browsers support AVIF — the Safari holdout ended with iOS 16.

4. Configure Price Classes Deliberately

CloudFront offers three price classes as of 2026: Price Class All (all edge locations), Price Class 200 (excludes South America and Australia), and Price Class 100 (US, Canada, Europe, Israel only). If less than 5% of your traffic originates from South America, Africa, or the Middle East, switching from All to 200 removes the highest-cost edges. The delta: South America edges charge $0.110-$0.170/GB vs. $0.085/GB in US/Europe. For a workload with 8% LATAM traffic on 100 TB, moving to Price Class 200 and accepting ~40ms additional latency for those users saves approximately $500-$700/month.

5. Origin Shield as a Cost Reducer, Not Just a Performance Layer

Origin Shield collapses multiple edge-to-origin paths into a single mid-tier cache. On distributions with high cache key cardinality or frequent TTL expiry, Origin Shield reduces origin fetches by 50-80%. The per-request cost ($0.0090/10K in US regions) is almost always cheaper than the redundant origin fetches it prevents. Run the math: if Origin Shield costs you $150/month but eliminates 15 TB of redundant origin processing, the net savings are substantial on both origin compute and eventual cache-fill egress.

6. Commit to a CloudFront Security Savings Bundle

AWS offers 1-year and 3-year commitment plans through the CloudFront Security Savings Bundle, which bundles CloudFront usage with AWS WAF. As of Q1 2026, committing $5,000/month on a 1-year term gives you approximately 30% more usage than pay-as-you-go pricing at the same spend. This is a straightforward discount mechanism if your traffic is predictable. The critical caveat: the commitment applies to your entire CloudFront and WAF usage combined. If you are not using AWS WAF, the effective discount is lower than the headline number suggests.

7. Reduce Request Volume via HTTP/2 and Connection Reuse

HTTPS request costs are often overlooked because per-unit pricing looks cheap at $0.01/10K. At 2 billion requests/month, that is $2,000. HTTP/2 multiplexing, combined with asset bundling and sprite consolidation for appropriate workloads, reduces request counts. More importantly, verify your origins support HTTP/2 back to CloudFront — if the origin connection falls back to HTTP/1.1, CloudFront opens more connections and you pay for inefficiency at the origin tier.

8. Monitor and Eliminate Wasted Transfer

Set up CloudWatch metrics for CacheHitRate, 4xx/5xx error rates, and BytesDownloaded broken down by distribution and behavior. A surprisingly common pattern: distributions serving soft-404 HTML pages (200 status, custom error body) for every invalid URL hit by bots. One SaaS operator found 11 TB/month of egress was custom error pages served to automated scanners. A simple WAF rule blocking known bot signatures eliminated the waste entirely.

9. Evaluate Multi-CDN and Alternative CDN Providers

CloudFront pricing at scale compresses but never reaches the lowest rates available in the market. At 100 TB/month, CloudFront's blended US/Europe rate is roughly $0.060/GB. Providers focused purely on delivery — without bundling compute, WAF, and serverless into the pricing model — can offer substantially lower rates. BlazingCDN, for example, prices delivery at $0.004/GB for up to 25 TB and scales down to $0.002/GB at the 2 PB tier. At 100 TB/month, that is $350/month versus approximately $6,100 on CloudFront — a 94% reduction in egress cost. BlazingCDN delivers 100% uptime, flexible configuration, and handles demand spikes without renegotiation, making it a viable primary or secondary CDN for enterprises including clients like Sony. For teams whose primary need is high-volume delivery rather than edge compute, the cost arithmetic is difficult to ignore.

Workload-Profile Decision Matrix

Not every optimization applies equally to every workload. This matrix maps the nine tactics above to four common traffic profiles so you can prioritize the highest-impact changes first.

| Tactic | Video/Streaming | SaaS/API | E-commerce | Gaming/Patches |
| --- | --- | --- | --- | --- |
| Cache hit ratio tuning | High | Critical | High | High |
| Brotli compression | Low (binary media) | High | Medium | Low |
| Image format migration | Low | Medium | Critical | Low |
| Price class restriction | Medium | Medium | Low (global audience) | High |
| Origin Shield | Critical | Medium | Medium | High |
| Savings Bundle commit | High | High | High | Medium |
| Request volume reduction | Medium | High | High | Low |
| Waste elimination | Medium | Critical | High | Medium |
| Multi-CDN / alt provider | Critical | Medium | Medium | Critical |

Read the columns. If you run a video platform, start with Origin Shield, CHR tuning, and evaluating an alternative CDN for bulk delivery. If you run a SaaS API, start with cache key audits and bot-traffic elimination. The ordering matters because the first three changes for your profile will deliver 80% of the savings.

FAQ

Is CloudFront cheaper than direct S3 egress?

Yes. As of 2026, S3 data transfer to the internet costs $0.09/GB for the first 10 TB in US-East, while CloudFront starts at $0.085/GB for the same tier. More importantly, CloudFront's tiered pricing drops faster at volume — $0.030/GB at 1 PB+ versus S3's $0.05/GB. For any public-facing workload, routing through CloudFront is strictly cheaper than direct S3 egress.

How do CloudFront price classes reduce cost?

Price classes restrict which edge locations serve your content. Price Class 100 limits delivery to US, Canada, Europe, and Israel — the lowest-cost regions. Traffic that would have been served from South American or Asian edges is instead routed to the nearest included edge, adding latency but avoiding per-GB rates that can be 2x higher. The tradeoff is measurable: expect 30-80ms added latency for excluded regions.

How to improve CloudFront cache hit ratio above 90%?

Three changes get most distributions past 90%: first, minimize the cache key by removing unnecessary query strings, headers, and cookies from the cache policy. Second, normalize Accept-Encoding and Accept-Language in the cache key so variant proliferation does not fragment your cache. Third, set appropriate minimum TTLs — even 60 seconds on semi-dynamic content prevents thundering herd misses during traffic spikes.

CloudFront flat-rate pricing vs. pay-as-you-go: which is better?

The CloudFront Security Savings Bundle (flat-rate commit) makes sense when your monthly usage is stable and predictable, because the effective discount is roughly 30% over on-demand. If your traffic is spiky or seasonal — Black Friday surges, game launches — pay-as-you-go avoids paying for committed capacity you do not use in low months. Model both against your trailing 6-month usage before committing.

What changed in CloudFront pricing for 2026?

AWS has not adjusted CloudFront's per-GB rate card since late 2024, but two structural changes matter in 2026: the Security Savings Bundle now supports 3-year terms with deeper discounts, and Origin Shield pricing expanded to cover three new regions (Milan, Zurich, Hyderabad). The functional impact is that commitment-based savings are more accessible, and multi-region Origin Shield deployments are now viable without workaround architectures.

Your Move This Week

Pull your CloudFront cost allocation tags for the last 90 days. Decompose the bill into egress, requests, and origin-fetch components. Calculate your actual cache hit ratio per behavior, not the distribution-level average — the per-behavior number reveals which path rules are bleeding money. If your CHR on any behavior is below 85%, that is your first fix. If it is already above 95% and the bill is still too high, the answer is not more optimization — it is a different price point. Run the numbers against an alternative provider, instrument the latency delta, and make the decision with data.
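The per-behavior hit ratio asked for above, and the soft-404 egress described under tactic 8, can both be read from CloudFront standard logs. This is an added example, not code from the original article: the log lines are constructed, a "behavior" is approximated by the first path segment, and the function names are illustrative.

```python
from collections import defaultdict

# Constructed sample in the CloudFront standard-log layout: a "#Fields:" header
# followed by tab-separated records. Real logs carry more columns.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time sc-bytes c-ip cs-uri-stem sc-status x-edge-result-type",
    "2026-05-01\t00:00:01\t512000\t198.51.100.7\t/static/app.js\t200\tHit",
    "2026-05-01\t00:00:02\t512000\t198.51.100.8\t/static/app.js\t200\tHit",
    "2026-05-01\t00:00:03\t90000\t198.51.100.7\t/static/logo.svg\t200\tMiss",
    "2026-05-01\t00:00:04\t2048\t198.51.100.9\t/api/items\t200\tMiss",
    "2026-05-01\t00:00:05\t2100\t198.51.100.9\t/api/items\t200\tMiss",
    "2026-05-01\t00:00:06\t2048\t198.51.100.8\t/api/items\t200\tRefreshHit",
    "2026-05-01\t00:00:07\t48213\t203.0.113.50\t/probe-a\t200\tMiss",
    "2026-05-01\t00:00:08\t48213\t203.0.113.50\t/probe-b\t200\tMiss",
    "2026-05-01\t00:00:09\t48213\t203.0.113.50\t/probe-c\t200\tMiss",
    "2026-05-01\t00:00:10\t48213\t203.0.113.50\t/probe-d\t200\tMiss",
])

def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def prefix_stats(records):
    """Return {first path segment: (cache hit ratio, bytes served)}."""
    total, hits, size = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in records:
        prefix = "/" + r["cs-uri-stem"].split("/")[1]
        total[prefix] += 1
        hits[prefix] += r["x-edge-result-type"] in ("Hit", "RefreshHit")
        size[prefix] += int(r["sc-bytes"])
    return {p: (hits[p] / total[p], size[p]) for p in total}

def soft_404_suspects(records, min_paths=3):
    """Flag (client, size) pairs where one fixed-size 200 body answered many URIs."""
    paths, served = defaultdict(set), defaultdict(int)
    for r in records:
        if r["sc-status"] == "200":
            key = (r["c-ip"], int(r["sc-bytes"]))
            paths[key].add(r["cs-uri-stem"])
            served[key] += key[1]
    return {k: served[k] for k in paths if len(paths[k]) >= min_paths}

RECORDS = list(parse(SAMPLE_LOG))
```

On real logs, confirm a flagged pair by requesting one of the listed paths and checking that the origin answers with its error page under status 200. The durable fix is for the origin to return a real 404 so the response is small, cacheable as an error, and visible in the 4xx metrics.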