Cloud Network Architecture: Hub-Spoke vs Mesh vs Flat Network Design Costs
Network Architecture: More Than a Technical Decision
Cloud network architecture choices have direct and significant cost implications. A poorly designed network can add 10-20% to your total cloud bill through unnecessary data transfer charges, redundant VPN connections, and over-provisioned transit capacity.
Flat Network (Single VPC/VNet)
All resources in one VPC. Simple, but problematic at scale:
- No workload isolation — dev and production share the same network
- Security group sprawl as the environment grows
- CIDR exhaustion as you add subnets
- Cost: Lowest — no inter-VPC transit fees
Best for: small environments under 50 resources, development accounts, startups in early growth phase.
Hub-and-Spoke (Most Common Enterprise Pattern)
A central hub VPC contains the shared services (firewall, VPN, Active Directory); spoke VPCs, one per environment or application, connect only to the hub, so inter-spoke traffic traverses the hub and its shared controls.
AWS Hub-and-Spoke with Transit Gateway
- Transit Gateway: $0.05/attachment/hour + $0.02/GB processed
- 10 spoke VPCs: $0.05 × 10 = $0.50/hour → $365/month just for attachments
- Data transit: 10TB/month × $0.02 = $200/month
- Monthly hub cost: ~$565
Azure Hub-and-Spoke with Virtual WAN
- Azure Virtual WAN: $0.25/hour per connection unit
- VNet peering within same region: $0.01/GB
- Monthly hub cost: ~$180-400
GCP Hub-and-Spoke with Shared VPC
- GCP Shared VPC: No additional charge for the structure
- Internal traffic within region: Free
- Cross-region: $0.01-$0.08/GB depending on regions
- Monthly hub cost: ~$50-200 (mostly cross-region traffic)
Full Mesh
All VPCs connected directly to each other. Used for applications requiring direct, low-latency communication between all components.
- Higher connectivity cost than hub-and-spoke
- Complex to manage at scale (N×(N-1)/2 connections)
- Rarely justified — hub-and-spoke with Transit Gateway handles most use cases
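As an added example (not TCOIQ's tool or any provider's own pricing code), a small Python cost model using the prices quoted above; it generalises the page's 10-spoke calculation to any VPC count and contrasts the linear growth of hub attachments with the quadratic growth of mesh links. The 730 hours/month convention (what turns $0.50/hour into $365/month) and the per-GB peering rate parameter are assumptions, not figures from the page.

```python
from dataclasses import dataclass

HOURS_PER_MONTH = 730          # assumption: 730 h/month, reproduces $0.50/h -> $365/month
TGW_ATTACHMENT_PER_HOUR = 0.05 # AWS Transit Gateway, per VPC attachment (page figure)
TGW_PER_GB_PROCESSED = 0.02    # AWS Transit Gateway data processing (page figure)


@dataclass(frozen=True)
class MonthlyCost:
    attachments: float  # fixed hourly charges, summed over the month
    data: float         # per-GB charges

    @property
    def total(self) -> float:
        return self.attachments + self.data


def full_mesh_links(n_vpcs: int) -> int:
    """Point-to-point links needed to fully mesh n VPCs: N*(N-1)/2."""
    return n_vpcs * (n_vpcs - 1) // 2


def hub_spoke_attachments(n_spokes: int) -> int:
    """Hub-and-spoke needs one hub attachment per spoke (the page counts 10 for 10 spokes)."""
    return n_spokes


def aws_hub_spoke_monthly(n_spokes: int, gb_processed: float) -> MonthlyCost:
    """The page's AWS model: hourly attachment fee plus per-GB processing."""
    attachments = hub_spoke_attachments(n_spokes) * TGW_ATTACHMENT_PER_HOUR * HOURS_PER_MONTH
    return MonthlyCost(attachments=attachments, data=gb_processed * TGW_PER_GB_PROCESSED)


def aws_full_mesh_monthly(n_vpcs: int, gb_per_link: float, per_gb_rate: float) -> MonthlyCost:
    """Full mesh built from pairwise peering. Assumption: no hourly fee per link,
    only data transfer, billed at per_gb_rate (a parameter, not a page price)."""
    data = full_mesh_links(n_vpcs) * gb_per_link * per_gb_rate
    return MonthlyCost(attachments=0.0, data=data)


def links_to_manage(n_vpcs: int) -> dict[str, int]:
    """Operational surface per pattern: objects (and their route/security rules) to own."""
    return {"hub_spoke": hub_spoke_attachments(n_vpcs), "full_mesh": full_mesh_links(n_vpcs)}


if __name__ == "__main__":
    hub = aws_hub_spoke_monthly(10, 10_000)  # the page's worked case: 10 spokes, 10 TB
    print(f"hub-spoke, 10 spokes: ${hub.attachments:.0f} + ${hub.data:.0f} = ${hub.total:.0f}/month")
    for n in (5, 10, 50):
        print(n, links_to_manage(n))
```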
Network Cost Optimisation by Pattern
| Pattern | Monthly Cost (10 VPCs) | Best For |
|---|---|---|
| Single VPC (flat) | $0 extra | Simple dev environments |
| VPC Peering (selective) | $20-100 in data transfer | Small networks, 3-5 VPCs |
| Hub-spoke (Transit GW) | $400-800 | 10-50 VPCs, enterprise |
| Shared VPC (GCP) | $50-200 | GCP environments |
Reducing Network Costs
- Use VPC endpoints for AWS services — eliminates NAT Gateway costs for S3, DynamoDB
- Keep traffic within the same AZ where possible — free vs $0.01/GB cross-AZ
- Use PrivateLink for service connectivity instead of Transit Gateway where appropriate
- On GCP, Shared VPC is free for the structure — prefer it over VPC peering for same-project connectivity
For enterprises with 10+ VPCs, AWS Transit Gateway and Azure Virtual WAN provide essential network management but add meaningful cost. Size your Transit Gateway attachments carefully — $0.05/hour per VPC attachment adds up.