The Cloud Horizons blog.
Cloud cost mechanics, line item by line item.
- ALB: the line item nobody watches. AWS Application Load Balancer has a quiet hourly base and a loud LCU column. The LCU is the maximum of four dimensions, so tuning the wrong one saves nothing. Here is how to read the bill, audit your inventory, and cut 30 percent without breaking traffic.
- API Gateway REST vs HTTP API: the 71 percent discount most teams missed. AWS HTTP API has been a 71 percent discount on REST API since 2020. Most teams who started before that are still on REST. The migration is one Terraform resource for new APIs and a measured cutover for existing ones. The math, the trade-offs, and the audit query.
- How to spot anomalies in your AWS bill before they wreck the quarter. Real examples: a lapsed RDS Reserved Instance, a misconfigured Lambda hammering S3, a NAT Gateway data transfer surprise. What the patterns look like and how to catch them next time.
- Reserved Instance or Savings Plan? Pick the right commitment for the right workload. Most teams pick one over the other and stop thinking about it. The right answer is usually both. Here is how to decide, with the math and the workload patterns that actually show up in production.
- Azure Hybrid Benefit: the discount most teams still miss. AHB takes 40 percent off Windows VM rates and up to 55 percent off SQL Server. It stacks with Reserved Instances. The license entitlement was already paid in your EA. The audit, the math, and the reasons teams leave it on the table.
- Azure VM Reserved Instances: when the commitment actually pays. Azure Reserved VM Instances cut pay-as-you-go rates by up to 72 percent on a three-year term, but only on stable, always-on compute. Dev clusters, bursty analytics, and right-sized-down production VMs are where RIs lose money. The utilization threshold, the AHB stack, and the audit query.
- Azure SQL DTU vs vCore: when each is the wrong choice. DTU bundles compute, memory, and IO into one number and blocks both Hybrid Benefit and Reserved Capacity. vCore unbundles them and stacks both discounts. The migration mapping, the AHB stack math, the Hyperscale break-even, and the audit query.
- CloudFront: the CDN line item that usually pays for itself. Raw S3 egress is $0.09/GB. CloudFront in front of S3 is $0.085/GB in North America and Europe, and the inter-service hop is free. For most workloads the CDN line is cheaper than going direct, before you count the latency win. The math, the price-class trick, and the audit query.
- CloudWatch Logs: the bill that grows quietly until it doesn't. New log groups default to indefinite retention. VPC Flow Logs default to full mode. Together they explain four-figure monthly CloudWatch Logs bills on accounts that never thought of logs as a line item. The pattern, the audit query, and the three-step fix.
- Cold storage compared: S3 Glacier vs Azure Archive vs GCS Archive. All three clouds advertise sub-cent-per-GB archival storage. The actual bill depends on retrieval frequency, minimum-duration billing, and how often you accidentally rehydrate. Side-by-side math on real workload shapes.
- Cosmos DB: the RUs vs storage tradeoff (and the model picker most teams skip). Manual provisioned, Autoscale, and Serverless are not interchangeable. The wrong model on a Cosmos workload costs two to four times the right one. The autoscale tipping point, the serverless ceiling, the multi-region multiplier, and the indexing audit that cuts RUs in half before any pricing change.
- Cross-AZ data transfer: the quiet tax on every chatty AWS workload. Cross-AZ data transfer charges $0.01 per GB in each direction. That sounds like nothing until you see what a chatty microservice mesh, a multi-AZ RDS, and a misplaced NAT Gateway can do to it. The patterns we see, and the architectural fixes that pay back in weeks.
- Idle Elastic IP: the monthly tax nobody invoices. An Elastic IP attached to a running instance is free. One sitting unassociated or on a stopped instance costs $0.005 per hour, about $3.65 per month, forever. After a migration or teardown the addresses linger. The audit query, the math, and the release checklist.
- DynamoDB: the on-demand vs provisioned tipping point. On-demand DynamoDB is roughly 7x the per-request cost of fully-utilized provisioned. The tipping point is 14 to 18 percent sustained utilization. Below, on-demand wins. Above, switch and turn on autoscaling. The math, the GSI multiplier, the audit query.
- EBS snapshot storage: the hidden multiplier on the backup line. EBS snapshots look incremental until you count the chains, the orphaned AMIs, and the DLM policy nobody reviewed. At $0.05 per GB-month the line stays quiet for years, then a retention change doubles it overnight. The audit query, the math, and the lifecycle fix.
- EBS gp2 to gp3: the easiest AWS savings still left on the table in 2026. gp3 launched in December 2020. It is 20 percent cheaper per GB than gp2 and includes 3,000 IOPS and 125 MB/s for free. Most accounts still run gp2. The math, the migration command, and why it is the safest production change AWS offers.
- GCP sustained use vs committed use: pick the discount that matches your uptime. Sustained use discounts apply automatically and cap around 30 percent on compute that runs all month. Committed use discounts require a one- or three-year spend pledge and push toward 57 percent on vCPUs. The wrong choice leaves money on the table or locks you into capacity you no longer run.
- Lambda cost: the three knobs that matter (and the one that does not). Lambda pricing has two components and three knobs that move the bill: memory, architecture, duration. Provisioned Concurrency is the fourth knob most teams should not touch. The math, the audit query, and the change you can ship before lunch.
- MCP for AWS: connecting S3, EC2, and Cost Explorer to Claude with zero infrastructure. AWS has no native MCP endpoint, so we built one. Cloud Horizons's AWS MCP server lets Claude ask about EC2 inventory, S3 buckets, CloudWatch logs, and Cost Explorer data in plain English. No agents, no Terraform, no VPC access. Here is how it works and what we learned.
- MCP for GCP: how Cloud Horizons connects to Compute Engine and Cloud SQL without touching your network. The Model Context Protocol is an open standard for connecting AI assistants to live systems. We built a GCP MCP server that reads Compute Engine, Cloud SQL, and Cost data with nothing but a service account key. The architecture, the security model, and why it matters for multi-cloud operations.
- MCP for Microsoft 365: reading Entra ID and audit logs through a protocol that does not exist yet. Microsoft does not ship an MCP server for M365 or Entra ID. We built a bridge that turns Microsoft Graph API calls into MCP tools, so Claude can reason about user licenses, sign-in logs, and conditional access policies in real time. Why this is harder than it looks, and what is coming next.
- Multi-cloud cost attribution without agents (AWS Organizations + Azure Management Groups). Tag-based plus account-based attribution across AWS and Azure, using the cost data both clouds already give you. No agents, no Terraform, no extra runtime.
- Multi-cloud egress: when leaving AWS for cheaper egress actually pays for itself. Cloudflare R2 has $0 egress. AWS charges around $0.05 per GB at scale. The math is obvious until you price the migration. Three workload shapes where the move pays back in months, and three where it never does.
- NAT Gateway: the AWS bill that hides in private subnets. NAT Gateway looks like plumbing until the private-subnet traffic grows. The hourly fee is predictable, the per-GB processing fee is not, and the expensive traffic is usually S3, ECR, package mirrors, or cross-AZ chatter that should not be there. The audit path, the math, and the fixes that cut the line without breaking production.
- RDS: the quiet doubler on the AWS bill. Multi-AZ doubles instance and storage hours. A read replica adds another 100 percent. Backup retention past 100 percent of storage is paid. None look big in isolation. Together they explain the four-figure RDS line that started at $400. The audit, the math, the fixes.
- S3 Intelligent-Tiering vs Standard-IA: when each is the wrong choice. Both classes look like a free lunch at first glance. The math says otherwise on small objects, short-lived data, and predictable access patterns. The decision tree we run on every audit, with the dollar thresholds where each class breaks even.
- The S3 Gateway Endpoint nobody enabled (and the $40k NAT bill it explains). A Gateway Endpoint for S3 is free. It costs zero hourly, zero per GB, and routes private-subnet S3 traffic around NAT entirely. It is also the single most-missed line in the AWS audit playbook. The pattern, the math on a real account we audited, and the one Terraform resource that fixes it.
- Transit Gateway: the hub-and-spoke tax on multi-VPC AWS. Transit Gateway looks cheap on the spec sheet: $0.05 per attachment per hour, $0.02 per GB processed. Then a 12-VPC hub-and-spoke quietly costs $1,300 a month, and the cross-AZ surcharge is hidden on a different bill line entirely. The patterns that drive the cost and the four moves that bring it down.
- The egress bill you only discover the day you try to leave the cloud. A director plans a multi-cloud or repatriation move to cut cost, then learns the one-time data-egress charge to move petabytes out dwarfs a year of the savings. The exit cost was never modeled, and the lock-in was financial all along.
- The forecast that was last month times twelve, and the budget that believed it. Finance builds the annual cloud budget by extrapolating a single month, ignoring seasonality, committed-discount amortization, and the growth curve of new workloads. The forecast holds until a launch or a seasonal peak blows through it, and the variance lands on the director who signed off.
- The AWS account a team opened on a personal card, until finance found the spend. A product team spins up its own cloud account outside the central organization to move fast, and its spend never appears in the consolidated bill, the commitment pool, or any showback report. The director discovers the shadow account only when its spend grows large enough to notice it's missing.
- Three clouds, three billing formats, and a director comparing apples to invoices. The director is asked which cloud is cheapest for a workload, but AWS, Azure, and GCP each export cost data in incompatible schemas with different cost types and amortization rules. Without the FOCUS standard normalizing them, every cross-cloud comparison is a spreadsheet argument nobody can win.
- Every RDS instance is Multi-AZ, including the ones that didn't need to be. A default to Multi-AZ for safety means dev, staging, and ephemeral databases all run the doubled-cost high-availability configuration. The resilience policy was right for production and quietly doubles the bill everywhere it shouldn't apply.
- The board asked why cloud cost jumped 40 percent. The CTO had no answer ready. Two-thirds of CFOs now treat cloud spend as a board-level issue, and the quarter it jumps the CTO is expected to explain the driver, the owner, and the plan. Without line-item attribution and a forecast, 'we're looking into it' becomes a credibility event, not a status update.
- Someone left debug logging on in production. The CloudWatch bill found out first. A debug log level shipped to production during an incident and never got reverted, multiplying CloudWatch Logs ingestion and retention across the fleet. The observability bill quietly overtakes the compute it was meant to observe, and no alert fires because logs aren't an outage.
- The Cosmos DB RU/s setting one engineer doubled, and the bill nobody questioned. To clear a latency complaint, an engineer doubles provisioned Cosmos DB throughput across containers and never dials it back. The change ships invisibly, the RU/s burn becomes the new baseline, and the director only learns the number when it's a renewal line.
- The GCP committed-use discount that locked you into last year's architecture. A finance partner signs a three-year GCP committed-use discount to maximize the rate, then the team migrates half the workload to GKE Autopilot and a different machine family. The CUD now covers capacity the architecture moved past, and the commitment outlives the design it priced.
- Your microservices architecture is billing you per chatty cross-AZ hop. A director champions a move to multi-AZ microservices for resilience, and every inter-service call now crosses an availability-zone boundary at a per-gigabyte rate. The resilience is real; so is the cross-AZ transfer line that scales with every chatty service you add.
- The engineer who understood the bill just left. Now nobody can. The one person who knew why the GCP committed-use discounts were sized that way, which accounts mapped to which products, and what the untagged spend really was, gives notice. The cost knowledge walks out the door with no runbook, and the next renewal decision is a guess.
- The EBS snapshot graveyard nobody owns, growing 8 percent a quarter. Automated snapshot policies were set once and never pruned, so orphaned snapshots from deleted volumes and terminated instances accumulate for years. The line item is individually trivial and collectively a steady, owner-less drain that no single team will claim.
- You claimed Azure Hybrid Benefit. Can you prove the licenses on audit? A finance partner books the Azure Hybrid Benefit discount across the estate to hit a savings number, but the Software Assurance entitlements and core counts were never reconciled. When Microsoft's licensing audit lands, the unprovable claims convert into back-billing plus the discount clawed back.
- The Savings Plan lapsed on a Friday. The On-Demand bill arrived Monday. A one-year Compute Savings Plan expires with no owner watching the calendar, and the entire baseline reverts to On-Demand pricing overnight. The 40 percent rate increase is invisible until the next bill, because nothing broke and nothing alerted.
- The acquirer's diligence found the cloud waste your forecast hid. During acquisition diligence, the buyer's technical team pulls the cloud cost trend and finds 25 percent waste, no commitment strategy, and unit economics that contradict the pitch. The valuation haircut comes not from the spend itself but from the absence of any FinOps discipline behind it.
- The NAT Gateway bill that turned a cost-down initiative into a cost-up quarter. A director mandates moving workloads into private subnets for security, and the architecture quietly routes every package update and S3 pull through NAT Gateways billed per gigabyte. The security win lands the same month as an egress bill nobody modeled.
- A third of your cloud bill belongs to nobody, and the board just asked who. When the CFO asks which product line drove the cloud increase, the FinOps lead discovers 30 to 50 percent of resources are untagged and the unallocated bucket has become a dumping ground. There is no defensible showback answer, so every team plausibly blames every other team.
- The bill anomaly your CFO found before your monitoring did. A misconfigured cron loops cross-region replication for six weeks, but the spike only surfaces when finance reconciles the closed quarter. The director who owned cost visibility learns about a six-figure overrun from the same email that goes to the CFO.
- You bought three-year Reserved Instances. Then SRE right-sized the fleet. A platform lead locks in a three-year RI commitment to hit a savings target, then the SRE team right-sizes and re-platforms the exact instance families the reservations were bought for. Now you're paying upfront for capacity nobody runs, and the savings plan you should have used is off the table.
- The FinOps hire every VP Engineering makes 18 months too late. By the time cloud spend is painful enough to justify a dedicated FinOps lead, the commitment mistakes, untagged sprawl, and missed discounts have already compounded into a seven-figure annual leak. The role is reactive when it should have been the cheapest insurance you ever bought.