When to leave AWS for Hetzner, Vultr, or DigitalOcean
Specific signals that you will save money by moving off AWS: egress profile, managed-service dependence, regulated workload status, team operational capacity. Decision checklist.
Most "should we leave AWS?" discussions start with the bill and end with vibes. Here's a decision checklist with measurable criteria. If you score above ~6 on this, the math is almost certainly on the side of moving (at least some workloads).
The 10-question audit
Score each item 0-3 based on how strongly the statement applies:
- Our monthly AWS bill is >$5,000 (1 point per $5k up to 3).
- Compute (EC2 + ECS + Fargate + Lambda) is more than 40% of the total bill.
- Egress is more than 15% of the total bill.
- We use few or no AWS-specific managed services beyond RDS / ElastiCache / S3 / CloudFront.
- Our application is containerized or trivially portable (12-factor compliant).
- We are not in a regulated industry requiring FedRAMP / HIPAA-BAA / specific AWS contractual commitments.
- Our compliance is satisfied by SOC 2 / ISO 27001 (both Hetzner and DO have these).
- We have at least one engineer comfortable with infrastructure-as-code (Terraform / Pulumi / Ansible).
- We're not heavily invested in AWS-specific SDKs (DynamoDB client patterns, SQS-specific code, Lambda triggers).
- Our workload has a steady, predictable baseline (not 100% spiky / serverless).
Score interpretation:
- 0-9: Stay on AWS. Either too small to be worth migrating, too regulated, or too entangled.
- 10-18: Worth investigating a partial move. Stateless tier + bandwidth-heavy parts likely save significantly.
- 19-27: Strong case for moving most workloads. Run a real POC.
- 28-30: You're paying the AWS tax for no reason. Move.
The "bandwidth dominates" signal
If egress + inter-region + inter-AZ exceeds 30% of your AWS bill, you're already paying so much for AWS networking that the saving from migrating bandwidth-heavy components to Hetzner or to Cloudflare R2 is going to dominate every other consideration.
Specific example: a SaaS doing $8K/month on AWS with $2.5K of egress. The same workload on Hetzner with a Cloudflare CDN in front of static assets: the egress disappears entirely. Net saving: ~$2.4K/month, or 30% of total spend, just from the network tier.
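As an added worked example (not from the original page), the audit above and the "bandwidth dominates" check scored from a monthly cost breakdown. The spend figures and the 0-3 answers for the seven qualitative questions are constructed; the pro-rating of the compute and egress questions below their thresholds is our assumption, since the page only gives the thresholds themselves.

```python
from math import floor

# Constructed sample: one month of AWS spend by service, in USD (not real billing data).
SAMPLE_BILL = {
    "EC2": 2600, "ECS": 400, "Fargate": 300, "Lambda": 200,
    "RDS": 1500, "ElastiCache": 300, "S3": 200,
    "DataTransfer-Out": 2000, "DataTransfer-InterAZ": 300, "DataTransfer-InterRegion": 200,
}
COMPUTE = {"EC2", "ECS", "Fargate", "Lambda"}
NETWORK = {"DataTransfer-Out", "DataTransfer-InterAZ", "DataTransfer-InterRegion"}

# Constructed 0-3 answers for the seven qualitative questions (items 4-10 of the audit).
SAMPLE_ANSWERS = {"few_managed_services": 3, "portable": 3, "not_regulated": 3,
                  "soc2_sufficient": 3, "iac_engineer": 2, "few_aws_sdks": 1,
                  "steady_baseline": 3}

# Score interpretation from the page: upper bound of each band and its verdict.
BUCKETS = [(9, "Stay on AWS"), (18, "Investigate a partial move"),
           (27, "Strong case for moving most workloads; run a POC"), (30, "Move")]

def bill_points(total):
    """Question 1: one point per $5k of monthly spend, capped at 3."""
    return min(3, floor(total / 5000))

def share_points(share, threshold):
    """Questions 2-3: full marks above the page's threshold; pro-rated below it (assumption)."""
    return 3 if share > threshold else round(3 * share / threshold)

def audit(bill, answers):
    """Return (score, verdict, bandwidth_dominates) for one month of spend."""
    total = sum(bill.values())
    compute_share = sum(v for k, v in bill.items() if k in COMPUTE) / total
    egress_share = bill.get("DataTransfer-Out", 0) / total
    network_share = sum(v for k, v in bill.items() if k in NETWORK) / total
    score = (bill_points(total)
             + share_points(compute_share, 0.40)
             + share_points(egress_share, 0.15)
             + sum(answers.values()))
    verdict = next(label for limit, label in BUCKETS if score <= limit)
    # "Bandwidth dominates": egress + inter-AZ + inter-region above 30% of the bill.
    return score, verdict, network_share > 0.30

if __name__ == "__main__":
    score, verdict, bw = audit(SAMPLE_BILL, SAMPLE_ANSWERS)
    print(f"score={score}/30 -> {verdict}; bandwidth dominates: {bw}")
```

The sample bill totals $8K with $2.5K of network spend, the same shape as the example above, so the network flag trips while the RDS line stays as the sticky part.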
The "manageable stateful surface" signal
The single biggest blocker to leaving AWS is RDS dependence. Production-grade Postgres with:
- Automated daily backups + PITR
- Read replicas across AZs
- Automatic failover within 1-2 minutes
- Encryption at rest with KMS
- Performance Insights + Enhanced Monitoring
- SOC 2 audit-friendly access logging
...is actually a lot of work to replicate. Self-hosted Postgres can do all of this, but the operational overhead is real. Tools like Crunchy Postgres or StackGres close the gap, but somebody on your team has to own the upgrade path.
The pragmatic answer: keep RDS on AWS, move everything else. The "60% Hetzner, 40% AWS RDS" pattern is the sweet spot.
The "we've never done it before" signal
Operational maturity matters. If your team has never:
- Patched a Linux box manually,
- Configured nginx as a reverse proxy,
- Set up firewall rules on a Linux distro,
- Restored a backup,
...then moving off AWS is a step backwards in reliability before it's a step forward in cost. AWS managed services are absorbing operational work your team isn't yet equipped to do. Don't migrate and learn at the same time.
The right path: hire one or two infra-capable engineers first, do a small POC (migrate dev/staging), then production. The cost saving will pay for the hire many times over.
The "regulated industry" signal
If you're SaaS in healthcare, finance, government, or PCI-DSS scope, AWS' compliance catalogue is genuinely worth paying for. The signed BAA, the FedRAMP authorisation, the named compliance contact — these matter at procurement time. Hetzner has GDPR + ISO 27001 but doesn't have HIPAA BAAs. DigitalOcean has SOC 2 Type II and HIPAA-eligible features but limited US-only regions.
For SOC 2 alone, Hetzner / DO / Vultr / Linode all work. Above that, evaluate carefully.
The "we're growing internationally" signal
Hetzner is EU-strong (Falkenstein, Nuremberg, Helsinki) and has US East/West and Singapore. That's six DCs. AWS has 30+. If your traffic genuinely needs Brazil, India, Australia, the Middle East, or Africa with low-latency local presence, AWS or Azure is still the right answer — or a hybrid with Cloudflare as the edge.
For most B2B SaaS, "EU + US East + US West + maybe Asia" covers 90% of traffic. Hetzner can hit all of those.
What to migrate first
- Dev / staging. Risk-free practice. Cuts non-prod bill 70%+. Build the muscle memory.
- CI/CD runners. Self-hosted runners on Hetzner (its cheap instances playing the role AWS Spot plays) are the cheapest CI in existence. Easy migration.
- Static asset hosting. Move to Cloudflare R2 or Hetzner Object Storage + CDN. Zero risk, immediate egress savings.
- Stateless API tier behind a load balancer. Containerize, deploy to Hetzner, connect back to AWS RDS via Tailscale. Cut over with a DNS flip.
- Background workers. Same as above. Workers reading from SQS / RabbitMQ work fine cross-cloud as long as the queue isn't saturating bandwidth.
- Caches. Self-host Redis. The operational cost is genuinely low if you use a managed Redis distribution like KeyDB or Dragonfly.
- Databases. Last, with the most preparation. Or maybe never — see the "60% Hetzner, 40% AWS RDS" pattern above.
The honest summary
The right question is rarely "should we leave AWS entirely" — it's "which parts of the workload are paying the AWS tax for no operational gain". Bandwidth-heavy, compute-bulk, stateless workloads are easy wins. Stateful managed services are sticky and often worth keeping.
For a side-by-side compute price comparison see AWS vs Hetzner, AWS vs Vultr, or AWS vs DigitalOcean. The TCO calculator includes egress as a first-class input.