aws_nat_gateway cost estimation
A managed NAT gateway for outbound internet access from private subnets. Notoriously expensive: $0.045/hour plus $0.045/GB processed (us-east-1 list prices; other regions differ slightly).
An aws_nat_gateway lets resources in a private subnet make outbound connections to the internet without being directly reachable. It's the most commonly underestimated cost in AWS architectures, often the second or third largest line item in real bills.
Pricing has two components, both at the same rate, which is the trap. First, $0.045 per hour just for the gateway existing (~$32/month per NAT). Second, $0.045 per GB of data processed, in either direction, and this is charged on top of the normal EC2 data-transfer-out rate for bytes that leave AWS. A workload that pulls 1 TB/month through the NAT for software updates and external API calls pays $32 for the gateway plus $45 for data processing, totaling $77/month per gateway before any data-transfer charges.
The processing fee compounds badly at scale. A microservices architecture where every service pulls dependencies from npm, downloads container images from external registries, or makes outbound API calls can easily push 50-100 TB/month through NAT gateways, costing $2,250 to $4,500 monthly just for NAT.
Production-grade VPCs typically have one NAT gateway per availability zone for high availability, multiplying the base cost. A 3-AZ deployment is $96/month minimum before any data, plus ~$3.65/month for each gateway's public IPv4 address.
c3x estimates the per-hour cost from the resource. Data processing is usage-based and requires c3x-usage.yml to estimate.
Terraform example
A minimal but realistic configuration that C3X can estimate.
```hcl
# Elastic IP that becomes the gateway's public address
resource "aws_eip" "nat" {
  domain = "vpc"
}

# Public NAT gateway. It must sit in a public subnet whose route table points
# at the VPC's internet gateway; aws_subnet.public is defined elsewhere.
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  tags = {
    Name = "production-nat"
  }
}
```

Pricing dimensions
What you actually pay for when you provision aws_nat_gateway.
| Dimension | Unit | What's being charged |
|---|---|---|
| NAT gateway hours | per hour | Flat hourly rate for the gateway to exist. $0.045/hour ≈ $32.85/month |
| Data processed | per GB | Bytes flowing through the gateway in either direction. Add expected volume to c3x-usage.yml. $0.045/GB |
| Elastic IP | per hour | Each public NAT gateway needs an aws_eip. Since February 2024 AWS charges $0.005/hour (~$3.65/month) for every public IPv4 address, attached or not, so the gateway's EIP is billed on top of the hourly gateway rate. |
Optimization tips
Common ways to reduce aws_nat_gateway cost without changing the workload.
Add VPC endpoints for S3 and DynamoDB
Up to 100% on S3/DynamoDB traffic. VPC Gateway Endpoints for S3 and DynamoDB have no hourly and no per-GB charge. Once the endpoint is attached to the private route tables, S3 and DynamoDB traffic from those subnets bypasses the NAT entirely, and the endpoint policy lets you restrict which buckets and tables the VPC can reach at all. For workloads that read/write S3 heavily, this can cut NAT bills by 50%+.
Add Interface endpoints for chatty AWS services
Service-dependent. Interface VPC Endpoints ($0.01/hour per endpoint per AZ, about $7.30/month, plus $0.01/GB processed) route traffic to ECR, Secrets Manager, KMS, etc. through PrivateLink instead of NAT. The endpoint's per-GB rate is $0.035 below NAT's, so its hourly charge pays for itself at roughly 200 GB/month per endpoint per AZ; below that volume the endpoint costs more than NAT for that service's traffic, though it still keeps the traffic off the public internet.
Pull container images from ECR, not Docker Hub
Workload-dependent. Each EKS or ECS node pulling images from an external registry pays NAT data processing on every pull (and is subject to Docker Hub's pull rate limits). Mirroring images into ECR, for example with an ECR pull-through cache rule, and reaching ECR through VPC endpoints takes that traffic off the NAT. Private ECR pulls need three endpoints: interface endpoints for ecr.api and ecr.dkr plus the S3 gateway endpoint, because image layers are served from S3.
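The three tips above (S3 gateway endpoint, interface endpoints, ECR instead of Docker Hub) fit together as one set of resources. The following is an added example, not c3x's code or code from the original page. It assumes that aws_vpc.main, var.private_route_table_ids, var.private_subnet_ids (one per AZ) and var.docker_hub_secret_arn exist elsewhere; the bucket name example-app-data is a placeholder.

```hcl
# Added example, not c3x or page code. Assumed to exist elsewhere: aws_vpc.main,
# var.private_route_table_ids (list), var.private_subnet_ids (one per AZ) and
# var.docker_hub_secret_arn. The bucket example-app-data is a placeholder.

data "aws_region" "current" {}

# Gateway endpoint for S3: no hourly and no per-GB charge. Attaching it to the
# private route tables sends all S3 traffic from those subnets around the NAT.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids

  # Endpoint policy: the VPC may reach only its own bucket plus the regional
  # bucket ECR serves image layers from. Anything else via this path is denied.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "OwnBucket"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = [
          "arn:aws:s3:::example-app-data",
          "arn:aws:s3:::example-app-data/*",
        ]
      },
      {
        Sid       = "EcrImageLayers"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["s3:GetObject"]
        Resource  = ["arn:aws:s3:::prod-${data.aws_region.current.name}-starport-layer-bucket/*"]
      },
    ]
  })
}

# Interface endpoints are ENIs inside the VPC, so they carry a security group.
# Only HTTPS from the VPC itself is needed.
resource "aws_security_group" "vpc_endpoints" {
  name_prefix = "vpc-endpoints-"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# ECR needs two interface endpoints (registry API and Docker registry); the
# layers come through the S3 gateway endpoint above. One ENI per subnet, ~$7.30/month each.
resource "aws_vpc_endpoint" "ecr" {
  for_each = toset(["ecr.api", "ecr.dkr"])

  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true # public ECR hostnames resolve to the endpoint ENIs inside the VPC
}

# Mirror Docker Hub into ECR on first pull; later pulls never leave the VPC.
# Docker Hub as an upstream requires credentials in a Secrets Manager secret
# whose name starts with ecr-pullthroughcache/ (assumed to exist).
resource "aws_ecr_pull_through_cache_rule" "docker_hub" {
  ecr_repository_prefix = "docker-hub"
  upstream_registry_url = "registry-1.docker.io"
  credential_arn        = var.docker_hub_secret_arn
}
```

A restrictive gateway endpoint policy fails closed: anything else your hosts fetch from S3 through that route (package repositories, agent downloads) must be listed too, so start permissive and tighten using VPC Flow Logs and CloudTrail S3 data events. With private_dns_enabled, nodes keep using the normal ECR hostnames and need no registry configuration change.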
Use a single NAT gateway for non-production environments
$64/month per non-prod VPC. Multi-AZ NAT gateways are right for production. For dev/staging, one NAT in a single AZ is fine and cuts the base cost from $96/month to $32/month. Two caveats: instances in the other AZs pay $0.01/GB cross-AZ data transfer to reach it, and if that AZ has an outage the whole VPC loses internet egress.
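One way to express the prod-vs-non-prod choice in Terraform, as an added example that is not c3x's code or code from the original page: production gets one NAT per AZ, everything else shares a single NAT, and the per-AZ private route tables point at whichever gateway exists. It assumes var.environment, var.azs (a list of AZ names), aws_vpc.main, aws_internet_gateway.main, and aws_subnet.public / aws_subnet.private created with for_each keyed by AZ name.

```hcl
# Added example, not c3x or page code. Assumes var.environment, var.azs,
# aws_vpc.main, aws_internet_gateway.main, and aws_subnet.public /
# aws_subnet.private keyed by AZ name.

locals {
  # Production: one NAT per AZ. Anything else: a single NAT in the first AZ.
  nat_azs = var.environment == "prod" ? toset(var.azs) : toset([var.azs[0]])
}

resource "aws_eip" "nat" {
  for_each = local.nat_azs
  domain   = "vpc"
}

resource "aws_nat_gateway" "main" {
  for_each      = local.nat_azs
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = aws_subnet.public[each.key].id

  # The gateway is useless until the IGW exists; make the ordering explicit.
  depends_on = [aws_internet_gateway.main]

  tags = {
    Name = "${var.environment}-nat-${each.key}"
  }
}

# One private route table per AZ. In prod each AZ egresses via its own NAT;
# otherwise every AZ routes to the shared NAT and pays cross-AZ transfer.
resource "aws_route_table" "private" {
  for_each = toset(var.azs)
  vpc_id   = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = contains(local.nat_azs, each.key) ? aws_nat_gateway.main[each.key].id : aws_nat_gateway.main[var.azs[0]].id
  }

  tags = {
    Name = "${var.environment}-private-${each.key}"
  }
}

resource "aws_route_table_association" "private" {
  for_each       = toset(var.azs)
  subnet_id      = aws_subnet.private[each.key].id
  route_table_id = aws_route_table.private[each.key].id
}
```

Keeping the route tables per AZ even in non-prod means flipping var.environment to "prod" adds gateways and re-points routes without recreating subnets, and a cost estimator sees exactly one aws_nat_gateway instance per AZ that will actually bill.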
Consider a NAT instance for very small workloads
Up to 95% for tiny workloads. A t4g.nano running fck-nat or similar costs ~$3/month (plus ~$3.65/month for its public IPv4 address) and minimal data transfer. Not HA, and you now own an internet-facing instance you must patch and lock down yourself, but fine for personal projects or non-critical workloads.
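What a NAT instance actually consists of, as an added example (not c3x's code, not fck-nat's, and not from the original page): an Amazon Linux 2023 t4g.nano with source/destination checking disabled, IP forwarding and an nftables masquerade rule, and a default route in the private route table pointing at its network interface. It assumes aws_vpc.main, aws_subnet.public and aws_route_table.private exist elsewhere; there is no SSH ingress, on the assumption that access goes through SSM.

```hcl
# Added example, not c3x or page code. Assumes aws_vpc.main, aws_subnet.public
# and aws_route_table.private exist elsewhere.

data "aws_ami" "al2023_arm64" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-2023*-arm64"]
  }
}

# Only traffic originating inside the VPC may enter the instance; nothing is
# exposed inbound from the internet.
resource "aws_security_group" "nat_instance" {
  name_prefix = "nat-instance-"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "nat" {
  ami                         = data.aws_ami.al2023_arm64.id
  instance_type               = "t4g.nano"
  subnet_id                   = aws_subnet.public.id
  vpc_security_group_ids      = [aws_security_group.nat_instance.id]
  associate_public_ip_address = true

  # Mandatory for any router/NAT instance: with the check on, EC2 drops packets
  # whose source or destination is not the instance itself.
  source_dest_check = false

  # IMDSv2 only: baseline hardening for an instance with a public address.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Enable forwarding and masquerade everything leaving via the default interface.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    dnf install -y nftables
    sysctl -w net.ipv4.ip_forward=1
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-nat.conf
    IFACE=$(ip -4 route show default | awk '{print $5}')
    nft add table ip nat
    nft add chain ip nat postrouting '{ type nat hook postrouting priority 100 ; }'
    nft add rule ip nat postrouting oifname "$IFACE" masquerade
    nft list ruleset > /etc/sysconfig/nftables.conf
    systemctl enable --now nftables
  EOF

  tags = {
    Name = "dev-nat-instance"
  }
}

# Send the private subnets' internet-bound traffic to the instance's ENI.
resource "aws_route" "private_default_via_nat_instance" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_instance.nat.primary_network_interface_id
}
```

The two lines that distinguish this from an ordinary instance are source_dest_check = false and the masquerade rule; forget either and private hosts simply lose egress. Bandwidth is capped by the nano's network baseline, and a reboot or AMI refresh takes the subnet offline, which is the HA trade-off the tip describes.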
FAQ
Why is my NAT gateway my biggest AWS bill item?
Two reasons. First, the per-GB processing fee is the same as the per-hour rate but compounds with volume. Second, microservices architectures route a surprising amount of traffic through NAT (image pulls, API calls, package installs) that engineers don't think about. c3x's recommend command flags NAT-heavy patterns.
Are VPC endpoints really free for S3?
S3 and DynamoDB Gateway Endpoints have no hourly charge and no data processing fee. They're a strict cost win if you have any S3 or DynamoDB traffic at all from private subnets. Interface endpoints to other AWS services have hourly + per-GB charges and become cheaper than NAT once that service's traffic exceeds roughly 200 GB/month per endpoint per AZ.
Does c3x estimate NAT data processing?
Only if you add expected GB/month to c3x-usage.yml under the NAT gateway resource. Without it, c3x shows the hourly cost and flags processing as usage-dependent.
Should I replace NAT with VPC Lattice or PrivateLink?
Both are alternatives for specific traffic patterns. PrivateLink is right for accessing specific external services (other AWS accounts, partner SaaS). VPC Lattice is for service-to-service communication within and across VPCs. Neither fully replaces NAT for general internet egress.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_nat_gateway.