AzureAzure NAT GatewayNetworking

azurerm_nat_gateway cost estimation

Managed outbound SNAT for a subnet. Priced per gateway-hour plus per-GB of data processed, with the attached public IP billed separately.

An azurerm_nat_gateway provides scalable, managed outbound connectivity for the VMs in a subnet, replacing the SNAT limitations of a basic load balancer or individual public IPs. It has two cost dimensions and one billed dependency.

The gateway itself bills per resource-hour at roughly $0.045/hour (about $32.85/month), running continuously once attached. On top of that, every gigabyte that flows through the gateway is billed at roughly $0.045/GB of data processed. For a quiet subnet the gateway hour dominates; for a high-egress workload the data-processed charge can exceed it.

The third piece is the public IP: a NAT Gateway needs at least one Standard public IP (or an IP prefix), and that azurerm_public_ip bills separately at about $3.65/month for a static Standard IP. c3x prices the gateway hours and the data-processed dimension (the latter from usage you supply), and prices the attached public IP as its own resource.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "azurerm_nat_gateway" "egress" {
  name                = "subnet-egress"
  resource_group_name = azurerm_resource_group.net.name
  location            = "eastus"
  sku_name            = "Standard"
}

resource "azurerm_nat_gateway_public_ip_association" "egress" {
  nat_gateway_id       = azurerm_nat_gateway.egress.id
  public_ip_address_id = azurerm_public_ip.nat.id
}

Pricing dimensions

What you actually pay for when you provision azurerm_nat_gateway.

DimensionUnitWhat's being charged
Gateway hoursper hourPer-resource hour for the NAT gateway, billed continuously. c3x assumes 730 hours/month.
~$0.045/hour (~$32.85/month)
Data processedper GBEvery GB flowing outbound through the gateway. Usage-based; define expected egress in c3x-usage.yml.
~$0.045/GB
Public IP (separate resource)per hourA Standard public IP or IP prefix is required and billed as azurerm_public_ip, about $3.65/month for a static IP.

Sample C3X output

Example output from c3x estimate (100 GB processed):

azurerm_nat_gateway.egress
├─ Gateway                        730  hours    $32.85
└─ Data processed                 100  GB        $4.50

OVERALL TOTAL                                   $37.35
(public IP billed via azurerm_public_ip)

Optimization tips

Common ways to reduce azurerm_nat_gateway cost without changing the workload.

Share one NAT gateway across subnets in a zone

Per duplicate gateway

A single NAT gateway can serve multiple subnets in the same availability zone. Deploying one per subnet multiplies the always-on gateway-hour cost for no benefit.

Route known destinations through service/private endpoints

Data-processed on PaaS traffic

Traffic to Azure PaaS services via service endpoints or private endpoints bypasses the NAT gateway, cutting the data-processed charge for that traffic to zero.

Reassess for very low egress workloads

Workload-dependent

If a subnet egresses only a trickle, the ~$33/month gateway plus IP may exceed the value. Basic outbound or a small instance-level IP can be cheaper at tiny scale.

FAQ

How does c3x estimate Azure NAT Gateway cost?

It prices the gateway hour at 730 hours/month and the data-processed dimension from the egress volume you supply in c3x-usage.yml. The required public IP is priced separately as azurerm_public_ip.

Why does a NAT gateway cost money even with no traffic?

The gateway bills per hour continuously once attached, around $32.85/month, plus the public IP. Data-processed charges are on top of that. There is no scale-to-zero.

Is the public IP included in the gateway price?

No. A NAT gateway requires at least one Standard public IP or IP prefix, which bills separately (about $3.65/month for a static Standard IP). c3x prices it as its own resource.

How can I reduce the data-processed charge?

Route traffic to Azure PaaS services through service or private endpoints, which bypass the NAT gateway. Only traffic that actually transits the gateway is billed per GB.

Can multiple subnets use one gateway?

Yes, within the same availability zone. Consolidating to one gateway per zone, rather than one per subnet, directly reduces the always-on cost.

Related resources

Azure
azurerm_public_ip

Required by the NAT gateway and billed separately

Azure
azurerm_lb

Load balancer outbound rules as an alternative SNAT source

Azure
azurerm_firewall

Azure Firewall provides SNAT plus filtering at higher cost

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_nat_gateway.

Get StartedStar on GitHub
← Browse all Azure resources