<img height="1" width="1" style="display:none;" alt="LinkedIn" src="https://px.ads.linkedin.com/collect/?pid=1310905&amp;fmt=gif">

AWS: Reduce NAT Gateway Costs in 5 Steps

|January 13, 2020|

Having trouble connecting engineering decisions to business results? CloudZero  makes it easy for engineering teams to understand their AWS cloud spend (such  as unit cost) to make informed decisions.Click here to learn more.  <https://www.cloudzero.com/>

We’re often asked what are some of the top areas where we see customers overspending. High AWS NAT Gateway costs from misplaced data transfers definitely tops our list as one of the most common.

In this article, we’ll walk you through five steps to find which data transfers you’re overspending on and how you can eliminate those excess charges.

What Is a Nat Gateway and Why Is It Expensive?

Before we get into how to identify and reduce NAT Gateway costs, let's talk a little about what a NAT Gateway is and how the pricing works.

A NAT Gateway is a way for your private network to communicate with public networks, like the internet. It can send and receive traffic from a single IP address without exposing the identities of your hosts. A great use case for this is when you're ready to push out software updates across your organization, but don’t want to give software update servers from the internet direct access to devices on your private network.

So, why can it be so expensive?

AWS charges you per hour and per gigabye for all data traveling through your NAT Gateway. However, depending on where you're sending that data (inside of AWS or outside) and what your security requirements are, there are often cheaper alternatives.

For those of you who like to learn through metaphors: NAT Gateway is like living in an apartment building with a doorman. People from the outside can mail you packages to the address of your building, without knowing which apartment you live in. Your doorman will then route that package to your apartment. However, every time you send or receive packages, you pay the doorman a fee. If you're sending the package within your apartment community (Amazon), there are cheaper ways to do it.

The first step to reduce NAT Gateway costs is to take inventory of what kind of data is being transferred and where it's going. Then, you can start to replace some of those with cheaper options. Here are some recommendations for where to start:

1. Determine What Types of Data Transfers Occur the Most

The best place to start is by figuring out which kinds of data transfers occur most in your organization. After this, you can have a better idea of how to reduce NAT Gateway costs stemming from your company’s primary traffic source.

VPC Flow Logs hold details about your NAT gateway traffic, so you want to ensure that they are enabled. You can find instructions for that here. Next, navigate to the CloudWatch console and select Insights from the navigation panel. Click on the dropdown to choose the log group linked to your NAT gateway.

Run the following script to determine which instances pass the most data through your NAT gateway. Note: x.x.x.x represents your NAT gateways private IP Address, while y.y. represents the first and second octets of the VPC CIDR range.


filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') 

| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr

| sort bytesTransferred desc

| limit 10


Run the following script to see what data your instances are sending to- or receiving from the internet.


filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.')

or (srcAddr like 'xxx.xx.xx.xx' and dstAddr like 'y.y.')

| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr

| sort bytesTransferred desc

| limit 10


Run the following script to see from which destinations your instances upload data to the most.


filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') 

| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr

| sort bytesTransferred desc

| limit 10


Run the following script to see from which destinations your instances download data from the most.


filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.')

| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr

| sort bytesTransferred desc

| limit 10


Once you've figured out where you're transferring a lot of data, you'll also want to figure out which AWS services they are using. In particular, you should know which ones are using Amazon S3 and AWS DynamoDB. This may require a little digging, but will be helpful for the next steps.

2. Eliminate Costly Cross Availability Zone Transfer Charges

The next step to reduce NAT Gateway costs is to confirm that these high-traffic instances are within the NAT Gateway’s Availability Zone. If your instances are in a different availability zone from your NAT Gateway, you don’t have to delete your instances. Instead, create new NAT Gateways in the same availability zone as your instances.



Want to Reduce Your AWS Bill?

Our on-demand workshop has tons of tips and practical guidance

Lower My Bill



3. Consider Sending Amazon S3 and Dynamo Traffic Through Gateway VPC Endpoints Instead of NAT Gateways

AWS offers free and low cost alternatives to NAT Gateway if you're sending data within AWS. On example of that is VPC Endpoints. VPC Endpoints are a free alternative to NAT Gateway, but can only talk to S3 or DynamoDB. If you've discovered that your NAT Gateway cost is comprised of data transfers to those two services within the same region, you can use these instructions to establish a Gateway VPC endpoint.

4. Consider Setting up Interface VPC Endpoints Instead of NAT Gateways for Other Intra-AWS Traffic

If you're sending traffic to an AWS service that is not S3 or Dynamo DB, you can still use a lower cost alternative: Interface VPC endpoints. For a cost-savings estimate according to the number of VPC endpoints per availability zones, gigabytes of data processed, and your instances’ (or any other services’) regions, see here.

5. Depending on Security Requirements, Consider Replacing Your NAT Gateway With an Internet Gateway

For data transfers that are going to resources outside of AWS, you could potentially use an Internet Gateway. Like VPC endpoints, internet gateways are a no-cost alternative to NAT Gateways, but there are tradeoffs to consider. One concern is that in order to use internet gateways, your instances must be in public subnets. However, internet gateways have the added benefit of providing Internet Access Management (IAM) for added security through the use of security groups and network access control lists. This approach can mitigate some risk. If you have a security team, you can talk to them about the best way to structure this.

See CloudZero in Action


Join thousands of engineers who already receive the best AWS and cloud cost intelligence content.