NAT Gateway is the single largest hidden line item on most AWS bills under $50K a month. That is not because the per-unit pricing is bad. It is because the pricing has two components that compound, and one of them is invisible to most engineers.
The numbers below are public. The calculator that does the math for your account is at /tools/nat-gateway-calc.
The two components
NAT Gateway charges:
- An hourly per-AZ charge. $0.045 per hour per NAT Gateway. If you have two AZs (the default for prod), that is two NAT Gateways. $0.045 x 2 x 730 hours = $65.70 per month before any traffic.
- A per-GB data processing charge. $0.045 per GB of data that passes through the gateway. Both directions. This is the part that bites.
The hourly cost is predictable. The per-GB cost is where teams lose four figures a month without noticing.
The case that bites
Take a typical small SaaS: two AZs, modest egress (a few hundred GB per month), Lambda functions talking to third-party APIs. You would assume the NAT bill is small.
Then:
- A Lambda starts hitting a third-party API with a 50KB payload, 200 times per minute.
- That is 50KB x 200 x 60 x 24 x 30 = roughly 13TB per month.
- 13TB x $0.045 per GB = $586 per month, just for that one Lambda's NAT egress.
Now imagine three such Lambdas. Or a malformed retry policy that quadruples request volume.
The horror story version, where retries went into a tight loop with no backoff, is in this post. The projected 24-hour exposure was $47,000.
The VPC endpoint alternative
For traffic that targets AWS services (S3, DynamoDB, ECR, Secrets Manager, SQS, SNS, Kinesis, and many more), you do not need a NAT Gateway at all. You need a VPC endpoint.
Two flavors:
- Gateway Endpoints (S3 and DynamoDB only). Free. Yes, free. No hourly cost. No per-GB cost. There is no reason any production VPC should route S3 or DynamoDB traffic through NAT.
- Interface Endpoints (PrivateLink) for the other AWS services. $0.01 per ENI per hour, plus $0.01 per GB. That is 4.5x cheaper per GB than NAT, and the hourly cost is 4.5x lower per ENI.
Even at small traffic volumes, an interface endpoint beats NAT once you cross roughly 6 GB per month. Below that, NAT is fine.
The decision rule
For each destination your VPC talks to, ask:
- Is the destination an AWS service? Use a VPC endpoint. Almost always cheaper. Gateway endpoint if S3 or DynamoDB. Interface endpoint otherwise.
- Is the destination an internet host (public API, third-party service, package registry)? NAT is your option. Add monitoring on the per-GB charge.
- Is the destination something you control on another VPC? Use VPC peering or Transit Gateway. Different pricing model, often cheaper than NAT at scale.
The four-step audit
If you have not looked at your VPC in 12 months, run this checklist.
Step 1: Identify your top NAT consumers
aws ec2 describe-flow-logs ...
Or pull your VPC flow logs into Athena. Group by destination and bytes. The top 5 destinations are usually 80 percent of your bill.
Step 2: Check if any of them are AWS service endpoints
S3 bucket hostnames. ECR registry hostnames. Secrets Manager. SQS. If yes, you are paying NAT for traffic that should be flowing through a free or cheap VPC endpoint.
Step 3: Add the endpoints
resource "aws_vpc_endpoint" "s3" {
  vpc_id          = aws_vpc.main.id
  service_name    = "com.amazonaws.us-east-1.s3"
  route_table_ids = [aws_route_table.private.id]
}
Gateway endpoint, free. Two lines of HCL.
Step 4: Re-route and monitor
After deploying endpoints, watch flow logs for a week. Confirm traffic is flowing through the endpoint, not NAT. Then turn down or remove unused NAT Gateways.
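Steps 1 to 3 put together as an added example (my code, not the post's or a tool from the post): given step 1's top destinations already resolved to hostnames (assume you joined flow-log byte counts to Route 53 Resolver query logs, since flow logs alone carry only IP addresses), it applies the decision rule to each destination and prices the month with everything on NAT versus after adding the endpoints, using the per-GB and per-ENI rates quoted above. The names `classify`, `audit` and `SAMPLE`, the sample hostnames and the sample volumes are mine.

```python
import re

# List prices quoted in the post; check the AWS pricing page for your region.
NAT_PER_GB = 0.045          # NAT Gateway data processing, per GB
IFACE_PER_GB = 0.01         # interface endpoint (PrivateLink) data, per GB
IFACE_PER_ENI_HOUR = 0.01   # interface endpoint, per ENI per hour, traffic or not
HOURS_PER_MONTH = 730

# AWS service hostnames from the post. S3 and DynamoDB get a free gateway
# endpoint; the rest need an interface endpoint.
_AWS_HOST = re.compile(r"(?:^|\.)(s3|dynamodb|ecr|secretsmanager|sqs|sns|kinesis)"
                       r"\.(?:[a-z0-9-]+\.)?amazonaws\.com$")

def classify(host):
    """Apply the decision rule to one destination: returns (route, aws_service)."""
    m = _AWS_HOST.search(host.lower())
    if not m:
        return ("nat", None)  # internet host: stays on NAT, monitor the per-GB charge
    service = m.group(1)
    route = "gateway_endpoint" if service in ("s3", "dynamodb") else "interface_endpoint"
    return (route, service)

def audit(destinations, azs=2):
    """destinations: {hostname: GB per month} (step 1's top consumers).
    Returns (cost_now, cost_after, rows): data charges with everything on NAT,
    then after adding the endpoints the decision rule calls for."""
    cost_now = cost_after = 0.0
    rows, iface_services = [], set()
    for host, gb in destinations.items():
        route, service = classify(host)
        nat_cost = gb * NAT_PER_GB
        if route == "gateway_endpoint":
            new_cost = 0.0
        elif route == "interface_endpoint":
            new_cost = gb * IFACE_PER_GB
            iface_services.add(service)
        else:
            new_cost = nat_cost
        cost_now += nat_cost
        cost_after += new_cost
        rows.append((host, route, nat_cost, new_cost))
    # One ENI per AZ per interface endpoint, billed hourly even at zero traffic.
    cost_after += len(iface_services) * azs * IFACE_PER_ENI_HOUR * HOURS_PER_MONTH
    return cost_now, cost_after, rows

# Constructed sample of one month's top destinations in GB (not real data).
SAMPLE = {"assets.s3.us-east-1.amazonaws.com": 900.0,
          "dynamodb.us-east-1.amazonaws.com": 120.0,
          "111122223333.dkr.ecr.us-east-1.amazonaws.com": 60.0,
          "api.partner.example": 300.0}
```

Run `audit(SAMPLE)` to see the S3 and DynamoDB volume drop to zero while the ECR traffic picks up the two-AZ ENI charge, which is the line that decides whether a low-volume service is worth an interface endpoint.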
The savings, in real numbers
I have audited 12 AWS accounts in the last 90 days. The median NAT-related saving from this audit was $1,400 per month. The biggest single account saving was $11,800 per month (a startup that had been routing all S3 traffic through NAT for two years).
The calculator that gives you your number is at /tools/nat-gateway-calc.
What is not modeled
- Cross-AZ data transfer. $0.01 per GB between AZs. If your NAT and your Lambda are in different AZs, you pay this on top.
- Inter-region transfer. Different pricing. Not relevant if you are single-region.
- Regional pricing differences and changes. AWS sometimes reduces pricing in specific regions. Always check the current AWS pricing page for your region.
Receipts
- 12 audits in 90 days.
- 11 of 12 had at least one NAT-routable workload that should have been on a VPC endpoint.
- Median monthly saving from the NAT + endpoint audit: $1,400.
- Largest single saving: $11,800 per month.
- Total annualized saving across the 12 audits: roughly $190K.
The bill is not in the per-unit pricing. The bill is in the routing decision. Fix the routing.