
Cloudsoft Spotlight - NAT Gateways Pricing

NAT Gateway, offered by AWS, is a managed solution that allows resources in a private subnet to talk to the outside world but prevents the outside world from initiating a connection to a resource in the private subnet.
However, as with every AWS service, there is a catch. It can come with several hidden charges that can add up quickly. Understanding these costs and exploring optimization strategies can significantly reduce your AWS bill. 


When using NAT Gateways, you are charged for two main components:

  1. Hourly Charges: Each NAT Gateway costs $0.045 per hour.
  2. Data Processing Charges: There is an additional charge of $0.045 per GB of data processed by the NAT Gateway.

In addition to these charges, cross-AZ data transfer fees apply if your instances and NAT Gateways are in different Availability Zones (AZs).
This can add a substantial amount to your monthly costs, particularly in architectures that span multiple AZs. (Source for pricing costs).
CloudZero has a very good blog post here that goes through it in more detail.

Cost Optimization Strategies

There are various strategies you can use to reduce these costs:

  1. Reduce the number of NAT Gateways: Consolidate your NAT Gateways to minimize hourly charges. If feasible, reduce from three, one in each Availability Zone (AZ), to a single NAT Gateway in one AZ. This reduces cost and is a good option in non-production accounts, though be cautious about data transfer costs across AZs.
  2. Minimize Cross-AZ Data Transfers: Ensure that your instances and NAT Gateway are in the same AZ to avoid additional data transfer costs. If your architecture requires multiple AZs for high availability (HA), consider deploying a NAT Gateway in each AZ, but manage traffic to minimize cross-AZ communication.
  3. Use VPC Endpoints: For traffic to AWS Services like S3 and DynamoDB, use VPC Gateway Endpoints instead of NAT Gateways. The endpoints allow private connections to these services without incurring data processing charges.
  4. Calculate Cross-AZ Data Transfers: When weighing cross-AZ data transfer costs against a NAT Gateway, if the cross-AZ charge is $0.01 per GB, the breakeven point is when data transfer exceeds 4.5 GB per hour, because a NAT Gateway costs $0.045 per hour. If your cross-AZ data transfer is more than 4.5 GB per hour, deploying a separate NAT Gateway in each AZ becomes cheaper than paying the cross-AZ data transfer fee. This calculation keeps the design cost-effective by balancing NAT Gateway hourly charges against cross-AZ data transfer fees.
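The following is an added example, not code from the original post, that turns the pricing model and the breakeven rule above into a small calculator. The hourly and data-processing rates are the ones quoted in the post and the cross-AZ rate is the $0.01/GB figure the post uses for its breakeven; the 730-hour billing month and the per-AZ traffic figures are assumptions. It goes slightly beyond the post by applying the 4.5 GB/hour rule AZ by AZ, so an AZ with heavy traffic gets its own gateway while a quiet AZ keeps paying the cross-AZ fee.

```python
"""Monthly cost comparison for NAT Gateway topologies (added example)."""
from __future__ import annotations

HOURLY_RATE = 0.045        # USD per NAT Gateway per hour (from the post)
PROCESSING_RATE = 0.045    # USD per GB processed by a NAT Gateway (from the post)
CROSS_AZ_RATE = 0.01       # USD per GB crossing an AZ boundary (figure used in the post)
HOURS_PER_MONTH = 730      # assumption: AWS's conventional billing month


def breakeven_gb_per_hour() -> float:
    """Traffic per hour above which a dedicated gateway beats paying cross-AZ fees."""
    return HOURLY_RATE / CROSS_AZ_RATE  # 4.5 GB/h, the figure in the post


def plan_cost(gb_per_az: dict[str, float], gateway_azs: set[str],
              hours: float = HOURS_PER_MONTH) -> float:
    """Monthly cost when NAT Gateways exist only in gateway_azs.

    Every GB pays the processing charge; traffic originating in an AZ with
    no gateway also pays the cross-AZ charge to reach a gateway elsewhere.
    """
    if not gateway_azs:
        raise ValueError("at least one NAT Gateway is required")
    hourly = len(gateway_azs) * hours * HOURLY_RATE
    processing = sum(gb_per_az.values()) * PROCESSING_RATE
    remote_gb = sum(gb for az, gb in gb_per_az.items() if az not in gateway_azs)
    return hourly + processing + remote_gb * CROSS_AZ_RATE


def recommend_gateways(gb_per_az: dict[str, float], primary_az: str,
                       hours: float = HOURS_PER_MONTH) -> set[str]:
    """Apply the breakeven rule per AZ: keep the primary gateway and add a
    dedicated one only where monthly traffic exceeds 4.5 GB/h * hours."""
    threshold_gb = breakeven_gb_per_hour() * hours
    extra = {az for az, gb in gb_per_az.items() if az != primary_az and gb > threshold_gb}
    return {primary_az} | extra


def compare(gb_per_az: dict[str, float], primary_az: str) -> dict[str, float]:
    """Monthly cost of the three candidate topologies."""
    return {
        "single": plan_cost(gb_per_az, {primary_az}),
        "per_az": plan_cost(gb_per_az, set(gb_per_az)),
        "recommended": plan_cost(gb_per_az, recommend_gateways(gb_per_az, primary_az)),
    }


# Constructed sample: GB per month sent through NAT by workloads in each AZ.
SAMPLE_TRAFFIC = {"eu-west-1a": 2000.0, "eu-west-1b": 5000.0, "eu-west-1c": 100.0}

if __name__ == "__main__":
    for name, cost in compare(SAMPLE_TRAFFIC, "eu-west-1a").items():
        print(f"{name:12s} ${cost:8.2f}/month")
    print("gateways:", sorted(recommend_gateways(SAMPLE_TRAFFIC, "eu-west-1a")))
```

With the sample traffic, a single gateway costs about $403/month, one per AZ about $418, and the mixed plan (gateways in 1a and 1b, with 1c paying cross-AZ fees on its 100 GB) about $386. The interesting point is that neither of the two "obvious" topologies is the cheapest; the per-AZ breakeven decides.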

Consolidating NAT Gateways: Risks and Considerations

While consolidating NAT Gateways can save money, it comes with potential risks:

  • Single Point of Failure: Although NAT Gateways are highly available by design, they can still go down in an AZ failure, and a single gateway then becomes a single point of failure. AWS docs recommend deploying one in each AZ for resilience. We recommend deploying one in each AZ for production environments; for non-production environments, reduce to a single gateway in one AZ, provided your architecture can tolerate the potential downtime.
  • Cross-AZ Costs: If instances in other AZs need to communicate through a single NAT Gateway, cross-AZ data transfer costs might offset some savings.
  • Performance Bottlenecks: Substantial traffic going through the NAT Gateway might become a performance bottleneck. Monitor performance metrics to ensure they meet your application needs.
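An added example, not code from the original post or from Cloudsoft's Spotlight tool, showing how to check the "Cross-AZ Costs" risk above: it finds private subnets whose default route points at a NAT Gateway in a different AZ. The input records are constructed here and shaped like the fields this check needs from the EC2 DescribeSubnets, DescribeRouteTables and DescribeNatGateways responses; the assumption is that a real run would populate them from the corresponding boto3 describe_* calls.

```python
"""Flag subnets routed through a NAT Gateway in another AZ (added example)."""
from __future__ import annotations

# Constructed sample inventory: three private subnets in three AZs and one
# NAT Gateway that lives in a public subnet in eu-west-1a.
SUBNETS = [
    {"SubnetId": "subnet-aaa", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-bbb", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-ccc", "AvailabilityZone": "eu-west-1c"},
    {"SubnetId": "subnet-nat", "AvailabilityZone": "eu-west-1a"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0abc", "SubnetId": "subnet-nat", "State": "available"},
]
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-private",
        "Associations": [
            {"SubnetId": "subnet-aaa"},
            {"SubnetId": "subnet-bbb"},
            {"SubnetId": "subnet-ccc"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
]


def default_nat_route(route_table: dict) -> str | None:
    """Return the NAT Gateway id used by the 0.0.0.0/0 route, if any."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("NatGatewayId"):
            return route["NatGatewayId"]
    return None


def find_cross_az_nat_routes(subnets: list[dict], route_tables: list[dict],
                             nat_gateways: list[dict]) -> list[dict]:
    """One finding per subnet whose default route leaves its AZ to reach a NAT Gateway."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT Gateway's AZ is the AZ of the subnet it was created in.
    az_of_nat = {
        n["NatGatewayId"]: az_of_subnet[n["SubnetId"]]
        for n in nat_gateways
        if n.get("State") == "available" and n["SubnetId"] in az_of_subnet
    }
    findings = []
    for rtb in route_tables:
        nat_id = default_nat_route(rtb)
        if nat_id is None or nat_id not in az_of_nat:
            continue
        for assoc in rtb.get("Associations", []):
            subnet_id = assoc.get("SubnetId")
            if not subnet_id:  # the main-table association has no SubnetId
                continue
            subnet_az = az_of_subnet.get(subnet_id)
            if subnet_az and subnet_az != az_of_nat[nat_id]:
                findings.append({
                    "subnet_id": subnet_id,
                    "subnet_az": subnet_az,
                    "route_table": rtb["RouteTableId"],
                    "nat_gateway": nat_id,
                    "nat_az": az_of_nat[nat_id],
                })
    return sorted(findings, key=lambda f: f["subnet_id"])


if __name__ == "__main__":
    for f in find_cross_az_nat_routes(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(f"{f['subnet_id']} ({f['subnet_az']}) -> {f['nat_gateway']} in {f['nat_az']} "
              f"via {f['route_table']}: cross-AZ data transfer charges apply")
```

Each finding is a subnet whose outbound traffic is billed at the cross-AZ rate on top of the NAT processing charge. Feeding the per-subnet traffic of those findings into the breakeven calculation from the cost-optimization section tells you whether a gateway in that AZ would pay for itself.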

Using AWS Network Firewall

There is an added benefit regarding NAT Gateway charges for AWS Organizations or enterprises using AWS Network Firewall. If you use AWS Network Firewall along with a NAT Gateway, the standard NAT Gateway data processing and per-hour usage charges are waived, provided the NAT Gateway and the Network Firewall endpoint are located in the same AZ. This means you don't need to worry about those specific costs, as they are covered by the Network Firewall charges (see AWS Network Firewall pricing and the Amazon AWS docs).

AWS Network Firewall provides a managed service for deploying network protections across your VPCs. 

It includes features such as URL, IP address, and domain-based traffic filtering, which helps meet compliance requirements and blocks malicious communications. When combined with a NAT Gateway, as long as the NAT Gateway and the Network Firewall endpoint are in the same AZ, AWS does not charge you twice: you pay on a one-to-one basis for the Network Firewall endpoint's per-hour usage and the traffic processed by that endpoint.

Conclusion

NAT Gateways provide essential functionality for secure internet access from private subnets, but they can be expensive. By consolidating NAT Gateways, minimizing cross-AZ data transfers, and utilizing VPC endpoints, you can significantly reduce these costs. Always analyze your specific use case and monitor performance and costs to ensure an optimal balance between cost savings and application requirements.

Cloudsoft Spotlight for AWS

Cloudsoft can scan your AWS accounts and if we spot a version of RDS that will be moving to extended support, we’ll notify you. We proactively monitor these calendars and our Spotlight tool can highlight extended support in good time.

If you have arrived here from the Cloudsoft Spotlight report, we have identified that you have a lot of NAT Gateways and could potentially reduce your bill or change your approach. Please contact Cloudsoft if you need help with this.

This post is part of our Spotlight series where Cloudsoft experts use advanced tooling to look across your AWS estate for opportunities to optimize cost, increase security and take advantage of the latest innovations in AWS. We let you focus on your business objectives by ensuring you use AWS effectively.
