NAT Gateway is AWS's most underestimated cost. It charges you twice: once for existing ($0.045/hour) and again for every gigabyte that flows through it ($0.045/GB). Most teams deploy one per AZ for high availability — that's three NAT Gateways at $97/month in hourly charges alone, before a single byte of data passes through.
The data processing charge is where the bill explodes. A workload pushing 1TB/month through NAT Gateway adds $45 in processing fees — on top of the hourly charge, on top of the standard data transfer charges. It's a cost triple-dip.
TL;DR: Each NAT Gateway costs $32.40/month just to exist, plus $0.045/GB processed. A typical 3-AZ setup with 500GB of traffic costs $120/month. Heavy workloads easily hit $500-$1,000/month on NAT alone. Alternatives: VPC endpoints ($0.01/GB, no hourly fee for Gateway endpoints), NAT instances (cheaper for low traffic), and architecture changes to reduce NAT traversal.
NAT Gateway Pricing Breakdown
| Component | Price | Notes |
|---|---|---|
| Hourly charge | $0.045/hour | $32.40/month per gateway |
| Data processing | $0.045/GB | Every GB in both directions |
| Cross-AZ data | $0.01/GB | If traffic crosses AZ boundaries |
| Data transfer out | $0.09/GB first 10TB | Standard internet egress (on top of NAT charges) |
The Real Cost of "High Availability"
AWS recommends one NAT Gateway per AZ for resilience. In a typical 3-AZ setup:
| Component | Calculation | Monthly Cost |
|---|---|---|
| 3x NAT Gateways (hourly) | 3 x $0.045 x 730 hours | $98.55 |
| Data processing (500GB) | 500 x $0.045 | $22.50 |
| Internet egress (500GB) | 500 x $0.09 | $45.00 |
| Total | | $166.05 |
At 2TB/month of traffic, that jumps to $368/month. At 10TB, you're looking at $1,000+/month — just for NAT.
Why NAT Gateway Costs Surprise You
Double Billing on Data
NAT Gateway processing charges are in addition to standard data transfer charges. When a private subnet instance downloads 1GB from the internet:
- NAT processing: $0.045
- Data transfer in: Free (inbound is free)
- Total: $0.045/GB
When it uploads 1GB to the internet:
- NAT processing: $0.045
- Data transfer out: $0.09
- Total: $0.135/GB
S3 and DynamoDB Traffic
Every API call from a private subnet to S3 or DynamoDB goes through NAT Gateway by default — and gets charged $0.045/GB. If your application downloads 100GB/month from S3, that's $4.50/month in completely avoidable NAT charges. VPC Gateway Endpoints route this traffic for free.
Docker Image Pulls
ECS and EKS tasks in private subnets pull container images through NAT Gateway. A 500MB image pulled 100 times/month = 50GB through NAT = $2.25/month per image. Across a fleet of services, this adds up fast. Use VPC endpoints for ECR to eliminate this.
How to Reduce NAT Gateway Costs
1. Deploy VPC Endpoints (Biggest Win)
VPC Gateway Endpoints for S3 and DynamoDB are free — zero hourly charge, zero data processing. This alone can cut NAT Gateway traffic by 30-60%.
VPC Interface Endpoints for other AWS services cost $0.01/GB (vs $0.045/GB through NAT) plus $0.01/hour:
| Service | Endpoint Type | Data Cost | Hourly Cost |
|---|---|---|---|
| S3 | Gateway | Free | Free |
| DynamoDB | Gateway | Free | Free |
| ECR | Interface | $0.01/GB | $0.01/hr |
| CloudWatch | Interface | $0.01/GB | $0.01/hr |
| SQS, SNS, STS | Interface | $0.01/GB | $0.01/hr |
| Secrets Manager | Interface | $0.01/GB | $0.01/hr |
2. Consolidate to Fewer NAT Gateways
If your workload can tolerate AZ failure for non-critical traffic, use a single NAT Gateway instead of one per AZ. This cuts the hourly charge from $97 to $32/month. Route critical traffic through AZ-specific NAT Gateways and non-critical traffic through a shared one.
3. Use NAT Instances for Low Traffic
For dev/test environments or workloads under 100GB/month, a t4g.nano NAT instance costs $3/month — versus $32/month for NAT Gateway. The trade-off: you manage the instance, patching, and failover.
| Criteria | NAT Gateway | NAT Instance (t4g.nano) |
|---|---|---|
| Hourly cost | $32.40/month | ~$3.00/month |
| Data processing | $0.045/GB | Free |
| Bandwidth | Up to 100 Gbps | Limited by instance type |
| Availability | Managed, multi-AZ | Self-managed |
| Best for | Production, high traffic | Dev/test, low traffic |
4. Move Workloads to Public Subnets
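Services that need internet access but accept no inbound connections (like batch processors pulling from APIs) can run in public subnets, each with a public IP address and a security group that allows no inbound traffic. No NAT Gateway needed. This only works for services that don't require private subnet isolation: once the workload sits in a public subnet, the security group is the only thing keeping internet traffic off the instance.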
5. Use IPv6
IPv6 traffic doesn't need NAT — instances communicate directly with the internet via an Egress-Only Internet Gateway (free). If your application and dependencies support IPv6, this eliminates NAT costs entirely.
Frequently Asked Questions
How much does NAT Gateway cost per month?
A single NAT Gateway costs $32.40/month in hourly charges ($0.045/hour x 730 hours). Add $0.045/GB for every gigabyte processed. A typical 3-AZ production setup costs $97/month before any data transfer.
Why is my NAT Gateway bill so high?
Check two things: (1) How many NAT Gateways you have deployed (one per AZ per VPC adds up fast), and (2) How much traffic flows through them. S3 traffic, ECR image pulls, and CloudWatch metrics all traverse NAT Gateway unless you have VPC endpoints.
Should I use VPC endpoints instead of NAT Gateway?
Always deploy S3 and DynamoDB Gateway Endpoints — they're free and reduce NAT traffic significantly. For other services (ECR, CloudWatch, SQS), Interface Endpoints cost $0.01/GB versus $0.045/GB through NAT. The break-even is low: Interface Endpoints save money on any meaningful traffic volume.
Stop Feeding the NAT Gateway
NAT Gateway is a necessary service, but most organizations overpay by 50-70%. The fix:
- Deploy S3 and DynamoDB Gateway Endpoints — free, immediate savings
- Add Interface Endpoints for ECR and CloudWatch — 78% cheaper per GB than NAT
- Audit NAT Gateway traffic — Use VPC Flow Logs to see what's flowing through NAT
- Use NAT instances for dev/test — $3/month vs $32/month
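The flow-log audit from the list above, as an added example (not code from the original page). It assumes flow logs in the default version 2 format captured on the NAT Gateway's network interface. The ENI ID, VPC CIDR, service ranges and log records are constructed placeholders, and a GB is taken as 10^9 bytes. The same per-destination totals also show exactly what is leaving your private subnets.

```python
import ipaddress
from collections import defaultdict

NAT_PRICE_PER_GB = 0.045   # NAT data processing rate quoted on this page
GB = 10**9                 # assumption: decimal gigabytes

# Constructed placeholders; real service ranges come from the regional prefix lists.
NAT_ENI = "eni-0aaaaaaaaaaaaaaaa"
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SERVICE_CIDRS = {
    "s3": [ipaddress.ip_network("198.51.100.0/24")],
    "dynamodb": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed records in the default (version 2) flow log format.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.5 10.0.0.220 44312 443 6 900 3200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.220 198.51.100.10 44312 443 6 150 200000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 198.51.100.10 10.0.0.220 443 44312 6 2100 3000000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 203.0.113.7 10.0.0.220 443 51000 6 600 800000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.0.220 192.0.2.44 51822 443 6 400 500000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa - - - - - - - 1700000060 1700000120 - NODATA
2 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.2.9 192.0.2.44 40000 443 6 10 999999 1700000000 1700000060 ACCEPT OK
"""

def classify(ip):
    """Return the service whose range contains ip, else 'other'."""
    return next((s for s, nets in SERVICE_CIDRS.items()
                 if any(ip in n for n in nets)), "other")

def nat_bytes_by_service(log_text, nat_eni=NAT_ENI, vpc=VPC_CIDR):
    """Sum accepted bytes on the NAT ENI's external leg, grouped by remote service."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 14 or f[2] != nat_eni or f[12] != "ACCEPT" or f[13] != "OK":
            continue  # malformed, other interface, rejected, or NODATA/SKIPDATA
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
        # The instance<->NAT leg has both ends inside the VPC; counting it too
        # would double every byte, so keep only records with one remote end.
        if (src in vpc) == (dst in vpc):
            continue
        remote = dst if src in vpc else src
        totals[classify(remote)] += int(f[9])
    return dict(totals)

def avoidable_nat_cost(totals):
    """NAT processing charge for bytes a free gateway endpoint would carry."""
    return sum(b for s, b in totals.items() if s != "other") / GB * NAT_PRICE_PER_GB
```

On the sample records this attributes 3.2 GB to S3 and 0.8 GB to DynamoDB, which is $0.18 of NAT processing that gateway endpoints would remove.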
