Every AWS audit, same line: "NAT Gateway — $450/month."
Then I look at the VPC, and there are six of them.
The reason is always the same: a well-meaning SRE added a NAT per AZ "for HA" two years ago. Then another team spun up a second VPC for a new service. Another NAT. Then someone replicated the whole thing to us-east-1 for disaster recovery. Three more NATs.
Six NAT Gateways, each $0.045/hour plus $0.045/GB processing. Monthly: $450-900 depending on traffic. Annual: ~₹5L-10L.
For a company with $15K/mo AWS bill, NAT is 4-6% of total spend. For what?
The honest breakdown:
→ 70% of traffic through NAT is to S3, DynamoDB, or SSM — all of which are reachable through VPC endpoints (the S3 and DynamoDB gateway endpoints are free; SSM uses an interface endpoint)
→ Inter-AZ NAT redundancy is theater. If us-east-1a fails, AWS still runs your NAT in another AZ via the underlying service.
→ A single NAT per VPC + private subnets + gateway endpoints handles 95% of production needs
Fix (literal 30-min Terraform diff):
→ Add aws_vpc_endpoint for S3 (gateway, free) and DynamoDB (gateway, free)
→ Add interface endpoints for SSM, ECR, Secrets Manager (small cost, offsets NAT traffic)
→ Consolidate NAT to one per VPC unless you've actually measured AZ isolation as a requirement
→ Tag your NAT traffic — 95% of what leaves should go through endpoints, not NAT
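The four steps above as one Terraform fragment. This is an added example, not the author's diff; it assumes an existing `aws_vpc.main`, a private route table `aws_route_table.private` and private subnets `aws_subnet.private` (hypothetical names), and it keeps the interface endpoints' security group to HTTPS from inside the VPC only.

```hcl
# Assumed to exist elsewhere (hypothetical names): aws_vpc.main,
# aws_route_table.private, aws_subnet.private (list of private subnets).
data "aws_region" "current" {}

# Gateway endpoints are free. Attaching them to the private route table adds
# prefix-list routes, so S3/DynamoDB traffic never reaches the NAT Gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# Interface endpoints are ENIs with an hourly cost; allow only 443 from the VPC.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Session Manager needs ssm, ssmmessages and ec2messages; ECR needs api and dkr
# (image layers themselves are fetched from S3, covered by the gateway endpoint above).
locals {
  interface_services = ["ssm", "ssmmessages", "ec2messages", "ecr.api", "ecr.dkr", "secretsmanager"]
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(local.interface_services)
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true # SDK calls resolve to the endpoint with no code changes
}
```

After applying, confirm with VPC Flow Logs or the NAT Gateway CloudWatch metrics that bytes through the NAT drop before removing the extra gateways.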
One company in our audit cut NAT bill 83% in 2 weeks. Total effort: ~4 hours of engineer time.
The NAT line item is where lazy architecture goes to charge your AWS account monthly rent.
Repost if your VPC diagram has more NATs than services.