Most AWS cost conversations focus on EC2 instances and RDS databases. Meanwhile, NAT Gateways quietly burn $32.85 per month each — whether they process a terabyte of data or zero bytes.
How NAT Gateway Billing Works
NAT Gateway pricing has two components:
| Component | Rate (us-east-1) | Monthly Estimate |
|---|---|---|
| Hourly base charge | $0.045/hour | $32.85/month (730 hrs) |
| Data processing | $0.045/GB | Varies by traffic |
The base charge is the one that catches teams off guard. It runs 24/7 from the moment the NAT Gateway is created until it's deleted. No traffic? Doesn't matter — you're still paying $0.045 for every hour it exists.
Where the Real Cost Hides: Multi-AZ Deployments
The standard Terraform pattern for a production VPC creates one NAT Gateway per Availability Zone:
resource "aws_nat_gateway" "main" {
count = length(var.availability_zones)
allocation_id = aws_eip.nat[count.index].id
subnet_id = aws_subnet.public[count.index].id
}
Three AZs means three NAT Gateways. That's $98.55/month in base charges alone — before a single byte of data is processed. For a staging environment that mirrors production network architecture, you're paying nearly $100/month for network redundancy that staging doesn't need.
The Math at Scale
Let's walk through realistic scenarios:
Small team (1 VPC, 3 AZs):
- 3 NAT Gateways × $32.85 = $98.55/month base
- 500 GB data processed × $0.045 = $22.50
- Total: $121.05/month
Mid-size company (4 VPCs across dev/staging/prod/sandbox, 3 AZs each):
- 12 NAT Gateways × $32.85 = $394.20/month base
- Most non-prod NAT Gateways processing near-zero traffic
- Likely waste: 6–9 idle gateways = $197–$296/month wasted
Enterprise (20+ VPCs, multi-region):
- 60+ NAT Gateways × $32.85 = $1,971/month base
- Traffic typically concentrated in 1–2 AZs per VPC
- Idle NAT Gateways can easily exceed $500/month in pure waste
How to Find Idle NAT Gateways
Two CloudWatch metrics tell you everything:
-
BytesOutToDestination— total bytes sent through the NAT Gateway -
ActiveConnectionCount— number of concurrent active connections
If both are zero for 7+ days, the NAT Gateway is idle. Here's how to check:
# List all NAT Gateways
aws ec2 describe-nat-gateways \
--query 'NatGateways[?State==`available`].{
ID:NatGatewayId,
SubnetId:SubnetId,
VpcId:VpcId,
State:State
}' \
--output table
# Check traffic for a specific NAT Gateway (last 7 days)
aws cloudwatch get-metric-statistics \
--namespace AWS/NATGateway \
--metric-name BytesOutToDestination \
--dimensions Name=NatGatewayId,Value=nat-0abc123def456 \
--start-time $(date -u -v-7d +%Y-%m-%dT%H:%M:%S) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
--period 86400 \
--statistics Sum
If every daily sum is 0.0, that NAT Gateway is costing you $32.85/month for nothing.
Alternatives for Low-Traffic Environments
1. VPC Endpoints (Gateway type — free)
If your private subnets only need to reach S3 or DynamoDB, a Gateway VPC Endpoint handles it with zero hourly or data processing charges:
aws ec2 create-vpc-endpoint \
--vpc-id vpc-abc123 \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-abc123
This single command can eliminate the NAT Gateway entirely for S3-only workloads.
2. NAT Instances (for dev/staging)
A t4g.nano instance running as a NAT instance costs ~$3.07/month — roughly 10x cheaper than a NAT Gateway. The tradeoff is no managed HA, no automatic scaling, and you manage the instance yourself. For non-production environments, that's often acceptable.
3. Consolidate AZs in non-production
Staging doesn't need 3 NAT Gateways. Route all private subnets through a single NAT Gateway in one AZ. Cross-AZ data transfer adds $0.01/GB, but at low staging traffic volumes, that's negligible compared to saving $65.70/month in base charges.
The Regional NAT Gateway Option
AWS recently introduced Regional NAT Gateways, which span multiple AZs but are billed per AZ per hour. If your Regional NAT Gateway covers 3 AZs, you're charged $0.045 × 3 = $0.135/hour — the same as running 3 individual NAT Gateways. The advantage is operational simplicity, not cost savings.
A Quick Audit Checklist
-
Count your NAT Gateways:
aws ec2 describe-nat-gateways --query 'NatGateways[?State==available]' | jq length— multiply by $32.85/month -
Check for zero-traffic gateways: Query CloudWatch for
BytesOutToDestinationover the past 14 days - Review non-production VPCs: Do dev/staging environments truly need NAT Gateway HA across 3 AZs?
- Evaluate VPC Endpoints: If traffic is primarily S3/DynamoDB, Gateway Endpoints are free
NAT Gateways are one of those AWS resources where the "set it and forget it" mentality costs real money. A five-minute audit can often save $100–$300/month.
CloudWise automates AWS cost analysis across 38+ services — including idle NAT Gateway detection. Try it at cloudcostwise.io
Top comments (1)
This is a great breakdown of a pattern I keep seeing in AWS environments.
What makes NAT Gateways tricky is that the default infrastructure templates encourage the multi-AZ pattern, which is correct for production but often gets replicated unchanged across dev, staging, and sandbox VPCs.
In several environments I’ve audited, the NAT layer ended up being one of the most expensive parts of the network stack simply because the gateways were sitting idle.
One additional scenario that shows up frequently in data platforms is private workloads accessing S3 through a NAT Gateway. If the traffic is primarily S3 or DynamoDB, a Gateway VPC Endpoint removes both the hourly NAT charge and the data processing cost entirely.
In those cases the “cost problem” is really an architecture pattern that was never revisited.