Gergo Vadasz

Posted on • Originally published at gergovadasz.hu

Save NAT Gateway Costs by Using an EC2 - Terraform Code Included

AWS NAT Gateways cost at least $33/month before you even send a byte of data. For dev environments, small startups, or personal projects, that's a lot of money for something a $3.50/month EC2 instance can handle.

In this post, I'll show you how to use a small EC2 instance as a NAT device — and provide the complete Terraform code to deploy it.


The Cost Comparison

Solution                        Monthly Base Cost
AWS NAT Gateway                 ~$33 + data processing fees
EC2 NAT Instance (t2.micro)     ~$3.50
Elastic IP (per instance)       $3.60

The trade-off: an EC2 NAT instance introduces a potential single point of failure without an HA setup. For production, you'd want multiple instances. But even two EC2 NAT instances (one per AZ) are more economical than a single NAT Gateway.


How It Works

The concept is simple:

  1. Deploy a Linux server in a public subnet
  2. Create a route table for private subnets pointing 0.0.0.0/0 to the EC2 instance's network interface
  3. Disable source/destination check on the EC2 instance
  4. Configure IP forwarding and iptables NAT rules on the instance


Configuration Commands

The EC2 instance needs IP forwarding enabled and iptables configured for NAT:

# Enable IP forwarding immediately
echo 1 | tee /proc/sys/net/ipv4/ip_forward

# Make it persistent by uncommenting the matching lines in /etc/sysctl.conf.
# Disabling ICMP redirects keeps the instance from telling private-subnet hosts to bypass it.
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sed -i '/net.ipv4.conf.all.accept_redirects=0/s/^#//g' /etc/sysctl.conf
sed -i '/net.ipv4.conf.all.send_redirects=0/s/^#//g' /etc/sysctl.conf
sysctl -p

# Configure iptables for NAT masquerading on the internet-facing interface.
# Take the interface from the default route: Ubuntu 22.04 on Nitro instances names it ens5, not eth0.
IFACE=$(ip route show default | awk '{print $5; exit}')
mkdir -p /etc/iptables
iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
# rules.v4 is only restored at boot when the iptables-persistent (netfilter-persistent) package is installed
iptables-save > /etc/iptables/rules.v4


Terraform Implementation

The Terraform code handles everything:

  • VPC with CIDR 10.0.0.0/16
  • Internet Gateway
  • 2 public subnets (10.0.1.0/24, 10.0.2.0/24)
  • 2 private subnets (10.0.3.0/24, 10.0.4.0/24)
  • EC2 NAT instance (t2.micro, Ubuntu 22.04 LTS)
  • Route tables and security groups
  • Disabled source/destination checking
  • Cloud-init script for automated NAT configuration

Deployment is straightforward:

terraform init
terraform apply

The cloud-init script handles all the NAT configuration automatically on first boot — no SSH required.
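The resources below are an added example of the core pieces, not the author's published module from gergovadasz.hu, and they assume a VPC aws_vpc.main, a public subnet aws_subnet.public_a, private subnets aws_subnet.private_a and aws_subnet.private_b, and an Ubuntu 22.04 AMI data source data.aws_ami.ubuntu defined elsewhere. They wire steps 2 to 4 of the procedure above together and restrict the NAT instance's security group to traffic that originates inside the VPC, so nothing on the internet can reach the instance directly.

```hcl
resource "aws_security_group" "nat" {
  name   = "nat-instance"
  vpc_id = aws_vpc.main.id
  # Accept only traffic that originates inside the VPC; nothing inbound from the internet.
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_instance" "nat" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.public_a.id
  vpc_security_group_ids      = [aws_security_group.nat.id]
  associate_public_ip_address = true
  source_dest_check           = false # step 3: forward packets not addressed to this host
  # Step 4: cloud-init runs this once on first boot, so no SSH is needed.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    sysctl -w net.ipv4.ip_forward=1
    echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-nat.conf
    # Detect the default-route interface rather than assuming eth0 (Ubuntu on Nitro uses ens5).
    IFACE=$(ip route show default | awk '{print $5; exit}')
    iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
  EOF
}

# Step 2: private subnets send 0.0.0.0/0 to the NAT instance's primary ENI.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.nat.primary_network_interface_id
  }
}
resource "aws_route_table_association" "private" {
  for_each       = { a = aws_subnet.private_a.id, b = aws_subnet.private_b.id }
  subnet_id      = each.value
  route_table_id = aws_route_table.private.id
}
```

The MASQUERADE rule set by this user_data is not persisted across reboots; install iptables-persistent and save the rules, or re-run the script from a systemd unit, before relying on it.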


When to Use This

Good for:

  • Development and testing environments
  • Startups and small businesses watching cloud costs
  • Personal projects and labs
  • Any environment where $33/month per NAT Gateway adds up

Stick with NAT Gateway for:

  • Production workloads requiring high availability out of the box
  • High-throughput scenarios (NAT Gateway scales to 45 Gbps)
  • Environments where operational simplicity outweighs cost savings


Conclusion

For high availability, deploying multiple EC2 NAT instances (one per AZ) remains more economical than multiple NAT Gateways while still giving private resources outbound internet access without exposing them to inbound connections.

Get the complete Terraform code at gergovadasz.hu.


Originally published on gergovadasz.hu. I write hands-on cloud networking guides with production-ready Terraform code for AWS, Azure, and GCP. Subscribe for more.
