DEV Community

Robindeva

NAT Gateway vs VPC Endpoints: Which One Should You Use?

NAT Gateways cost money. A lot of it if you're not careful. If you're using them to connect private resources to AWS services like S3 or DynamoDB, you're probably overpaying. VPC Endpoints do the same job for a fraction of the cost.

The problem

You have an EC2 instance in a private subnet. It needs to upload files to S3, write logs to CloudWatch, hit DynamoDB. Basic stuff. But it has no internet access.

How does it talk to AWS services?

Option 1: Using a NAT Gateway

A NAT Gateway gives your private resources internet access.
Your EC2 wants to upload to S3. The request goes: instance → NAT Gateway → Internet Gateway → actual internet → S3 public endpoint → all the way back.

Even though S3 is an AWS service, your data goes out to the internet first. Feels backwards.

Cost breakdown: $0.045/hour for the gateway (roughly $32/month) plus $0.045 per GB processed. Moving 800GB monthly? That's another $36. One NAT Gateway = $68/month. Need two for high availability? Double it.

Security-wise, your traffic is leaving your VPC. It's encrypted, sure, but it's still going through the public internet to reach AWS services that are... also in AWS. Never sat right with me.

Option 2: VPC Endpoints (wish I'd known about this sooner)

This one's different. VPC Endpoints create a direct private connection from your VPC to AWS services. No internet involved.
Same scenario with S3: your request goes from EC2 → straight to S3 through AWS's private network. Done. Traffic never leaves AWS infrastructure.

Cost difference is huge. Gateway endpoints for S3 and DynamoDB? Free. Actually free. Interface endpoints for other services run about $0.01/hour (roughly $7/month).

I replaced my NAT Gateway setup with VPC Endpoints and cut that $136/month down to around $15. No joke.

Security is better because everything stays internal. You can also set policies on endpoints to control exactly which S3 buckets your instances can access.
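Worked example of that last point, added here and not part of the original post: the wide-open policy AWS attaches to a new S3 Gateway Endpoint next to one restricted to named buckets, plus a small check that flags the wide-open shape. Bucket names are constructed placeholders.

```python
import json

# Default policy AWS attaches to a new S3 Gateway Endpoint: any principal,
# any action, any bucket. Traffic stays private, but nothing is restricted.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# Actions the pipeline in the post actually needs against its buckets.
PIPELINE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]


def build_s3_endpoint_policy(buckets, actions=PIPELINE_ACTIONS):
    """Endpoint policy allowing only `actions` on `buckets` (and their objects).

    Principal stays "*": the endpoint policy limits *where* traffic may go;
    *who* may call is still decided by each role's own IAM policy.
    """
    resources = []
    for bucket in buckets:  # constructed placeholder names in the test
        resources.append(f"arn:aws:s3:::{bucket}")    # bucket-level (ListBucket)
        resources.append(f"arn:aws:s3:::{bucket}/*")  # object-level (Get/Put)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyPipelineBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": resources,
        }],
    }


def wide_open_statements(policy):
    """Indexes of Allow statements granting every S3 action on every bucket."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if (stmt.get("Effect") == "Allow"
                and any(a in ("*", "s3:*") for a in actions) and "*" in resources):
            hits.append(i)
    return hits


def policy_document(policy):
    """Serialise for `aws ec2 modify-vpc-endpoint --policy-document file://...`."""
    return json.dumps(policy, indent=2)
```

If the same instances also patch from Amazon Linux repositories, note that those repositories live in regional S3 buckets and would need to be allowed by a policy like this too.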

Here's a real situation from my project

I'm running a data processing pipeline. Lambda functions pull CSV files from S3, process them, dump results in DynamoDB, and send completion notifications through SNS. All this runs in private subnets.

What I was doing (NAT Gateway):

  • Two NAT Gateways (one per AZ) = $64/month
  • Processing about 500GB = $22.50/month
  • Total = $86.50/month

What I switched to (VPC Endpoints):

  • S3 Gateway Endpoint = $0
  • DynamoDB Gateway Endpoint = $0
  • SNS Interface Endpoint = $7/month
  • Total = $7/month

Saved almost $80 monthly on one project. Multiply that across environments and projects, and it adds up fast.

So when should you actually use each?

NAT Gateway makes sense when:

  • Your app needs to call external APIs (Stripe, Twilio, whatever).
  • You're pulling packages from npm, pip, or apt repositories.
  • You need actual internet access for patches and updates.

VPC Endpoints make sense when:

  • You're talking to AWS services (and most support endpoints now).
  • You care about keeping costs down.
  • Compliance requires traffic to stay off the public internet.

Most of the time, you'll use both. I keep a NAT Gateway for external API calls and package downloads, but use VPC Endpoints for all AWS service communication.

Quick setup notes

Creating an S3 endpoint is straightforward:

  • VPC console → Endpoints → Create
  • Pick com.amazonaws.your-region.s3
  • Select your VPC and route tables
  • Done

Your application code doesn't change: as long as the instance's subnet uses one of the route tables you selected, S3 SDK calls route through the endpoint automatically.

Mistakes I made (so you don't have to)

First mistake: I created Interface Endpoints for S3. Turns out Gateway Endpoints exist for S3 and they're free. Interface Endpoints cost money. Oops.

Second mistake: Forgot to update security groups for Interface Endpoints. Spent 20 minutes debugging why my Lambda couldn't reach SNS. Security group wasn't allowing the traffic.

Third mistake: Left my NAT Gateways running after setting up endpoints "just to be safe." Wasted $130 over two months before I actually verified I didn't need them anymore.

What I'd recommend

Look at your CloudTrail logs or VPC Flow Logs. See what services you're actually calling. If they support VPC Endpoints (S3, DynamoDB, Lambda, SQS, SNS, Secrets Manager, ECR, and tons more), switch to endpoints.

Keep NAT Gateway only for actual internet access needs. Don't use it as a catch-all for AWS service communication.

Check your bill after a month. You'll probably see the difference immediately.

One more thing

Different endpoint types matter:

Gateway Endpoints (S3, DynamoDB): Free, route table based, no security groups needed.

Interface Endpoints (everything else): Cost money, need security groups, ENI-based.

Always check if a Gateway Endpoint exists before creating an Interface Endpoint.
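One way to do the log review recommended above, added here and not from the original post: given CloudTrail records, list the services your VPC still reaches through the NAT Gateway and whether a free Gateway Endpoint covers each one. It relies on two standard CloudTrail fields, `eventSource` and `vpcEndpointId` (present only when the call arrived via an endpoint); the records and the NAT Gateway's public IP are constructed.

```python
import json
from collections import Counter

# Services with a free Gateway Endpoint; anything else needs an Interface Endpoint.
GATEWAY_ENDPOINT_SERVICES = {"s3.amazonaws.com", "dynamodb.amazonaws.com"}

# Constructed: a NAT Gateway's public IP. Calls that left via NAT show this as
# sourceIPAddress; calls that used an endpoint show the private IP and a vpcEndpointId.
NAT_GATEWAY_IPS = {"203.0.113.9"}

# Constructed CloudTrail export for the pipeline described in the post.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.23", "vpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
     "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
     "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7"},  # an operator's laptop, not VPC traffic
]})


def calls_via_nat(cloudtrail_json, nat_ips):
    """Count API calls per service that left the VPC through the NAT Gateway."""
    records = json.loads(cloudtrail_json)["Records"]
    return Counter(
        r["eventSource"] for r in records
        if "vpcEndpointId" not in r and r.get("sourceIPAddress") in nat_ips
    )


def endpoint_plan(counts):
    """Map each service still reached via NAT to the cheapest endpoint type."""
    return {
        svc: "gateway (free)" if svc in GATEWAY_ENDPOINT_SERVICES
        else "interface (hourly charge)"
        for svc in counts
    }


if __name__ == "__main__":
    counts = calls_via_nat(SAMPLE_CLOUDTRAIL, NAT_GATEWAY_IPS)
    for svc, kind in endpoint_plan(counts).items():
        print(f"{svc}: {counts[svc]} call(s) via NAT -> add {kind} endpoint")
```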

That's pretty much it. This change alone dropped our AWS networking costs by 60%. Your mileage may vary, but it's worth looking into.
