Andrew Larsen

Summary

Compoze Labs outlines strategies to reduce AWS NAT Gateway costs through the use of VPC Endpoints, public IP addresses, and alternative NAT Gateway appliances.

Abstract

Compoze Labs, a company managing multiple AWS accounts, has identified high networking costs due to NAT Gateway usage as a significant expense. They detail how NAT Gateways incur charges both per hour and per GB of data processed, leading to substantial monthly and annual fees. To mitigate these costs, Compoze Labs suggests three alternative solutions: VPC Endpoints, which can reduce the need for NAT by providing direct, private connections to AWS services; assigning public IP addresses to instances, which bypasses the need for NAT but increases security risks; and using alternative NAT Gateway appliances, such as Cohesive’s NATe, which can be more cost-effective than AWS's native offering. The company has successfully implemented these strategies, particularly VPC Endpoints, to achieve significant cost savings for both themselves and their customers.

Opinions

  • Compoze Labs views the cost of AWS NAT Gateways as a "data tax" that is too high and seeks alternatives to reduce this expense.
  • They believe that AWS's architecture recommendations tend to favor higher bills and therefore look for more cost-effective solutions.
  • The company values security and privacy, as evidenced by their use of NAT Gateways and cautious approach to assigning public IP addresses directly to instances.
  • Compoze Labs is satisfied with the performance and cost savings achieved by using Cohesive’s NATe appliance as an alternative to AWS's NAT Gateway.
  • They advocate for proactive cost optimization in AWS, emphasizing that even modest savings can lead to significant reductions in overall AWS spending when applied across multiple services.

How to reduce your AWS NAT Gateway bill

At Compoze Labs we manage dozens of AWS accounts, both for our customers and our own. As part of our management services we are always looking for ways to optimize AWS costs.

One area that always bothered us was how much was spent on networking. Most accounts see their highest spend in RDS, EC2, ECS, etc., but networking was commonly one of the top line items on our AWS bills. After some initial analysis we found that our NAT Gateways (both the per-hour and the per-GB-processed charges) made up a significant portion of these networking costs.

What is a NAT Gateway

A NAT Gateway manages the flow of internet traffic to and from instances in a private subnet. When an instance in the private subnet sends a request to the internet, the NAT Gateway translates the private IP address of the instance into a public IP address, ensuring the instance can communicate with external services. This translation process is vital for maintaining the security and privacy of the instances, as it masks their internal IP addresses from the outside world.

image from https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html

AWS charges for each NAT Gateway per hour ($0.045) and per GB of data processed ($0.045/GB of egress). Our default networking topology contains a VPC per environment (dev, stage, prod), so we tend to have 3 NAT Gateways per account.

In addition, we typically see ~2,000 GB/month of egress traffic on our lower-volume accounts. That cost breakdown looks like:

3 NAT Gateways * $0.045 / hour * 24 hours * 30 days = $97.20 / month

2,000GB * $0.045 / GB = $90 / month

Which is ~$197.20 per month or $2366.40 a year.

Example Monthly Cost

However, for some of our larger scale projects, this number has scaled up quickly. Some accounts were over 5 figures a month! This “data tax” didn’t sit well with us, so we decided to look for alternatives.

Alternative Solutions

  1. VPC Endpoints
  2. Public IP addresses
  3. Alternative NAT Gateway appliances

VPC Endpoints

In AWS, a VPC Endpoint allows you to privately connect instances in your VPC to supported AWS services without sending that traffic through a NAT device. Basically, it creates a local private interface that can be called from within your VPC, eliminating the need to route to the public IP addresses of AWS service APIs.

There are two types of VPC endpoints:

  1. Interface Endpoints: An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined for a supported service. It uses AWS PrivateLink, a technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENIs) with private IPs in your VPCs.
  2. Gateway Endpoints: A gateway endpoint is a gateway that is the target for a specified route in your route table, used for traffic destined for either Amazon S3 or DynamoDB. The gateway endpoint keeps traffic to these services within the Amazon network.

This solution can work to reduce egress traffic, but a NAT is generally still required.

We now leverage VPC endpoints when our egress traffic is consistently destined for AWS services. For example, one customer was doing mostly data retrieval from S3 (~100 GB per day), and we were seeing NAT Gateway egress charges of around $150 / month. By using an S3 Gateway endpoint we were able to reduce this cost to less than $30 / month.

image from https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html

We have also leveraged Interface Endpoints when we have seen high volumes of traffic to services other than S3. One non-obvious situation we encountered was a high volume of log data being sent to Datadog. Fortunately, Datadog offers a VPC Endpoint that we were able to leverage to significantly reduce our customer’s NAT Gateway egress cost.

image from https://docs.datadoghq.com/agent/guide/private-link/?tab=connectfromsameregion

It is worth noting that, while Gateway endpoints have no additional charge, Interface Endpoints do incur charges of ~$7.30 / month per endpoint and $0.01 / GB. Even so, on the per-GB data charge alone this is roughly a 77% savings compared with the NAT Gateway rate.

Public IP addresses

Since a NAT Gateway only translates a private IP to a public IP, you can instead deploy your instances with a public IP assigned to them directly. This eliminates the need for a NAT Gateway.

For example, if you are running ECS Fargate services you can deploy the tasks to a public subnet and auto-assign a public IP.

image from https://aws.amazon.com/blogs/compute/task-networking-in-aws-fargate/

It is worth noting that exposing your instances directly to the public internet increases the attack surface of your account. While we do not recommend this approach, we felt it was worth mentioning briefly.

Alternative NAT Gateway appliances

There are other appliances that can act as a drop-in replacement for an AWS NAT Gateway. For example, we have leveraged Cohesive’s NATe appliance and have been very happy with the results. Cohesive also supports more complex networking use cases as well as functionality such as client VPNs.

image from https://www.cohesive.net/aws-nat-gateway/

Cohesive has a free edition, which reduces what you would pay for an AWS NAT Gateway to ~$3.75 / month (the cost of the t3.nano needed to run Cohesive). As your networking needs increase, they have paid editions to support those use cases as well.
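To compare the three options above using the prices quoted in this post, here is an added cost-model example; it is not code from the post or from Compoze Labs. The traffic split by destination and the assumption that only the quoted charges count (no EC2 data-transfer-out for a NATe instance, as in the post's own figure) are mine.

```python
from dataclasses import dataclass

# Prices quoted in the post; a 30-day month as in the post's own calculation.
HOURS_PER_MONTH = 24 * 30
NAT_GW_HOURLY = 0.045        # $ per NAT Gateway per hour
NAT_GW_PER_GB = 0.045        # $ per GB processed by a NAT Gateway
IFACE_EP_MONTHLY = 7.30      # ~$ per interface endpoint per month
IFACE_EP_PER_GB = 0.01       # $ per GB through an interface endpoint
NATE_MONTHLY = 3.75          # ~$ per t3.nano running the Cohesive NATe free edition
# Assumption: only these charges are counted (as in the post), not EC2 data transfer out.

@dataclass
class Traffic:
    """Monthly egress in GB, split by destination (sample values are constructed)."""
    s3_gb: float = 0.0           # S3/DynamoDB: eligible for a free gateway endpoint
    privatelink_gb: float = 0.0  # services with an interface endpoint (e.g. Datadog)
    other_gb: float = 0.0        # arbitrary internet egress: still needs a NAT device

    @property
    def total_gb(self) -> float:
        return self.s3_gb + self.privatelink_gb + self.other_gb

def nat_gateway_only(vpcs: int, t: Traffic) -> float:
    """Baseline: one AWS NAT Gateway per VPC carries every byte."""
    hourly = vpcs * NAT_GW_HOURLY * HOURS_PER_MONTH
    return round(hourly + t.total_gb * NAT_GW_PER_GB, 2)

def with_endpoints(vpcs: int, t: Traffic, iface_endpoints: int, nate: bool = False) -> float:
    """S3 traffic over a (free) gateway endpoint, PrivateLink traffic over interface
    endpoints, everything else over a NAT device: AWS NAT Gateway, or NATe if nate=True."""
    iface = iface_endpoints * IFACE_EP_MONTHLY + t.privatelink_gb * IFACE_EP_PER_GB
    if nate:
        nat = vpcs * NATE_MONTHLY  # flat instance cost, no per-GB processing charge
    else:
        nat = vpcs * NAT_GW_HOURLY * HOURS_PER_MONTH + t.other_gb * NAT_GW_PER_GB
    return round(iface + nat, 2)

def savings_pct(baseline: float, alternative: float) -> float:
    """Percentage saved by moving from baseline to alternative."""
    return round(100 * (baseline - alternative) / baseline, 1)

if __name__ == "__main__":
    low = Traffic(other_gb=2000)            # the post's low-volume account
    s3_heavy = Traffic(s3_gb=100 * 30)      # the post's ~100 GB/day S3 customer
    datadog = Traffic(privatelink_gb=2000)  # log shipping to a PrivateLink service
    print("3 VPCs, 2,000 GB via NAT Gateways:", nat_gateway_only(3, low))
    print("S3 customer, NAT vs gateway endpoint:", nat_gateway_only(1, s3_heavy), with_endpoints(1, s3_heavy, 0))
    base = nat_gateway_only(1, datadog)
    print("Datadog, NAT vs interface endpoint, vs + NATe:", base, with_endpoints(1, datadog, 1), with_endpoints(1, datadog, 1, nate=True))
```

The `other_gb` bucket is what keeps a NAT device in the picture even after endpoints are added, which is why the post notes that "a NAT is generally still required".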

Conclusion

It is very easy to let AWS bills grow unbounded if you are not careful. We find that AWS too often recommends architectures that optimize for higher bills.

Even with our low traffic customers, we leverage VPC Endpoints & third party NAT Gateways (like Cohesive) for both modest and significant cost savings for ourselves and our customers. And while the modest savings may not seem worth the trouble, when applied to each AWS service, we have found significant cost savings across the board.

If you are interested in learning more about what we do at Compoze Labs, please reach out!

