Skip to content
Refine

Glossary · Networking

What is a NAT Gateway?

A managed AWS service that gives private-subnet instances outbound internet access — and silently accumulates cost on hourly + per-GB-processed charges.

Connect AWS AccountAll glossary terms

By HabileLabs

Definition

NAT Gateway

A NAT Gateway is a managed network address translation service that lets EC2 instances in a private subnet reach the public internet (e.g. for package installs, third-party API calls) without exposing themselves to inbound traffic. AWS charges two ways:

  • Hourly — flat ~$0.045/hour per NAT Gateway, per AZ. A single multi-AZ deployment can run $100+/month before any traffic.
  • Per-GB processed — $0.045/GB. Traffic from your private instances to any destination through the NAT — including S3 in the same region — gets billed at the per-GB rate.
Why it matters for AWS cost

NAT Gateway is one of the most common surprise cost lines on an AWS bill. The hourly charge is small but constant; the per-GB processing charge compounds the moment a workload accidentally routes high-volume traffic through it.

The most common waste mode: applications fetching S3 objects in the same region but going via the NAT instead of a VPC Gateway Endpoint for S3. The endpoint is free and eliminates the per-GB charge entirely. For DynamoDB, the same applies. For other AWS services, VPC Interface Endpoints have a smaller per-hour cost but no per-GB charge.

Common gotchas
  • !Run one NAT Gateway per AZ for high availability — but verify each is actually carrying traffic. Idle per-AZ NAT Gateways are pure waste.
  • !Add VPC Gateway Endpoints for S3 and DynamoDB on day one — free, easy, eliminates a major chunk of NAT charges.
  • !Cross-AZ traffic to NAT Gateway also incurs inter-AZ data transfer charges on top of the NAT processing fee.

Related

Cost Visibility

Cost Anomaly

A statistically significant unexpected spike or drop in AWS cost for a given service / account / region, relative to its recent baseline.

Compute

Idle Resource

An AWS resource that is provisioned and billed but doing no real work — common offenders: unattached EBS volumes, idle EC2, unused elastic IPs, abandoned load balancers.

How Refine helps

Cost Optimization

See how Refine surfaces this in your AWS account.

Find waste like this in your own AWS account free

60-second IAM-role connection. Read-only. No signup needed for the bill analyzer.

Connect AWS AccountUpload My AWS Bill

Refine is built and supported by HabileLabs, an AWS Advanced Tier Services Partner.

Back to glossary15 terms in the AWS cost & FinOps glossary