Bandwidth costs shouldn’t be a mystery—but in AWS, they often are. One day your network charges look normal, the next they’re up by thousands of dollars with no clear explanation.

That’s exactly what happened to us. As it turns out, the culprit wasn’t the flashy new data warehouse we deployed—it was a silent misconfiguration buried deep in our NAT Gateway setup. In this post, we’ll show you how we uncovered the root cause using VPC Flow Logs and nOps, and how we slashed $12,000/month off our bill by fixing a single routing issue.

But first, let’s briefly go over what NAT gateways are and how they work.

What Is a NAT Gateway?

A NAT (Network Address Translation) Gateway lets resources in a private subnet reach the internet or public AWS service endpoints without accepting inbound connections from the internet. It acts as a middleman, rewriting the private source address to its own Elastic IP on the way out while keeping internal IPs hidden. NAT Gateways are fully managed by AWS, but they are not free: in most U.S. regions you pay $0.045 per hour per gateway plus $0.045 per GB of data processed, and the per-GB charge applies to every byte in both directions, including the responses your instances download. Steady, unremarkable-looking traffic can therefore add up to surprising charges.

AWS NAT Gateway Use Cases

Here are the most common use cases for NAT Gateways:

Secure outbound internet access: instances in private subnets reach the internet without accepting inbound connections from it.

Logging and monitoring: ship logs and metrics to external systems without exposing the senders.

Database backups and data transfers: back up databases or transfer data to external or cloud storage over a controlled egress path.

Software updates and dependency management: download patches, updates, and dependencies from the internet.

Security compliance: meet regulatory requirements by keeping resources private while allowing only the access they need.

Multi-region and hybrid architectures: enable cross-region or hybrid cloud communication from private subnets.

Application servers and backend services: let backend servers call external APIs and services without public exposure.

What Caused the Network Cost Spike?

Sounds like an easy question right?

If you are responsible for managing cloud spend, NAT Gateways are one of the classic AWS gotchas: their data processing charge can run up your bill quickly without anyone noticing, and working out what caused a networking spike is not easy. Bandwidth cost is a black box by default, and you can't fix what you can't see.

We experienced this firsthand. We process hundreds of millions of dollars of AWS spend, and we recently started using Databricks for our data warehouse.

Something interesting happened at the same time we deployed the data warehouse. Our networking cost went up by $1,000 a day. We thought it was related to the new data we were processing.

To our surprise, the increase didn't come from Databricks. It came from a misconfiguration in our NAT Gateway routing. In this post, we'll walk you through how we used nOps to find the NAT misconfiguration.

How to Get Insight into NAT Gateway Traffic to Reduce AWS Costs

The best way to understand your bandwidth costs is to look at the actual traffic flows. You can do that by enabling VPC Flow Logs on the VPC, or specifically on the NAT Gateway's network interface. nOps ingests VPC Flow Logs, so we can show you the traffic and how much you're paying for that bandwidth.

When we looked at our bandwidth cost, we saw traffic flowing from one private IP address to another private IP address through the NAT Gateway. That was already a red flag: a NAT Gateway exists to carry traffic bound for the internet, so traffic between two private addresses should take a local route, a peering or transit route, or a VPC endpoint, none of which incur the NAT per-GB charge. That led us straight to the source of our traffic issues, and we later realized we are not the only ones with this problem. Once you shed light on the flows, you can see the true cost of the bandwidth.
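The check described above, as an added example that is not code from the original post or from nOps: parse VPC Flow Log records in the default (version 2) format, keep only accepted traffic seen on the NAT Gateway's network interface, aggregate bytes per destination, flag destinations in RFC 1918 space (the private-to-private red flag), and price the volume at the $0.045/GB data processing rate. The interface IDs, addresses and byte counts are constructed sample data, and treating a billed GB as 1024^3 bytes is an assumption.

```python
"""Find what is actually flowing through a NAT Gateway from VPC Flow Logs.

Added example (not the original post's or nOps' code). Parses default
version-2 flow log records, aggregates accepted bytes crossing the NAT
Gateway ENI per destination, flags RFC 1918 destinations and estimates cost.
"""
import ipaddress
from collections import defaultdict

GIB = 1024 ** 3
# Data processing charge in most U.S. regions, USD per GB. Treating a billed
# GB as 1024^3 bytes is an assumption made for this example.
NAT_DATA_RATE_PER_GB = 0.045

# Default flow log record fields, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Address space we expect to stay internal (RFC 1918); adjust if your VPCs use other ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: eni-0nat0000000000001 stands in for the NAT Gateway's ENI,
# eni-0app0000000000002 for an ordinary instance ENI (both hypothetical IDs).
# 203.0.113.5 and 198.51.100.4 are documentation (TEST-NET) addresses playing internet hosts.
SAMPLE_FLOW_LOG = f"""\
2 123456789012 eni-0nat0000000000001 10.0.1.15 203.0.113.5 44312 443 6 1200 {3 * GIB} 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 10.0.1.15 10.1.20.8 51000 5432 6 90000 {24 * GIB} 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 10.0.2.7 10.1.20.8 51004 5432 6 80000 {18 * GIB} 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 10.0.2.7 198.51.100.4 40000 443 6 300 450000 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0app0000000000002 10.0.1.15 10.0.1.99 33000 8080 6 10 5000 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0nat0000000000001 10.0.1.15 203.0.113.5 44313 443 6 - - 1717000000 1717000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; '-' numeric fields become 0."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header line, custom format or truncated record
        rec = dict(zip(FIELDS, parts))
        for f in INT_FIELDS:
            rec[f] = 0 if rec[f] == "-" else int(rec[f])
        records.append(rec)
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def estimate_cost_usd(nbytes, rate_per_gb=NAT_DATA_RATE_PER_GB):
    return nbytes / GIB * rate_per_gb


def nat_traffic_report(records, nat_eni):
    """Accepted bytes crossing the NAT Gateway ENI, aggregated per destination, largest first."""
    totals = defaultdict(int)
    for r in records:
        if r["interface_id"] != nat_eni:
            continue
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue  # NODATA/SKIPDATA and rejected flows carry no billable bytes
        totals[r["dstaddr"]] += r["bytes"]
    report = [
        {"dstaddr": dst, "bytes": nbytes, "private": is_rfc1918(dst),
         "cost_usd": estimate_cost_usd(nbytes)}
        for dst, nbytes in totals.items()
    ]
    report.sort(key=lambda row: row["bytes"], reverse=True)
    return report


def misrouted_private_destinations(report):
    """Private destinations reached through the NAT: candidates for a route-table fix."""
    return [row["dstaddr"] for row in report if row["private"]]


if __name__ == "__main__":
    rows = nat_traffic_report(parse_flow_log(SAMPLE_FLOW_LOG), "eni-0nat0000000000001")
    for row in rows:
        flag = "PRIVATE DESTINATION via NAT" if row["private"] else ""
        print(f'{row["dstaddr"]:>15}  {row["bytes"] / GIB:8.3f} GiB  ${row["cost_usd"]:.3f}  {flag}')
```

In the constructed sample the two largest flows go to 10.1.20.8 on port 5432, a private address that should never need the NAT; against a real export, anything `misrouted_private_destinations` returns is a route to check, and the report's public destinations tell you which AWS services might move to a VPC endpoint.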

Figure: AWS Network Interface Flow Logs

Visualizing the Routing Table with nOps VPC Endpoint Service

If you haven't figured it out yet, a potential way to avoid NAT Gateways (or at least reduce their cost) is to use VPC endpoints. Most AWS services support them: gateway endpoints for S3 and DynamoDB carry no charge at all, and interface endpoints (AWS PrivateLink) bill a small hourly fee per AZ and a per-GB rate well below the NAT Gateway's. The catch is that every private subnet's route table has to point at the right target, and tracking many route tables by hand becomes incredibly difficult. nOps automatically draws your routing table diagram so you can easily spot misconfigurations in your environment.

Once we fixed our routing table, our cost dropped by $12,000 monthly. Here is a graph showing the drop.

Figure: NAT configuration and VPC endpoints visualized via the routing table

We work with many customers with complex environments. We came to the realization that many of the cost issues are related to misconfiguration. Sign up for nOps today to review your environment.

Different Ways to Reduce NAT Gateway Costs

Optimize Resource Placement to Avoid Cross-AZ Charges

Place your NAT Gateway and the resources that use it (such as EC2 instances) in the same Availability Zone. Data transfer within an AZ over private IPs is free, while traffic that crosses an AZ boundary to reach the gateway is billed as inter-AZ data transfer on top of the NAT processing charge. If you have high-traffic resources in multiple AZs, deploy a NAT Gateway in each AZ and point each AZ's private route table at its local gateway. This also removes a hidden dependency: with a single shared gateway, an outage in its AZ cuts off internet egress for every other AZ.

Leverage Gateway VPC Endpoints for AWS Services

Use Gateway VPC Endpoints for S3 and DynamoDB to route traffic to those services directly over the AWS network instead of through the NAT Gateway. Gateway endpoints have no hourly or per-GB charge, so for workloads that move a lot of data to or from S3 or DynamoDB they can eliminate a large share of NAT Gateway data processing charges. An endpoint only takes effect for the route tables it is associated with, so check every private subnet's route table, not just one.
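The route-table review this section and the routing-diagram section above both call for, as an added example that is not code from the original post or from nOps. It audits each private route table for the three traps discussed: a private CIDR routed through a NAT Gateway, a default route through a NAT Gateway in a different AZ than the subnets using it, and a NAT default route with no gateway VPC endpoint route beside it. The input dicts are constructed and only assumed to resemble the shape of boto3's describe_route_tables, describe_subnets and describe_nat_gateways responses; all IDs are hypothetical.

```python
"""Audit private-subnet route tables for NAT Gateway cost traps.

Added example (not the original post's or nOps' code). Input shape is an
assumption modelled on boto3 describe_* responses; IDs are hypothetical.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample environment.
SUBNETS = {  # SubnetId -> AvailabilityZone
    "subnet-pub-a": "us-east-1a",
    "subnet-priv-a": "us-east-1a",
    "subnet-priv-b": "us-east-1b",
}
NAT_GATEWAYS = {  # NatGatewayId -> SubnetId the gateway lives in
    "nat-0a1b2c3d4e5f60001": "subnet-pub-a",
}
ROUTE_TABLES = [
    {   # healthy: NAT in the same AZ, S3 gateway endpoint present
        "RouteTableId": "rtb-priv-a",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60001"},
            {"DestinationPrefixListId": "pl-0s3example", "GatewayId": "vpce-0s3example"},
        ],
    },
    {   # the traps: cross-AZ NAT, a private range via NAT, no gateway endpoint
        "RouteTableId": "rtb-priv-b",
        "Associations": [{"SubnetId": "subnet-priv-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60001"},
            {"DestinationCidrBlock": "10.1.0.0/16", "NatGatewayId": "nat-0a1b2c3d4e5f60001"},
        ],
    },
]


def is_private_cidr(cidr):
    """True when the IPv4 destination lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def audit_route_table(rtb, subnets, nat_gateways):
    """Return (code, detail) findings for one route table."""
    findings = []
    routes = rtb.get("Routes", [])
    nat_routes = [r for r in routes if r.get("NatGatewayId")]
    # Gateway endpoints (S3/DynamoDB) appear as a vpce- target on a prefix-list destination.
    has_gateway_endpoint = any(
        str(r.get("GatewayId", "")).startswith("vpce-") and r.get("DestinationPrefixListId")
        for r in routes
    )
    subnet_azs = {subnets[a["SubnetId"]] for a in rtb.get("Associations", []) if "SubnetId" in a}

    for r in nat_routes:
        cidr = r.get("DestinationCidrBlock")  # IPv6 routes carry no IPv4 CIDR and are skipped
        nat_id = r["NatGatewayId"]
        nat_az = subnets.get(nat_gateways.get(nat_id, ""), "unknown")
        if cidr and cidr != "0.0.0.0/0" and is_private_cidr(cidr):
            findings.append(("PRIVATE_VIA_NAT",
                             f"{cidr} is private address space but routes via {nat_id}"))
        if cidr == "0.0.0.0/0":
            for az in sorted(subnet_azs - {nat_az}):
                findings.append(("CROSS_AZ_NAT",
                                 f"subnets in {az} send default traffic to {nat_id} in {nat_az}"))
            if not has_gateway_endpoint:
                findings.append(("NO_GATEWAY_ENDPOINT",
                                 "S3/DynamoDB traffic pays the NAT per-GB charge; add a gateway endpoint"))
    return findings


def audit_route_tables(route_tables, subnets, nat_gateways):
    """Map RouteTableId -> list of findings across the whole VPC."""
    return {rtb["RouteTableId"]: audit_route_table(rtb, subnets, nat_gateways)
            for rtb in route_tables}


if __name__ == "__main__":
    for rtb_id, findings in audit_route_tables(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS).items():
        print(rtb_id, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Run against real describe_* output, the PRIVATE_VIA_NAT finding is the one that matches the story in this post: a route sending internal traffic to the NAT Gateway, where a local, peering, transit or endpoint route should be.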

Consolidate NAT Gateways Where Possible

If you have multiple VPCs or workloads, consider consolidating their internet-bound traffic through a centralized egress VPC whose NAT Gateways are reached via an AWS Transit Gateway. This maximizes the utilization of each NAT Gateway and reduces the total number required, spreading the fixed hourly cost more efficiently. Two caveats: a NAT Gateway cannot be reached across a VPC peering connection (peering does not support edge-to-edge routing), so Transit Gateway is the option here, and Transit Gateway adds its own per-attachment hourly and per-GB data processing charges, so compare the totals before consolidating.

Use NAT Instances for Low-Traffic Scenarios

For environments with low or predictable traffic, consider replacing NAT Gateways with NAT Instances (EC2 instances configured to forward and masquerade traffic, with source/destination checking disabled on their network interface). NAT Instances can be cheaper, especially on small instance types or within the AWS free tier, but you take on the operations: patching the AMI, monitoring, and failover, since a single NAT Instance is a bandwidth bottleneck and a single point of failure and does not scale automatically.

Schedule NAT Gateway Usage

Employ scheduled scaling by creating and deleting NAT Gateways based on predictable traffic patterns. For example, only run NAT Gateways during business hours or maintenance windows when outbound internet access is required. Automate this with AWS Lambda triggered on an Amazon EventBridge schedule (formerly CloudWatch Events) to avoid manual intervention. Two details matter: the Lambda must also update the private route tables, because a default route pointing at a deleted gateway becomes a blackhole, and it should reuse the same Elastic IP allocation when recreating the gateway if third parties allowlist your egress address.

How Does AWS NAT Gateway Pricing Work?

AWS NAT Gateway pricing is composed of two main charges:

  1. Hourly Charge – You pay $0.045 per hour for each NAT Gateway you deploy, per Availability Zone.

  2. Data Processing Charge – You’re charged $0.045 per GB for all traffic that flows through the NAT Gateway.

These charges are region-specific, but the rates above are common in many U.S. regions. It’s important to note that these are separate from other network transfer fees (like inter-AZ or cross-region data transfer), which may apply depending on how your traffic flows.

There’s no free tier for NAT Gateway, and charges begin as soon as the gateway is created—even if no traffic flows through it.

See What You’re Really Paying For with nOps

NAT Gateway costs are one of the easiest ways to lose thousands on your AWS bill, and one of the hardest to trace. With nOps, you can visualize routing misconfigurations, analyze traffic flow from VPC Flow Logs, and pinpoint exactly where your bandwidth costs are coming from.

We’ve helped teams uncover hidden routing issues and cut five-figure bills in a single day.

See how much you can save with nOps in less than 30 minutes. 

nOps manages $2 billion in AWS spend and is rated 5 stars on G2. Our mission is to make it easy for engineers to save, so they can focus on building and innovating. 


Frequently Asked Questions

How to troubleshoot and optimize AWS NAT Gateway costs?

Start by analyzing VPC Flow Logs and Cost Explorer to identify high data transfer volume through the NAT Gateway. The main charges are $0.045/GB for data processed plus a flat $0.045/hour per gateway. Look for chatty services (e.g., containers frequently polling external APIs), misconfigured routes, or resources unintentionally routing all traffic through the NAT, including traffic to AWS services or to other private networks. Consider a NAT Gateway per AZ, gateway or interface VPC endpoints for AWS services, or, where the added exposure is acceptable, moving egress-heavy workloads to public subnets with tight security groups and IP allowlisting instead.

Are NAT Gateways too expensive?

NAT Gateway pricing can be expensive. For low-throughput workloads, NAT Gateway costs often outpace the actual compute costs, especially in systems with lots of small egress traffic. A single NAT Gateway costs about $33/month idle (730 hours at $0.045), and much more if you're moving large volumes of data. For smaller environments or dev/test workloads, it's often overkill. Cheaper alternatives like NAT Instances or VPC endpoints (for AWS services) can significantly reduce cost if you're willing to manage a bit more yourself.

How to reduce NAT Gateway cost for a smaller system?

Use gateway VPC endpoints for S3 and DynamoDB (free) and interface VPC endpoints for other AWS services to bypass the NAT Gateway for AWS service traffic. Consider replacing the NAT Gateway with a NAT instance, which you can scale down, stop when unused, or run on Spot if the workload tolerates an occasional egress interruption. Also review whether your workloads really need a private subnet; some small services can safely run in public subnets with tight security groups. Finally, consolidate NAT traffic through a single AZ if multi-AZ fault tolerance isn't critical for the workload, accepting the inter-AZ data transfer charge that comes with it.

What is NAT Gateway cost optimization?

NAT Gateway cost optimization means reducing the unnecessary spend caused by AWS NAT Gateway usage. NAT Gateways charge a per-hour fee and $0.045/GB for all data processed in either direction, so costs spike with high egress traffic, with large downloads, or with idle gateways sitting in multiple AZs. Optimization involves:

  • Minimizing data processed through NAT
  • Using VPC endpoints to bypass NAT for AWS services
  • Replacing with NAT Instances where appropriate
  • Right-sizing subnet architecture to limit NAT dependency
