Excessive NAT Gateway Data Processing Charges from Unoptimized Traffic Routing

Trig Ghosh

CER:

CER-0325

Service Category

Networking

Cloud Provider

AWS

Service Name

AWS NAT Gateway

Inefficiency Type

Inefficient Architecture

Explanation

NAT Gateway charges a per-gigabyte data processing fee on all traffic that passes through it — in either direction — regardless of whether the destination is the public internet or another AWS service in the same region. This per-GB charge is separate from and additive to the hourly provisioning cost, and for workloads with meaningful throughput, it quickly becomes the dominant cost component. In many US regions, the data processing charge matches the hourly rate (e.g., $0.045/GB in US East Ohio), meaning that once monthly traffic exceeds roughly 720 GB, data processing costs surpass the baseline hourly charges entirely. For internet-bound traffic, a compounding effect occurs: hourly provisioning, per-GB data processing, and standard data transfer out charges all apply simultaneously — creating a combined variable cost that can reach $0.135 per GB or more.

This cost structure is frequently underestimated during architecture planning. Teams designing VPC layouts often account for the hourly cost of NAT Gateways but overlook how significantly the per-GB processing fee scales with traffic volume. The result is that workloads routing high-throughput traffic to AWS services like S3, DynamoDB, container registries, or logging endpoints through NAT Gateway incur substantial and avoidable data processing charges. Gateway VPC endpoints for S3 and DynamoDB carry no hourly or data processing charges at all, and interface VPC endpoints for other AWS services process data at a fraction of the NAT Gateway rate. Without deliberate traffic routing decisions, NAT Gateway data processing can quietly become one of the largest line items on an AWS bill.

Relevant Billing Model

NAT Gateway billing has multiple additive dimensions that compound for high-throughput workloads:

Hourly provisioning charge — incurred for each hour (or partial hour) the NAT Gateway is provisioned and available, regardless of whether any traffic flows through it. Rates vary by region (e.g., $0.045/hour in US East Ohio). Following high-availability best practices with one NAT Gateway per availability zone multiplies this base cost.
Data processing charge — applied per gigabyte of data processed through the NAT Gateway in either direction, regardless of the traffic's source or destination. This charge applies even when traffic stays entirely within the AWS network. The per-GB rate typically matches the hourly rate in each region.
Standard data transfer charges — for internet-bound traffic, standard AWS data transfer out charges apply on top of NAT Gateway charges, creating a compounding cost effect.
Cross-availability-zone charges — when compute resources use a NAT Gateway in a different availability zone, additional cross-AZ data transfer charges apply in both directions, on top of the data processing fee.
Elastic IP charge — each public NAT Gateway requires an Elastic IP address, which incurs an additional $0.005/hour per address.

Gateway VPC endpoints for S3 and DynamoDB eliminate both hourly and data processing charges for traffic to those services. Interface VPC endpoints for other AWS services carry lower per-GB processing rates than NAT Gateway, offering significant savings for high-volume AWS service traffic.

Detection

Identify NAT Gateways where data processing charges consistently exceed the hourly provisioning charges, indicating high-throughput traffic patterns that may benefit from alternative routing
Review the proportion of NAT Gateway traffic destined for AWS services (such as object storage, NoSQL databases, container registries, or logging services) versus external internet destinations
Assess whether gateway VPC endpoints have been deployed for supported services in each VPC containing a NAT Gateway
Evaluate the total variable cost per gigabyte for traffic flowing through NAT Gateways, accounting for data processing, data transfer, and any cross-availability-zone charges
Examine traffic flow patterns to identify workloads in private subnets that generate high volumes of outbound traffic to AWS service endpoints
Confirm whether architecture planning and cost estimation processes account for per-GB data processing charges in addition to hourly provisioning costs

Remediation

Deploy gateway VPC endpoints for S3 and DynamoDB in every VPC — these endpoints are free and immediately eliminate NAT Gateway data processing charges for traffic to those services
Evaluate interface VPC endpoints for other frequently accessed AWS services (such as container registries, secrets management, or monitoring endpoints) where the lower per-GB rate provides meaningful savings over NAT Gateway routing
Update VPC route tables to ensure traffic destined for supported AWS services is directed through VPC endpoints rather than through NAT Gateways
Incorporate per-GB data processing charges into architecture planning and cost estimation processes to prevent bill surprises when deploying workloads in private subnets
Establish periodic reviews of NAT Gateway traffic composition to identify new opportunities for VPC endpoint adoption as workload patterns evolve
For workloads paired with AWS Network Firewall in the same account, verify whether NAT Gateway charges are being waived under the one-to-one offset with Network Firewall endpoint charges

Relevant Documentation

Submit Feedback