Suboptimal Cross-AZ Routing to NAT Gateway
Mike Graff
Service Category: Networking
Cloud Provider: AWS
Service Name: AWS NAT Gateway
Inefficiency Type: Inefficient Configuration
Explanation

NAT Gateways are designed to serve private subnets within the same Availability Zone. When subnets in one AZ are configured to route traffic through a NAT Gateway in a different AZ, the traffic crosses AZ boundaries and incurs inter-AZ data transfer charges in addition to the standard NAT processing fees.

This typically happens when:

* NAT Gateways are deployed in multiple AZs (as recommended for resilience), but
* Route tables for all subnets are configured to send traffic to a single NAT Gateway, ignoring AZ placement

In high-throughput environments, this misalignment silently generates excess cost. Ensuring that each subnet routes through the NAT Gateway in its own AZ avoids inter-AZ charges and aligns with AWS architectural best practices.

Relevant Billing Model
  • NAT Gateway costs include:
      • A flat hourly charge per gateway
      • A per-GB charge for all data processed
  • If traffic crosses Availability Zones (e.g., from a subnet in AZ-A to a NAT Gateway in AZ-B), **inter-AZ transfer charges** apply
      • These are billed separately from NAT Gateway processing fees and increase total data egress cost
Detection
  • Identify whether multiple NAT Gateways exist across different Availability Zones
  • Review route table configurations to determine if subnets route to a NAT Gateway in a different AZ
  • Assess whether route tables are shared or duplicated across subnets without AZ awareness
  • Analyze inter-AZ traffic patterns associated with NAT Gateway usage to confirm misrouted flows
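
The route table review in the steps above can be scripted. The following Python is an added example, not part of the original entry: it takes dictionaries shaped like the EC2 DescribeSubnets, DescribeNatGateways and DescribeRouteTables responses, assumes a NAT Gateway's AZ is the AZ of the subnet it is placed in, and uses constructed resource IDs as sample data.

```python
# Added example: inputs mirror EC2 Describe* response items; all IDs are constructed.
def find_cross_az_nat_routes(subnets, nat_gateways, route_tables):
    """Return (subnet_id, subnet_az, nat_id, nat_az) for each subnet whose
    effective route table points at a NAT Gateway in a different AZ."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    subnet_vpc = {s["SubnetId"]: s["VpcId"] for s in subnets}
    # Assumption: a NAT Gateway's AZ is that of the subnet hosting it.
    nat_az = {n["NatGatewayId"]: subnet_az.get(n["SubnetId"]) for n in nat_gateways}
    explicit, main = {}, {}  # subnet -> route table, VPC -> main route table
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt
            elif assoc.get("Main"):
                main[rt["VpcId"]] = rt
    findings = []
    for sid, az in sorted(subnet_az.items()):
        # Subnets without an explicit association inherit the VPC main table.
        rt = explicit.get(sid) or main.get(subnet_vpc[sid])
        for route in (rt or {}).get("Routes", []):
            nat_id = route.get("NatGatewayId")
            if nat_id and nat_az.get(nat_id) and nat_az[nat_id] != az:
                findings.append((sid, az, nat_id, nat_az[nat_id]))
    return findings

# Constructed sample data (not from a real account).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-1"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-1"},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a"},
                {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b"}]
TO_NAT_A = [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-shared", "VpcId": "vpc-1",  # one table shared across AZs
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": TO_NAT_A},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",    # inherited by subnet-priv-c
     "Associations": [{"Main": True}], "Routes": TO_NAT_A},
]

print(find_cross_az_nat_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES))
```

In the sample, nat-b exists in us-east-1b but no route uses it: subnet-priv-b is flagged through the shared table and subnet-priv-c through the inherited main table.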
Remediation
  • Update route tables to ensure that each subnet routes outbound traffic through the NAT Gateway in the same AZ
  • Ensure one NAT Gateway is deployed per Availability Zone for fault tolerance and cost efficiency
  • Review and revise any infrastructure templates or automation that create non-AZ-aware routing
  • Incorporate AZ-based routing validation into network hygiene checks