NAT Gateway Cost Audit
NAT eats budget. The audit pattern.
Overview
NAT gateway costs compound silently. AWS bills a NAT gateway per hour (about $0.045 in us-east-1) and per GB processed in either direction (about $0.045 in us-east-1), on top of any data-transfer-out charge for traffic that really does leave AWS; at scale the per-GB data processing charge dominates. Workloads that route traffic to AWS services (S3, DynamoDB, ECR image pulls) through NAT pay that per-GB charge on bytes that never needed to leave the AWS network. The audit pattern is to inventory NAT gateways per account, attribute NAT traffic to its destinations so that anything reachable through a VPC endpoint can be moved, and review quarterly, because architecture drift adds new NAT-routed traffic over time.
- NAT eats budget. The hourly charge is fixed per gateway; the data processing charge scales with every byte, so it dominates at scale.
- NAT data processing cost. Charged on every byte in both directions; the cost lands on workloads that should never have been routed through NAT in the first place.
- VPC endpoints alternative. Gateway endpoints for S3 and DynamoDB have no charge; Interface endpoints (PrivateLink) carry an hourly charge per AZ and a per-GB rate well below NAT's. Either reduces or eliminates the NAT charge for that service.
- Per-account NAT audit plus quarterly review. Keep a per-account NAT inventory; a quarterly cost review catches new traffic patterns before they accumulate.
The approach
The practical approach is to inventory NAT gateways per account, attribute NAT traffic per service and identify what VPC endpoints can replace (S3, DynamoDB, ECR, Secrets Manager and most regional AWS APIs have endpoint options; note that ECR pulls need the ecr.api and ecr.dkr interface endpoints plus the S3 gateway endpoint, because image layers are served from S3), review the per-GB NAT cost quarterly to catch drift, document the architecture rationale for each NAT gateway so the choice is reviewable, and move the highest-volume traffic to VPC endpoints first because the savings recur on every byte.
- VPC endpoints alternative. Use a per-service VPC endpoint where available; Gateway endpoints for S3/DynamoDB cost nothing, and an endpoint policy can restrict which buckets or tables are reachable through them.
- Per-account NAT audit. A per-account NAT inventory (every gateway, its VPC, and the route tables and subnets that default-route to it) surfaces forgotten gateways and unexpected traffic.
- Per-quarter cost review. Review NAT cost against actual traffic patterns quarterly, using VPC Flow Logs on the NAT gateway's network interface and the gateway's CloudWatch byte metrics; this catches drift before it accumulates.
- NAT data processing analysis plus documented architecture. Per-byte cost analysis attributed to source and destination surfaces the top consumers; the rationale for each remaining NAT gateway is committed alongside the inventory for operational review.
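The attribution step in the Overview and the approach above (which bytes went through NAT, to which service, and what an endpoint would have cost instead) is where the audit does its work, and the NAT gateway's CloudWatch byte metrics only give totals, not destinations. The script below is an added example, not code from the original page: it reads VPC Flow Log records captured on the NAT gateway's own network interface, classifies each remote address against a service prefix table, and ranks services by the per-GB saving an endpoint would deliver. The prices are assumed us-east-1 list prices, a billing GB is assumed to be 2^30 bytes, and the prefix table and the log lines are constructed; a real audit loads the current ip-ranges.json for its region and reads the real flow logs. It also handles one edge case that silently doubles the numbers: the NAT ENI records each flow twice, once against the instance's private IP and once against the NAT's own, so the NAT-side copy must be dropped.

```python
"""Attribute bytes through a NAT gateway to AWS services from VPC Flow Log records.

Added example, not code from the original page. Prices are assumed us-east-1 list
prices; the prefix table and the flow log lines are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

GB = 1024 ** 3                      # assumption: a billing GB is 2^30 bytes
NAT_DATA_PER_GB = 0.045             # assumed us-east-1 NAT data processing price, USD
INTERFACE_ENDPOINT_PER_GB = 0.01    # assumed us-east-1 PrivateLink data processing price, USD
GATEWAY_ENDPOINT_PER_GB = 0.0       # S3/DynamoDB gateway endpoints have no per-GB charge
# The interface endpoint's hourly charge per AZ is fixed rather than per byte, so it
# is left out of this per-byte comparison; add it back when sizing a real migration.

# Constructed prefix table in the shape of ip-ranges.json entries, using RFC 5737
# test ranges. A real audit loads https://ip-ranges.amazonaws.com/ip-ranges.json
# and keeps the entries for its own region.
SERVICE_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "S3", "gateway"),
    (ipaddress.ip_network("198.51.100.0/25"), "DYNAMODB", "gateway"),
    (ipaddress.ip_network("198.51.100.128/25"), "SECRETSMANAGER", "interface"),
]

# Constructed records in the default 14-field flow log format, as captured on the
# NAT gateway's ENI (private IP 10.0.0.5). Lines 3 and 5 are the NAT's own copies
# of the flows on lines 2 and 4; keeping them would double count S3 traffic.
SAMPLE_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.10 44321 443 6 190000 268435456 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.5 203.0.113.10 17002 443 6 190000 268435456 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 443 44321 6 1300000 1879048192 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.0.5 443 17002 6 1300000 1879048192 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.21 198.51.100.9 50112 443 6 750000 1073741824 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.7 198.51.100.200 39870 443 6 375000 536870912 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 192.0.2.44 51234 443 6 190000 268435456 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.9 192.0.2.44 42000 443 6 3 4096 1700000000 1700000600 REJECT OK
"""


def classify(remote_ip):
    """Map a remote address to (service, endpoint kind); anything unmatched is INTERNET."""
    addr = ipaddress.ip_address(remote_ip)
    for net, service, kind in SERVICE_PREFIXES:
        if addr in net:
            return service, kind
    return "INTERNET", None


def parse_flow_log(lines, vpc_cidr, nat_private_ip):
    """Sum accepted bytes in both directions by (instance IP, service, endpoint kind).

    Each flow appears twice on the NAT ENI: once with the instance's private IP on
    the VPC side and once with the NAT's own. Only the instance-side copy is kept.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 14 or fields[0] == "version":
            continue                                   # header or malformed line
        src, dst, nbytes, action = fields[3], fields[4], int(fields[9]), fields[12]
        if action != "ACCEPT":
            continue
        src_in, dst_in = ipaddress.ip_address(src) in vpc, ipaddress.ip_address(dst) in vpc
        if src_in == dst_in:
            continue                                   # intra-VPC or fully external: not NAT traffic
        inside, remote = (src, dst) if src_in else (dst, src)
        if inside == nat_private_ip:
            continue                                   # the NAT's own copy of this flow
        service, kind = classify(remote)
        totals[(inside, service, kind)] += nbytes
    return dict(totals)


def savings_report(totals):
    """Per service: GB through NAT, NAT cost, cost via the matching endpoint, and the saving."""
    per_service = defaultdict(lambda: [0, None])
    for (_, service, kind), nbytes in totals.items():
        per_service[service][0] += nbytes
        per_service[service][1] = kind
    rows = []
    for service, (nbytes, kind) in per_service.items():
        gb = nbytes / GB
        nat_usd = gb * NAT_DATA_PER_GB
        if kind == "gateway":
            endpoint_usd = gb * GATEWAY_ENDPOINT_PER_GB
        elif kind == "interface":
            endpoint_usd = gb * INTERFACE_ENDPOINT_PER_GB
        else:
            endpoint_usd = nat_usd                     # genuine internet egress: no endpoint replaces it
        rows.append({"service": service, "gb": gb, "nat_usd": nat_usd,
                     "endpoint_usd": endpoint_usd, "saving_usd": nat_usd - endpoint_usd})
    rows.sort(key=lambda r: r["saving_usd"], reverse=True)
    return rows


def top_sources(totals, n=5):
    """Highest-volume private addresses through the NAT, to answer 'which workload'."""
    by_src = defaultdict(int)
    for (src, _, _), nbytes in totals.items():
        by_src[src] += nbytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    totals = parse_flow_log(SAMPLE_FLOW_LOG.splitlines(), "10.0.0.0/16", "10.0.0.5")
    for r in savings_report(totals):
        print(f"{r['service']:<15} {r['gb']:6.2f} GB  NAT ${r['nat_usd']:.4f}  "
              f"endpoint ${r['endpoint_usd']:.4f}  saving ${r['saving_usd']:.4f}")
    for src, nbytes in top_sources(totals):
        print(f"top source {src}: {nbytes / GB:.2f} GB")
```

The report orders services by the saving an endpoint would deliver, which is the migration order the approach recommends, and the INTERNET row is the residual that will keep paying the NAT rate whatever you do. The same per-source table is worth a second look from the security side: a private address pushing large volumes to unclassified internet destinations is a question for the owning team, not just a line on the bill.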
Why this compounds
NAT cost discipline compounds across services. Each VPC endpoint deployment removes traffic from NAT permanently; each quarterly audit catches new NAT-routed traffic before it becomes a budget question; the team builds intuition for AWS networking cost that pays off on every new service.
- Cost efficiency. The architecture matches the workload; the bill reflects traffic that actually leaves AWS rather than internal traffic that should never have touched NAT.
- Security. Endpoint traffic never leaves the AWS network, so the path to the service needs no internet route; an endpoint policy can restrict which resources are reachable (for example, only your own S3 buckets), and the same NAT audit data doubles as a check for unexpected egress destinations.
- Latency. Endpoint traffic skips the NAT hop and stays on the AWS network, typically with lower latency than NAT routing.
- Institutional knowledge. Each NAT decision teaches AWS networking patterns; the team learns where endpoints earn their place and where NAT is unavoidable.
NAT cost discipline is an operational discipline that pays off across years. Nova AI Ops integrates with networking telemetry, surfaces NAT patterns, and supports the team’s networking discipline.