The NAT Gateway bill that turned a cost-down initiative into a cost-up quarter

The head of SRE signs off on the private-subnet hardening project as cost-neutral. On a whiteboard the logic holds: pull every workload out of public subnets, strip the public IPs, send outbound through a NAT Gateway, and the audit finding closes. Nobody priced the data path, because in a security review the data path is a line on a diagram, not a meter.

The meter is real. Every gigabyte those newly private workloads pull from the internet, from another region, or from an AWS public endpoint now passes through the NAT Gateway, which charges to process it. The hardening ships in the same billing cycle as a network bill that grew for a reason the cost model had no column for.

How a security mandate became a per-gigabyte tax

A public-subnet workload reaches the internet directly. Its egress is billed, but no device in the middle takes a cut per gigabyte. Move that workload to a private subnet and the only sanctioned exit is the NAT Gateway. Traffic volume held steady. The path changed, and the path is the priced part. A flat data-transfer cost became a metered toll on the same bytes, booked as a security win. The isolation decision and the cost decision were the same decision, and only one of them went through review.

The data-processing charge nobody modeled

AWS charges roughly $0.045 per gigabyte processed through a NAT Gateway, plus an hourly fee per gateway, and that processing charge applies to every gigabyte regardless of source or destination. That clause is where the quarter slips. The package mirror your fleet hits on every deploy, the container images pulled on every scale-up, the cross-region replication, the S3 and DynamoDB calls over public endpoints all traverse NAT now. Your internet-egress line can sit flat while the NAT data-processed line climbs, because those bytes never left AWS but still paid the toll. The forecast modeled internet egress; the invoice meters NAT throughput.

VPC endpoints: the fix hiding in plain sight

Gateway VPC endpoints for S3 and DynamoDB carry no hourly fee and no per-gigabyte processing charge. Traffic to those two services leaves the NAT path and routes straight from the VPC. For a private fleet that reads heavily from S3, that is the highest-leverage change on the table, and it costs nothing to keep running once the route-table entry exists.

Attributing egress back to the team that generated it

A NAT Gateway is a shared exit. The bill lands as one number with no tags on the traffic, so the team running a chatty service that pulls fresh container images on every health check carries the same invisible share as the team that ships once a week. Split NAT data-processed by source workload, through flow logs or per-subnet gateways for the noisy tenants, or the cost stays ownerless. Unowned line items do not get optimized. They get expensed.
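The attribution step above, and the gateway-endpoint opportunity from the previous section, can both be read out of VPC flow logs on the NAT Gateway's network interface. The script below is an added example, not code from the page or from Cloud Horizons: it parses default-format flow-log records, assigns each accepted flow on the NAT ENI to the team owning the VPC-side address (source for outbound flows, destination for return traffic, since both directions cross the NAT interface), totals the bytes the NAT processed per team, and separately counts the share sent to S3/DynamoDB prefixes, which is the traffic a gateway endpoint would take off the toll. The NAT ENI id, the subnet-to-team map, the two service prefixes and the log lines are all constructed placeholders; in a real run the prefixes come from AWS's published ip-ranges.json and the records from your flow-log destination. The price per GB and the binary-gigabyte unit are assumptions taken from the page's rough figure.

```python
"""Attribute NAT Gateway data-processing bytes to teams from VPC flow logs,
and measure how much of it is S3/DynamoDB traffic a gateway endpoint would
remove from the NAT path. Added example; all sample data is constructed."""
import ipaddress
from collections import defaultdict

# Field order of a default (version 2) VPC flow-log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

NAT_RATE_PER_GB = 0.045   # rough NAT data-processing price quoted on the page (assumption)
GB = 1024 ** 3            # assumption: meter in binary gigabytes

# Constructed placeholders: NAT Gateway ENI id, subnet -> owning team, and two
# prefixes standing in for S3 and DynamoDB ranges (real ones: ip-ranges.amazonaws.com).
NAT_ENI = "eni-0natplaceholder"
TEAM_SUBNETS = {ipaddress.ip_network("10.0.1.0/24"): "payments",
                ipaddress.ip_network("10.0.2.0/24"): "search"}
ENDPOINT_PREFIXES = {ipaddress.ip_network("52.216.0.0/15"): "s3",
                     ipaddress.ip_network("52.94.0.0/22"): "dynamodb"}

# Constructed flow-log sample: S3 pulls by payments, internet + DynamoDB traffic by
# search, one flow on a non-NAT ENI and one REJECT, both of which must be ignored.
SAMPLE_LOG = """\
2 111111111111 eni-0natplaceholder 10.0.1.15 52.216.10.4 48122 443 6 900000 1500000000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0natplaceholder 52.216.10.4 10.0.1.15 443 48122 6 400 50000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0natplaceholder 10.0.2.7 203.0.113.9 51000 443 6 600000 800000000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0natplaceholder 203.0.113.9 10.0.2.7 443 51000 6 150000 200000000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0natplaceholder 10.0.2.7 52.94.1.2 51002 443 6 70000 100000000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0appplaceholder 10.0.1.15 10.0.2.7 40000 8080 6 10 999999 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0natplaceholder 10.0.1.15 198.51.100.5 40001 25 6 3 5000 1700000000 1700000060 REJECT OK
"""


def parse_records(text):
    """Yield one dict per well-formed version-2 record; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        rec["bytes"] = int(rec["bytes"])
        yield rec


def _lookup(addr, table):
    ip = ipaddress.ip_address(addr)
    for net, label in table.items():
        if ip in net:
            return label
    return None


def attribute_nat_bytes(text, nat_eni=NAT_ENI):
    """Return {team: {"total": bytes, "endpoint_eligible": bytes}} for accepted
    flows on the NAT ENI. The VPC-side address identifies the workload: srcaddr
    for outbound flows, dstaddr for the return traffic the NAT also processes."""
    totals = defaultdict(lambda: {"total": 0, "endpoint_eligible": 0})
    for rec in parse_records(text):
        if rec["interface_id"] != nat_eni or rec["action"] != "ACCEPT":
            continue
        team, remote = _lookup(rec["srcaddr"], TEAM_SUBNETS), rec["dstaddr"]
        if team is None:
            team, remote = _lookup(rec["dstaddr"], TEAM_SUBNETS), rec["srcaddr"]
        if team is None:
            team = "unattributed"   # surfaces subnets missing from the ownership map
        totals[team]["total"] += rec["bytes"]
        if _lookup(remote, ENDPOINT_PREFIXES):
            totals[team]["endpoint_eligible"] += rec["bytes"]
    return dict(totals)


def estimated_cost(nbytes, rate=NAT_RATE_PER_GB):
    """Approximate NAT data-processing charge for a byte count."""
    return nbytes / GB * rate


if __name__ == "__main__":
    for team, t in sorted(attribute_nat_bytes(SAMPLE_LOG).items()):
        print(f"{team:12} NAT-processed {t['total'] / GB:7.3f} GB (~${estimated_cost(t['total']):.2f})"
              f"  movable to gateway endpoint {t['endpoint_eligible'] / GB:7.3f} GB")
```

Run against real logs, the `endpoint_eligible` column per team is the number to put beside the S3 and DynamoDB gateway-endpoint change, and a non-empty `unattributed` row is the list of subnets nobody has claimed yet.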

Reading the network diagram as a cost diagram

The diagram the security review approved is also a cost diagram once you read the arrows as gigabytes rather than trust boundaries. Every arrow crossing a NAT Gateway is metered. Every arrow you can reroute to a gateway endpoint is free. Read it twice, once for isolation and once for unit economics.

Cloud Horizons attributes NAT data-processing back to the workspace and team that generated it, so the SRE owner sees the per-gigabyte toll sitting next to the security change that created it before the quarter closes, not after. That is what our FinOps view surfaces: the network diagram priced as the cost diagram it already is.