Reduce NAT Gateway Cost

Uddhav Pawar
3 min read · Jan 26, 2021

Why should we use a NAT Gateway?

A NAT Gateway is used when an application running inside a private subnet needs internet access for outbound requests without being reachable through an Internet Gateway. The AWS managed NAT Gateway supports 55,000 simultaneous connections to each unique destination (approximately 900 connections per second to a single destination) and is built to be highly available, which makes it the obvious choice.

A NAT Gateway is not needed in the following scenarios:

If the application running inside the private subnet sends data to DynamoDB or S3, you can create Gateway VPC endpoints; if it sends data to any other AWS service, you can create an Interface VPC endpoint. AWS already provides these cost-effective solutions, and they keep that traffic off the public internet entirely.

How do we reduce NAT Gateway cost?

Now, let's address the actual issue here: cost. An AWS managed NAT Gateway costs around $0.04 per hour, which is roughly $32–$35 per month. If this amount concerns you, or you don't want to pay it in your testing environments (Dev, QA), there is a way to significantly reduce the cost: use an EC2 NAT instance ($2–$3 per month).

NAT instances are easy to configure:

Step 1: Open the EC2 Launch Wizard, search the Community AMIs for "amzn-ami-vpc-nat", select the latest version of that AMI, and launch it in a public subnet of your VPC.

Step 2: The important part of the instance configuration is the security group, which acts as a firewall controlling traffic to and from your instance.

As shown above, we have added inbound rules that only allow incoming HTTP and HTTPS traffic from the CIDR block of the private subnet; nothing from the internet side can initiate a connection to the instance. By default, the outbound rule has 0.0.0.0/0 as the destination for all traffic, which allows your application running inside the private subnet to make outbound internet requests. The outbound rule can later be edited to allow only HTTP and HTTPS outbound traffic.

Step 3: Now, you can review configuration and launch your instance.

Step 4: This is a very important step; without it, your NAT instance will not work. You need to disable the source/destination check on the NAT instance. By default, an EC2 instance is expected to be the source or destination of every packet it sends or receives, but that is not the case for a NAT instance, which only forwards traffic on behalf of the private subnet. To disable the source/destination check, select your instance in EC2 and, under Actions, select Networking as shown below.

Step 5: Finally, we need to add routes to two route tables: one from the public subnet to the Internet Gateway, and one from the private subnet to the ENI of the NAT instance.

Public subnet to Internet Gateway
Private subnet to NAT instance
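As an added example (not part of the original post), a small Python audit of the three settings that steps 2, 4 and 5 depend on: security group ingress limited to HTTP/HTTPS from the private subnet, the source/destination check disabled, and the private route table's default route pointing at the NAT instance. It runs against constructed data shaped like the JSON returned by `aws ec2 describe-security-groups`, `describe-instances` and `describe-route-tables`; all IDs and CIDRs are placeholders.

```python
import ipaddress

# Constructed sample data shaped like the CLI's JSON output; every ID and CIDR is a placeholder.
PRIVATE_CIDRS = ["10.0.1.0/24"]
SG = {"GroupId": "sg-PLACEHOLDER", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]}
INSTANCE = {"InstanceId": "i-PLACEHOLDER", "SourceDestCheck": False,
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-PLACEHOLDER"}]}
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-PLACEHOLDER"},
]}

def inbound_findings(sg, private_cidrs):
    """Step 2: ingress must be HTTP/HTTPS only and only from the private subnet CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in private_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        if perm.get("IpProtocol") != "tcp" or ports not in ((80, 80), (443, 443)):
            findings.append(f"non-HTTP(S) ingress: {perm.get('IpProtocol')} {ports}")
        for r in perm.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(f"ingress from outside the private subnets: {r['CidrIp']}")
    return findings

def source_dest_check_finding(instance):
    """Step 4: the instance only forwards, so the source/destination check must be off."""
    if instance.get("SourceDestCheck", True):
        return "SourceDestCheck is enabled; forwarded traffic will be dropped"
    return None

def default_route_finding(route_table, instance):
    """Step 5: the private route table's default route must target the NAT instance or its ENI."""
    enis = {n["NetworkInterfaceId"] for n in instance.get("NetworkInterfaces", [])}
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("InstanceId") == instance["InstanceId"] or route.get("NetworkInterfaceId") in enis:
            return None
        return f"default route does not target the NAT instance: {route}"
    return "private route table has no default route"

def audit(sg, instance, route_table, private_cidrs):
    """Return all findings; an empty list means the setup matches the steps above."""
    extra = [source_dest_check_finding(instance), default_route_finding(route_table, instance)]
    return inbound_findings(sg, private_cidrs) + [f for f in extra if f]
```

Feed it the parsed output of the three CLI commands for a real instance and any non-empty result is a misconfiguration to fix before relying on the instance.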

Using a NAT instance instead of the AWS managed NAT Gateway is something of a step backwards, but it is reasonable for testing environments (Dev, QA), where the alternative is shutting down resources whenever they are not in use. In a production environment it is always better to use a NAT Gateway, because you would not want to maintain the instance (software updates) or manage failover between instances yourself.

Also, migrating from a NAT instance to a NAT Gateway is quite easy: only the private subnet's route table needs to be updated so that its route targets the NAT Gateway instead.


Software Engineer. AWS Certified Developer Associate.