NAT Gateway is one of those AWS services that seems straightforward until you get the bill. You provision it, route your private subnet traffic through it, and then wonder why you're paying three times what you expected.
The confusion is understandable. NAT Gateway doesn't have a single price - it has multiple overlapping charges: hourly provisioning, data processing, data transfer out, and cross-AZ fees. Miss any of these in your cost estimate, and your actual bill will exceed your projection.
In this guide, I'll break down exactly how NAT Gateway pricing works, provide an interactive calculator to estimate your specific costs, and share 6 strategies that can reduce your NAT Gateway expenses by up to 78%. Whether you're planning a new deployment or trying to understand an unexpectedly high bill, you'll find actionable guidance here.
Calculate Your NAT Gateway Costs
Before diving into pricing details, let's start with what you probably came here for: how much will NAT Gateway actually cost you?
I've built an AWS NAT Gateway pricing calculator that lets you estimate costs across all AWS regions. Input your expected hours, data volume, and number of gateways to get accurate monthly cost projections.
The calculator accounts for all the pricing components that catch teams off guard:
- Hourly provisioning charges ($0.045/hour in US East)
- Data processing charges ($0.045/GB processed)
- Cross-AZ data transfer (when applicable)
- Public IPv4 address costs ($0.005/hour per IP)
Here's a quick example to set expectations: A single NAT Gateway in US East Ohio running 24/7 with 100 GB of monthly data processing costs approximately $36.90/month ($32.40 hourly + $4.50 data processing). But that's before data transfer out to the internet and any cross-AZ traffic - where the real costs accumulate.
Try the NAT Gateway pricing calculator to estimate your specific scenario, then read on to understand exactly what you're paying for.
How NAT Gateway Pricing Works
Understanding NAT Gateway pricing means grasping how three separate charges compound. Each component bills independently, and they all apply simultaneously when traffic flows through your gateway.
Let me walk you through each cost component and show you how they add up for a typical internet-bound request.
When you send 1 GB of data to the internet through NAT Gateway in US East Ohio, here's the actual cost breakdown:
- NAT Gateway hourly: $0.045 (charged regardless of traffic)
- NAT Gateway data processing: $0.045 (1 GB processed)
- Data transfer out: $0.09 (standard EC2 rate)
- Total: $0.18 for that single hour plus 1 GB
That $0.045/GB data processing charge applies to every gigabyte - both inbound and outbound traffic through the gateway. At 1 TB/month, you're looking at $45 in data processing alone, before any other charges.
Hourly Provisioning Charges
NAT Gateway charges by the hour from the moment you create it until you delete it. In US East Ohio, that's $0.045 per NAT Gateway-hour.
A few things to note:
- Partial hours bill as full hours. Delete a NAT Gateway after 5 minutes, and you pay for the full hour
- Charges apply regardless of traffic. A NAT Gateway sitting idle costs the same as one processing terabytes
- Monthly baseline: $0.045 x 24 hours x 30 days = $32.40/month just for having a NAT Gateway provisioned
This hourly charge is why unused NAT Gateways are such a common cost leak. Each forgotten gateway in a dev or test environment quietly burns $32.40/month.
Data Processing Charges
Every gigabyte that flows through your NAT Gateway incurs a $0.045/GB data processing charge (in US East Ohio). This applies in both directions - data going out to the internet and responses coming back.
Here's what this looks like at scale:
| Monthly Data | Data Processing Cost |
|---|---|
| 100 GB | $4.50 |
| 500 GB | $22.50 |
| 1 TB | $45.00 |
| 5 TB | $225.00 |
The key insight: data processing costs often exceed hourly costs for workloads with significant traffic. At just 720 GB/month, data processing equals your hourly charge. Beyond that, it becomes the dominant cost factor.
Standard vs Regional NAT Gateway Pricing
AWS introduced Regional NAT Gateway in late 2025, and it changes the pricing math for multi-AZ deployments.
Standard (Zonal) NAT Gateway:
- One gateway per Availability Zone
- $0.045/hour per gateway
- 3 AZs = 3 gateways = $97.20/month hourly
Regional NAT Gateway:
- Single gateway that automatically expands across AZs
- Charged per AZ per hour - if your Regional NAT Gateway spans 3 AZs, you pay $0.045 x 3 = $0.135/hour
- Automatically adjusts billing when workload patterns change
The Regional NAT Gateway pricing model is the same per-AZ as zonal - but it automatically scales with your workload. If you only have resources in 2 AZs, you only pay for 2 AZs. The gateway takes 15-20 minutes to expand to a new AZ when it detects traffic, so there's no wasted capacity for dynamic workloads.
One limitation: Regional NAT Gateway doesn't support private connectivity type - it's for public internet access only.
Regional Pricing Comparison
NAT Gateway pricing varies significantly by region. Deploying in Sao Paulo instead of US East doubles your costs.
Here's how hourly rates compare across major regions:
| Region | Hourly Rate | Monthly (730 hrs) | vs. US East |
|---|---|---|---|
| US East (N. Virginia) | $0.045 | $32.85 | Baseline |
| US East (Ohio) | $0.045 | $32.85 | Same |
| US West (Oregon) | $0.045 | $32.85 | Same |
| Europe (Ireland) | $0.048 | $35.04 | +7% |
| Europe (Frankfurt) | $0.052 | $37.96 | +16% |
| Asia Pacific (Tokyo) | $0.062 | $45.26 | +38% |
| Asia Pacific (Sydney) | $0.059 | $43.07 | +31% |
| South America (Sao Paulo) | $0.090 | $65.70 | +100% |
Data processing charges follow similar regional patterns. Always check the Amazon VPC pricing page for current rates in your target region.
Don't forget the IPv4 address charge: Every public NAT Gateway requires an Elastic IP, which costs $0.005/hour (~$3.60/month) per address. Regional NAT Gateways may use multiple EIPs (one per active AZ), increasing this cost.
Hidden Costs You Need to Know
The pricing components above are well-documented. The costs that catch teams off guard are the ones that compound with other AWS charges.
I call this the "triple charge" problem: for internet-bound traffic, you pay hourly provisioning, data processing, AND data transfer out. Each charge is reasonable on its own. Combined, they add up fast.
Data Transfer Out to Internet
When traffic exits to the internet, you pay standard EC2 data transfer rates ON TOP OF NAT Gateway charges.
For US East regions:
- First 10 TB/month: $0.09/GB
- Next 40 TB/month: $0.085/GB
- Next 100 TB/month: $0.07/GB
- Over 150 TB/month: $0.05/GB
Combined cost for 1 GB to internet:
- NAT Gateway processing: $0.045
- Data transfer out: $0.09
- Total: $0.135/GB (plus your share of hourly)
At 1 TB/month to internet, that's $45 processing + $90 transfer = $135 in variable costs alone.
Cross-Availability Zone Charges
This is the hidden cost that surprises most teams. When your NAT Gateway is in a different AZ than your EC2 instances, you pay $0.01/GB in each direction for cross-AZ data transfer.
With a single NAT Gateway serving 3 AZs, two-thirds of your traffic pays cross-AZ fees. For a request-response pattern, that's $0.02/GB extra (each direction).
The break-even calculation: 3,240 GB/month of cross-AZ traffic costs $32.40 - exactly the cost of an additional NAT Gateway. If you're moving more than ~3 TB/month cross-AZ, deploying a NAT Gateway per AZ is cheaper.
Public IPv4 Address Costs
Since February 2024, AWS charges $0.005/hour (~$3.60/month) for every public IPv4 address, including Elastic IPs attached to NAT Gateways.
This applies whether the IP is in use or idle. For a 3-AZ deployment with standard NAT Gateways, that's 3 EIPs = $10.80/month just for IP addresses.
Mitigation options:
- BYOIP (Bring Your Own IP): AWS doesn't charge for your own IP ranges
- Transition to IPv6: IPv6 addresses are free, and Egress-Only Internet Gateways have no hourly or processing charges
6 Strategies to Reduce NAT Gateway Costs
Now that you understand where the costs come from, here's how to reduce them. These strategies can cut your NAT Gateway bill by 78% or more, depending on your traffic patterns.
The key insight is that most NAT Gateway traffic doesn't need to go through NAT Gateway at all. AWS service traffic, S3 and DynamoDB access, and same-VPC communication can all use cheaper or free alternatives.
Use VPC Gateway Endpoints for S3 and DynamoDB
This is the single highest-impact, lowest-effort optimization. Gateway Endpoints for S3 and DynamoDB are completely free - no hourly charges, no data processing charges.
If your applications access S3 or DynamoDB through NAT Gateway, you're paying $0.045/GB for something that could cost $0. At 1 TB/month to S3, that's $45 in pure savings.
Implementation is simple - just add a route table entry:
// AWS CDK
vpc.addGatewayEndpoint('S3Endpoint', {
service: ec2.GatewayVpcEndpointAwsService.S3,
});
vpc.addGatewayEndpoint('DynamoDBEndpoint', {
service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
});
# Terraform
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
# ... other config
enable_s3_endpoint = true
enable_dynamodb_endpoint = true
}
Recommendation: Deploy S3 and DynamoDB Gateway Endpoints in every VPC that has a NAT Gateway. There's no downside - they're free.
Align Resources with NAT Gateway AZs
Cross-AZ data transfer costs $0.01/GB each direction. If your NAT Gateway is in us-east-1a but your compute is in us-east-1b, every request-response cycle costs an extra $0.02/GB.
Two approaches:
- Place resources in the same AZ as your NAT Gateway - eliminates cross-AZ charges but concentrates resources
- Deploy a NAT Gateway per AZ - increases hourly costs but eliminates cross-AZ charges entirely
The decision comes down to data volume. If cross-AZ traffic exceeds 3,240 GB/month per AZ pair, option 2 is cheaper.
Deploy Interface Endpoints for AWS Services
For AWS services beyond S3 and DynamoDB, Interface Endpoints cost ~78% less than NAT Gateway for the same traffic.
Interface Endpoint pricing (US East):
- Hourly: ~$0.01/hour per endpoint per AZ
- Data processing: ~$0.01/GB
Compared to NAT Gateway ($0.045/GB), that's a significant reduction.
Cost comparison for 1 TB/month to ECR:
| Route | Hourly | Data Processing | Total |
|---|---|---|---|
| NAT Gateway | $32.40 | $45.00 | $77.40 |
| Interface Endpoint | $7.20 | $10.00 | $17.20 |
| Savings | $60.20 (78%) |
Services commonly worth deploying Interface Endpoints for:
- Amazon ECR (container image pulls)
- AWS Systems Manager (SSM agent traffic)
- Amazon CloudWatch Logs
- AWS Secrets Manager
- Amazon SQS/SNS
Calculate your break-even: the Interface Endpoint hourly cost needs to be offset by NAT Gateway data processing savings.
Consider Centralized NAT Architecture
For multi-VPC environments, centralized NAT architecture can dramatically reduce hourly costs.
Instead of deploying NAT Gateways in every VPC, you create a dedicated egress VPC with NAT Gateways and route all traffic through AWS Transit Gateway.
Example: 10 VPCs, 3 AZs each
Distributed approach:
- 30 NAT Gateways x $32.40/month = $972/month
Centralized approach:
- 3 NAT Gateways (egress VPC) = $97.20/month
- 10 Transit Gateway attachments x $36/month = $360/month
- Transit Gateway processing (varies with traffic)
- Base savings: $514.80/month
The trade-off: Transit Gateway charges $0.02/GB for data processing. If your traffic volume is high enough, the distributed approach may be cheaper. Run the numbers for your specific scenario.
Remove Unused NAT Gateways
Every idle NAT Gateway costs $32.40/month minimum. AWS Compute Optimizer now identifies unused NAT Gateways based on these criteria over a 32-day period:
- No active connections
- No incoming packets from VPC or destination
- No active route table associations
Access this through the AWS Compute Optimizer console under "Idle resources" or via the Cost Optimization Hub.
Important caveat: Some "unused" NAT Gateways are intentional backups for HA architectures. Verify the purpose before deleting.
Monitor Traffic Patterns with VPC Flow Logs
You can't optimize what you don't measure. Enable VPC Flow Logs on your NAT Gateway's ENI to identify:
- Top traffic destinations - which IPs receive the most data?
- AWS service traffic - could this route through VPC endpoints instead?
- Cross-AZ patterns - where is cross-AZ transfer occurring?
CloudWatch metrics to monitor:
BytesOutToDestination- track data processing volumeActiveConnectionCount- watch for connection limit approachErrorPortAllocation- detect port exhaustion before it causes failures
Set up Cost Explorer filters for "NatGateway-Hours" and "NatGateway-Bytes" to track spending by individual gateway.
NAT Gateway Alternatives Comparison
Sometimes the best NAT Gateway cost optimization is not using NAT Gateway at all. Here's when each alternative makes sense.
Gateway VPC Endpoints (Free)
Cost: $0 - no hourly, no data processing
Supports: S3 and DynamoDB only
Limitations:
- Cannot access from on-premises networks through Transit Gateway
- Cannot access from peered VPCs in other regions
- Traffic must originate from within the VPC
Recommendation: Always deploy for S3 and DynamoDB traffic. There's no reason not to.
Interface VPC Endpoints
Cost: ~$0.01/hour per AZ + ~$0.01/GB data processing
Supports: Most AWS services including ECR, Lambda, Systems Manager, Secrets Manager, CloudWatch, SQS, SNS, KMS, and many more.
Benefits:
- 78% cheaper than NAT Gateway for AWS service traffic
- Traffic stays within AWS network
- Enables private connectivity from on-premises via Direct Connect
When to use: High-volume traffic to supported AWS services where the hourly cost is offset by data processing savings.
NAT Instances
Cost: Standard EC2 pricing (e.g., t3.nano at $0.0116/hour)
Important: AWS no longer recommends NAT Instances. The NAT AMI has reached end of support.
Drawbacks:
- Manual failover management
- Limited bandwidth (depends on instance type)
- Requires OS patches and security updates
- Less optimized for NAT traffic
When it might make sense: Very low traffic volumes where a t3.nano ($0.0116/hour) beats NAT Gateway ($0.045/hour), and you need capabilities NAT Gateway doesn't support (like port forwarding or bastion server functionality).
IPv6 Egress-Only Internet Gateway
Cost: $0 - no hourly, no data processing
How it works: Enables outbound IPv6 traffic to the internet while preventing inbound connections. Similar to NAT Gateway's functionality, but for IPv6.
Requirements:
- VPC must have IPv6 CIDR block
- Resources need IPv6 addresses
- Target services must support IPv6
Long-term strategy: Transitioning to IPv6 can eliminate NAT Gateway costs entirely for outbound traffic. Public IPv6 addresses are also free (no $0.005/hour charge like IPv4).
Monitoring NAT Gateway Costs
Effective cost management requires ongoing monitoring. Here's how to track NAT Gateway spending and catch anomalies early.
AWS Cost Explorer filters:
- Service: "Amazon Virtual Private Cloud"
- Usage Type: "NatGateway-Hours", "NatGateway-Bytes"
- Group by: Resource (to identify specific gateways)
CloudWatch alarms to configure:
-
High data volume alert
- Metric:
BytesOutToDestination - Threshold: > your baseline + 50%
- Purpose: Catch unexpected traffic spikes before they hit your bill
- Metric:
-
Port allocation errors
- Metric:
ErrorPortAllocation - Threshold: > 0 for 3 consecutive periods
- Purpose: Detect connection limits before application failures
- Metric:
-
Connection count warning
- Metric:
ActiveConnectionCount - Threshold: Approaching 440,000 (NAT Gateway limit)
- Purpose: Scale proactively before hitting limits
- Metric:
VPC Flow Logs provide deeper traffic analysis - identify top destinations, find AWS service traffic that could use endpoints, and analyze cross-AZ patterns. Note that Flow Logs incur CloudWatch Logs charges, so enable them strategically.
Key Takeaways
NAT Gateway pricing is straightforward once you understand all the components:
- Hourly charges apply 24/7 whether you use the gateway or not ($32.40/month baseline in US East)
- Data processing adds $0.045/GB for all traffic through the gateway
- Data transfer out to internet adds another $0.09/GB on top of processing
- Cross-AZ traffic costs an extra $0.01/GB each direction if NAT Gateway and resources are in different AZs
- Regional pricing varies up to 2x between US East and South America
The optimization playbook:
- Deploy Gateway Endpoints for S3 and DynamoDB immediately - they're free
- Evaluate Interface Endpoints for high-volume AWS service traffic - 78% cheaper
- Align AZs or deploy per-AZ NAT Gateways to eliminate cross-AZ charges
- Remove unused gateways using Compute Optimizer recommendations
- Monitor traffic patterns to identify further optimization opportunities
Use the NAT Gateway pricing calculator to model your specific scenario, then implement the relevant optimizations from this guide.
What's your biggest NAT Gateway cost challenge? Have you found other optimization strategies that worked well? Share in the comments below.
See Infrastructure Costs in Code Review, Not on Your AWS Bill
CloudBurn automatically analyzes your Terraform and AWS CDK changes, showing cost estimates directly in pull requests. Catch expensive NAT Gateway decisions during code review when they take seconds to fix.