With high-profile clients including the US government and several Fortune 500 companies, companies like SolarWinds have to be at the top of their game when it comes to online security.
That didn’t stop hackers from breaking through and gaining backdoor access to 18,000 of their clients in 2020.
You know this, and it’s why you use a Managed NAT Gateway to let your AWS-hosted applications reach the internet without exposing your company to the same level of security risk. But now that your application has grown significantly, the cost of AWS Managed NAT Gateways is starting to show. That’s why we’re going to lay out the ins and outs of NAT Gateway pricing in this post and provide you with an alternative approach.
We’ll be covering:
- What is a NAT Gateway?
- NAT Gateway pricing
- NAT instances: an alternative with better NAT Gateway pricing
- The best way to consolidate and reduce your AWS bills
Let’s get started.
What is a NAT Gateway?
A network address translation gateway, or NAT Gateway, enables you to connect instances in a private subnet to the internet without the internet having direct access to those resources. In this sense it’s akin to a central customer support inbox that routes tickets to support representatives without letting customers email those representatives directly.
It’s worth noting, however, that initiating a connection through it isn’t a simple open door. Instead, the gateway is a single, tightly controlled point of entry and exit that all network traffic passes through.
NAT Gateways are commonly used to establish a single access point for all the resources that power cloud-based applications. The gateway rewrites the source address of outgoing packets to its own address, and rewrites the destination address of the matching return traffic back to the private resource that made the request.
That’s pretty much it for the concept alone. There are plenty of technical details (which we’ll cover most of) but that’s the basic idea behind what a NAT Gateway does.
It starts getting a little more complicated when considering the options for setting up your gateway, as there are two different types you can pick from.
Public NAT Gateways
Public NAT Gateways are the default option when setting up a new Managed NAT Gateway in AWS, which makes sense because they are the more broadly useful option for giving the private network that houses your application infrastructure connectivity to the internet.
By creating a public NAT Gateway for your private network and associating an Elastic IP address with it, you can route traffic from your private network out to the internet, leaving the network closed to inbound connections while still giving it access to the web.
But you don’t have to be connecting to the internet to make use of a NAT Gateway (public or private). You can instead use the same route to reach another private network, or simply to let tools in AWS-managed private networks perform their functions unimpeded.
The beauty of this solution is that you’re maintaining the security of your network, since whatever network you’re connecting to cannot initiate a connection back to the original resource making the request. Think of it as a way to pass a request for the information you’re looking for to the desired location without ever directly accessing it. Instead, your private network accesses the NAT Gateway, and the gateway separately accesses the other network, gets the information you need, and returns the data to your private network. The two networks at either end never directly interface, so there’s a much lower security risk than if you were to connect directly. Bear in mind that this only protects against unsolicited inbound connections: the gateway forwards whatever your instances send outbound, so security groups and network ACLs still decide what those instances may talk to.
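To make the address rewriting described above concrete, here is a small model of a NAT Gateway written for this post (it is not AWS code and ignores TCP state and timeouts): outbound packets leave with the gateway's own address, replies are mapped back to the private host that asked, and anything the private network never requested is dropped. The addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Model of the address rewriting a NAT Gateway performs (no TCP state or timeouts)."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> port the gateway used
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (gateway port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def egress(self, pkt: Packet) -> Packet:
        """Private -> internet: the source becomes the gateway's own address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            gw_port = self.next_port
            self.next_port += 1
            self.outbound[key] = gw_port
            self.inbound[(gw_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: only replies to an existing mapping get through."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None  # nobody inside asked for this, so the connection attempt is dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def demo():
    """Constructed addresses: 10.0.1.25 is a private host, 203.0.113.10 the gateway."""
    gw = NatGateway("203.0.113.10")
    request = gw.egress(Packet("10.0.1.25", 40001, "198.51.100.7", 443))
    reply = gw.ingress(Packet("198.51.100.7", 443, "203.0.113.10", request.src_port))
    unsolicited = gw.ingress(Packet("198.51.100.99", 5555, "203.0.113.10", 2222))
    return request, reply, unsolicited
```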
That’s it for public gateways, but there is one other option to cover…
Private AWS Managed NAT Gateways
Private AWS Managed NAT Gateways differ from public ones in how they restrict traffic and in their IP addressing. A private NAT Gateway cannot be assigned an Elastic IP, so any traffic leaving it carries the IPv4 address of the gateway itself rather than the Elastic IP you’d assign to, say, a public gateway. Additionally, Private AWS Managed NAT Gateways restrict inbound traffic by IP address, meaning that only the systems you want to communicate with can send traffic to your private subnet.
On top of this, while it’s still possible to route traffic from a private network, through a Private AWS Managed NAT Gateway, and out to the internet, not just any traffic from the internet will be accepted back. That’s no great loss, because restricting access is the whole point of selecting a Private AWS Managed NAT Gateway. Restricting access to your systems is often the better choice (particularly for security reasons), but it’s definitely something to bear in mind when deciding which type of gateway to set up.
Otherwise, private NAT Gateways are essentially a more restrictive version of their public cousins. You can use them to establish a single point of communication in and out of your private network, ensuring none of the resources in your private networks can be accessed directly. The only difference is that there’s a short list of approved IP addresses on the internet that are allowed to communicate back through your private NAT Gateway.
NAT Gateway pricing
Unlike the majority of AWS services, the Managed NAT Gateway pricing is refreshingly simple. The key is to not forget any extra costs that may be incurred.
Managed NAT Gateway pricing is broken down into two charges: one is a flat hourly rate, the other is a per-GB charge. It’s worth noting that the hourly rate is always rounded up in the case of partial hours, and that these charges (much like EC2 instance pricing) will vary based on the AWS Availability Zone the gateway is in.
For example, for a Managed NAT Gateway in the US East (Ohio) zone you will be charged $0.045/hour that the gateway is active, and $0.045 per GB of data processed by it. Plus, the Elastic IP address has its own pricing. In the same zone, you will be charged $0.005/hour that the IP address is active, and $0.10 per address remap after the first 100 free remaps.
As you might imagine, this can quickly stack up, but remember that this bill includes management and updates for the NAT instances. You’re not solely paying for the data transfer here, though that won’t ease the sting of a large bill caused by a large amount of data being processed.
Speaking of data, here’s where the sneaky extra costs come in.
On top of the standard Managed NAT Gateway pricing, you’ll incur all of the standard charges related to data transfer into and out of AWS EC2 instances. So, you’ll be charged extra for moving data from zone to zone, for moving data into or out of AWS from the internet, and so on. To be clear, that means you’ll be paying two different data charges for the same set of data.
Again, it’s simple, but especially with these extra charges your Managed NAT Gateway bill can really start to jump to the forefront of your overall AWS costs. So let’s address the alternative.
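As an added worked example (not from the original post), the cost model below uses only the US East (Ohio) figures quoted above: gateway hourly rate with partial hours rounded up, per-GB processing, Elastic IP hourly rate, and remaps beyond the 100 free ones. The separate EC2 data transfer charges mentioned above are not modelled, so a real bill will be higher.

```python
import math

# US East (Ohio) rates quoted in the post, in USD
GATEWAY_HOURLY = 0.045   # per hour the gateway is active
PER_GB = 0.045           # per GB processed by the gateway
EIP_HOURLY = 0.005       # per hour the Elastic IP is active
REMAP_FEE = 0.10         # per Elastic IP remap beyond the free allowance
FREE_REMAPS = 100

def nat_gateway_monthly_cost(gb_processed: float, gateway_hours: float,
                             eip_hours: float, remaps: int = 0) -> dict:
    """Break down one month's Managed NAT Gateway charges.

    Partial hours are rounded up, as AWS bills them. EC2 data transfer charges
    (cross-AZ, internet egress) are billed on top and are not included here.
    """
    billable_remaps = max(0, remaps - FREE_REMAPS)
    costs = {
        "gateway_hours": round(math.ceil(gateway_hours) * GATEWAY_HOURLY, 2),
        "data_processing": round(gb_processed * PER_GB, 2),
        "eip_hours": round(math.ceil(eip_hours) * EIP_HOURLY, 2),
        "eip_remaps": round(billable_remaps * REMAP_FEE, 2),
    }
    costs["total"] = round(sum(costs.values()), 2)
    return costs

def data_processing_share(gb_processed: float, gateway_hours: float = 720) -> float:
    """Fraction of the gateway's own bill (EIP excluded) that is the per-GB charge.

    Because the hourly and per-GB rates are equal in this region, the per-GB
    charge overtakes the hourly charge as soon as monthly GB exceeds billed hours.
    """
    hourly = math.ceil(gateway_hours) * GATEWAY_HOURLY
    data = gb_processed * PER_GB
    return round(data / (hourly + data), 4)
```

For a 30-day month (720 hours) with 10,000 GB processed, the data processing line alone is $450, which is the figure the post uses later.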
NAT instances: an alternative with better NAT Gateway pricing
Once your AWS application is handling a meaningful amount of customer data, you’re going to be paying ever-increasing rates for both data transfer and AWS Managed NAT Gateway data processing. Thankfully, there is an alternative.
To get into that we first need to distinguish between the managed offering of AWS and everything else.
Managed NAT Gateways vs NAT Gateway instances
A NAT Gateway instance is a NAT Gateway that you manage yourself instead of relying on AWS to manage it for you. While NAT Gateway instances serve functionally the same purpose as AWS Managed NAT Gateways, there are a few core differences to know about (especially when it comes to why their pricing is different). It’s like turning back the clock to the data center days, when configuring your own NAT was up to you.
AWS Managed NAT Gateways are as we’ve discussed above: fully managed gateways that act as a connector to allow your private networks to access each other, AWS, or the internet while maintaining security. They’re easily scalable and, since they’re managed by AWS, you don’t have to worry about their maintenance. That means that AWS’s systems monitor server instance health, scale up as necessary, and provide failover if an instance performs poorly.
NAT Gateway instances are simply instances. It’s your job to select the servers and enable connections between multiple private networks and/or the internet, and it’s your job to scale, configure, and maintain them.
Using alterNAT to manage your own NAT Gateway instances
Instead of paying through the nose for NAT Gateway data charges or accepting the risks associated with NAT instances (in the event that something breaks and you have to fix it yourself), alterNAT is a technique that combines the best of both worlds.
The trick is to use a NAT instance with an elastic IP address to handle your traffic as a baseline. You’ll have to deal with the setup and management yourself, but this can be much cheaper than the constant data costs of a NAT Gateway. However, you also set up a Lambda function to automatically check the health of your NAT instance and, if it fails that check, to redirect traffic to a managed NAT Gateway and alert you of the fault.
In other words, you have the failsafe of a managed NAT Gateway in case your NAT instance needs maintenance, but for the entire time that instance is up you’re completely eliminating the extra data processing charges. Remember that the cost of data processing (depending on your region) will be $450 per month for just 10 terabytes, and you can start to see just how much money this option can save you!
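Here is the failover decision from the alterNAT approach just described, written as an added example for this post rather than alterNAT's own code. `FakeEc2` is a constructed stand-in so the logic runs offline; the comments name the real boto3 calls (`describe_route_tables`, `replace_route`) it replaces, and the alert sink, the probe URL and the one-way failover policy are this example's own assumptions.

```python
from typing import Callable, Dict, List, Tuple
from urllib.request import urlopen

class FakeEc2:
    """Constructed stand-in for the EC2 API so the logic runs offline (comments name the real calls)."""
    def __init__(self, default_routes: Dict[str, str]):
        self.default_routes = dict(default_routes)   # route table id -> target of 0.0.0.0/0
        self.calls: List[Tuple[str, str, str]] = []

    def default_route_target(self, rtb_id: str) -> str:
        # Real call: ec2.describe_route_tables(RouteTableIds=[rtb_id]), then read the
        # 0.0.0.0/0 route's NatGatewayId or InstanceId.
        return self.default_routes[rtb_id]

    def point_default_route_at_gateway(self, rtb_id: str, nat_gateway_id: str) -> None:
        # Real call: ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0",
        #                              NatGatewayId=nat_gateway_id)
        self.calls.append(("replace_route", rtb_id, nat_gateway_id))
        self.default_routes[rtb_id] = nat_gateway_id

def http_probe(url: str, timeout: float = 5.0) -> bool:
    """Health check: run from inside the private subnet, it only succeeds if the
    NAT instance is actually forwarding traffic (url is whatever endpoint you trust)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except OSError:
        return False

def failover_check(ec2, connectivity_ok: Callable[[], bool], nat_instance_id: str,
                   nat_gateway_id: str, route_table_ids: List[str],
                   alerts: List[str]) -> List[str]:
    """One scheduled run of the health-check function; returns the route tables it changed.
    Deliberately one-way (routes move to the gateway, never back) so a flapping instance
    cannot bounce traffic; failing back is left to the repaired instance or an operator."""
    if connectivity_ok():
        return []
    changed = []
    for rtb_id in route_table_ids:
        if ec2.default_route_target(rtb_id) == nat_gateway_id:
            continue   # already failed over on an earlier run; stay idempotent
        ec2.point_default_route_at_gateway(rtb_id, nat_gateway_id)
        changed.append(rtb_id)
    if changed:   # alert once, on the run that actually moved traffic
        alerts.append(f"NAT instance {nat_instance_id} failed its health check; "
                      f"{', '.join(changed)} now route via {nat_gateway_id}")
    return changed
```

In a Lambda you would call `failover_check` from the handler with `connectivity_ok=lambda: http_probe(PROBE_URL)` and push `alerts` to SNS or a chat webhook.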
Speaking of knowing your options…
The best way to consolidate and reduce your AWS bills
Aimably is the best way to consolidate, reduce, and optimize your AWS bills. Our AWS Invoice Management Software collects your AWS bills into one, easy-to-use dashboard so that you can see exactly what you’re being charged, what your usage is, whether those charges line up with your usage, and much, much more.
More interested in reducing and optimizing your bills? Our AWS Cost Reduction Assessment looks at all of your Cost and Usage Report data to create a tailored list of prioritized actions for you to take to cut your bill. Each will come with its own risk assessment according to your business’ purpose and goals, so you’ll know exactly what you can do to reduce costs, how likely it is to affect performance, and you’ll never have to search through AWS’ pricing plans for the best loopholes again.
We’ll look at everything from EC2 instances and S3 costs to NAT Gateway pricing and all of the tricks therein. It’s what we’re best at! Aimably is dedicated to bringing you the insight you need to know all of your options and make the best decision for your business, while also saving a chunk of money.