NAT gateway is a large line on the AWS bill
NAT gateway charges per hour plus per GB processed. With heavy egress it gets expensive.
Try this first
1. For S3 and DynamoDB, use gateway endpoints: they are free and bypass NAT
2. For other AWS services, interface endpoints (PrivateLink) also bypass NAT
3. Dev environments with little traffic can share one NAT across AZs (acceptable risk)
4. Use VPC Flow Logs to audit which top talkers go through NAT
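One way to run the flow-log audit from the last step, as an added example that is not part of the original page: it ranks internal clients and external peers by bytes seen on the NAT gateway's network interface. It assumes flow logs in the default (version 2) format; the function name, ENI ID, account ID and addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def nat_top_talkers(lines, nat_eni, nat_ip, vpc_cidr):
    """Rank internal clients and external peers by bytes seen on the NAT ENI."""
    vpc = ipaddress.ip_network(vpc_cidr)
    clients, remotes = Counter(), Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank line or a custom-format record
        rec = dict(zip(FIELDS, parts))
        # NODATA/SKIPDATA records carry "-" instead of addresses and counters.
        if rec["interface_id"] != nat_eni or rec["log_status"] != "OK":
            continue
        if rec["action"] != "ACCEPT" or nat_ip not in (rec["srcaddr"], rec["dstaddr"]):
            continue
        # The peer is whichever side is not the NAT gateway's private IP.
        peer = rec["dstaddr"] if rec["srcaddr"] == nat_ip else rec["srcaddr"]
        side = clients if ipaddress.ip_address(peer) in vpc else remotes
        side[peer] += int(rec["bytes"])  # upload and download both count
    return clients.most_common(), remotes.most_common()

# Constructed sample records (hypothetical account, ENI and addresses).
ENI = "eni-0aaaaaaaaaaaaaaaa"
SAMPLE = f"""\
2 123456789012 {ENI} 10.0.1.5 10.0.0.220 44321 443 6 900 1200000 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} 10.0.0.220 203.0.113.5 30111 443 6 900 1200000 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} 203.0.113.5 10.0.0.220 443 30111 6 4000 5000000 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} 10.0.0.220 10.0.1.5 443 44321 6 4000 5000000 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} 10.0.1.9 10.0.0.220 50000 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} 10.0.0.220 198.51.100.7 30112 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.1.5 10.0.2.8 40000 5432 6 50 999999 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI} - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    clients, remotes = nat_top_talkers(SAMPLE, ENI, "10.0.0.220", "10.0.0.0/16")
    print("internal clients:", clients)
    print("external peers:", remotes)
```

In the default format the client-side records show the NAT gateway's private IP as the peer, so tying a client to its final destination needs a custom format that includes `pkt-srcaddr` and `pkt-dstaddr`.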
When to bring us in
At hundreds of GB per day, consider a dedicated NAT instance or egress architecture.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.