The single biggest "where is this even coming from?" line on most AWS bills above $20k/mo is the NAT Gateway. Not compute. Not databases. Networking. And almost nobody designs for it because at design time it is invisible — a default checkbox in the VPC wizard.
NAT Gateway bills two ways (us-east-1 list prices; other regions are close): $0.045 per gateway-hour (about $33/mo per gateway, and best practice is one per AZ) and $0.045 per GB processed, counted for traffic in both directions. The second number is what destroys budgets. A microservice architecture that talks to S3, DynamoDB, and a handful of external APIs can route hundreds of gigabytes per day through a NAT Gateway without anyone noticing, at $0.045 per GB, every day.
Three egress shapes (plus a multi-AZ variant), simulated
From a Pinpole canvas simulation of a typical microservice cluster (12 services, mixed S3 + DynamoDB + external API traffic). Monthly figures assume 30 days and us-east-1 prices; the per-GB figure is the NAT data-processing charge alone, and the "with VPC endpoints" column moves the S3 and DynamoDB share of the traffic onto free Gateway endpoints:
| Egress pattern | Processed/day | NAT cost/mo | With VPC endpoints |
|---|---|---|---|
| Light (logs, small payloads) | ~5 GB | $32 (base) + $7 = $39 | $32 + $0 = $32 |
| Moderate (S3 + DynamoDB heavy) | ~200 GB | $32 + $270 = $302 | $32 + $30 = $62 (only external-API traffic still hits the NAT) |
| Heavy (ML training, video, replicas) | ~2 TB | $32 + $2,700 = $2,732 | $32 + $190 = $222 |
| Multi-AZ HA (3 NAT gateways, one per AZ) | ~2 TB total | 3 × $32 + $2,700 = ~$2,800 | 3 × $32 + $190 = ~$290 |
The single most impactful FinOps change we have ever recommended is also the most boring: add S3 and DynamoDB Gateway endpoints to every VPC. They are free. The savings often pay for the rest of your tooling budget.
Why this is invisible at design time
Three reasons:
- The diagram doesn't show egress. draw.io shows boxes, not gigabytes. The NAT Gateway is a line, not a meter.
- The Pricing Calculator is per-resource. You estimate the Lambda, the RDS, the ALB — but processed bytes through the NAT is the cost that depends on the combined behaviour of all those services.
- Multi-AZ HA quietly triples the hourly charge. Best practice says one NAT per AZ, so a three-AZ deployment pays 3 × $32.85 ≈ $99/mo before a single byte moves. The per-GB charge is paid once per GB whichever gateway processes it, so it does not triple; what one-per-AZ actually buys you is avoiding the $0.01/GB cross-AZ transfer charge (billed in each direction) that you pay when every AZ routes through a single shared gateway.
VPC endpoints — the fix nobody installs
Gateway endpoints (free!)
S3 and DynamoDB. Attach the endpoint to your private route tables and traffic to those two services stops touching the NAT: no hourly charge, no data processing charge. They also take an endpoint policy, and an S3 bucket policy can require aws:SourceVpce, so the traffic never crosses the public internet and the bucket can be pinned to your VPC. There is no reason not to use these in every VPC, period.
Interface endpoints (paid)
$0.01/hr per endpoint per AZ (~$7.30/mo) + $0.01/GB. Because the NAT's hourly charge is paid either way, break-even vs NAT is where $7.30 equals the $0.035/GB you save, roughly 200 GB/mo per endpoint per AZ. Worth it for high-traffic services (CloudWatch Logs, ECR, Secrets Manager, KMS). One caveat: ECR image layers are served from S3, so the ecr.api and ecr.dkr Interface endpoints need the S3 Gateway endpoint beside them, or layer pulls quietly go through the NAT anyway.
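The arithmetic behind the table above and the Interface-endpoint break-even, as a small cost model. This is an added example, not Pinpole's simulator; it assumes us-east-1 list prices, a 30-day / 730-hour month, and (for the cross-AZ figure) traffic spread evenly across AZs. The endpoint shares used to reproduce the table rows are assumptions chosen to match it.

```python
"""NAT Gateway monthly cost model. Added example; prices are us-east-1 list
prices at the time of writing (assumption: other regions differ slightly),
month = 30 days / 730 billing hours."""

HOURS_PER_MONTH = 730      # AWS Pricing Calculator convention
DAYS_PER_MONTH = 30
NAT_HOURLY = 0.045         # $ per NAT Gateway per hour
NAT_PER_GB = 0.045         # $ per GB processed by a NAT Gateway (both directions count)
VPCE_HOURLY = 0.01         # $ per Interface endpoint per AZ per hour
VPCE_PER_GB = 0.01         # $ per GB through an Interface endpoint
CROSS_AZ_PER_GB = 0.01     # $ per GB between AZs, charged in each direction


def nat_monthly(gb_per_day, gateways=1, gateway_endpoint_share=0.0):
    """Monthly NAT cost. The hourly charge scales with the number of gateways;
    the per-GB charge is paid once per GB no matter how many gateways share
    the load. gateway_endpoint_share is the fraction of traffic that moves to
    the free S3/DynamoDB Gateway endpoints and so never touches the NAT."""
    base = gateways * NAT_HOURLY * HOURS_PER_MONTH
    processed_gb = gb_per_day * DAYS_PER_MONTH * (1.0 - gateway_endpoint_share)
    return base + processed_gb * NAT_PER_GB


def shared_nat_cross_az_penalty(gb_per_day, azs=3):
    """Extra monthly cost of one NAT in a single AZ with every AZ routed to it:
    traffic from the other AZs crosses an AZ boundary and is billed in both
    directions. Simplification: traffic is spread evenly across AZs."""
    remote_gb = gb_per_day * DAYS_PER_MONTH * (azs - 1) / azs
    return remote_gb * CROSS_AZ_PER_GB * 2


def interface_endpoint_break_even_gb(azs=1):
    """GB/month at which an Interface endpoint (deployed in `azs` AZs) costs the
    same as pushing that traffic through an already-running NAT Gateway."""
    return azs * VPCE_HOURLY * HOURS_PER_MONTH / (NAT_PER_GB - VPCE_PER_GB)


def table_row(label, gb_per_day, gateways=1, endpoint_share=0.0):
    """One row of the comparison: NAT only vs. with Gateway endpoints."""
    return (label,
            round(nat_monthly(gb_per_day, gateways), 2),
            round(nat_monthly(gb_per_day, gateways, endpoint_share), 2))


if __name__ == "__main__":
    # Endpoint shares are assumed, chosen to match the simulated table above.
    for row in (table_row("light", 5, 1, 1.0),
                table_row("moderate", 200, 1, 1 - 30 / 270),
                table_row("heavy", 2000, 1, 1 - 190 / 2700),
                table_row("multi-AZ (3 NAT)", 2000, 3, 1 - 190 / 2700)):
        print("%-18s NAT only $%9.2f   with endpoints $%9.2f" % row)
    print("one shared NAT for 3 AZs at 2 TB/day adds $%.2f/mo in cross-AZ transfer"
          % shared_nat_cross_az_penalty(2000, 3))
    print("Interface endpoint break-even: %.0f GB/mo per AZ"
          % interface_endpoint_break_even_gb())
```

Two things fall out of the model that the table alone does not show: three gateways at 2 TB/day cost about $66/mo more than one, not three times as much, while one shared gateway for the same traffic adds roughly $800/mo in cross-AZ transfer; and an Interface endpoint pays for itself at just over 200 GB/mo per AZ.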
PrivateLink to your own services
Cross-VPC, cross-account. Different pricing, different use case. Worth a dedicated post.
How simulation surfaces this
On the pinpole canvas, the NAT Gateway node has a "processed GB/mo" output that's computed from the actual traffic patterns of the services routed through it. Add or remove VPC endpoints and the number drops in real time. We have seen single canvas runs surface five-figure annual savings on architectures that had been running in production for over a year.
Open your VPC console and go to Endpoints. If you don't see Gateway endpoints for com.amazonaws.<region>.s3 and com.amazonaws.<region>.dynamodb associated with every private route table (in the route table itself they show up as a pl-xxxx prefix-list destination with a vpce-xxxx target), you are paying NAT Gateway data-processing costs that you don't have to. Add them today; it is a route-table change, not a migration.
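The same check as a script, so it can run across every VPC in an account instead of one console page at a time. This is an added example, not Pinpole's tooling: it reads the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` return, flags every route table whose default route is a NAT Gateway but which has no S3 or DynamoDB Gateway endpoint attached, and prints the `create-vpc-endpoint` / `modify-vpc-endpoint` commands that fix it. The VPC, route-table and endpoint IDs in the embedded sample are constructed; run with `--live <region>` to query a real account.

```python
"""Flag NAT-backed route tables with no S3 / DynamoDB Gateway endpoint and
print the AWS CLI commands that fix it. Input is the JSON shape returned by
`aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`."""
import json
import subprocess
import sys

GATEWAY_SERVICES = ("dynamodb", "s3")   # the two services with free Gateway endpoints


def private_route_tables(route_tables):
    """Route tables whose default route points at a NAT Gateway."""
    return [rtb for rtb in route_tables["RouteTables"]
            if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
                   for r in rtb.get("Routes", []))]


def find_missing_gateway_endpoints(route_tables, endpoints, region):
    """One finding per NAT-backed route table that has no Gateway endpoint route
    for S3 or DynamoDB; each finding lists the missing service names."""
    wanted = ["com.amazonaws.%s.%s" % (region, svc) for svc in GATEWAY_SERVICES]
    covered = {name: set() for name in wanted}   # service -> route tables already routed to it
    for ep in endpoints["VpcEndpoints"]:
        if ep.get("VpcEndpointType") == "Gateway" and ep["ServiceName"] in covered:
            covered[ep["ServiceName"]].update(ep.get("RouteTableIds", []))
    findings = []
    for rtb in private_route_tables(route_tables):
        missing = [name for name in wanted if rtb["RouteTableId"] not in covered[name]]
        if missing:
            findings.append({"vpc": rtb["VpcId"], "route_table": rtb["RouteTableId"],
                             "missing": missing})
    return findings


def remediation_commands(findings, endpoints):
    """CLI commands grouped per (VPC, service). A Gateway endpoint is per VPC and
    can serve many route tables, so if one already exists we attach the missing
    route tables to it instead of creating a second endpoint."""
    existing = {(ep["VpcId"], ep["ServiceName"]): ep["VpcEndpointId"]
                for ep in endpoints["VpcEndpoints"] if ep.get("VpcEndpointType") == "Gateway"}
    groups = {}
    for f in findings:
        for svc in f["missing"]:
            groups.setdefault((f["vpc"], svc), []).append(f["route_table"])
    cmds = []
    for (vpc, svc), rtbs in sorted(groups.items()):
        rtb_args = " ".join(rtbs)
        if (vpc, svc) in existing:
            cmds.append("aws ec2 modify-vpc-endpoint --vpc-endpoint-id %s --add-route-table-ids %s"
                        % (existing[(vpc, svc)], rtb_args))
        else:
            cmds.append("aws ec2 create-vpc-endpoint --vpc-id %s --vpc-endpoint-type Gateway "
                        "--service-name %s --route-table-ids %s" % (vpc, svc, rtb_args))
    return cmds


# Constructed sample: one VPC, two private route tables behind NAT (only one of
# them has the S3 endpoint, neither has DynamoDB) and one public route table.
SAMPLE_REGION = "us-east-1"
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-a", "VpcId": "vpc-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example-a"},
        {"DestinationPrefixListId": "pl-example-s3", "GatewayId": "vpce-example-s3"}]},
    {"RouteTableId": "rtb-private-b", "VpcId": "vpc-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example-b"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}]}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-example-s3", "VpcEndpointType": "Gateway", "VpcId": "vpc-example",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-private-a"]}]}


def main(argv):
    if len(argv) == 3 and argv[1] == "--live":          # --live <region>: query the account
        region = argv[2]

        def cli(op):
            return json.loads(subprocess.check_output(
                ["aws", "ec2", op, "--region", region, "--output", "json"]))
        rtbs, eps = cli("describe-route-tables"), cli("describe-vpc-endpoints")
    else:
        region, rtbs, eps = SAMPLE_REGION, SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS
    findings = find_missing_gateway_endpoints(rtbs, eps, region)
    for f in findings:
        print("%s %s: missing %s" % (f["vpc"], f["route_table"], ", ".join(f["missing"])))
    for cmd in remediation_commands(findings, eps):
        print(cmd)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when it finds a gap, so it can sit in a CI or account-hygiene job. It only looks at route tables with a NAT default route on purpose: a public subnet that reaches S3 through an Internet Gateway pays no NAT processing charge, so it is not the problem this page is about (though it would still benefit from the endpoint's policy controls).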
Design-time visibility is the only real fix
NAT Gateway cost is structural, not configurational. The endpoints themselves are a route-table change, but the traffic shape that drives the per-GB line (which services talk to what, how chatty they are, from which AZs) is set by the architecture, and that is what you cannot tune after the fact. You have to design around it. That means surfacing egress patterns at design time, when the architecture is still on a canvas and a route can be changed by dragging a line. Doing this in production means a migration. Doing it in simulation means changing one toggle.
The cheapest AWS service is the gigabyte that never leaves your VPC.
Simulate your egress patterns before you deploy. Pinpole's canvas surfaces NAT processed-byte cost as you wire services together.
Start 14-day free trial →