by amluto 1047 days ago
AWS NAT gateway is $0.045 per hour plus $0.045 per GB. The hourly fee seems mostly okay - for largish users, one or two per region is fine.

$0.045 per GB is nuts. That’s $20.25/hour or $14580/mo for 1 Gbps. One can buy a cheap gadget using very little power that can NAT 1 Gbps at line rate for maybe $200 (being generous). One can buy a perfectly nice low power server that can NAT 10Gbps line rate for $1k with some compute to spare. One can operate one of these systems, complete with a rack and far more power than needed, plus the Internet connection, for a lot less money than $14580/mo. (Never mind that your $14580 doesn’t actually cover the egress fee on AWS.)

A company with a couple full time employees could easily operate quite a few of these out of any normal datacenter, charge AWS-like fees, and make a killing, without breaking a sweat. But they wouldn’t get many clients because most datacenter customers already have a NAT-capable router and don’t need this service to begin with.

In other words, the OpEx associated with a service like this, including the sysadmin time, is simply not in the ballpark of what AWS charges.


Is that $0.045/GB for all data transferred through it, or just egress to the public internet? If it's the latter, that's half the price of normal EC2 instance egress to the public internet.

If it's the former... oh sweet jesus, what? Probably way cheaper to just run an a1.large or something with Linux on it, plus a very short shell script to set up NAT. That's assuming well more than half of the traffic going through it is ingress from the internet. If it's 50/50 ingress and egress, then it's basically the same pricing as NAT gateway.

No, it’s so much worse than that. Look closely at https://aws.amazon.com/vpc/pricing/ and note this line:

> You also incur standard AWS data transfer charges for all data transferred via the NAT gateway.

Yes, the $0.045/GB “data processing” charge is in addition to the usual $0.09/GB egress charge. You are paying an effective $0.135/GB for all of your egress, in addition to the $0.045/hr just to keep the NAT gateway running.

And yes, your ingress and even internal-to-AWS traffic is also billed at the $0.045/GB rate. (An example given on the aforementioned page is traffic from an EC2 instance to a same-region S3 bucket, which they note doesn’t generate an egress charge but does generate a NAT processing charge.) As far as I can tell, the only traffic which isn’t billed is traffic routed with internal VPC private IP addresses, which don’t hit the NAT gateway and thus aren’t counted.

There are highly paid AWS consultants who shave literal millions of dollars off of many companies' AWS bills by just setting up a cheap EC2 box to handle their NAT instead of using the built-in solution. Doing that instantly wipes out the ingress charges and effectively halves the egress charges, and it’s probably a lower hourly cost than they’re already paying: an a1.large is $0.051/hr on-demand but that immediately drops to just $0.032/hr with a 1 year no upfront reserved plan. If you’re willing to pay upfront and/or sign a longer contract, you can get it as low as $0.019/hr.

It's quite unfortunate they sunsetted the NAT instance AMI.
Bit confused. Couldn't you just run a Linux VM to do your NAT and only pay normal egress?
Yes. And AWS do (sorta) offer a NAT AMI (amazon machine image) if you want to do more management yourself and not get extorted for bandwidth.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Ins...

I say sorta because it's built on an old version of Amazon Linux and is headed towards EOL with no replacement except "go build your own" as you suggest.

https://www.lastweekinaws.com/blog/an-alternat-future-we-now...

AlterNAT uses managed NAT Gateways as a fallback when the NAT Instance is out of service, but again you will have to make your own NAT AMI.

This is not to excuse AWS' frankly absurd NATGW pricing, but to point out other ways around it.

You don’t actually need to use the AMI. Here’s an example of a NAT instance we build from scratch:

https://github.com/somleng/somleng-project/blob/main/infrast...

Thanks! That is exactly what I wanted to know.
Another thing: EC2 instances (VMs) have a "Source/Destination IP check" which makes them ignore any packets not intended for them. If you want an instance to do NAT, you need to turn this off.
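The "very short shell script to set up NAT" mentioned earlier in the thread, together with the source/destination check point just above, as an added example (not code from any commenter, nor from the linked repositories). The interface name, VPC CIDR and instance ID are assumed placeholders; the script prints the commands it would run so they can be reviewed before applying them with `--apply`. The FORWARD chain defaults to DROP so the instance only relays traffic that originates inside the VPC and the replies to it, rather than forwarding arbitrary packets arriving from the internet.

```shell
#!/bin/sh
# Constructed example: turn a plain Linux EC2 instance into a NAT instance.
# Assumptions (not from the thread): the instance has one NIC named $WAN_IF,
# the private subnets' route table points 0.0.0.0/0 at this instance, and
# the VPC uses $VPC_CIDR. $INSTANCE_ID is a placeholder.
set -eu

WAN_IF="${WAN_IF:-eth0}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"

# Commands that make the kernel forward and masquerade VPC-originated traffic.
# Printed rather than run so an operator can review them first.
nat_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -s $VPC_CIDR -j MASQUERADE
iptables -A FORWARD -s $VPC_CIDR -o $WAN_IF -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# EC2 drops packets whose source/destination is not the instance itself;
# a NAT instance must have that check disabled or forwarding silently fails.
source_dest_check_command() {
  echo "aws ec2 modify-instance-attribute --instance-id $INSTANCE_ID --no-source-dest-check"
}

# Number of rules that would be installed (used as a sanity check).
rule_count() {
  nat_commands | grep -c '^iptables'
}

if [ "${1:-}" = "--apply" ]; then
  # Execute each reviewed command line; requires root and the AWS CLI.
  nat_commands | sh -eux
  source_dest_check_command | sh -eux
else
  nat_commands
  source_dest_check_command
fi
```

Run without arguments to see the plan; run as root with `--apply` (and AWS credentials allowing `ec2:ModifyInstanceAttribute`) to install it. Persisting the rules across reboots (e.g. `iptables-save`) and the failover concerns raised later in the thread are left out.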
I've also got an open source terraform module for this:

https://github.com/tedivm/terraform-aws-nat

Weird, I was just looking into this yesterday and found https://fck-nat.dev/
> just run a Linux VM

+ Run extra for failover, HA etc + manage security + Monitor performance + ...

You would have to run that in your own data center which is what the original poster was comparing to.
You also have to do it in AWS if you don't want to use the NAT Gateway service and still desire reliability over and above the MTBF for an EC2 instance or AZ, or ever want to do anything requiring a reboot.