by chadash 681 days ago
+1 on NAT Gateway. For those unaware, you need to set up a NAT gateway for your tools inside of a VPC to access the internet. I forget the pricing, but it's way more expensive than it should be and it's a huge pain to set up. This is a service that is annoyingly expensive for hobbyists/indie-devs/people just playing around, but a rounding error for AWS's "real" customers. Just build it into VPC (a checkbox that says "I would like to be able to access the internet from my code in the VPC") and make it free or at least have upfront pricing.

> you need to setup a NAT gateway for your tools inside of a VPC to access the internet

You do, if your stuff is in a private subnet. If you are just "playing around" however, you have options:

a) Spin up your resources in a public subnet, give them a public IP (be very careful about your security group rules if you do this)

b) Create your own NAT gateway EC2 instance (can be way less expensive than a NAT GW as tiny instance sizes can forward a lot of traffic). It's almost trivial to do. Disable source/dest check, enable ipv4 forward, configure routes.

c) IPV6 :) Depending on what your destination is (+ an egress only IGW)

I wouldn't recommend either (a) or (b) for a large production environment, but small deployments will do fine. You can't escape network egress charges though.
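The three steps of option (b) above, written out as an added example (this is not code from the thread or from AWS). Every id, CIDR and interface name is a placeholder; the script defaults to printing the commands rather than executing them. Steps 1, 3 and 4 run wherever the AWS CLI is configured, while step 2 must run on the NAT instance itself (for example from its user-data):

```shell
#!/bin/sh
# Added example: an EC2 instance in a public subnet acting as NAT for private
# subnets. All ids and CIDRs below are placeholders.
set -eu

VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                         # placeholder
NAT_IFACE="${NAT_IFACE:-eth0}"                              # placeholder
NAT_INSTANCE_ID="${NAT_INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder
NAT_SG_ID="${NAT_SG_ID:-sg-0123456789abcdef0}"              # placeholder
PRIVATE_RTB_ID="${PRIVATE_RTB_ID:-rtb-0123456789abcdef0}"   # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: EC2 silently drops packets whose source or destination is not the
# instance's own address until the source/dest check is disabled.
disable_src_dst_check() {   # $1 = instance id
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Step 2 (on the instance): enable IPv4 forwarding, masquerade VPC traffic on
# the public interface, and forward nothing else. The DROP policy keeps the
# box from becoming an open relay if its security group is ever loosened.
enable_forwarding() {   # $1 = VPC CIDR, $2 = public interface
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -s "$1" -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Step 3: the security group admits traffic from the VPC CIDR only. The
# instance has a public IP, so never open this rule to 0.0.0.0/0.
allow_vpc_ingress() {   # $1 = security group id, $2 = VPC CIDR
  run aws ec2 authorize-security-group-ingress --group-id "$1" --protocol -1 --cidr "$2"
}

# Step 4: point the private subnets' default route at the instance.
configure_route() {   # $1 = route table id, $2 = instance id
  run aws ec2 create-route --route-table-id "$1" --destination-cidr-block 0.0.0.0/0 --instance-id "$2"
}

disable_src_dst_check "$NAT_INSTANCE_ID"
enable_forwarding "$VPC_CIDR" "$NAT_IFACE"
allow_vpc_ingress "$NAT_SG_ID" "$VPC_CIDR"
configure_route "$PRIVATE_RTB_ID" "$NAT_INSTANCE_ID"
```

Run it with `DRY_RUN=0` once the placeholders are filled in. The sysctl and iptables settings are not persisted here; on a real instance they belong in `/etc/sysctl.d/` and an iptables-restore unit so they survive a reboot, and each private subnet's route table needs its own `configure_route` call.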

You could do A, but in addition to the security issues you now have to pay for public IPv4s on AWS too, so if you have a significant number of services that are private but need internet access it is still cheaper than NAT gateway, but just barely.

I've done B before for dev environments and it works well. For production there is a large list of things to do to make it highly available.

Which brings up one of the travesties of NAT Gateway: if you have a dev environment (or more) and staging and you want them to match prod, you're all of a sudden stuck with paying for multiple NAT gateways.

> if you have a significant number of services that are private but need internet access it is still cheaper than NAT gateway but just barely.

Also depends on the volume of traffic we are talking about. NAT GW is $0.045/h even if doing nothing, plus $0.045/GB, plus egress. IP is $0.005 without any extra costs other than the standard egress.

> For production there is a large list to make it high availability.

Yes! Which is why I wouldn't do it in production unless your org and team structure can deal with it. The problem is solvable technically (and that's how we used to do things before the service existed) but the people problem is trickier - this kind of infrastructure runs a high chance of getting neglected and mostly forgotten until it causes an outage. Outages (often due to instance 'maintenance') caused us to migrate away from using our own NAT. If they cause you to lose money, or spend a bunch of engineer hours, there goes your savings.

AWS NAT Gateway is pretty reliable in comparison and you mostly forget it exists. The problem is just cost - you pay per hour, and you pay for egress on top of the usual egress charges. So AWS is double dipping there.

I wish AWS had the same underlying VM tech as Google. GCP can migrate systems to another hypervisor without start/stop and without even dropping network connections. Unless the underlying hypervisor dies with no warning, having the ability to keep your connections up would avoid some people getting paged, even if HA kicks in.

> NAT GW is $0.045/h even if doing nothing, plus $0.045/GB, plus egress. IP is $0.005 without any extra costs other than the standard

That's only 10 servers. I sometimes forget they charge per GB too. That particular charge rarely affects me but if your private services need a lot of data that can certainly add up.

To expand on that, additionally, if you are running your own NAT you need to have one instance per AZ or you end up with cross-subnet transfer costs. So that's at least one cost that you save with NAT gateway (though moot if you run all your services in the public subnets)

AWS policy on NAT Gateways is so stupid that people came up with a d) option - alterNAT[0] that is basically b) but turns on the real NAT GW if b) fails giving you the best of both worlds: lower cost and better reliability than a NAT instance.

https://www.lastweekinaws.com/blog/an-alternat-future-we-now...
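The health-check-and-route-flip that gives option (d) its reliability, as an added example (this is not code from the thread or from the alterNAT project). It assumes a managed NAT Gateway already exists as standby and that the AWS CLI is configured; all ids are placeholders, and in dry-run mode the instance health comes from the `NAT_HEALTH_OVERRIDE` variable so the logic can be exercised offline:

```shell
#!/bin/sh
# Added example: keep the private subnets' default route on the cheap NAT
# instance while it is healthy, and on the managed NAT Gateway otherwise.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, take health from NAT_HEALTH_OVERRIDE
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Prints "ok" when the NAT instance passes EC2 status checks, else "impaired".
# A stopped or terminated instance has no status row (the query yields None)
# and an API error also counts as impaired: unknown health fails over to the
# managed gateway rather than leaving private subnets without egress.
nat_instance_health() {   # $1 = instance id
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "${NAT_HEALTH_OVERRIDE:-ok}"   # offline stand-in for the API call
    return 0
  fi
  status="$(aws ec2 describe-instance-status --instance-ids "$1" \
            --query 'InstanceStatuses[0].InstanceStatus.Status' --output text)" \
    || status="error"
  if [ "$status" = "ok" ]; then printf 'ok\n'; else printf 'impaired\n'; fi
}

# Healthy instance: cheap path. Anything else: managed NAT Gateway.
choose_target() {   # $1 = health string
  if [ "$1" = "ok" ]; then printf 'instance\n'; else printf 'natgw\n'; fi
}

# Repoint the route table's 0.0.0.0/0 route at the chosen target and print
# which one was chosen. replace-route is idempotent, so running this from a
# one-minute cron or a Lambda on a schedule is safe.
reconcile_route() {   # $1 = route table id, $2 = instance id, $3 = nat gateway id
  target="$(choose_target "$(nat_instance_health "$2")")"
  case "$target" in
    instance) run aws ec2 replace-route --route-table-id "$1" \
                --destination-cidr-block 0.0.0.0/0 --instance-id "$2" ;;
    natgw)    run aws ec2 replace-route --route-table-id "$1" \
                --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$3" ;;
  esac
  printf '%s\n' "$target"
}

reconcile_route "${PRIVATE_RTB_ID:-rtb-0123456789abcdef0}" \
                "${NAT_INSTANCE_ID:-i-0123456789abcdef0}" \
                "${NAT_GW_ID:-nat-0123456789abcdef0}"
```

The standby gateway still bills its hourly rate while idle, so the saving is the per-GB charge on traffic that flows through the instance, not the whole NAT Gateway line item; whether that is worth the extra moving part is the same people-problem trade-off raised earlier in the thread.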

AWS just isn’t for hobbyists. You have to deal with the complexities of it because the real target customers want and need these things. There are plenty of other cloud services appropriate to your scale. It’s frustrating because you’re using the wrong tool for the job.

It's not the complexity (IMO), it's the cost. A hobbyist can easily set up NAT gateway but very often the NAT gateway is the most expensive part of the entire cloud bill. So the hobbyist is left with paying it or exposing their server to the public internet. It is very expensive for what should be something that is a built in part of VPCs.

Heck, even if you're not a hobbyist, I've worked with companies that have dev environments that mirror production (except smaller instance sizes) and now all of a sudden you have a ton of NAT gateways eating money for providing a basic networking service.

It is but you need to consider cost first, not walk in with your existing assumptions about how to build stuff.

To be fair, large corporations probably should develop that mentality rather than shovelling vast amounts of cash into the problem and hoping it will go away one day (Hint: it doesn't).