Hacker News new | ask | show | jobs
by outworlder 685 days ago
> you need to setup a NAT gateway for your tools inside of a VPC to access the internet

You do, if your stuff is in a private subnet. If you are just "playing around" however, you have options:

a) Spin up your resources in a public subnet, give then a public IP(be very careful about your security group rules if you do this)

b) Create your own NAT gateway EC2 instance(can be way less expensive than a NAT GW as tiny instance sizes can forward a lot of traffic). It's almost trivial to do. Disable source/dest check, enable ipv4 forward, configure routes.

c) IPV6 :) Depending on what your destination is (+ an egress only IGW)

I wouldn't recommend either (a) or (b) for a large production environment, but small deployments will do fine. You can't escape network egress charges though.
2 comments
throwaway2016a 685 days ago
You could do A but in addition to the security issues now you have to pay for public IPv4s on AWS too so if you have a significant number of services that are private but need internet access it is still cheaper than NAT gateway but just barely.

I've done B before for dev environments and it works well. For production there is a large list to make it high availability.

Which brings up one of the travesties of NAT Gateway is if you have a dev (or more) and staging and you want it to match prod you're all the sudden stuck with a paying for multiple NAT gateways.

link
outworlder 685 days ago
> if you have a significant number of services that are private but need internet access it is still cheaper than NAT gateway but just barely.

Also depends on the volume of traffic we are talking about. NAT GW is $0.045/h even if doing nothing, plus $0.045/GB, plus egress. IP is $0.005 without any extra costs other than the standard egress.

> For production there is a large list to make it high availability.

Yes! Which is why I wouldn't do it in production unless your org and team structure can deal with it. The problem is solvable technically(and that's how we used to do things before the service existed) but the people problem is trickier - this kind of infrastructure runs a high chance of getting neglected and mostly forgotten until it causes an outage. Outages (often due to instance 'maintenance') caused us to migrate away from using our own NAT. If they cause you to lose money, or spend a bunch of engineer hours, there goes your savings.

AWS NAT Gateway is pretty reliable in comparison and you mostly forget it exists. The problem is just cost - you pay per hour, and you per for egress on top of the usual egress charges. So AWS is double dipping there.

I wish AWS had the same underlying VM tech as Google. GCP can migrate systems to another hypervisor without start/stop and without even dropping network connections. Unless the underlying hypervisor dies with no warning, having the ability to keep your connections up would avoid some people getting paged, even if HA kicks in.

link
throwaway2016a 684 days ago
> NAT GW is $0.045/h even if doing nothing, plus $0.045/GB, plus egress. IP is $0.005 without any extra costs other than the standard

That's only 10 servers. I sometimes forget they charge per GB too. That particular charge rarely affects me but if your private services need a lot of data that can certainly add up.

To expand on that, additionally, if you are running your own NAT you need to have one instance per AZ or you end up with cross-subnet transfer costs. So that's at least one cost that you save with NAT gateway (though moot if you run all your services in the public subnets)

link
benterix 684 days ago
AWS policy on NAT Gateways is so stupid that people came up with a d) option - alterNAT[0] that is basically b) but turns on the real NAT GW if b) fails giving you the best of both worlds: lower cost and better reliability than a NAT instance.

https://www.lastweekinaws.com/blog/an-alternat-future-we-now...

link