|
|
|
|
|
|
by throwaway2016a
679 days ago
|
|
|
You could do A but in addition to the security issues now you have to pay for public IPv4s on AWS too so if you have a significant number of services that are private but need internet access it is still cheaper than NAT gateway but just barely. I've done B before for dev environments and it works well. For production there is a large list to make it high availability. Which brings up one of the travesties of NAT Gateway is if you have a dev (or more) and staging and you want it to match prod you're all the sudden stuck with a paying for multiple NAT gateways. |
|
|
Also depends on the volume of traffic we are talking about. NAT GW is $0.045/h even if doing nothing, plus $0.045/GB, plus egress. IP is $0.005 without any extra costs other than the standard egress.
> For production there is a large list to make it high availability.
Yes! Which is why I wouldn't do it in production unless your org and team structure can deal with it. The problem is solvable technically(and that's how we used to do things before the service existed) but the people problem is trickier - this kind of infrastructure runs a high chance of getting neglected and mostly forgotten until it causes an outage. Outages (often due to instance 'maintenance') caused us to migrate away from using our own NAT. If they cause you to lose money, or spend a bunch of engineer hours, there goes your savings.
AWS NAT Gateway is pretty reliable in comparison and you mostly forget it exists. The problem is just cost - you pay per hour, and you per for egress on top of the usual egress charges. So AWS is double dipping there.
I wish AWS had the same underlying VM tech as Google. GCP can migrate systems to another hypervisor without start/stop and without even dropping network connections. Unless the underlying hypervisor dies with no warning, having the ability to keep your connections up would avoid some people getting paged, even if HA kicks in.