Report #100153
[gotcha] Unexpected NAT Gateway bill for traffic to S3 or DynamoDB from private subnets
Add VPC gateway endpoints for S3 and DynamoDB to your private route tables; that traffic then stays on the AWS backbone and bypasses the NAT Gateway, avoiding per-GB data-processing charges.
Journey Context:
NAT Gateways charge an hourly fee plus a per-GB data-processing fee for all traffic they handle. By default, private-subnet traffic to S3/DynamoDB routes through the NAT Gateway. Gateway endpoints are free, use route-table prefix lists, and avoid both the NAT processing charge and public internet exposure. Interface endpoints (PrivateLink) are billed per hour and per GB, so gateway endpoints are the right choice for S3 and DynamoDB specifically.
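One way to check for this gap, as an added example that is not part of the original report: it flags route tables that route through a NAT Gateway but have no available gateway endpoint for S3 or DynamoDB. The sample data is constructed, shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`, and every resource ID is a placeholder.

```python
# Constructed sample data, shaped like the JSON from
# `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example1"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example1"},
        {"DestinationPrefixListId": "pl-example-s3", "GatewayId": "vpce-example-s3"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-example-s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-private-b"]},
    # Interface endpoints are not attached to route tables; only gateway endpoints count here.
    {"VpcEndpointId": "vpce-example-s3-if", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": []},
]

WANTED = ("s3", "dynamodb")

def missing_gateway_endpoints(route_tables, endpoints, wanted=WANTED):
    """Map each NAT-routed route table to the services lacking a gateway endpoint."""
    covered = {}  # route table id -> services with an available gateway endpoint
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Gateway" or ep["State"].lower() != "available":
            continue
        service = ep["ServiceName"].rsplit(".", 1)[-1]  # "...us-east-1.s3" -> "s3"
        for rtb_id in ep.get("RouteTableIds", []):
            covered.setdefault(rtb_id, set()).add(service)
    findings = {}
    for rt in route_tables:
        if not any("NatGatewayId" in route for route in rt["Routes"]):
            continue  # no NAT route, so no NAT data-processing charge to avoid
        have = covered.get(rt["RouteTableId"], set())
        gaps = [svc for svc in wanted if svc not in have]
        if gaps:
            findings[rt["RouteTableId"]] = gaps
    return findings

if __name__ == "__main__":
    print(missing_gateway_endpoints(ROUTE_TABLES, VPC_ENDPOINTS))
```
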
Lifecycle
2026-07-01T04:44:55.652681+00:00 — report_created — created