Report #100614
[gotcha] AWS NAT Gateway charges data-processing fees for traffic that stays inside the VPC
Route intra-VPC, VPC peering, Transit Gateway, PrivateLink, and on-premises traffic over private paths instead of through a NAT gateway. Audit each private subnet's route table for the more-specific routes, enable VPC Flow Logs on the NAT gateway's network interface to see what is actually traversing it, and tag NAT gateways for cost attribution.
Journey Context:
NAT gateway pricing has an hourly charge plus a per-GB data-processing charge. The trap is that 'processed' means every byte the NAT gateway forwards, so it includes any traffic whose route table resolves to the NAT gateway even when the destination is a peered VPC, another VPC behind a Transit Gateway, an AWS service, or your on-premises network via Direct Connect/VPN. Teams often put private subnets behind a NAT gateway for internet egress with a single 0.0.0.0/0 route, not realizing that cross-VPC and hybrid traffic matching that default route is metered too. The fix is not to remove NAT gateways but to add more-specific routes: VPC route tables use longest-prefix match, so a /16 route for a peered VPC CIDR pointing at the VPC peering connection or Transit Gateway attachment wins over the default route to the NAT gateway, S3 and DynamoDB traffic goes to gateway endpoints (no data-processing charge), other AWS services go to interface endpoints (which have their own hourly and per-GB charges, lower than the NAT gateway's), and on-premises prefixes go to the VGW/TGW attachment. This avoids the data-processing charge while keeping internet egress on the NAT gateway. Two checks before rolling this out: traffic on the new direct paths no longer passes anything you had inline on the NAT egress path, so confirm security groups and network ACLs cover those destinations, and verify with Flow Logs on the NAT gateway's network interface that the private-range traffic actually disappears from it.
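The audit described above, as an added example that is not part of the original report: it applies the same longest-prefix match the VPC router uses to each route table and flags private destinations that would still be forwarded to a NAT gateway, then sizes the leak from VPC Flow Log lines. The route tables follow the shape of `aws ec2 describe-route-tables` output, the flow log lines use the default (version 2) format and are assumed to come from a flow log on the NAT gateway's network interface, and every resource id, CIDR and log line is constructed for the example.

```python
"""Flag private-destination traffic a route table would send via NAT and size it.
Added example; data and ids are constructed placeholders, not real resources."""
import ipaddress
from collections import defaultdict

# Constructed route tables, trimmed to the fields used. rtb-private-a has only a
# default route to the NAT gateway; rtb-private-b has the fix for the peer VPC
# and on-prem but forgot the shared-services VPC.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"},
    ]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-11112222"},
        {"DestinationCidrBlock": "192.168.0.0/16", "TransitGatewayId": "tgw-33334444"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-5555"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"},
    ]},
]

# Prefixes that should reach their target over a private path, never via NAT.
PRIVATE_DESTINATIONS = {
    "peer-vpc": "10.1.0.0/16",
    "shared-services-vpc": "10.2.0.0/16",
    "on-prem": "192.168.0.0/16",
}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId", "TransitGatewayId",
               "VpcEndpointId", "NetworkInterfaceId", "InstanceId", "EgressOnlyInternetGatewayId")


def route_target(route):
    """The route's target id, whichever key describe-route-tables used for it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def resolve(route_table, destination):
    """Target the VPC router picks for `destination`: the longest matching prefix.
    Returns None if no route covers it. IPv6 and prefix-list routes are skipped."""
    dest = ipaddress.ip_network(destination, strict=False)
    best_net, best_route = None, None
    for route in route_table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr)
        if net.version != dest.version or not dest.subnet_of(net):
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_route = net, route
    return route_target(best_route) if best_route else None


def nat_leaks(route_tables, destinations):
    """(route table id, destination name) -> NAT gateway id for every private
    destination the table would push through a NAT gateway."""
    leaks = {}
    for rt in route_tables:
        for name, cidr in destinations.items():
            target = resolve(rt, cidr)
            if target and target.startswith("nat-"):
                leaks[(rt["RouteTableId"], name)] = target
    return leaks


def nat_bytes_by_destination(flow_log_lines, destinations):
    """Sum ACCEPTed bytes per private destination from default-format flow log
    lines (assumed captured on the NAT gateway's ENI); anything else is 'internet'."""
    nets = {name: ipaddress.ip_network(c) for name, c in destinations.items()}
    totals = defaultdict(int)
    for line in flow_log_lines:
        f = line.split()  # version account eni src dst sport dport proto pkts bytes start end action status
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue
        dst, nbytes = ipaddress.ip_address(f[4]), int(f[9])
        bucket = next((n for n, net in nets.items() if dst in net), "internet")
        totals[bucket] += nbytes
    return dict(totals)


# Constructed flow log lines; account, ENI and addresses are placeholders.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-nat0001 10.0.1.5 10.1.2.3 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-nat0001 10.0.1.5 192.168.10.20 49153 22 6 20 1600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-nat0001 10.0.1.7 93.184.216.34 49154 443 6 5 3000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-nat0001 10.0.1.7 10.2.0.9 49155 5432 6 50 64000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-nat0001 10.0.1.7 10.1.2.3 49156 443 6 1 40 1700000000 1700000060 REJECT OK",
]

if __name__ == "__main__":
    for (rtb, name), nat in sorted(nat_leaks(ROUTE_TABLES, PRIVATE_DESTINATIONS).items()):
        print(f"{rtb}: {name} ({PRIVATE_DESTINATIONS[name]}) resolves to {nat}, metered")
    for name, total in sorted(nat_bytes_by_destination(SAMPLE_FLOW_LOG, PRIVATE_DESTINATIONS).items()):
        print(f"{name}: {total} bytes through the NAT gateway")
```

Against real data, feed `resolve`/`nat_leaks` the `RouteTables` list from `aws ec2 describe-route-tables --output json` and the flow log lines from the log group attached to the NAT gateway's ENI; `rtb-private-b` shows why the audit has to be per-destination rather than per-route-table, since the fix was applied for two prefixes and missed the third.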
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:48:18.548567+00:00 — report_created — created