How much does an AWS NAT Gateway cost in 2026?

In US East (N. Virginia and Ohio) the NAT Gateway hourly charge is roughly $0.045 per hour per NAT Gateway, plus $0.045 per GB of data processed. A NAT Gateway running 24/7 in one AZ costs about $32.85/month before any data charges. Most production deployments use 2–3 NAT Gateways for HA, so hourly costs alone are $65–$100/month before data. Other regions are 5–110% higher per unit — Tokyo, Singapore, and São Paulo are the most expensive.

Is NAT Gateway data processing charged on top of egress?

Yes — and this is the biggest source of bill shock. The $0.045 per GB data-processing fee applies to every byte that passes through the NAT Gateway in either direction, regardless of destination. If those bytes also leave AWS (internet egress), you pay both the NAT processing fee and the standard egress charge (around $0.09/GB for the first 10TB).

What is the difference between NAT Gateway and a VPC Interface Endpoint?

A NAT Gateway routes any outbound internet traffic from private subnets through a managed NAT service. A VPC Interface Endpoint (PrivateLink) routes traffic destined for a specific AWS service (S3, ECR, DynamoDB, KMS, etc.) over AWS's internal network without going through NAT or the public internet. Interface Endpoints cost roughly $0.01/hour per AZ plus a small per-GB fee — for high-volume traffic to AWS services, this is dramatically cheaper than NAT Gateway processing fees.

When is NAT Gateway still the right choice?

NAT Gateway is the right choice when private-subnet workloads need outbound access to arbitrary third-party internet endpoints — APIs, package repositories, OS updates, SaaS services — that you cannot replace with VPC Endpoints or move behind a CDN. For traffic to AWS services (S3, ECR, DynamoDB, Secrets Manager, KMS), VPC Endpoints are almost always cheaper at any non-trivial volume.

Are there cheaper alternatives to NAT Gateway for outbound traffic?

Three patterns reduce NAT Gateway cost meaningfully. First: VPC Endpoints for AWS services (free for Gateway type, ~$0.01/hr/AZ for Interface type). Second: a self-managed NAT instance for low-volume workloads — cheaper hourly but no managed HA. Third: an architecture rewrite that pushes egress-heavy workloads to a different provider — Cloudflare R2 has zero egress fees, and bare-metal hosts at Vultr or Hetzner include 10TB+/month outbound bandwidth in the base price.

AWS NAT Gateway Pricing 2026 (Calculator + Alternatives)

Complete pricing reference with a monthly cost calculator, regional comparison, and when VPC Endpoints or alternative architectures are cheaper.

AWS NAT Gateway pricing has two components that combine into nearly every "surprise bill" story you've seen on DevOps forums: an always-on hourly charge per NAT Gateway per Availability Zone, plus a per-GB data-processing fee on every byte routed through it — in either direction, regardless of destination. The data-processing fee is what catches teams out: it stacks on top of standard internet egress charges, so the same byte can be billed twice on the way out of AWS.

This page is the pricing reference. If you want the war-story version of what bill shock looks like in practice, see The AWS NAT Gateway Bill That Should Have Been $0.

NAT Gateway pricing components

AWS bills NAT Gateway on three separate lines. All three show up on the bill, but the data-processing fee is usually the largest and the one teams under-anticipate.

Component	What it charges	Typical US East rate
Hourly charge	Per NAT Gateway, per hour, while provisioned	$0.045/hr
Data-processing fee	Per GB of data routed through the NAT Gateway (both directions)	$0.045/GB
Standard data transfer (egress)	Per GB leaving AWS to the internet (first 10TB tier)	$0.09/GB

Important: the data-processing fee applies in addition to internet egress for traffic leaving AWS. A 1 GB outbound transfer through NAT Gateway from US East costs $0.045 (processing) + $0.09 (egress) = $0.135 — about 3× the cost of routing the same byte from an EC2 instance directly through an Internet Gateway.

NAT Gateway pricing by region

Rates vary by region. US East regions are the cheapest baseline; Asia Pacific and South America regions can be 2× or more. The values below reflect typical 2026 list pricing — always cross-check with the AWS VPC pricing page before committing architecture, since AWS adjusts these without much announcement.

Region group	Hourly	Data processing per GB
US East (N. Virginia, Ohio)	~$0.045	~$0.045
US West (Oregon, N. California)	~$0.045	~$0.045
Canada (Central)	~$0.05	~$0.05
Europe (Ireland, Frankfurt, London)	~$0.048–$0.052	~$0.048–$0.052
Asia Pacific (Tokyo, Singapore, Sydney)	~$0.062–$0.065	~$0.062–$0.065
South America (São Paulo)	~$0.093	~$0.093

A NAT Gateway running 24/7 in one AZ costs roughly $32.85/month in US East before any data charges. Multi-AZ deployments multiply this — 3 AZs = $98.55/month minimum. Add data-processing fees on top.

NAT Gateway monthly cost calculator

Estimate your monthly NAT Gateway bill. Includes hourly charges, data-processing fees, and (optionally) internet egress for traffic leaving AWS.

Region

NAT Gateways (one per AZ for HA)

Data processed per month (GB)

Of that, how much leaves AWS to the internet (GB)?

$0.00 / month

Where NAT Gateway costs explode (and where they don't)

NAT Gateway is fine at low traffic volumes. It becomes expensive when one of these patterns is in play:

Container image pulls through ECR over the public route. Every restart pulls hundreds of MBs. At 100+ task restarts/day, you're processing terabytes/month through NAT for traffic that should never have left the AWS internal network. Fix: VPC Interface Endpoints for ECR + S3 Gateway Endpoint.
S3 traffic via the internet route. Without an S3 Gateway Endpoint, S3 traffic from a private subnet hits NAT processing fees plus egress. Fix: S3 Gateway Endpoint (free).
DynamoDB, Secrets Manager, KMS, SSM traffic over NAT. All have Interface Endpoints. At any non-trivial volume, the endpoint hourly fees are dwarfed by the NAT processing savings.
Cross-region replication and backup traffic. Inter-region S3 replication, RDS cross-region read replicas, and backup synchronization can be terabytes/month — all billable if routed through NAT.
Third-party log shipping (Datadog, Splunk, New Relic). Agents on private-subnet hosts ship logs/metrics outbound through NAT. At 10–50 GB/host/month, this compounds quickly across a large fleet.

NAT Gateway vs the alternatives

Pattern	Best for	Approx cost per GB
NAT Gateway	Arbitrary outbound internet traffic from private subnets	$0.045 + $0.09 (if leaving AWS) = $0.135
VPC Interface Endpoint (e.g. ECR, KMS, Secrets Manager)	Private-subnet access to specific AWS services without leaving the AWS network	~$0.01/GB + ~$0.01/hr/AZ
VPC Gateway Endpoint (S3, DynamoDB only)	Private-subnet access to S3 or DynamoDB	$0.00 (free) + standard service charges
Internet Gateway (public subnet)	Workloads that can run in public subnets with hardened SGs	$0.00 + $0.09 egress only
Self-managed NAT instance	Low-volume workloads where you accept managing HA yourself	EC2 hourly cost only; no per-GB processing fee
Cloudflare R2 / Workers (architectural rewrite)	Object storage and edge logic with zero egress fees	$0.00 egress
Bare metal at Vultr / Hetzner (architectural rewrite)	Workloads exceeding 5–10 TB/month outbound where the AWS premium isn't worth it	Included in instance price (typically 10–20 TB/month free)

When NAT Gateway is still the right choice

Despite the bad reputation, NAT Gateway is the correct architecture for plenty of workloads. Specifically:

Private-subnet workloads that need to reach arbitrary third-party APIs and SaaS endpoints (Stripe, Twilio, OpenAI, Slack, etc.) for which no Interface Endpoint exists.
OS updates, package repositories (apt, yum, npm, PyPI) from private subnets — these have no AWS-internal route.
Outbound webhooks, callbacks, and integrations where you can't predict the destination ahead of time.
Low-volume (<100 GB/month) workloads where the engineering cost of architecting around NAT exceeds the bill.

The default pattern that works for most production VPCs: NAT Gateway in 2 AZs for HA, with S3 + DynamoDB Gateway Endpoints and Interface Endpoints for the 4–6 AWS services your workloads use heavily (most commonly ECR, ECR-DKR, KMS, Secrets Manager, SSM, and STS).

How to find your actual NAT Gateway spend

Open AWS Cost Explorer → group by Service and filter to EC2-Other.
Within that, group by Usage Type. Look for NatGateway-Bytes (the data-processing fee) and NatGateway-Hours (the hourly charge).
Compare NatGateway-Bytes against your total outbound data volume. If it's >30% of your VPC's egress, your private-subnet workloads are routing traffic through NAT that doesn't need to.
Drill into VPC Flow Logs for one NAT Gateway over a representative 24-hour window. Group destination IPs by frequency. The top 20 destinations almost always reveal at least one egress-heavy pattern (third-party log shipping, an ECR pull pattern, a missing S3 Endpoint) that's fixable.

Quick-win architectural fixes

Add an S3 Gateway Endpoint on every VPC where private-subnet workloads touch S3. It's free and immediately removes S3 traffic from your NAT bill.
Add a DynamoDB Gateway Endpoint on every VPC with DynamoDB-using workloads. Also free.
Add Interface Endpoints for ECR (ecr.api + ecr.dkr) and ECS if you run containers from private subnets. The hourly fees are dwarfed by the NAT processing savings on container pulls.
Add Interface Endpoints for KMS, Secrets Manager, and SSM. These three are called constantly by application code; pulling them through NAT is pure waste.
Move third-party log shipping through a VPC Endpoint where the vendor offers one (Datadog, Splunk both do).
For egress-heavy workloads above 5 TB/month outbound: consider moving storage to Cloudflare R2 (zero egress fees) or moving the workload to Vultr or Hetzner (10–20 TB included in instance price).

For broader networking and egress strategy, see the guide to reducing AWS egress costs, the zero-egress storage stack, and the AWS vs Vultr egress calculator. For broader AWS cost work, the AWS cost optimization checklist.

NAT Gateway fees >$1,000/month and you're not sure why?

Run a focused FinOps audit. We trace your NAT Gateway traffic by VPC, identify the top egress patterns, and return a prioritized fix list with dollar-impact estimates within 5–7 business days. Free.

Start a FinOps audit →