A Deep Dive into NAT Gateway Alternatives

Few topics in cloud networking raise more debate than the use (and high cost) of cloud NAT gateways. Some say you should never need one, while at the other end of the spectrum NAT gateway users see the service as a must-have, particularly in larger organizations that need a stricter security posture for compliance reasons. Others view the expensive parts of cloud networking as part of the value proposition of outsourcing versus building your own infrastructure (building your own network can be pretty expensive too).

A debate about AWS networking pricing on reddit

Many dev and network teams deploy workarounds to control NAT gateway costs, which, in the case of one of our customers, came to $10,000 a day. The usual workaround starts with closely monitoring egress traffic (VPC Flow Logs on the NAT gateway's network interface are the natural source) so that only the traffic that genuinely has to reach the public internet from a private subnet goes through the NAT gateway. By moving AWS-service traffic onto VPC endpoints and, where the exposure is acceptable, moving some workloads to public subnets, companies can limit NAT gateway spend.

Here are some common alternatives to using cloud NAT gateways:

VPC endpoints with public subnets

NAT gateways exist so that instances in private subnets (which have no public IP and no inbound route from the internet) can initiate connections to the public internet. Two things reduce the need for one. First, VPC endpoints: a gateway endpoint (S3 and DynamoDB, no extra charge) or an interface endpoint (most other AWS services, billed per hour and per GB) lets instances reach AWS services over the provider's network, so that traffic never touches the NAT gateway at all, and the instances can stay in a private subnet. Second, public subnets: an instance with a public IP and a route to the internet gateway needs no NAT for its own egress. The downside of the second option is that the instance's public IP is reachable from the internet and will be scanned, so its security groups and network ACLs become the only thing between it and threat actors, whereas a private-subnet instance has no inbound path at all. Put the two together and the pattern is: keep workloads private, route AWS-service traffic to endpoints, and reserve the NAT gateway for the remaining third-party internet destinations. CloudZero does a great job of laying out five steps for how to scrutinize your NAT gateway traffic and migrate some of it to VPC endpoints.
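The first step in both the monitoring approach above and the VPC endpoint migration is to find out what the NAT gateway is actually carrying. The script below is an added example, not code from the original post or from CloudZero: it parses default-format (version 2) VPC Flow Log records, such as the ones captured on a NAT gateway's network interface, and buckets the accepted egress bytes by where they could go instead. The flow log lines and the service prefix table are constructed samples; in practice the prefixes are loaded from AWS's published ip-ranges.json (the S3 and DynamoDB ranges are illustrative, and the "KMS" range uses a documentation network and is purely made up) and the log would be queried from the flow-log bucket, but the classification logic is the same.

```python
"""Classify NAT gateway egress from VPC Flow Logs by where it could go instead of the NAT gateway.

Categories:
  gateway_endpoint   - AWS services with free gateway endpoints (S3, DynamoDB)
  interface_endpoint - other AWS services reachable via PrivateLink interface endpoints
  internal           - RFC 1918 destinations; these should never reach a NAT gateway
                       and usually indicate a missing peering/Transit Gateway route
  internet           - third-party destinations that genuinely need NAT (or a public subnet)
"""
import ipaddress
from collections import defaultdict

# Constructed sample records in the default version-2 flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 52.216.10.5 44321 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 52.94.1.9 44322 443 6 40 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 203.0.113.200 50001 443 6 25 30000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 198.51.100.7 50002 443 6 300 450000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.3.9 50003 5432 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.2 44323 80 6 5 800 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed stand-in for the service/prefix pairs in ip-ranges.json.
# Load the real list from https://ip-ranges.amazonaws.com/ip-ranges.json in practice.
SAMPLE_PREFIXES = {
    "S3": ["52.216.0.0/15"],          # illustrative S3 range
    "DYNAMODB": ["52.94.0.0/22"],     # illustrative DynamoDB range
    "KMS": ["203.0.113.128/25"],      # made-up range (documentation network) for an interface-endpoint service
}
GATEWAY_ENDPOINT_SERVICES = {"S3", "DYNAMODB"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Yield accepted flow records as dicts; skip NODATA/SKIPDATA, rejects and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["action"] != "ACCEPT":   # NODATA records carry '-' here and are dropped too
            continue
        yield rec


def build_matcher(prefixes):
    """Return a function mapping an IP string to the AWS service owning it, or None."""
    nets = [(ipaddress.ip_network(p), svc) for svc, plist in prefixes.items() for p in plist]

    def match(addr):
        ip = ipaddress.ip_address(addr)
        for net, svc in nets:
            if ip in net:
                return svc
        return None
    return match


def classify(dst, match):
    """Bucket a destination address into one of the four egress categories."""
    ip = ipaddress.ip_address(dst)
    if any(ip in n for n in PRIVATE_NETS):
        return "internal"
    svc = match(dst)
    if svc in GATEWAY_ENDPOINT_SERVICES:
        return "gateway_endpoint"
    if svc is not None:
        return "interface_endpoint"
    return "internet"


def summarize(log_text, prefixes):
    """Aggregate accepted bytes per category and list the heaviest true-internet destinations."""
    match = build_matcher(prefixes)
    by_cat = defaultdict(int)
    by_dst = defaultdict(int)
    for rec in parse_flow_log(log_text):
        cat = classify(rec["dstaddr"], match)
        nbytes = int(rec["bytes"])
        by_cat[cat] += nbytes
        if cat == "internet":
            by_dst[rec["dstaddr"]] += nbytes
    total = sum(by_cat.values())
    movable = total - by_cat["internet"]   # bytes that need not traverse the NAT gateway
    return {
        "bytes_by_category": dict(by_cat),
        "movable_fraction": movable / total if total else 0.0,
        "top_internet_destinations": sorted(by_dst.items(), key=lambda kv: -kv[1])[:5],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOW_LOG, SAMPLE_PREFIXES))
```

Only ACCEPT records are counted, since rejected flows were never billed by the NAT gateway. Anything landing in the internal bucket deserves a look at the route table before any cost discussion: a private destination reached through a NAT gateway means the 10/8 (or peering) route is missing, and the traffic is being hairpinned out and back for no reason.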

NAT instances

In some cases you can run your own NAT instances (an EC2 instance with IP forwarding and masquerading enabled and source/destination checking turned off), but you have to administer them yourself. If connectivity breaks because the instance is down, unpatched, or saturating its bandwidth, you fix it. A single NAT instance is also a single point of failure and a throughput bottleneck, so a production deployment usually means one per Availability Zone plus some failover mechanism. Part of the value of a NAT gateway is that it is a managed service that scales itself and comes with a Service-Level Agreement, so downtime is the provider's problem rather than yours. People who have considered NAT instances often don't want to be the point of failure when there is an outage.

Security groups

Another alternative to NAT gateways for private subnets is to put the instances in public subnets and rely on security groups to block unsolicited inbound traffic. Security groups do not hide anything: the instance still has a public IP on an internet-routable subnet, it will still show up in port scans, and a single permissive rule exposes it. Like NAT instances, the rule sets are yours to maintain, and for larger deployments security professionals will point out that an instance in a private subnet has no inbound path from the internet at all, which is a stronger guarantee than a filter that merely has to be kept correct.


Transit Gateways

AWS has provided its own workaround to help customers control NAT gateway costs. By using dual-stack Virtual Private Clouds (VPCs) and a Transit Gateway to create a single internet exit point, you can concentrate all your outbound internet traffic in one egress VPC and run far fewer NAT gateways. Note that this consolidates rather than eliminates the cost: the Transit Gateway charges for each GB it processes, and the central NAT gateway still charges its own data-processing fee.

Other NAT devices

There are also a number of homegrown and third-party NAT devices on the market, some of them colorfully named. Technically, NAT is just a function of a suitably capable router, and some people use load balancers to perform it.

We help many customers do NAT via our 100G Cloud Router. For customers pushing a lot of traffic through NAT gateways, a 100G Cloud Router configured for NAT gives them the best of both worlds in terms of having a device that:

1. Performs NAT, keeping traffic from private subnets secure on PacketFabric's carrier-grade global network.

2. Is operated by PacketFabric, so customers don't have to purchase or manage the devices themselves and are never the point of failure.

As one of our customers put it, “I get to have weekends again.”

For more on how to configure NAT on our 100G Cloud Router, hit our Knowledge Base.

Are NAT Gateways Worth The Cost?

The NAT use cases for our customers are varied, and there isn't a one-size-fits-all approach to securing your data in the cloud. For many companies, NAT gateways are worth the cost because they don't have to manage this network function; outsourcing infrastructure and networking to a hyperscaler is the same reason they don't run everything on-prem or build their own data centers. Other companies prefer the control of managing their own NAT function, whether that means running NAT instances or using their own purchased NAT devices.

Need help controlling your NAT gateway costs or redesigning your network to manage NAT more cost-effectively? Talk to one of our sales engineers.