How One Company Saved $310,000 A Month on NAT

Network Address Translation (NAT) is something every network team has to do. In simple terms, NAT provides a solution for mapping many private IPs of servers and other devices to a single public IP address so they can access the internet. The most common use case for NAT would be your home’s local area network. You have multiple devices (your phone, tablet, TV, smart appliances, etc.) on your LAN using private IPs. When those devices access the internet, your home Wi-Fi router translates each device’s private IP to a public one.

For businesses, suppose an application running in a cloud environment is polling API endpoints for status changes. These network requests need to traverse the public internet to reach the API endpoints. The virtual machine that runs that application inside the cloud needs to have its private IP translated to a public IP. NAT also enhances security by keeping private IPs obfuscated from external networks, which makes it difficult for attackers to target a specific device. NAT also conserves IP address space by allowing many private IPs to be represented by a single public IP.

Why Can NAT Cost So Much?

The leading cloud service providers (CSPs) encourage companies to purchase NAT gateways, typically a fully managed service, through which network addresses are translated before traffic is pushed out to the internet. The cost structure of a cloud’s NAT gateway makes it quite expensive to egress and ingress large amounts of data. In the case of AWS and Azure, the charge is $0.045 per hour for the device plus $0.045 per gigabyte for NAT traffic processed. 

A $0.045 fee on every gigabyte that leaves a cloud doesn’t sound like much, but when GBs turn into PBs (a petabyte is over a million gigabytes), those nickels can quickly turn into hundreds of thousands of dollars each year. 

In a Medium post, a software engineer at the fintech company Chime describes how the company relies on third-party vendors to process customer data for fraud prevention, bill processing, and overdraft protection. That means the data has to go out from Chime’s primary cloud provider to its data processing vendors over the internet and back. For security, all of those private Virtual Private Cloud (VPC) subnets must have their IP addresses translated into a smaller pool of public IP addresses for Chime’s vendors to access that customer data.

Example of AWS NAT Gateway Pricing
Using the AWS Pricing Calculator, one can see that 2 petabytes of data (1PB ingress and 1PB egress) comes out to over $90,000 per month or $1.08 million per year.

How To Avoid Getting NAT-ed Out Of House and Home

There are two network design solutions that can lead to major NAT savings.

One, as the Medium blog post mentions, is to use NAT instances instead of NAT gateways. You manage your NAT instance yourself and only get charged for the traffic going out of the cloud, but not charged for the traffic coming back in. By using NAT instances, Chime was able to slice its NAT costs by over a million dollars per year.

Another workaround is to use a high-bandwidth cloud router with NAT capabilities. One of our customers was spending >$10,000 per day on NAT (~$400,000 per month!). Using a NAT gateway, they pushed high traffic volumes out of their EC2 instance in AWS.

By eliminating the use of a NAT gateway and passing the traffic through a cloud router, the company was able to save an eye-popping $310,000 a month. Because the cloud router was connected to our cloud partners via hosted cloud connectivity, the egress fees are significantly lower than the fees charged when pushing traffic through a NAT gateway and over the public internet.

The Money-Saving Network Design

Here is how one customer designed their network to NAT with our cloud routers:

Figure: Network diagram of a NAT solution using our 100G Cloud Router

In this example, rather than pushing data through the AWS NAT Gateway over the public internet, the customer routed their data through redundant AWS Hosted Direct Connect connections to the PacketFabric private network. By utilizing the PacketFabric 100G Cloud Router with Ingress Source NAT configured, the customer was able to translate their AWS private VPC subnets to a public IP and transfer data out to the internet via our Quick Connect internet service. Not only did this reduce the customer’s NAT costs and save them a ton of cash, they were able to spin this up in a matter of minutes over our award-winning NaaS platform.

Spending Too Much on NAT? Reach Out!

Reducing NAT costs has become one of our most common use cases. If you’re interested in learning more about how you can save big on NAT, reach out to us today.