This blog covers how AWS and Aviatrix, working together, reduce AWS NAT Gateway cost while improving security.
NAT Gateway Use-Cases in the Cloud
A NAT (Network Address Translation) Gateway in the public cloud provides outbound Internet connectivity (also called egress connectivity) for resources in the private subnets of a VPC (Virtual Private Cloud). Through it, users, services, applications and developers can download software updates and security patches, connect to code repositories such as GitHub, reach SaaS services, or communicate with any other resource on the public Internet.
Most commonly, when an application team migrates to the cloud or deploys a new application, it stands up a NAT Gateway right away to get this outbound access working.
The following diagram depicts a typical NAT gateway deployment in AWS.
AWS NAT Gateway Challenges
Although AWS NAT Gateway is a convenient service, it has design and operational challenges that enterprises should know about, mainly in three areas: high cost, limited visibility and a lack of security controls. Let's go over these challenges one by one.
The AWS NAT Gateway can be very costly for enterprises that move a lot of data, because of its pricing structure.
The cloud is a consumption-based model in which the customer pays data-processing charges, and depending on how much traffic passes through these services the bill can become astronomical. It is important to understand how the cloud service provider charges both for the service itself and for data processing.
AWS NAT Gateway pricing is made up of the following components:
- NAT Gateway charge per hour
- NAT Gateway charge per GB processed
In us-east-1, AWS charges $0.045 per hour per NAT Gateway, plus $0.045 per GB processed (prices vary slightly by region): https://aws.amazon.com/vpc/pricing/ Data transfer out of AWS to the Internet is billed separately, on top of these charges.
Say a travel web site runs 100 VPCs and each sends around 2.5 TB a day through its NAT gateway. That is roughly 91 PB a year, and at $0.045 per GB the data-processing charge alone comes to about $4 million a year, before the hourly charge for each gateway is added.
For example, a customer sending
Beyond these two line items, enterprises must be aware of the other associated AWS NAT Gateway costs listed below. For the scope of this blog we look mainly at the data-processing cost, but the others add up.
| Other AWS NAT Gateway and Associated Cost | Description |
|---|---|
| Data Processing Cost | NAT Gateway is charged on the data the service processes, per gigabyte (GB). This cost grows with the volume of data processed. |
| Log Analysis Cost | NAT Gateway traffic can be analysed through VPC Flow Logs, by a third-party tool or an AWS native service. In either case there is a cost associated with it. |
| Log Storage Cost | NAT Gateway log storage is critical for compliance and governance because Internet egress traffic is involved. Retention can span months to multiple years, and storing that volume in S3 or CloudWatch Logs is charged per GB-month. |
| Monitoring Cost | NAT Gateway publishes its metrics to CloudWatch; dashboards, alarms and any third-party monitoring built on those metrics carry their own charges. |
| Additional Security Services Cost | The only filtering around an AWS NAT Gateway is IP/port/protocol-based (network ACLs on its subnet; security groups do not apply to NAT gateways). For Internet egress traffic, enterprises must deploy additional services such as L4/L7 firewalls, anomaly detection, URL filtering, threat detection and prevention, and micro-segmentation to enhance their security posture. These services can be very costly and lead to a very complex design. |
Overall, the cost of using AWS NAT Gateway can be significant, especially for customers with high data processing volumes.
Visibility into an AWS NAT Gateway is limited. What you get comes from VPC Flow Logs on the gateway's network interface and from CloudWatch metrics: source and destination IP, port, protocol, packet and byte counts. There is no application-level or FQDN context, so building a picture of what actually traverses the gateway means enabling, storing and analysing those logs, which may still be inadequate in an enterprise scenario and adds to the AWS bill.
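To make the limits of flow-log visibility concrete, here is an added example (not code from the original post or from Aviatrix) that parses constructed VPC Flow Log records in the AWS default format, as they would appear on a NAT gateway's network interface, and aggregates egress bytes per destination. The interface ID, account number and timestamps are made up, and the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for Internet destinations; the "allowed ports" set is an assumption for the sake of the example.

```python
"""Summarize what a VPC Flow Log on a NAT gateway's network interface can tell
you about egress traffic.  Added example, not code from the original post or
from Aviatrix.  The records and addresses are constructed (RFC 5737
documentation ranges stand in for Internet destinations); the field order is
the AWS default flow-log format (version 2)."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: six records from the NAT gateway ENI (made-up IDs).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0123456789abcdef0 10.0.1.25 203.0.113.20 49152 443 6 120 184320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.25 203.0.113.20 49153 443 6 8000 10485760 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.40 192.0.2.55 49200 443 6 300 2097152 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.3.11 198.51.100.7 49300 4444 6 50 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.3.11 60000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - - 1700000000 1700000060 - NODATA
"""


def is_rfc1918(addr):
    """True for private (RFC 1918) IPv4 addresses; checked explicitly because
    ipaddress.is_private also matches the documentation ranges used above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flow_logs(text):
    """Yield one dict per well-formed default-format record with log-status OK."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                        # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":       # skip NODATA / SKIPDATA placeholders
            yield rec


def egress_flows(text):
    """Accepted flows from private address space to a non-private destination."""
    for rec in parse_flow_logs(text):
        if (rec["action"] == "ACCEPT"
                and is_rfc1918(rec["srcaddr"])
                and not is_rfc1918(rec["dstaddr"])):
            yield rec


def bytes_by_destination(text):
    """Return (per-destination byte totals, overall total).  The key is an IP
    address only: the flow log carries no hostname, so whether 203.0.113.20 is
    the code repository you expect or a look-alike cannot be answered here."""
    by_dst = defaultdict(int)
    for rec in egress_flows(text):
        by_dst[rec["dstaddr"]] += int(rec["bytes"])
    return dict(by_dst), sum(by_dst.values())


def unexpected_port_flows(text, allowed_ports=(80, 443)):
    """Egress flows to destination ports outside the expected set (assumed set):
    about the best a flow-log-only setup can do, and only after the fact."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"]))
            for r in egress_flows(text)
            if int(r["dstport"]) not in allowed_ports]


if __name__ == "__main__":
    totals, total = bytes_by_destination(SAMPLE_FLOW_LOGS)
    for dst, b in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{dst:>16}  {b:>12} bytes")
    print(f"total egress: {total} bytes ({total / 1024**3:.4f} GiB)")
    print("unexpected ports:", unexpected_port_flows(SAMPLE_FLOW_LOGS))
```

Everything the script reports is derived from addresses, ports and byte counts; that is the whole picture a NAT gateway's flow log can give, and the suspicious connection to port 4444 is only visible after the flow has already completed.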
AWS NAT Gateway is meant to provide NAT and is not meant to be a security service. However, as enterprise use cases become more sophisticated, enterprises are looking for tighter control over the traffic entering and leaving their application environment.
One example is policy-based, FQDN-based rules.
The NAT Gateway is not designed for this: the only rules that apply around it (network ACLs on its subnet) are based on IP, port and protocol, and security groups do not apply to NAT gateways at all. Customers cannot create centralized L7 FQDN-based egress rules on it, and there is no way to apply rules that block traffic dynamically without rewriting the underlying IP addresses, which can change without notice. AWS NAT Gateway does not block malicious IP addresses by default; customers rely on a service such as Amazon GuardDuty for threat detection, which incurs additional cost just to alert on a malicious actor on the Internet, and which detects rather than blocks.
In the majority of cases, customers who deploy NAT Gateway end up also deploying threat detection such as GuardDuty to add security and minimize compliance risk.
AWS + Aviatrix Joint NAT Gateway Solution
Aviatrix, a leading provider of secure cloud networking software, is partnering with AWS to offer a NAT Gateway solution as part of its Secure Egress offering. Aviatrix Secure Egress has built-in advanced NAT functionality that securely allows Internet access for business-critical applications and workflows.
Aviatrix NAT Gateways are deployed on AWS as EC2 instances and provide a highly scalable, visible, secure and cost-effective solution for customers who need NAT functionality for their applications inside AWS. No architecture change is needed, deployment takes minutes, and the rollout is non-disruptive.
The following picture depicts the deployed Aviatrix Secure Egress solution with NAT capabilities.
With this joint solution, customers can use the Aviatrix gateway instances to perform advanced Network Address Translation (NAT) for their private cloud resources, while also taking advantage of Aviatrix's embedded security and built-in visibility capabilities, such as:
- Distributed Cloud Firewall
- URL filtering
- Threat detection/prevention
- Zero-Trust Centralized Security Policy
- Anomaly detection
- Enhanced visibility and troubleshooting options
Because Aviatrix does not charge for data processing, many Aviatrix customers are seeing cost savings or re-investing the savings in new AWS cloud services. Note that the gateway's EC2 instance hours are still billed by AWS, as is data transfer out to the Internet (which applies equally to an AWS NAT Gateway); what goes away is the per-GB NAT data-processing charge.
| AWS + Aviatrix Solution Joint Value | Description |
|---|---|
| Data Processing Cost | The joint solution does not charge for data processing |
| Log Analysis Cost | There is no separate cost for log analysis |
| Log Storage Cost | There is no separate cost for log storage |
| Monitoring Cost | There is no separate cost for monitoring |
| Additional Visibility | Aviatrix provides built-in visibility via NetFlow, syslog, etc. without additional cost |
| Additional Security | Security is embedded without additional cost |
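The following is an added example (not code from the original post, and not an Aviatrix or AWS calculator) that puts the two pricing models discussed above, the AWS NAT Gateway charges from the cost section and the no-per-GB model of the joint solution, into a small annual cost model and works through the travel-site scenario. The NAT Gateway prices are the us-east-1 list prices; `EC2_GATEWAY_HOURLY` is an assumed placeholder for whatever the replacement gateway instance costs per hour, not a quote for any instance type or product, and TB is converted to GB in decimal units for simplicity.

```python
"""Annual egress cost: AWS NAT Gateway versus an EC2-based gateway with no per-GB
processing fee (the pricing model the joint solution above describes).  Added
example, not code from the original post or from Aviatrix.  NAT Gateway prices
are the us-east-1 list prices from https://aws.amazon.com/vpc/pricing/ ($0.045
per hour, $0.045 per GB); EC2_GATEWAY_HOURLY is an assumed placeholder, not a
quote for any instance type or product.  Data transfer out to the Internet is
charged the same way in both designs, so it is left out of the comparison."""

HOURS_PER_YEAR = 24 * 365
NAT_GW_HOURLY = 0.045          # USD per NAT Gateway per hour (us-east-1)
NAT_GW_PER_GB = 0.045          # USD per GB processed (us-east-1)
EC2_GATEWAY_HOURLY = 1.00      # assumed placeholder for the replacement gateway
GB_PER_TB = 1000               # decimal units for simplicity


def aws_nat_gateway_annual(gateways, gb_per_year):
    """Hourly plus data-processing charges for `gateways` NAT Gateways for a year."""
    hourly = gateways * HOURS_PER_YEAR * NAT_GW_HOURLY
    processing = gb_per_year * NAT_GW_PER_GB
    return {"hourly": round(hourly, 2),
            "processing": round(processing, 2),
            "total": round(hourly + processing, 2)}


def ec2_gateway_annual(gateways, gb_per_year,
                       instance_hourly=EC2_GATEWAY_HOURLY, per_gb=0.0):
    """Same shape for a gateway billed as EC2 instance hours with no per-GB fee."""
    hourly = gateways * HOURS_PER_YEAR * instance_hourly
    processing = gb_per_year * per_gb
    return {"hourly": round(hourly, 2),
            "processing": round(processing, 2),
            "total": round(hourly + processing, 2)}


def savings_percent(baseline_total, alternative_total):
    """Percentage saved by the alternative relative to the baseline."""
    return round(100 * (1 - alternative_total / baseline_total), 1)


def breakeven_gb_per_gateway_year(instance_hourly=EC2_GATEWAY_HOURLY):
    """Yearly volume per gateway above which the per-GB NAT fee outweighs the
    higher instance-hour cost of the EC2 gateway; 0 if the instance is cheaper."""
    extra_hourly_cost = (instance_hourly - NAT_GW_HOURLY) * HOURS_PER_YEAR
    return max(0.0, extra_hourly_cost / NAT_GW_PER_GB)


def travel_site_example():
    """The blog's scenario: 100 VPCs, each about 2.5 TB/day through its gateway."""
    gateways, tb_per_day_each = 100, 2.5
    gb_per_year = gateways * tb_per_day_each * GB_PER_TB * 365
    aws = aws_nat_gateway_annual(gateways, gb_per_year)
    ec2 = ec2_gateway_annual(gateways, gb_per_year)
    return aws, ec2, savings_percent(aws["total"], ec2["total"])


if __name__ == "__main__":
    aws, ec2, pct = travel_site_example()
    print("AWS NAT Gateway :", aws)
    print("EC2 gateway     :", ec2)
    print(f"saving          : {pct}%")
    print(f"break-even      : {breakeven_gb_per_gateway_year():,.0f} "
          "GB per gateway per year")
```

The break-even function is the number to check before migrating: with the placeholder instance price, a gateway has to push roughly 186 TB a year (about half a terabyte a day) before the saved per-GB fee covers the higher instance-hour cost, so low-volume VPCs may be cheaper on the AWS NAT Gateway even though the high-volume ones are not. Swap in the real hourly price of the gateway instance you intend to run to get your own figure.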
Aviatrix Cost Savings Examples
According to a recent study, NAT Gateway can be a significant cost driver for AWS customers, accounting for up to 20% of their overall AWS costs. With the Aviatrix NAT Gateway solution, customers can save up to 75% on their NAT Gateway costs, making it a desirable option for businesses of all sizes.
Aviatrix NAT Gateway Visibility Example
Aviatrix NAT Gateway Security Examples
Threat detection: the same gateway that performs NAT can also act as the firewall.
The joint NAT Gateway solution from Aviatrix and AWS offers a low-cost, low-risk, highly available way for businesses to enhance their cloud network security while reducing IT spending. It provides enhanced NAT gateways that can be deployed in under an hour without architectural changes. The solution gives deep application-level visibility into Internet egress traffic, allowing businesses to control data transfer charges. Based on the customer survey, Aviatrix Secure Egress saves up to 70% versus an AWS NAT Gateway. With centralized management, threat prevention and URL filtering, businesses can improve their network security and lower their TCO.
How to Get Started
Aviatrix has released a self-service tool for customers to see the solution in action and to migrate their AWS NAT Gateway to the Aviatrix + AWS NAT Gateway.
The following Terraform code is available for customers to integrate the NAT Gateway upgrade into their CI/CD or DevOps toolset.
TCO Calculator tool