The $100k AWS Routing Trap: S3 + NAT Gateways (and how to fix it with Terraform)
Source: Dev.to
Your “secure by default” AWS architecture may be bleeding money, and it’s rarely caused by over‑provisioned EC2 instances. Sudden spikes in cloud spend are usually the result of unintended data‑transfer paths.
The hidden cost of NAT Gateways
- Compute instances are placed in private subnets with no public IPs.
- Outbound traffic is routed through a Managed NAT Gateway to reach the internet.
- When those instances need to pull data from Amazon S3, the traffic is sent to the public S3 endpoint, exits the VPC via the Internet Gateway, and then passes back through the NAT Gateway.
Because S3 is a public service endpoint, the data leaves the AWS backbone and is metered twice. For a pipeline that downloads 10 TB per day, you’re effectively billed for 20 TB of egress.
You end up paying for:
- NAT Gateway hourly uptime
- NAT Gateway processing fee – $0.045 per GB
- Standard internet egress fees
The fix: VPC Gateway Endpoint for S3
Collapse the routing path by creating a VPC Gateway Endpoint for S3. Traffic then stays entirely within the AWS backbone, bypassing the NAT Gateway, and the internal transfer cost drops to $0.00.
Terraform example
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"

  # A gateway endpoint only changes routing for the route tables it is associated with;
  # without this, private subnets keep sending S3 traffic through the NAT Gateway.
  # aws_route_table.private is assumed to be the private subnets' route table.
  route_table_ids = [aws_route_table.private.id]
}
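The snippet above creates the endpoint; to actually divert S3 traffic, every private route table has to be associated with it, and since the endpoint opens a path that bypasses the NAT Gateway it is worth constraining which buckets that path can reach. The following is an added example, not code from the original post: it assumes an existing aws_vpc.main, a map-valued aws_subnet.private (one subnet per availability zone), var.region, and a var.allowed_buckets list, all hypothetical names.

```hcl
# Added example (not from the original post). Assumed names: aws_vpc.main,
# aws_subnet.private (map keyed by availability zone), var.region, var.allowed_buckets.
variable "allowed_buckets" {
  description = "S3 bucket names the private workloads may reach through the endpoint"
  type        = list(string)
}

# One private route table per private subnet. The existing 0.0.0.0/0 route to the
# NAT Gateway (if you still need it for non-S3 traffic) is not shown and stays as-is;
# the endpoint injects a more specific prefix-list route that wins for S3 traffic.
resource "aws_route_table" "private" {
  for_each = aws_subnet.private
  vpc_id   = aws_vpc.main.id
  tags     = { Name = "private-${each.key}" }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private[each.key].id
}

# Gateway endpoint for S3, associated with every private route table so that
# no subnet is left routing S3 traffic through the NAT Gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [for rt in aws_route_table.private : rt.id]

  # Endpoint policy: the same route that saves money must not become a free path
  # to arbitrary buckets, so only the approved buckets are reachable through it.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOnlyApprovedBuckets"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = flatten([
        for b in var.allowed_buckets : ["arn:aws:s3:::${b}", "arn:aws:s3:::${b}/*"]
      ])
    }]
  })

  tags = { Name = "s3-gateway-endpoint" }
}

# Exposed so the injected routes can be checked: after apply, each private route
# table should carry a route whose destination is this prefix list and whose
# target is the endpoint.
output "s3_endpoint_prefix_list_id" {
  value = aws_vpc_endpoint.s3.prefix_list_id
}
```

Two caveats when verifying the change: a gateway endpoint only serves S3 in its own region, so traffic to buckets in another region still takes the NAT Gateway, and the endpoint policy governs only requests that pass through the endpoint. If the bucket itself should accept traffic only from this VPC, pair the endpoint policy with a bucket policy that conditions on the endpoint ID (the aws:SourceVpce condition key).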
Why it matters
- Data gravity determines your baseline cost.
- Routing determines the multipliers that can explode that baseline.
Further resources
- Open‑source routing mitigation models: cloud‑egress‑patterns (GitHub)
- Full architectural deep‑dive on cross‑region VPC peering costs: The Physics of Data Egress (Rack2Cloud Control Plane)