AWS NAT Gateway pricing — and how to cut it.

On an AWS NAT Gateway, the data-processing charge is a per-gigabyte fee billed on every byte that passes through the gateway, in addition to a per-hour charge for the gateway itself. The rate is $0.045 per GB (us-east-1, dated 2026-06-14, directional), on top of $0.045 per gateway-hour. It applies to all traffic, inbound-initiated reply or outbound, regardless of destination — so the bill grows with volume and never stops. AWS Network Firewall adds its own separate data-processing charge of $0.065 per GB on top, so filtered egress is metered per GB twice.

An AWS NAT Gateway bills two ways: $0.045 per gateway-hour plus $0.045 per GB of data processed (us-east-1, dated 2026-06-14, directional). A single gateway running all month is roughly $33 in hourly charges before any traffic; add the per-GB data-processing charge and a workload pushing 5 TB/month lands near $258/month — for connectivity only, with no filtering. Most teams run a NAT Gateway per Availability Zone for resilience, which multiplies the hourly line.

It is the $0.045-per-GB fee AWS applies to every gigabyte a NAT Gateway processes, separate from the per-hour gateway fee. It is easy to miss when budgeting because the NAT Gateway looks like cheap plumbing at $0.045/hour — but the per-GB line scales directly with how much your private subnets talk to the internet, and on a busy estate it dwarfs the hourly cost.

Route outbound traffic through a flat-priced network virtual appliance instead of a metered NAT Gateway. Enforza is a single Linux VM in your own AWS network that does secure source-NAT — the same outbound translation a NAT Gateway provides — under a flat per-firewall licence with $0/GB. You pay only the EC2 instance plus the flat Enforza licence, with no per-GB data-processing charge, so the bill stops scaling with egress. Migration is a route-table change: point the route that currently exits via your NAT Gateway at the Enforza instance.

Yes — a NAT instance or a flat-priced managed appliance. A NAT instance (a NAT AMI on an EC2 VM, such as the open-source fck-nat) removes the per-GB data-processing charge but is unmanaged: no filtering, no policy, no fleet management, and it is your job to keep it patched and highly available. Enforza is the managed option: a single VM that does secure NAT and FQDN/SNI-based L7 egress filtering, self-patches, and is managed from one console — at a flat per-firewall price with no per-GB charge.

Yes. AWS Network Firewall bills $0.395 per endpoint-hour per Availability Zone (roughly $288/month per AZ before any traffic) plus a data-processing charge of $0.065 per GB (us-east-1, dated 2026-06-14, directional). Because you still need a NAT Gateway for connectivity, securing egress on AWS means stacking two products — each with its own per-hour fee and its own per-GB data-processing charge, two per-GB meters on the same traffic. Enforza replaces both with one flat-priced appliance at $0/GB.

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — at $0/GB, plus the EC2 instance you run it on. Against an AWS NAT Gateway stacked with Network Firewall (two per-hour fees plus two per-GB data-processing charges, duplicated per Availability Zone), the flat line typically lands 60–80% cheaper at modest egress, and the gap widens as your traffic grows because the Enforza line stays flat while the metered stack climbs. Rates are directional and dated — run your own numbers in the savings calculator.

No. Enforza removes the per-GB data-processing tax and the per-hour managed-firewall and NAT-gateway fees, and replaces them with one flat per-firewall licence. You still pay AWS for the EC2 instance the firewall runs on (typically $100–$200/month at modest egress) and for normal data-transfer-out where it applies. The saving is on the firewall and NAT metering, not on AWS's underlying infrastructure.