Compliance & SecOps

NAT Gateways are Leaking Your Data (and Your Budget)

A technical takedown of the default Public Subnet + NAT Gateway pattern. Why VPC Interface Endpoints are cheaper, more secure, and audit-friendly.

Tags: AWS, Networking, Security

The default AWS VPC wizard hands you a Public Subnet, a NAT Gateway, and a route to the internet for "egress." It's the most expensive and most leaky default in the cloud.

What the NAT Gateway actually does

It lets every workload in your VPC talk to any IP on the internet. S3, DynamoDB, KMS, Secrets Manager, and Bedrock all live on the internet from your VPC's point of view — so a compromised container can exfiltrate to pastebin.com with the same ease it calls s3.amazonaws.com.

It also costs you twice: $0.045/hour for the gateway plus $0.045 per GB processed. A modestly chatty fleet of containers can rack up $1k+/month in NAT processing alone, most of it traffic to AWS services that didn't need to leave the AWS backbone.

What VPC Interface Endpoints do instead

A PrivateLink endpoint puts a private IP for the AWS service inside your subnet. Traffic to that service never touches the public internet, never traverses the NAT, never hits the egress meter.

Before:                              After:
App ─► NAT ─► Internet ─► S3        App ─► VPCe ─► S3 (private)
        $$$         leaky                   (no egress, no leak)

Pair it with an aws:VpcSourceIp condition in your bucket policy and S3 will refuse requests from anywhere but your VPC.

The audit win

Three questions the auditor will ask:

  1. "How do you prevent a compromised app from exfiltrating to the internet?"
  2. "Can you prove this S3 bucket is only accessible from your network?"
  3. "What's your egress logging?"

With NAT, the answers are "egress filtering, hopefully", "trust IAM", and "VPC Flow Logs, somewhere." With VPC Endpoints + a no-NAT private subnet, the answers are "there is no route to the internet", "the bucket policy proves it", and "every endpoint call is in CloudTrail with the source ENI."

The migration

  1. Add Gateway Endpoints for S3 and DynamoDB (free).
  2. Add Interface Endpoints for the AWS APIs your apps actually use (Secrets Manager, KMS, ECR, Bedrock, etc.).
  3. Update route tables to remove the NAT route from sensitive subnets.
  4. Move workloads that don't need any internet access to no-NAT subnets.
  5. Watch the NAT bill drop. Watch the SOC2 finding close.
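Two helpers that back the audit answers above: the bucket policy with the aws:VpcSourceIp condition, and a check for step 3 that flags any route table whose default route still points at a NAT gateway. This is an added example, not code from the original post; the bucket name, VPC CIDR and the route-table JSON (in the shape `aws ec2 describe-route-tables` returns) are constructed sample values.

```python
import json


def vpc_only_bucket_policy(bucket: str, vpc_cidr: str) -> dict:
    """Bucket policy that denies every request whose source is not a private
    IP in the VPC. Requests that never traverse a VPC endpoint carry no
    aws:VpcSourceIp key, and NotIpAddress on a missing key evaluates true,
    so they are denied too. Caveat: this also locks out admins and CI running
    outside the VPC; only the account root user can still replace the policy,
    so trial it on a scratch bucket first."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAccessFromOutsideVpc",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"NotIpAddress": {"aws:VpcSourceIp": vpc_cidr}},
        }],
    }


def nat_routes(route_tables: dict) -> list:
    """Return (route-table-id, nat-gateway-id) for each 0.0.0.0/0 route that
    still goes through a NAT gateway, i.e. subnets that are not yet no-NAT."""
    findings = []
    for rt in route_tables["RouteTables"]:
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in route:
                findings.append((rt["RouteTableId"], route["NatGatewayId"]))
    return findings


# Constructed sample: the first table still has a NAT default route; the second
# has only the VPC-local route plus an S3 gateway endpoint (prefix-list) route.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-aaaa1111", "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]},
  {"RouteTableId": "rtb-bbbb2222", "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationPrefixListId": "pl-00000000", "GatewayId": "vpce-0abc0abc0abc0abc0"}]}
]}""")

if __name__ == "__main__":
    print(json.dumps(vpc_only_bucket_policy("example-bucket", "10.0.0.0/16"), indent=2))
    for rt_id, nat_id in nat_routes(SAMPLE_ROUTE_TABLES):
        print(f"{rt_id}: default route still via {nat_id}")
```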

The default isn't safe. The default is just the default.

Further reading: VPC Endpoints docs.
