1

I have a Django app on AWS using ECS Fargate behind a VPC. A NAT gateway is required with this setup, but most of the costs are from the NAT gateway.

How can I reduce this? My Docker image is 600 MB. In CloudWatch there is a graph where I surfed around a bit and generated this many bytes through the NAT gateway. Not sure if this is a normal or a high amount (peak is 124M bytes == 0.124GB).

If there is any other information that you need please ask in the comments.

1
  • How is a NAT gateway required? Required by AWS, marked required by a tutorial, etc. It's used for outgoing traffic only. Can you put your container / application in a public subnet and use an internet gateway?
    – Tim
    Commented Apr 11 at 22:23

1 Answer

0

There is not enough information in your question to know why the NAT gateway is required in your scenario, nor what the different components of the traffic are.

A NAT gateway can become a significant contributor to the overall AWS bill. Depending on your use case, you might reduce it in a few different ways, depending on your architecture and requirements:

  1. If security is still a concern but you cannot afford the associated NAT gateway costs, you might want to consider placing your instances in a public subnet instead, and enforcing the security through security groups. SGs are stateful, meaning even if you block all ingress traffic, responses to the egress traffic will be allowed back in.
  2. If your traffic travelling through the NAT gateway is heading to resources in a different AWS VPC, you might want to consider using VPC peering or a transit gateway instead.
  3. If large portions of the traffic are between your application and AWS services which offer support for VPC endpoints, you may want to use these instead.
3
  • Probably a dumb question but if you use a VPC is a NAT gateway required? Or is it only required when resources are behind a private subnet? Commented Apr 12 at 8:01
  • Both private and public subnets are located inside a VPC. You use NAT GW to provide outbound internet connectivity for instances deployed in private subnets. Commented Apr 12 at 8:05
  • So if there is not a security concern, I can put everything in a VPC, use public subnets and use an internet gateway? Commented Apr 12 at 8:19
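
The answer above turns on what the NAT gateway traffic consists of. One way to find out is to break down VPC Flow Logs for the NAT gateway's network interface by destination; the following is an added example, not code from the question or the answer. The VPC CIDR, ENI ids, prefix list and log records are constructed placeholders, with the prefix list standing in for AWS's published `ip-ranges.json`.

```python
import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range
NAT_ENI = "eni-0aaaaaaaaaaaaaaaa"               # placeholder NAT gateway ENI id

# Constructed stand-in for ip-ranges.json entries (ip_prefix, service).
# These are documentation ranges, not real AWS prefixes.
AWS_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "S3"),
    (ipaddress.ip_network("203.0.113.0/24"), "AMAZON"),
]

# Constructed flow log records in the default (version 2) format.
SAMPLE_LOG = """\
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.5 198.51.100.10 44012 443 6 40 52000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 198.51.100.10 10.0.1.5 443 44012 6 410000 600000000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.5 10.0.2.20 443 51000 6 410000 600000000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 203.0.113.7 10.0.1.5 443 44100 6 3000 4000000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.5 192.0.2.44 44200 443 6 100 120000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 192.0.2.99 10.0.1.5 40000 22 6 2 80 1712870000 1712870060 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.2.20 10.0.1.5 51000 443 6 40 52000 1712870000 1712870060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa - - - - - - - 1712870000 1712870060 - NODATA
"""

def classify(addr):
    """Map a public peer address to the option in the answer that would apply."""
    ip = ipaddress.ip_address(addr)
    for net, service in AWS_PREFIXES:
        if ip in net:
            return "s3" if service == "S3" else "aws_other"
    return "internet"

def nat_bytes_by_destination(log_text):
    totals = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 14 or f[2] != NAT_ENI or f[12] != "ACCEPT" or f[13] != "OK":
            continue  # other ENIs, rejected flows, NODATA/SKIPDATA, malformed lines
        outside = [a for a in (f[3], f[4]) if ipaddress.ip_address(a) not in VPC_CIDR]
        if len(outside) != 1:
            continue  # task-facing leg: both ends inside the VPC, already counted on the outer leg
        totals[classify(outside[0])] += int(f[9])  # field 10 is the byte count
    return dict(totals)

if __name__ == "__main__":
    print(nat_bytes_by_destination(SAMPLE_LOG))
```

A large `s3` or `aws_other` share points to VPC endpoints (option 3), while a mostly `internet` share leaves the public subnet with ingress-closed security groups (option 1) as the cost lever.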
