NAT vs No-NAT
Egress patterns.
Overview
NAT versus no-NAT is the choice of how private workloads reach the internet. NAT gateway is the obvious answer and the expensive one (per-byte plus per-hour). VPC endpoints route AWS-internal traffic without going through NAT. IPv6 direct egress bypasses NAT entirely on dual-stack VPCs. Centralized egress through a firewall replaces NAT for compliance-driven inspection. The discipline is matching the egress pattern to the workload rather than defaulting to NAT for everything.
- NAT gateway. Private subnets reach the internet via NAT; simple, but the per-byte cost compounds at scale.
- IPv6 direct. IPv6-direct egress on dual-stack VPCs bypasses NAT, so those bytes never incur the NAT per-byte charge; the cost differential is real.
- VPC endpoints. Traffic to AWS services (S3, DynamoDB, Secrets Manager) stays inside the VPC; this removes that traffic from the NAT data-processing bill.
- Egress via firewall, plus NAT cost. Centralized egress through a firewall for inspection where compliance demands it; the NAT gateway's per-byte cost catches teams that route everything through NAT by default.
The approach
The practical approach: VPC endpoints first for AWS-internal traffic (S3, DynamoDB and Secrets Manager all have endpoint support); IPv6 where the dual-stack network supports it (v6 egress bypasses NAT); NAT gateway as the default for everything else (the simple case, where the cost is acceptable); a centralized egress firewall for compliance-driven inspection; and a per-VPC egress design documented in the network repo.
- VPC endpoints first. S3, DynamoDB and Secrets Manager all support endpoints; this removes AWS-internal traffic from NAT permanently.
- IPv6 where possible. IPv6-direct egress bypasses NAT on dual-stack VPCs; a modern pattern with real cost savings.
- NAT gateway as default. When the other patterns do not fit; the simple option for general internet egress.
- Centralized egress firewall plus documented choice. Egress firewall for compliance-driven inspection; the per-VPC egress design is committed to the network repo.
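A route-table audit for the approach above, added here as an example and not code from the page or from any AWS tooling: it takes route tables in the shape returned by EC2 describe-route-tables (constructed sample data with placeholder resource ids), names each table's IPv4 and IPv6 egress pattern, and flags tables where AWS-service traffic still traverses NAT or a dual-stack VPC has no IPv6 egress path. The pattern names and finding labels are this example's own.

```python
def default_target(routes, key, cidr):
    """Name the next-hop kind of the default route for one address family."""
    for r in routes:
        if r.get(key) != cidr:
            continue
        if "NatGatewayId" in r:
            return "nat"
        if "EgressOnlyInternetGatewayId" in r:
            return "eigw"  # IPv6 direct egress, no NAT in the path
        gw = r.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "igw"
        if gw.startswith("vpce-"):
            return "firewall"  # default route handed to a firewall endpoint
    return "none"

def classify(rt):
    """Classify one route table's egress pattern and flag NAT-wasting shapes."""
    routes = rt["Routes"]
    v4 = default_target(routes, "DestinationCidrBlock", "0.0.0.0/0")
    v6 = default_target(routes, "DestinationIpv6CidrBlock", "::/0")
    # A dual-stack VPC shows an IPv6 'local' route in each of its route tables.
    dual_stack = any("DestinationIpv6CidrBlock" in r and r.get("GatewayId") == "local" for r in routes)
    # Gateway endpoints (S3, DynamoDB) appear as prefix-list routes targeting vpce-*.
    endpoints = [r["GatewayId"] for r in routes
                 if "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")]
    findings = []
    if v4 in ("nat", "firewall") and not endpoints:
        findings.append("aws-service-traffic-not-on-endpoints")
    if dual_stack and v6 == "none":
        findings.append("dual-stack-without-ipv6-egress")
    return {"id": rt["RouteTableId"], "ipv4": v4, "ipv6": v6,
            "endpoints": endpoints, "findings": findings}

# Constructed sample data (not from any real account): two private route tables.
SAMPLE = [
    {"RouteTableId": "rtb-nat-only", "Routes": [
        {"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    {"RouteTableId": "rtb-disciplined", "Routes": [
        {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0ccc"},
        {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0ddd"}]},
]

if __name__ == "__main__":
    for rt in SAMPLE:
        print(classify(rt))
```

The first sample table is the "everything through NAT" shape the page warns about; the second has the gateway endpoint and the IPv6 egress-only path, so it produces no findings.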
Why this compounds
Egress pattern discipline compounds across years. Each VPC endpoint deployment removes traffic from NAT permanently; each IPv6-direct path saves NAT bytes durably; the team builds intuition for AWS egress economics that pays off on every new VPC.
- NAT cost. VPC endpoints and IPv6 reduce NAT bytes; the bill tracks actual internet egress rather than internal traffic that should not have hit NAT.
- Security. Centralized egress supports inspection where compliance demands; the firewall sees the traffic NAT would have hidden.
- Operational fit. Right pattern for each VPC; the network shape matches the workload.
- Institutional knowledge. Each design decision teaches AWS networking; the team learns where each pattern earns its place.
NAT vs no-NAT is an infrastructure discipline that pays off across years. Nova AI Ops integrates with networking telemetry, surfaces egress patterns, and supports the team’s networking discipline.