Reduce Your AWS NAT Gateway Costs with alterNAT


3 min read

AWS Managed NAT Gateway is a widely-used service that provides seamless internet access for resources within a private VPC subnet. However, its cost structure has been a pain point for many AWS users, with high fees for both hourly usage and data processing. Moreover, the lack of viable alternatives often forces users to choose between cost and functionality. In this blog post, we will discuss a promising open-source alternative called alterNAT and walk you through its technical implementation.

What is alterNAT?

AlterNAT is an open-source solution that aims to reduce AWS NAT Gateway costs by using NAT instances instead of NAT Gateways, eliminating the data processing charges. It is suitable for users who have large amounts of data per month with NAT Gateway and are looking for cost savings without compromising functionality.

Technical Implementation:

Architecture Overview:

AlterNAT uses NAT instance Auto Scaling Groups, one per availability zone, along with a corresponding standby NAT Gateway. Both components are deployed using the Terraform module located in modules/terraform-aws-alternat.

Integrating alterNAT with Existing VPCs:

If you are using the terraform-aws-vpc Terraform module and wish to switch from its NAT Gateway to alterNAT's NAT Gateway, follow these steps.

  1. Here's a snippet of an existing VPC Terraform code:
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name                  =
  cidr                  = ""
  secondary_cidr_blocks = [""]
  azs                   = ["ap-southeast-3a", "ap-southeast-3b"]
  private_subnets       = ["", "", "", ""]
  public_subnets        = ["", ""]
  enable_nat_gateway    = true
  single_nat_gateway    = true
  enable_dns_hostnames  = true

  public_subnet_tags = {
    "${var.eksdata["cluster_name"]}" = "shared"
    ""                               = "1"

  private_subnet_tags = {
    "${var.eksdata["cluster_name"]}" = "shared"
    ""                      = "1"

  tags = {
    GithubRepo = "terraform-aws-eks"
    GithubOrg  = "terraform-aws-modules"
  1. Modifying the NAT involves changing the route table, and downtime is unavoidable, so plan accordingly.

  2. Remove the current NAT Gateway, apply the Terraform code

     enable_nat_gateway    = false
  3. Add alterNAT after applying the above code.

    Don't forget to include cidr_blocks; otherwise, private subnets will be unable to connect to alterNAT.

     locals {
       vpc_az_maps = [
         for index, rt in module.vpc.private_route_table_ids
         : {
           az                 = data.aws_subnet.subnet[index].availability_zone
           route_table_ids    = [rt]
           public_subnet_id   = module.vpc.public_subnets[index]
           private_subnet_ids = [module.vpc.private_subnets[index]]
     data "aws_subnet" "subnet" {
       count = length(module.vpc.private_subnets)
       id    = module.vpc.private_subnets[count.index]
     module "alternat_instances" {
       source = "git::"
       nat_instance_type = "m6g.medium"  
       lambda_package_type = "Zip"
       vpc_id      = module.vpc.vpc_id
       vpc_az_maps = local.vpc_az_maps
     resource "aws_security_group_rule" "allow_all" {
       type              = "ingress"
       protocol          = "-1"
       from_port         = 0
       to_port           = 0
       cidr_blocks       = ["",""]
       security_group_id = module.alternat_instances.nat_instance_security_group_id
  4. Chose the right instance type.

    By comparing data processing costs against the instance type for alterNAT, you can identify the optimal instance type while considering its network bandwidth.


AlterNAT is an excellent alternative for AWS users looking to reduce their NAT Gateway costs without sacrificing functionality. By using NAT instances instead of NAT Gateways, users can save on data processing charges while still maintaining internet access for their resources within a private VPC subnet. However, it's essential to consider the drawbacks and limitations, such as the loss of NAT table state, before implementing alterNAT in your infrastructure.

For more information and a detailed guide on using alterNAT, please refer to the official GitHub repository alterNAT.