
Need Help Reducing NAT Gateway Costs and Monitoring Lambda Traffic

0

Hello Team,

I hope you’re doing well.

I am currently using a NAT Gateway in my AWS infrastructure to allow internet access for a Lambda function that resides in a private subnet. However, I’ve noticed a significant increase in NAT Gateway charges recently, and I would like to optimize costs.

Here’s a brief overview of my setup:

  • Lambda function is in a private subnet.
  • EC2 and RDS are hosted in public subnets.
  • A NAT Gateway is used to enable the Lambda function to communicate with external services (e.g., Amazon, eBay APIs).

I need assistance with the following:

  1. Cost Optimization: What are the best practices to reduce NAT Gateway charges in this setup?

  2. Monitoring Traffic Through NAT Gateway: I want to monitor and analyze all the requests going through the NAT Gateway from the Lambda function, such as API calls, HTTPS requests, and any other outbound traffic. This is important because our Lambda interacts with multiple third-party services and marketplaces (e.g., Amazon, eBay, etc.). What tools or services can help me get detailed visibility into this traffic?

I would appreciate any guidance, suggestions, or resources from the community to help me address these two points.

Thank you in advance for your support!

asked a year ago, 382 views
3 Answers
0

Thanks for your answer.

I have already enabled VPC Flow Logs and I’m receiving logs, which include details such as:

  • Source and destination IP addresses
  • Ports
  • Protocols

However, this level of detail is not sufficient for my use case. What I actually need is deeper visibility into the traffic from my Lambda function in the private subnet, specifically:

  • Which external APIs or HTTPS URLs the Lambda function is accessing
  • The frequency and volume of requests to each API/URL
  • Identification of traffic related to specific marketplaces we use (e.g., Amazon, eBay, etc.)

The goal is to understand how much of the NAT Gateway usage is caused by each external API or service, so I can optimize or re-architect accordingly.

Is there a way to capture this level of detail using AWS-native tools (like CloudWatch, X-Ray, or something else), or do I need to implement custom logging within the Lambda function itself?

Any guidance or recommendations would be greatly appreciated.

Thank you!

answered a year ago
  • I assume you know what your Lambda function is doing? That would be my starting point, to be fair, to know what hosts it needs to target. If you have no VPC Endpoints set up, then apart from accessing your RDS, it will all be going via the NAT gateway. This is why I mentioned moving to non-VPC-attached.

  • I would start with reviewing your function code to understand what targets it needs and go from there. You can also enable query logging on the VPC resolver to help: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
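On the question of custom logging inside the function: the following is an added example in Python, not code from this thread or from AWS, of what per-invocation accounting of outbound calls could look like. It assumes a Python Lambda that uses http.client, a constructed handler, and an invented hostname api.amazon.example standing in for a marketplace API. It meters request and response bodies per host and prints one JSON summary line per invocation; whatever a handler prints is delivered to CloudWatch Logs, where Logs Insights can aggregate the summaries by host.

```python
"""Per-invocation accounting of outbound HTTPS calls from a Lambda function.

Added example, not code from the re:Post thread. Hostnames and the handler are
constructed; only body bytes are counted (headers and TLS overhead are not), so the
figures are a lower bound on NAT-billed bytes but remain proportional per host.
"""
import http.client
import io
import json
import time
from collections import defaultdict


def new_stats():
    """Fresh per-invocation counters keyed by 'host:port'."""
    return defaultdict(lambda: {"requests": 0, "bytes_out": 0, "bytes_in": 0, "ms": 0.0})


def record_call(stats, host, port, bytes_out, bytes_in, elapsed_ms):
    """Add one outbound call to the running totals and return the updated entry."""
    entry = stats[f"{host}:{port}"]
    entry["requests"] += 1
    entry["bytes_out"] += bytes_out
    entry["bytes_in"] += bytes_in
    entry["ms"] += elapsed_ms
    return entry


def summarize(stats, request_id):
    """Build the structured log record: one line per invocation, totals per host, largest first."""
    hosts = sorted(stats.items(), key=lambda kv: -(kv[1]["bytes_out"] + kv[1]["bytes_in"]))
    return {
        "request_id": request_id,
        "total_bytes": sum(v["bytes_out"] + v["bytes_in"] for v in stats.values()),
        "hosts": [{"host": h, **v} for h, v in hosts],
    }


class MeteredHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that reports body sizes and latency of each request into `stats`."""

    def __init__(self, host, port=443, *, stats, **kwargs):
        super().__init__(host, port, **kwargs)
        self._stats = stats
        self._pending = None  # (bytes_out, start_time) of the request awaiting a response

    def request(self, method, url, body=None, headers=None, **kwargs):
        size = len(body) if isinstance(body, (bytes, bytearray)) else 0
        self._pending = (size, time.monotonic())
        super().request(method, url, body=body, headers=headers or {}, **kwargs)

    def getresponse(self):
        resp = super().getresponse()
        payload = resp.read()  # read fully so the size is known
        bytes_out, started = self._pending or (0, time.monotonic())
        record_call(self._stats, self.host, self.port, bytes_out, len(payload),
                    (time.monotonic() - started) * 1000)
        resp.read = io.BytesIO(payload).read  # hand the buffered body back to the caller
        return resp


def lambda_handler(event, context):
    """Constructed handler: calls the invented marketplace API and logs the per-host summary."""
    stats = new_stats()
    conn = MeteredHTTPSConnection("api.amazon.example", stats=stats)  # hostname is invented
    conn.request("GET", "/orders", headers={"User-Agent": "example/1.0"})
    resp = conn.getresponse()
    orders = resp.read()
    conn.close()
    print(json.dumps(summarize(stats, context.aws_request_id)))  # one line per invocation in CloudWatch Logs
    return {"status": resp.status, "order_bytes": len(orders)}
```

With the summary emitted as JSON, a Logs Insights query can sum `hosts.*.bytes_in` and `bytes_out` per host across invocations, which is the per-API breakdown the flow logs alone cannot give.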

0

I'd want to know a little more about your environment, as it's unclear what your requirements are and what the purpose of the EC2s/RDS/Lambda functions is. What does your Lambda function do and why does it need internet access? You don't have to have it VPC attached if you do not wish or need to. If adhering to NIST you need to. If you're connecting to Aurora, then you could use the Data API if possible instead of a SQL connection, etc.; then you wouldn't need a NAT gateway for the function.

A little worried your RDS is in a public subnet? Best practices dictate resources unless necessary,

EXPERT
answered a year ago
  • Our EC2 instance is hosted in a public subnet and is used to host the application.

    Our RDS instance is located in a public subnet, but public access is disabled and security groups ensure that only necessary resources can connect.

    The Lambda functions are serverless and deployed via our pipeline. They require internet access for specific external API calls that are integral to our application's functionality.

    We have attached these Lambda functions to a VPC because they also need to interact with the RDS instance within the subnet.

    We understand that Data API is an option, but at this point, we rely on SQL-based connections for more granular control and performance considerations.

    We appreciate your suggestion and will continue evaluating options like the Data API and ensuring adherence to NIST guidelines wherever possible.

    Please let me know if you'd like further details or if there are additional best practices you recommend we consider.

0

To address your concerns about NAT Gateway costs and monitoring Lambda traffic, here are some recommendations:

  1. Cost Optimization for NAT Gateway:
  • Consider using a NAT instance instead of a NAT Gateway. While this requires more management overhead, it can be significantly cheaper, especially if you don't need high availability.

  • If your Lambda function only needs access to specific AWS services, you could use VPC Endpoints instead of a NAT Gateway. This allows private communication with supported AWS services without the need for internet access.

  • If possible, run your Lambda function in the default Amazon-provided VPC instead of your custom VPC. This eliminates the need for a NAT Gateway altogether.

  • If your system can support it, consider switching to IPv6. With IPv6, you can use an Egress-Only Internet Gateway instead of a NAT Gateway, which is more cost-effective.

  2. Monitoring Traffic Through NAT Gateway:

To monitor and analyze requests going through the NAT Gateway from your Lambda function, you can use VPC Flow Logs. This AWS-recommended tool captures detailed network traffic data, including:

  • Source and destination IP addresses
  • Ports
  • Protocols
  • Traffic volume

To set this up:

  1. Enable VPC Flow Logs for your VPC or the specific subnet where your Lambda function resides.
  2. Configure the logs to be sent to CloudWatch Logs or S3 for analysis.
  3. Use CloudWatch Logs Insights or a third-party log analysis tool to query and visualize the data.

This approach will give you visibility into all outbound traffic from your Lambda function, including API calls to Amazon, eBay, and other third-party services.

Remember that while monitoring is important, it's crucial to balance the cost of monitoring with the insights gained. VPC Flow Logs do incur some additional charges, so factor this into your cost optimization strategy.

By implementing these suggestions, you should be able to reduce your NAT Gateway costs while gaining better visibility into your Lambda function's network traffic.
Sources:
  • NAT Gateway TOO expensive | AWS re:Post
  • Monitoring network traffic in AWS Lambda functions | AWS Compute Blog
  • How can I know what my NAT Gateway consumption is? | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
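The flow-log steps above stop at IP addresses, and the comment on the earlier reply suggests Route 53 Resolver query logging; joining the two gives the per-API breakdown the question asks for. The following is an added example in Python, not code from this thread or from AWS, that performs that join over constructed sample records: default-format VPC Flow Log lines, resolver query-log records reduced to query_name and answers (field names assumed from the service's documented schema), a constructed VPC CIDR of 10.0.0.0/16, a constructed Lambda ENI address of 10.0.1.25, and invented .example hostnames standing in for the marketplace APIs. Traffic to a peer outside the VPC CIDR is treated as NAT-bound, which holds for the setup described (no VPC endpoints).

```python
"""Attribute NAT-bound bytes in VPC Flow Logs to hostnames via resolver query logs.

Added example, not code from the re:Post thread. All addresses, names and records
below are constructed sample data; 10.0.1.25 plays the Lambda ENI and the
203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges stand in for
external API endpoints.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed flow-log lines in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 111122223333 eni-0abc123 10.0.1.25 203.0.113.10 43210 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 10.0.1.25 198.51.100.20 43211 443 6 40 31000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 10.0.1.25 10.0.2.40 43212 3306 6 900 450000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 203.0.113.10 10.0.1.25 443 43210 6 200 1500000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc123 10.0.1.25 203.0.113.10 43213 443 6 10 4000 1700000060 1700000120 REJECT OK
2 111122223333 eni-0abc123 10.0.1.25 192.0.2.99 43214 443 6 15 12000 1700000060 1700000120 ACCEPT OK
""".splitlines()

# Constructed Route 53 Resolver query-log records (JSON, one per line), reduced to the
# fields this example reads; the field names are an assumption about the service schema.
RESOLVER_LOG_LINES = [
    json.dumps({"query_name": "api.amazon.example.", "query_type": "A",
                "answers": [{"Rdata": "203.0.113.10", "Type": "A"}]}),
    json.dumps({"query_name": "api.ebay.example.", "query_type": "A",
                "answers": [{"Rdata": "198.51.100.20", "Type": "A"}]}),
    json.dumps({"query_name": "cdn.ebay.example.", "query_type": "A",
                "answers": [{"Rdata": "edge.ebay.example.", "Type": "CNAME"},
                            {"Rdata": "198.51.100.21", "Type": "A"}]}),
]

VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # constructed VPC range
MARKETPLACES = {"amazon.example": "Amazon", "ebay.example": "eBay"}  # suffix -> label (constructed)
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
               "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_line(line):
    """Split one default-format flow-log line into a dict; 'bytes' becomes an int."""
    rec = dict(zip(FLOW_FIELDS, line.split()))
    rec["bytes"] = int(rec["bytes"])
    return rec


def leaves_vpc(ip, vpc_cidrs=VPC_CIDRS):
    """True when the peer is outside the VPC CIDRs; with no VPC endpoints that flow used the NAT gateway."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in vpc_cidrs)


def build_ip_to_name(resolver_lines):
    """Map every A/AAAA answer in the resolver query logs to the name that was queried."""
    ip_to_name = {}
    for line in resolver_lines:
        rec = json.loads(line)
        name = rec["query_name"].rstrip(".")
        for ans in rec.get("answers", []):
            try:
                ipaddress.ip_address(ans["Rdata"])
            except ValueError:
                continue  # CNAME or other non-address answer
            ip_to_name[ans["Rdata"]] = name
    return ip_to_name


def attribute_bytes(flow_lines, resolver_lines, lambda_ips):
    """Sum accepted NAT-bound bytes per resolved hostname, split by direction.

    Only flows with a Lambda ENI on one side and an address outside the VPC on the
    other count; in-VPC traffic (RDS, EC2) and rejected flows are ignored. Peers with
    no matching DNS answer are reported as 'unresolved:<ip>' rather than dropped.
    """
    ip_to_name = build_ip_to_name(resolver_lines)
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0})
    for line in flow_lines:
        rec = parse_flow_line(line)
        if rec["action"] != "ACCEPT":
            continue
        if rec["srcaddr"] in lambda_ips and leaves_vpc(rec["dstaddr"]):
            peer, direction = rec["dstaddr"], "bytes_out"
        elif rec["dstaddr"] in lambda_ips and leaves_vpc(rec["srcaddr"]):
            peer, direction = rec["srcaddr"], "bytes_in"
        else:
            continue
        name = ip_to_name.get(peer, "unresolved:" + peer)
        totals[name][direction] += rec["bytes"]
        totals[name]["flows"] += 1
    return dict(totals)


def summarize_by_marketplace(per_host, marketplaces):
    """Roll per-hostname totals up to marketplace labels by domain suffix; the rest is 'other'."""
    summary = defaultdict(int)
    for name, counts in per_host.items():
        label = next((lbl for suffix, lbl in marketplaces.items()
                      if name == suffix or name.endswith("." + suffix)), "other")
        summary[label] += counts["bytes_out"] + counts["bytes_in"]
    return dict(summary)


if __name__ == "__main__":
    per_host = attribute_bytes(FLOW_LOG_LINES, RESOLVER_LOG_LINES, {"10.0.1.25"})
    for name, c in sorted(per_host.items(), key=lambda kv: -(kv[1]["bytes_out"] + kv[1]["bytes_in"])):
        print(f"{name:28} out={c['bytes_out']:>9} in={c['bytes_in']:>9} flows={c['flows']}")
    print(summarize_by_marketplace(per_host, MARKETPLACES))
```

Note the asymmetry the sample shows: the response from the first API is fifteen times the request, so cost attribution has to count both directions, and an 'unresolved' bucket keeps traffic to addresses the function never looked up (hard-coded IPs, cached answers from before logging was enabled) visible instead of vanishing from the totals.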
