Cost

Delete unused NAT Gateways

A NAT Gateway with no traffic still bills $32/month — find the orphans and replace them with VPC endpoints where possible.

14 min·10 sections·AWS

Last reviewed 27 May 2026

Unused NAT Gateways: the basics

What does an unused NAT Gateway actually look like?

A NAT Gateway is a managed appliance that lets resources in a private subnet reach the public internet without exposing them to inbound traffic. It's billed in two parts: a flat $0.045 per hour just for being provisioned — about $32.40 per gateway per month — plus $0.045 per GB of traffic processed. The hourly charge runs whether the gateway moves a single byte or terabytes; deletion is the only way to stop it.

An "unused" NAT Gateway is one whose CloudWatch BytesOutToDestination and BytesInFromDestination metrics are flat at zero (or near-zero) over a meaningful window — typically 7 days. It's still sitting in a VPC, still attached to an Elastic IP, still on the bill. The usual causes are mundane: a NAT-per-AZ pattern provisioned for redundancy even though only one AZ has subnets that need it, a NAT left behind after the workload migrated to VPC endpoints, or a dev VPC where the workload was decommissioned but the networking plumbing wasn't.

Wastage checks flag these because the signal is unambiguous: a managed service charging $32/month with no traffic flowing through it is by definition not earning its keep. The risk of deletion is also low — provided you confirm nothing is intermittently using it (cron jobs, weekly batch, monthly compliance scans) and that there's a route-table replacement for any subnet that depends on it.

In this lesson you'll learn how to identify NAT Gateways that aren't moving traffic, how to trace which subnets and workloads depend on them, when to replace a NAT with VPC endpoints (and when not to), and the safe-delete sequence that avoids the cross-AZ data-transfer trap. You'll see real CloudWatch metric pulls, route-table inspection, and the cost math for VPC endpoint replacement.

Fun fact

The NAT-per-AZ tax

AWS docs recommend a NAT Gateway per Availability Zone for high availability. Teams dutifully provision three — one in each AZ — and then deploy a workload that only ever has subnets in two of them. The third NAT sits idle for years, billing $32/month for redundancy that nothing is using. A 100-account organisation following the pattern by default is often quietly paying $30k+/year for NAT Gateways no workload ever routes through.

Hunting an unused NAT in action

Marco is doing a quarterly VPC audit for a fintech with 40-odd AWS accounts. His wastage tooling flags a NAT Gateway in the payments-staging VPC, eu-west-1c, with zero traffic for the last 30 days — $32.40/month wasted on the bill, and the resource has been there for 14 months.

Before deletion he wants two things confirmed: (1) the metric really is flat, not just averaged-flat (a weekly batch could be invisible at the hourly granularity) and (2) which subnets, if any, still route through it. Deleting a NAT that subnets still point at will break egress the moment something tries to use the route.

He starts with the CloudWatch metrics, then walks the route tables and security groups to see whether anything is even pointed at the gateway.

Pull 7 days of NAT Gateway traffic at 1-hour resolution to confirm there's no hidden batch pattern.

$ aws cloudwatch get-metric-statistics --namespace AWS/NATGateway --metric-name BytesOutToDestination --dimensions Name=NatGatewayId,Value=nat-0abc123def456 --start-time $(date -u -d '7 days ago' +%FT%TZ) --end-time $(date -u +%FT%TZ) --period 3600 --statistics Sum Maximum

{

"Datapoints": [

{ "Timestamp": "2026-05-08T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" },

{ "Timestamp": "2026-05-09T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" },

{ "Timestamp": "2026-05-10T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" },

{ "Timestamp": "2026-05-11T00:00:00Z", "Sum": 0.0, "Maximum": 0.0, "Unit": "Bytes" }

]

}

# 7 days, zero bytes out — no batch, no cron, no traffic at all.

Flat zeros over 7 days at hourly granularity — a weekly batch would show up here.

Now find every route table pointing 0.0.0.0/0 at this NAT. Anything you see here will break egress the moment you delete the gateway.

$ aws ec2 describe-route-tables --filters Name=route.nat-gateway-id,Values=nat-0abc123def456 --query 'RouteTables[].{RT:RouteTableId, Subnets:Associations[?SubnetId!=null].SubnetId, VPC:VpcId}'

[

{

"RT": "rtb-0deadbeef1234",

"Subnets": ["subnet-0c0ffee567890"],

"VPC": "vpc-0staging123abc"

}

]

# One route table, one subnet still pointing at this NAT.

# Need to re-route or confirm the subnet is empty before deletion.

A single subnet still routes through this NAT — even though no traffic is flowing today, deletion needs a route swap first.

How NAT Gateway billing actually worksdeep dive

A NAT Gateway is a managed Elastic Network Interface backed by AWS-managed infrastructure inside a single Availability Zone. The $0.045/hour provisioning charge is the cost of that ENI being parked and ready — it's billed by AWS the moment the gateway transitions to available, regardless of traffic. The processing charge ($0.045/GB) is on top, applied to every byte going through the gateway in either direction.

The bill compounds in two ways most teams miss. First, every NAT Gateway holds an Elastic IP, and an unattached EIP is itself billable ($0.005/hour ≈ $3.65/month) — though for an attached NAT the EIP charge is folded into the gateway charge. Second, traffic patterns matter: a workload sending lots of small requests to S3 from a private subnet routes through NAT and pays the $0.045/GB processing fee on every byte, when a VPC Gateway Endpoint for S3 would carry the same traffic for free.

Interface VPC Endpoints (the more general kind, used for most other AWS services) cost roughly $0.01/hour per endpoint per AZ — about $7.20/month each — plus $0.01/GB processed. The crossover with NAT is around 150 GB/month for a single endpoint: above that, the endpoint wins. For very high-volume AWS API traffic, replacing NAT with a handful of endpoints can collapse the NAT bill entirely while improving latency and removing internet-routed traffic from your AWS-to-AWS calls.

# Inspect a NAT Gateway's full state, including attached EIP and creation date.
aws ec2 describe-nat-gateways \
  --nat-gateway-ids nat-0abc123def456 \
  --query 'NatGateways[0].{State:State, CreateTime:CreateTime, SubnetId:SubnetId, EIP:NatGatewayAddresses[0].PublicIp, AllocationId:NatGatewayAddresses[0].AllocationId}'

# After deleting the NAT, release the EIP separately or it keeps billing $3.65/mo.
aws ec2 release-address --allocation-id eipalloc-0xxxxxxxxx

What's the impact of leaving unused NAT Gateways running?

The direct cost is $32.40 per gateway per month — modest individually, but multiplied across an org with hundreds of VPCs and a NAT-per-AZ default, it compounds fast. A 100-account fintech defaulting to 3 NATs per VPC and averaging 4 VPCs per account is paying $1,200/account/year just on provisioning charges. A non-trivial fraction of that is moving zero traffic.

The bigger cost is hidden in the used NATs that should have been replaced. Workloads that hammer S3, DynamoDB, or SQS from private subnets route every byte through NAT at $0.045/GB. A single ML pipeline pulling 5 TB/month from S3 through NAT instead of a Gateway Endpoint is paying $225/month in processing — for traffic that should be free. The wastage check fires on the provisioning waste; the architectural review is what catches the processing waste.

There's a sneaky third-order effect too: cross-AZ data transfer. If a team consolidates from three NATs to one to save provisioning costs, traffic from subnets in the other two AZs now crosses AZ boundaries at $0.01/GB each way. For a noisy workload this can swamp the $64/month they saved on the deleted NATs. The math only works if the consolidating NAT serves subnets in its own AZ or if cross-AZ volume is low.

From a security and compliance angle, idle NAT Gateways also expand the attack surface for very little reason — they hold a public IP that's reachable from the internet's eyes (no inbound traffic, but the IP exists). For PCI / SOC 2 environments, idle networking primitives also clutter the architecture diagram you'll have to defend at audit.

How do you safely clean up unused NAT Gateways?

Deleting NAT is cheap; deleting it without checking is the way to take down egress for a workload that runs once a month. Run the four-step loop below for every flagged gateway.

1. Confirm zero traffic over a real window

Pull BytesOutToDestination and BytesInFromDestination at hourly granularity for at least 7 days, ideally 30. Daily averages can hide a weekly batch job; hourly granularity won't. If you see any non-zero hour, drill into VPC Flow Logs to identify the source before doing anything else.

2. Find every subnet routing through it

aws ec2 describe-route-tables --filters Name=route.nat-gateway-id,Values=... shows every route table with a route pointing at this NAT. For each, either confirm the subnet is empty (no ENIs) or re-point the route at a shared NAT in the same AZ or at a VPC endpoint — before deletion, not after. Forgetting this is how you take down a cron job that runs on the first of the month.

3. Consider VPC endpoints instead of a replacement NAT

If the workload that was using this NAT is talking primarily to AWS services, a Gateway Endpoint (S3, DynamoDB — both free) or a handful of Interface Endpoints ($7.20/mo each + $0.01/GB) is almost always cheaper than re-pointing to a shared NAT and paying $0.045/GB processing. Above ~150 GB/month per service the endpoint wins outright on cost, and it also avoids the internet round-trip for AWS-to-AWS calls.

4. Delete, then release the EIP, then watch for 24-48 hours

Run delete-nat-gateway, then release-address on the associated Elastic IP — easy to miss, and an orphaned EIP keeps billing $3.65/month. Watch CloudWatch and any application alerting for 24-48 hours afterwards; if a long-tail dependency surfaces you can recreate quickly. Tag the deletion in your change log so the next quarterly audit doesn't fire the same finding on a recreated gateway.

# 1. Delete the NAT Gateway (returns immediately; full teardown takes minutes).
aws ec2 delete-nat-gateway --nat-gateway-id nat-0abc123def456

# 2. Wait for it to fully delete before releasing the EIP.
aws ec2 wait nat-gateway-deleted --nat-gateway-ids nat-0abc123def456

# 3. Release the Elastic IP, or it keeps billing $3.65/month standalone.
aws ec2 release-address --allocation-id eipalloc-0xxxxxxxxx

# 4. Confirm no route tables still reference the deleted gateway.
aws ec2 describe-route-tables \
  --query 'RouteTables[?Routes[?NatGatewayId==`nat-0abc123def456`]].RouteTableId'

Quick quiz

Question 1 of 5

A wastage check flags a NAT Gateway with zero BytesOutToDestination over the last 7 days. One route table still has a 0.0.0.0/0 route pointing at it, but the subnet has no running ENIs. What's the right next step?

Keep learning

Go deeper into NAT Gateway economics and the VPC endpoint patterns that replace them.

You've completed Delete unused NAT Gateways. You now know the two-part NAT bill, how to confirm a gateway is genuinely idle, when a VPC endpoint is a better replacement than another NAT, and the four-step delete loop — confirm, re-route, delete, release. The next time the wastage tool flags one, you'll have the route-table check and the cross-AZ math ready before you reach for delete-nat-gateway.

Back to the library

Unused NAT Gateways: cost and justification

A flat hourly charge with no usage threshold — deletion is the only lever

A NAT Gateway bills $0.045 per hour the moment it's provisioned — approximately $32.40 per month per gateway — regardless of whether a single byte of traffic passes through it. There is no idle discount, no auto-scaling to zero, and no cost reduction short of deleting the resource. For finance, this is a uniquely clean wastage signal: any gateway with flat-zero CloudWatch traffic metrics is spending real budget on pure overhead.

The question isn't whether to act but how to justify the spend while it remains on the bill. Standard reasons a team might keep an apparently idle NAT include intermittent scheduled workloads (monthly billing runs, quarterly compliance scans) that produce non-zero traffic on cycles longer than the 7-day default monitoring window, or a subnet that is provisioned but not yet deployed to. Each of these is a legitimate, documentable reason — but it should be a recorded decision with an owner, not a default omission.

From a cost-ownership perspective, treating unused NAT Gateways as a tiering question works well: gateways that serve active workloads are a justified networking cost; gateways that serve scheduled or intermittent workloads should be reviewed against a 30-day window and explicitly approved; gateways with no identifiable workload should be deleted. That creates an auditable disposition for every flagged resource rather than a blanket "ignore the small items" posture.

This lesson is for the finance partner who sees NAT Gateway line items on the bill and wants to understand which ones represent legitimate networking spend versus idle overhead. It covers how to model $32.40/month per gateway against a 30-day traffic window, how to frame each gateway as a justified-spend, under-review, or delete decision, and the governance inputs — traffic window, workload owner, scheduled-use exceptions — that make that disposition auditable. No CLI commands required.

Fun fact

The NAT-per-AZ tax

How the finance partner frames the idle NAT review

Dana is reviewing the monthly wastage report with the platform team. The tooling has flagged nine NAT Gateways across six accounts — collectively $291 per month in provisioning charges with no traffic on any of them for the last 30 days. Dana's first question is not "can we delete all nine" but "do any of these have a workload that runs on a cycle longer than 30 days?"

The team tags three of the nine as serving monthly batch jobs — the traffic window just missed the run. Dana asks for confirmation using a 45-day lookback and notes them as pending-review with an owner and a review date in the next billing cycle. The other six show no traffic in 45 days across any metric and have no active subnets or ENIs pointing at them; Dana agrees those are clear-cut deletions with no business justification for the spend.

The outcome Dana records for the finance pack: six gateways deleted ($194/month recovered), three under active review with documented owners and a 30-day decision deadline. Each flagged resource now has a disposition rather than a silent line item — and the three pending cases are on a calendar, not left to drift.

Why idle NAT Gateways are a budget and governance problem

The direct cost model is clean: $32.40 per gateway per month in provisioning charges, recurring, with no usage floor. A single idle gateway is a modest line; an estate of 40-odd accounts provisioned with 3 NAT Gateways per VPC by default — with several VPCs per account and a fraction of those NATs serving no active workload — aggregates quickly. The provisioning waste is typically in the range of tens of thousands of dollars per year for mid-sized organisations, and it tends to be persistent because nobody has a specific budget owner for idle networking primitives.

The second financial exposure is the replacement-architecture gap. Active NAT Gateways serving heavy AWS-API traffic (S3, DynamoDB, SQS) carry a $0.045/GB processing charge on every byte. A workload pulling several terabytes per month from S3 through NAT may be paying hundreds of dollars per month in processing fees that a free Gateway Endpoint would eliminate entirely. The wastage flag targets idle gateways; the architectural review is what surfaces overpriced active ones.

For compliance and audit, idle network infrastructure creates a less-obvious cost: unexplained public IP addresses on the architecture diagram. PCI-DSS and SOC 2 reviewers ask about every internet-reachable component. Idle NAT Gateways with no workload attached are the kind of item that triggers an audit finding not because they're dangerous but because they can't be explained — adding clean-up time and scope-creep risk to an audit that could otherwise be tight.

What finance owns in the NAT Gateway cleanup process

Finance doesn't run the CLI commands, but it owns the framing that makes each gateway a deliberate spend decision rather than an unchecked line item. Four inputs that make the process work.

1. Set the traffic window at 30 days, not 7

The default 7-day flagging window misses monthly batch jobs, quarterly compliance scans, and end-of-period reconciliation runs. Insist the review cadence uses a 30-day lookback — and for flagged gateways near a known monthly cycle, ask for a 45-day window before approving deletion. A gateway deleted two weeks before a month-end batch breaks a workload in the most visible possible way.

2. Require a named owner and disposition for every finding

Every flagged gateway should have a record: the account, the VPC, an owner team, and a disposition — delete, approved-exception (with reason and review date), or pending-review (with a deadline). This converts idle networking spend from a silent accumulation to an auditable register. The delta month-over-month is a clean budget variance line, not a mystery.

3. Track VPC endpoint savings alongside NAT deletions

When the team chooses to replace a NAT with a VPC endpoint rather than just deleting it, capture the processing-fee saving too. S3 and DynamoDB Gateway Endpoints are free; the avoided $0.045/GB on a data-heavy workload can dwarf the $32 provisioning saving. Report both numbers so the cleanup program's total value is visible, not just the headline deletion count.

4. Watch for the cross-AZ consolidation trap

A common mistake is consolidating three idle NATs down to one to save the provisioning charge, without checking whether the surviving NAT now serves subnets in other AZs. Cross-AZ data transfer costs $0.01/GB each way; for a high-volume workload this can swamp the $64/month saved on the deleted gateways within weeks. Finance should ask: what is the cross-AZ data volume for any workload being re-routed, and does the consolidation math still hold?

Quick quiz

Question 1 of 5

A wastage review flags eight NAT Gateways across four accounts, all showing zero traffic for 30 days — a combined $259/month. Two are in accounts known to run month-end batch jobs. As the finance partner, what is the right response?

Keep learning

Go deeper into NAT Gateway economics and the VPC endpoint patterns that replace them.

You've finished the finance partner's view of unused NAT Gateways. You know the $32.40/month provisioning charge is a fixed cost with no usage floor, why a 30-day traffic window matters more than the default 7-day flag, and the four inputs — realistic traffic windows, named owners, disposition records, and cross-AZ consolidation checks — that turn a recurring wastage alert into a managed, auditable spend line. Next time the wastage report surfaces idle gateways, you'll have the right questions ready before the team reaches for delete.

Back to the library

Unused NAT Gateways: the bottom line

Paying a fixed monthly fee for networking infrastructure no workload is using

A NAT Gateway costs roughly $32 per month whether or not any traffic flows through it. An unused one is straightforwardly a fixed cost with no return — the networking equivalent of paying rent on an empty office. The wastage check identifies gateways where CloudWatch metrics show no traffic for a meaningful period.

At a single-gateway level the number is small. At scale — large organisations commonly have hundreds of VPCs, each provisioned with multiple NAT Gateways by default — it compounds. The leadership question is whether the estate has a policy for reviewing and disposing of idle networking infrastructure, or whether these charges accumulate unexamined. The fix itself is simple; the governance question is whether it happens systematically.

A short read for the executive who wants to understand what the wastage flag means and whether there is a systematic policy behind how the team responds. You'll get the plain-English version of why an idle NAT costs money, why the per-item amount understates the aggregate exposure, and what a well-governed response looks like: a disposition decision per gateway, a recorded reason for any exception, and a process that prevents new idle gateways from accumulating silently.

Fun fact

The NAT-per-AZ tax

What systematic NAT Gateway cleanup looks like at scale

At one company the quarterly infrastructure audit kept surfacing the same pattern: dozens of NAT Gateways flagged as idle, a mixed response from teams, and no central record of what had been reviewed or why anything was left running. The aggregate charge was modest per line item but over $15,000 per year when totalled across the estate.

The change wasn't technical — it was a process. Each flagged gateway had to have a named owner, a 30-day window for a disposition decision (delete, approved-exception, or under-active-review), and a recorded reason. Exceptions were visible in the finance dashboard, not buried in a suppressed-findings list that nobody read.

Within two quarters the idle NAT charge dropped by over 80%. More importantly, new idle gateways stopped accumulating — because the review process created enough friction that teams started deprovisioning NAT infrastructure when they decommissioned workloads, rather than leaving the plumbing running and assuming it was small enough to ignore.

What the idle NAT estate is really costing

The cost is real but easy to underestimate from the top. At $32 per gateway, any individual item looks trivial. The pattern becomes significant when the number is multiplied by default provisioning practices (three NATs per VPC, several VPCs per account, dozens of accounts) and by the fact that nobody reviews them unless prompted. Organisations commonly discover five-figure annual charges on NAT Gateway provisioning that a systematic quarterly review would have caught and cleared.

There is also a risk and compliance dimension. Idle NAT Gateways hold public IP addresses that appear on security audit scopes. For any organisation under PCI-DSS, SOC 2, or similar frameworks, unexplained public endpoints add audit surface and explanation burden — a cost that doesn't show on the infrastructure bill but consumes team time. The leadership question is whether there is a standing process for reviewing and clearing idle network infrastructure, or whether the bill and the audit scope both grow by default.

The governance move on idle NAT Gateways

The leadership goal isn't to get to zero idle gateways this quarter — it's to have a standing process so idle gateways don't accumulate undetected and every exception is a recorded decision.

1. Require disposition decisions, not just deletion counts

A wastage sweep that just deletes everything on the flag list can break monthly batch jobs and scheduled workloads. The right ask is a documented decision per gateway: delete, approved-exception, or under-review with a deadline. That's the signal that the team is managing the estate deliberately rather than reacting to alerts.

2. Ask for the aggregate, not the per-item number

At the quarterly review, the relevant number is the total idle NAT provisioning charge across the estate and the trend — not individual $32 items. If the aggregate is falling and the review register is clean, the process is working. If the aggregate is flat or growing, the process isn't reaching the right teams.

3. Close the decommission gap

Most idle NAT Gateways exist because workloads were decommissioned without cleaning up the network layer. The durable fix is ensuring the decommission checklist for any workload includes network infrastructure teardown — NAT Gateways, Elastic IPs, route-table entries. That prevents the accumulation rather than requiring periodic sweep-and-clean.

Quick quiz

Question 1 of 5

The quarterly infrastructure review shows idle NAT Gateway charges have held flat at roughly $1,200/month for three consecutive quarters despite a recurring wastage sweep. What does this signal?

Keep learning

Go deeper into NAT Gateway economics and the VPC endpoint patterns that replace them.

That's the lesson. Two takeaways: idle NAT Gateway charges are individually small but aggregate significantly at scale, and the persistent ones usually signal a decommission process that doesn't clean up network infrastructure. The leadership question isn't the per-gateway cost — it's whether the estate has a standing process that gives every flagged gateway a disposition decision and closes the gap that lets new idle gateways accumulate in the first place.

Back to the library

Part of the learning path Trim your network spend

Delete unused NAT Gateways

Unused NAT Gateways: the basics

The NAT-per-AZ tax

Hunting an unused NAT in action

How NAT Gateway billing actually worksdeep dive

What's the impact of leaving unused NAT Gateways running?

How do you safely clean up unused NAT Gateways?

1. Confirm zero traffic over a real window

2. Find every subnet routing through it

3. Consider VPC endpoints instead of a replacement NAT

4. Delete, then release the EIP, then watch for 24-48 hours

Quick quiz

Keep learning

Unused NAT Gateways: cost and justification

The NAT-per-AZ tax

How the finance partner frames the idle NAT review

Why idle NAT Gateways are a budget and governance problem

What finance owns in the NAT Gateway cleanup process

1. Set the traffic window at 30 days, not 7

2. Require a named owner and disposition for every finding

3. Track VPC endpoint savings alongside NAT deletions

4. Watch for the cross-AZ consolidation trap

Quick quiz

Keep learning

Unused NAT Gateways: the bottom line

The NAT-per-AZ tax

What systematic NAT Gateway cleanup looks like at scale

What the idle NAT estate is really costing

The governance move on idle NAT Gateways

1. Require disposition decisions, not just deletion counts

2. Ask for the aggregate, not the per-item number

3. Close the decommission gap

Quick quiz

Keep learning

Related cost lessons