The $100k AWS Routing Trap: S3 + NAT Gateways
Your "secure by default" AWS architecture is probably bleeding money, and it has nothing to do with over-provisioned EC2 instances.
Sudden jumps in cloud spend are often not compute at all. They come from unintended data-transfer paths: traffic that quietly takes a metered route when a free one was available.
The Trap: "Secure by Default" Routing
Engineers place their compute instances in private subnets with no public IPs. To grant them access to the outside world, they route outbound traffic through a Managed NAT Gateway.
It is secure. It is standard. And it is a financial landmine.
When that private instance needs to pull data from Amazon S3, the setup backfires. S3 is reached through a public service endpoint, so unless the VPC has a gateway endpoint for S3, the private subnet's default route (0.0.0.0/0) sends every S3 request to the NAT Gateway, which forwards it to the Internet Gateway. The quick check is the route table: a private subnet whose only path to S3 is the NAT route, with no pl-... prefix-list route pointing at a vpce-... gateway endpoint, is in the trap.
The Math: The Double-Metering Penalty
Same-region S3 traffic never actually leaves the AWS network, so there is no data-transfer charge for it; the penalty is that every gigabyte passing through the NAT Gateway is billed as NAT data processing, on top of the gateway's hourly charge (and if the bucket sits in another region, inter-region transfer is billed as well). A gateway endpoint for S3 would have carried the same bytes at no per-GB cost. If you are downloading 10 TB a day for a data pipeline, it resul
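The audit a practitioner would run before the bill arrives, as an added example (this is not code from the original post): it walks route tables in the shape returned by EC2 DescribeRouteTables, flags any table whose default route is a NAT Gateway and which no S3 gateway endpoint (from DescribeVpcEndpoints) is attached to, and estimates the monthly NAT data-processing charge for the volume above. The route tables, endpoints, and IDs below are constructed samples, and the 0.045 USD/GB price is the us-east-1 list price as an assumption you should check against your region.

```python
"""Find private subnets that reach S3 through a NAT gateway instead of a gateway endpoint.

Added example, not from the original post. Runs offline on constructed data
shaped like EC2 DescribeRouteTables / DescribeVpcEndpoints responses.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the shape of DescribeRouteTables output (IDs are made up).
SAMPLE_ROUTE_TABLES = [
    {   # private subnet: default route to NAT, no S3 endpoint -> the trap
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
        ],
    },
    {   # private subnet with an S3 gateway endpoint route (prefix list -> vpce)
        "RouteTableId": "rtb-private-b",
        "Associations": [{"SubnetId": "subnet-private-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
            {"DestinationPrefixListId": "pl-example", "GatewayId": "vpce-0abc"},
        ],
    },
    {   # public subnet: default route straight to the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]

# Constructed sample in the shape of DescribeVpcEndpoints output.
SAMPLE_VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0abc", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-private-b"]},
    {"VpcEndpointId": "vpce-0ddb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "RouteTableIds": ["rtb-private-a", "rtb-private-b"]},
]


@dataclass(frozen=True)
class Finding:
    route_table_id: str
    subnet_ids: tuple[str, ...]
    nat_gateway_id: str


def s3_gateway_route_tables(endpoints) -> set[str]:
    """Route tables an S3 *gateway* endpoint is attached to.

    Only Gateway-type endpoints add routes; a DynamoDB gateway endpoint does
    not help with S3, so the service name is checked too.
    """
    tables: set[str] = set()
    for ep in endpoints:
        if ep.get("VpcEndpointType") == "Gateway" and ep["ServiceName"].endswith(".s3"):
            tables.update(ep.get("RouteTableIds", []))
    return tables


def nat_default_route(route_table) -> str | None:
    """Return the NAT gateway ID if 0.0.0.0/0 points at a NAT gateway, else None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in route:
            return route["NatGatewayId"]
    return None


def find_s3_nat_trap(route_tables, endpoints) -> list[Finding]:
    """Tables whose default route is a NAT gateway and that no S3 gateway endpoint covers."""
    covered = s3_gateway_route_tables(endpoints)
    findings = []
    for rt in route_tables:
        nat = nat_default_route(rt)
        if nat is None or rt["RouteTableId"] in covered:
            continue
        subnets = tuple(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
        findings.append(Finding(rt["RouteTableId"], subnets, nat))
    return findings


def estimate_nat_processing_cost(gb_per_day: float, days: int = 30,
                                 price_per_gb: float = 0.045) -> float:
    """Monthly NAT data-processing charge for bytes a gateway endpoint would carry for free.

    0.045 USD/GB is assumed (us-east-1 list price); the hourly NAT charge is extra.
    """
    return round(gb_per_day * days * price_per_gb, 2)


if __name__ == "__main__":
    # With boto3 the samples would come from (assumed call shape, not run here):
    #   ec2 = boto3.client("ec2")
    #   route_tables = ec2.describe_route_tables()["RouteTables"]
    #   endpoints = ec2.describe_vpc_endpoints()["VpcEndpoints"]
    for f in find_s3_nat_trap(SAMPLE_ROUTE_TABLES, SAMPLE_VPC_ENDPOINTS):
        print(f"{f.route_table_id}: subnets {f.subnet_ids} reach S3 via {f.nat_gateway_id}")
    print(f"10,000 GB/day through NAT for 30 days: ${estimate_nat_processing_cost(10_000):,.2f}")
```

Only rtb-private-a is reported: rtb-private-b already has the S3 gateway endpoint attached, and the public subnet's default route goes to the internet gateway with no NAT in the path. Note that an S3 endpoint of type Interface (PrivateLink) is deliberately not counted, since it adds no route and is billed per hour and per GB itself.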