CASE 49 · MARROW · 2024
The NAT gateway bill that nobody had been looking at.
An adtech platform’s monthly network charges had quietly grown to $34k — most of it NAT Gateway egress for traffic that should never have been leaving the VPC. We mapped the egress flows, added VPC Endpoints for the AWS-bound traffic, and used PrivateLink for the third-party flows.
Adtech platform · COST · 2024
RESULTS
What changed, by the numbers.
NETWORK BILL: −71%
NAT DATA-PROCESSED: −84%
ENDPOINTS DEPLOYED: 23
LATENCY: −9%
HOW IT WENT
VPC Flow Logs gave us the truth: 84% of NAT egress was traffic to AWS service endpoints (S3, DynamoDB, KMS, Secrets Manager). The team had thought this was already going through VPC endpoints, but the endpoints had been provisioned in only one of three VPCs.
We deployed Gateway Endpoints for S3 and DynamoDB across all VPCs (cost: zero), and Interface Endpoints for the remaining AWS services. Six high-traffic third-party APIs got PrivateLink connections. The NAT Gateways stayed for the residual internet egress, but the data processed dropped 84%.
The network bill fell to $10k a month. The partner API calls got 9% faster because PrivateLink routes them over the AWS backbone instead of the public internet. The team built an AWS Config rule to alert on any new VPC without the standard endpoint set.
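An added example (not the engagement's own tooling) of the flow-log triage step described above: it reads VPC Flow Log records on the NAT Gateway's ENI, matches destinations against service prefixes in the shape of AWS's published ip-ranges.json, and reports how much NAT-processed egress was actually bound for AWS services. The ENI id, prefixes and records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed subset in the shape of AWS's published ip-ranges.json;
# the prefixes are documentation ranges, not real AWS allocations.
IP_RANGES = {"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "service": "S3"},
    {"ip_prefix": "198.51.100.0/25", "service": "DYNAMODB"},
    {"ip_prefix": "198.51.100.128/25", "service": "KMS"},
]}
NAT_ENI = "eni-0aaa000000000nat1"  # constructed ENI id of the NAT Gateway
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aaa000000000nat1 10.0.1.5 203.0.113.10 43210 443 6 120 600000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa000000000nat1 10.0.1.5 198.51.100.20 43211 443 6 40 150000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa000000000nat1 10.0.2.9 198.51.100.200 43212 443 6 10 50000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa000000000nat1 10.0.2.9 192.0.2.77 43213 443 6 30 200000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa000000000nat1 203.0.113.10 10.0.1.5 443 43210 6 200 900000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb000000000app1 10.0.1.5 192.0.2.77 43214 443 6 5 10000 1700000000 1700000060 ACCEPT OK
"""


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify_nat_egress(flow_logs, nat_eni, ip_ranges):
    """Sum accepted egress bytes on the NAT ENI by destination AWS service.

    Only private-source to non-private-destination records count as egress, so the
    return leg and other interfaces are skipped; unmatched destinations are INTERNET.
    Returns (bytes_by_service, share_of_bytes_bound_for_aws_services).
    """
    ranges = [(ipaddress.ip_network(p["ip_prefix"]), p["service"]) for p in ip_ranges["prefixes"]]
    by_service = defaultdict(int)
    for line in flow_logs.splitlines():
        f = line.split()
        if len(f) < 14 or f[2] != nat_eni or f[12] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
        if not is_rfc1918(src) or is_rfc1918(dst):
            continue
        service = next((s for net, s in ranges if dst in net), "INTERNET")
        by_service[service] += int(f[9])
    total = sum(by_service.values())
    aws_bytes = total - by_service.get("INTERNET", 0)
    return dict(by_service), (aws_bytes / total if total else 0.0)
```

On real data, point it at the NAT Gateway's ENI in your flow logs and the full ip-ranges.json; anything that lands in S3, DYNAMODB, KMS or SECRETSMANAGER is a candidate for a Gateway or Interface Endpoint.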
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.