From Managed NAT to Self-managed NAT: Embracing a FinOps Mindset for Effective Cloud Cost Management

Effective cloud cost management can be achieved by implementing a self-managed NAT

Written by: Shay El Gold
Published on: July 17, 2024
Topic: Application Security

At Kodem, our Engineering teams are breaking new ground in application security, development, and infrastructure. This article outlines a best practice our DevOps team developed to optimize our cloud infrastructure costs. In this post, we will explore the significant cost savings achievable by transitioning from managed NAT instances to self-managed NAT instances.

What is NAT?

NAT, or Network Address Translation, is a method used in networking to allow devices with private IP addresses to access the internet. Private IP addresses are typically used within a local network and are not routable on the public internet. NAT enables these devices to connect to external networks, including the Internet, by translating their private IP addresses to public IP addresses.

Figure 1. Here is how traffic flows via NAT

What are the benefits of moving to a self-managed instance?

The answer is simple… to reduce cloud costs.

Organizations of all sizes, from startups to large enterprises, consume tens to thousands of gigabytes, or even terabytes, of data monthly. While incoming traffic from the internet to the cloud is free on both Google Cloud Platform (GCP) and Amazon Web Services (AWS), using cloud-managed NAT incurs fees for incoming traffic.

AWS NAT Gateway: $0.045 Per GB
GCP Cloud NAT: $0.045 Per GB

Consider a SaaS product that queries third-party tools and pulls Docker images, with a monthly traffic volume of 50TB. The cloud bill for routing this traffic through managed NAT would be 50 * 1024 * $0.045 = $2,304.

Some businesses continue to utilize managed NAT due to its advantageous features, including automatic scaling, regular security updates, and built-in monitoring capabilities.

The Alternative: Self-Managed NAT Instance

We can avoid this cloud cost by using a self-managed instance with both public and private IPs in the same network as the VMs. If we create our own NAT instance and route some or all of the traffic through it, we can significantly reduce costs from $0.045 per GB to $0.00 per GB for inbound traffic, and only pay for the instance costs.

For AWS users, there’s a popular open-source Terraform module called fck-nat that handles NAT instance management. The rest of this post focuses on the GCP implementation.

Five Easy Steps to Set Up a Self-Managed NAT Instance in GCP

1. Create the NAT instance:

  1. Service account (for fine-grained access)
  2. Public IP (better to allocate it before the instance, so that the IP is fixed)
  3. The instance will use the two components above. When powered on, it will install the software required for forwarding traffic between the VM and the internet.
    Note: The instance type determines the maximum traffic it can pass through, so make sure to choose accordingly.

Note: To make a clean Linux machine forward traffic, we use iptables and its successor, nftables.

2. Create a routing rule with a tiny delay and an optional firewall rule

3. Create a test instance and conduct testing before releasing it to a wider group of instances


4. Log in to the test instance to validate connectivity to the internet

You can validate connectivity to the internet and run performance tests, such as iperf, to assess maximum performance between the VM and the NAT instance.

Once your system is ready to go live, you can update the tag in the routing from step three to the tag you want to use. This will allow you to enjoy cloud cost-reduction benefits.
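The forwarding setup that step 1 installs on the NAT instance could look like the following. This is an added example, not the author's script. It assumes a single NIC named `ens4`, a VPC range of `10.128.0.0/16`, nftables already installed, and a VM created with IP forwarding allowed; all names and ranges are constructed.

```shell
#!/bin/sh
# Added example: boot-time NAT setup for the instance (constructed values).
# Assumptions: single NIC "ens4", VPC range 10.128.0.0/16, nftables installed,
# and the VM was created with IP forwarding allowed (gcloud --can-ip-forward).
set -eu

# Shape-check the interface name and IPv4 CIDR, so a value taken from
# instance metadata cannot smuggle extra nftables statements into the ruleset.
valid_iface() {
  case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  [ "${#1}" -le 15 ]
}
valid_cidr() {
  case "$1" in *[!0-9./]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the ruleset: masquerade VPC-sourced traffic leaving for non-VPC
# destinations, and forward nothing except those flows and their replies.
nat_ruleset() {  # $1 = interface, $2 = VPC CIDR
  valid_iface "$1" && valid_cidr "$2" || return 1
  cat <<EOF
table ip nat_gw
delete table ip nat_gw
table ip nat_gw {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $2 ip daddr != $2 oifname "$1" masquerade
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $2 ip daddr != $2 oifname "$1" accept
  }
}
EOF
}

# Enable kernel forwarding and load the ruleset in one transaction (needs root).
apply_nat() {
  rules=$(nat_ruleset "$1" "$2") || return 1
  sysctl -w net.ipv4.ip_forward=1
  printf '%s\n' "$rules" | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_nat "${2:-ens4}" "${3:-10.128.0.0/16}"
fi
```

Run as root with `apply ens4 10.128.0.0/16` from the instance startup script; without arguments it only defines the functions. The `policy drop` forward chain means the instance relays only flows that start inside the VPC range, so it does not become an open router if the firewall rule in step 2 is too broad.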

Effective Cloud Cost Management will Reduce Costs

We’ve demonstrated that cloud costs can be significantly reduced when inbound traffic reaches a monthly volume of 20TB. The cloud cost drops from $921 (20 * 1024 * $0.045) to the cost of running the NAT instance.

Recommendations for Production-Grade Implementation

The above scenario introduces an effective cloud cost management solution that has been proven to be operational. By implementing the following enhancements, we can ensure a more robust and production-ready environment.

Monitoring: Implement comprehensive monitoring, or even something minimal such as installing nginx and monitoring web server availability.

Network throughput: Choose an instance type that can handle your current traffic with room for growth, as each GCP instance has maximum network throughput limits.

High availability: Plan for highly available deployment methods or at least automatic rollback to Cloud NAT (e.g., auto-triggered upon failure in monitoring using Cloud Run).

Metrics and Logs: Implement full visibility for troubleshooting errors and performance analysis.

As cloud infrastructure continues to evolve, the balance between managed services and self-managed solutions remains crucial for effective cloud cost management. By implementing a self-managed NAT instance, you’re not just saving money — you’re taking a step towards a more efficient, tailored cloud architecture that can adapt to your organization’s unique needs.

Blog written by Shay El Gold, Principal DevOps Engineer
