AWS NAT Gateway start stop
Description
NAT Gateway is probably the most widely deployed resource type in an AWS infrastructure. That is not surprising, since a NAT gateway is what gives services in private subnets their outbound internet access.
At the time of writing, a NAT Gateway alone (without the data processing charge) costs 0.05$/hour in the eu-west-3 (Paris) region. That is around 36.50$ per month (730 hours), or 438.00$ per year! For small businesses this can be a substantial part of the AWS bill.
Furthermore, since we usually split environments (dev, staging, prod, ...) into separate VPCs, each environment needs its own NAT gateways, which multiplies the number required.
For example, if we have the following 3 environments:
Dev: 1 NAT gateway
Prod: 1 NAT gateway per AZ with 2 AZ
Staging (identical to prod): 1 NAT gateway per AZ with 2 AZ
That is 5 NAT gateways in total, for 182.5$ per month, or 2190$ per year!
However, dev and staging do not need to be up all the time, only during business hours when the environment is used (let's say 8 hours a day, 5 days a week, that is 40 of the 168 hours in a week). The 3 non-prod NAT gateways therefore sit unused for about 20 022 hours per year (3 × 8760 × 128/168), which we pay for anyway: around 1000$, almost half the price!
Solution
We could implement a Lambda that will:
Scan the VPCs of an account based on tags (for example start-stop:enable)
Remove every NAT gateway route from the route tables, and add a tag indicating that a NAT gateway was there (for example nat-gateway:disabled)
Delete the corresponding NAT gateways.
If possible, the implementation should keep the EIP allocated to the NAT gateway. Deleting a NAT gateway disassociates its EIP but does not release it, so the allocation id only has to be recorded, not recreated.
If possible, when the terragrunt layer that manages the VPC is run, it should simply recreate the missing NAT gateway.
Warning: check that a terraform apply does not remove the newly added tags. Tags that are not in the Terraform configuration are dropped on the next apply unless the resource excludes them with ignore_changes, so otherwise we would need to keep a separate state store, in an S3 bucket for example.
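The stop pass of that Lambda, as an added example (my code, not part of the issue or of any project), using the two tag keys proposed above. It assumes, beyond what the issue says, that the route-table tag value records "<subnet-id>:<eipalloc-id>:<cidr>" so the removed route can be rebuilt later, and it runs offline against a constructed FakeEC2 that stands in for boto3's EC2 client; the lambda_handler name and the sample VPC, NAT gateway and route table ids are likewise made up.

```python
# Added example, not the issue's code. Assumed (not in the issue): the VPC tag
# start-stop=enable and route-table tag nat-gateway:disabled from the proposal, a
# tag value "<subnet-id>:<eipalloc-id>:<cidr>" recording what was removed, and a
# hand-written FakeEC2 standing in for boto3's EC2 client so this runs offline.
VPC_TAG = ("start-stop", "enable")
MARK_TAG = "nat-gateway:disabled"


def stop_nat_gateways(ec2):
    """Remove NAT routes from tagged VPCs, record them as a tag, delete the gateways."""
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs(
        Filters=[{"Name": f"tag:{VPC_TAG[0]}", "Values": [VPC_TAG[1]]}])["Vpcs"]]
    if not vpc_ids:
        return []  # an empty Values list is rejected by the API, so stop early
    deleted = []
    for ngw in ec2.describe_nat_gateways(Filters=[
            {"Name": "vpc-id", "Values": vpc_ids},
            {"Name": "state", "Values": ["available"]}])["NatGateways"]:
        ngw_id = ngw["NatGatewayId"]
        # Deleting a NAT gateway disassociates its EIP but does not release it, so
        # recording the allocation id is enough to reuse it; private NAT gateways
        # have no AllocationId and get an empty field.
        alloc = ngw["NatGatewayAddresses"][0].get("AllocationId", "")
        for rtb in ec2.describe_route_tables(Filters=[
                {"Name": "route.nat-gateway-id", "Values": [ngw_id]}])["RouteTables"]:
            for route in rtb["Routes"]:
                if route.get("NatGatewayId") != ngw_id or "DestinationCidrBlock" not in route:
                    continue  # IPv6 and prefix-list routes are out of scope here
                cidr = route["DestinationCidrBlock"]
                # Tag first, then delete the route: a crash in between leaves the
                # tag behind, so what was removed can still be reconstructed.
                ec2.create_tags(Resources=[rtb["RouteTableId"]], Tags=[
                    {"Key": MARK_TAG, "Value": f"{ngw['SubnetId']}:{alloc}:{cidr}"}])
                ec2.delete_route(RouteTableId=rtb["RouteTableId"], DestinationCidrBlock=cidr)
        ec2.delete_nat_gateway(NatGatewayId=ngw_id)
        deleted.append(ngw_id)
    return deleted


def lambda_handler(event, context):
    """Lambda entry point (assumed name); boto3 is imported here so the module
    above can be exercised without it."""
    import boto3
    return {"deleted": stop_nat_gateways(boto3.client("ec2"))}


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client: one tagged VPC, one
    untagged VPC, one NAT gateway each, and one private route table (demo data)."""

    def __init__(self):
        self.vpcs = {"vpc-dev": {"start-stop": "enable"}, "vpc-prod": {}}
        self.ngws = {"nat-1": {"NatGatewayId": "nat-1", "VpcId": "vpc-dev", "SubnetId": "subnet-pub",
                               "State": "available", "NatGatewayAddresses": [{"AllocationId": "eipalloc-1"}]},
                     "nat-2": {"NatGatewayId": "nat-2", "VpcId": "vpc-prod", "SubnetId": "subnet-prod",
                               "State": "available", "NatGatewayAddresses": [{"AllocationId": "eipalloc-2"}]}}
        self.rtbs = {"rtb-priv": {"RouteTableId": "rtb-priv", "Tags": [], "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]}}

    def describe_vpcs(self, Filters):
        key, values = Filters[0]["Name"][len("tag:"):], Filters[0]["Values"]
        return {"Vpcs": [{"VpcId": v} for v, tags in self.vpcs.items() if tags.get(key) in values]}

    def describe_nat_gateways(self, Filters):
        wanted = {f["Name"]: f["Values"] for f in Filters}
        return {"NatGateways": [n for n in self.ngws.values()
                                if n["VpcId"] in wanted["vpc-id"] and n["State"] in wanted["state"]]}

    def describe_route_tables(self, Filters):  # only the route.nat-gateway-id filter
        ids = Filters[0]["Values"]
        return {"RouteTables": [r for r in self.rtbs.values()
                                if any(x.get("NatGatewayId") in ids for x in r["Routes"])]}

    def create_tags(self, Resources, Tags):  # like AWS, an existing key is overwritten
        for r in Resources:
            self.rtbs[r]["Tags"] = [t for t in self.rtbs[r]["Tags"] if t["Key"] != Tags[0]["Key"]] + Tags

    def delete_route(self, RouteTableId, DestinationCidrBlock):  # new list, like an API snapshot
        self.rtbs[RouteTableId]["Routes"] = [x for x in self.rtbs[RouteTableId]["Routes"]
                                             if x.get("DestinationCidrBlock") != DestinationCidrBlock]

    def delete_nat_gateway(self, NatGatewayId):
        self.ngws[NatGatewayId]["State"] = "deleted"


def demo():
    """Run the stop pass against the fake account and report what it changed."""
    ec2 = FakeEC2()
    deleted = stop_nat_gateways(ec2)
    return {"deleted": deleted,
            "prod_untouched": ec2.ngws["nat-2"]["State"] == "available",
            "tag": ec2.rtbs["rtb-priv"]["Tags"][0]["Value"],
            "routes": [r.get("NatGatewayId", r.get("GatewayId")) for r in ec2.rtbs["rtb-priv"]["Routes"]]}
```

Tagging the route table before deleting the route is what makes the pass safe to interrupt: if the Lambda dies in between, the tag still says which subnet, EIP allocation and destination were removed. Because the function deletes network resources, its execution role should get only ec2:DescribeVpcs, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:CreateTags, ec2:DeleteRoute and ec2:DeleteNatGateway, and it should be deployed in the dev and staging accounts only; pagination of the Describe* calls is left out and would be needed in a large account.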