S4 NAT
Cost-optimized NAT for Amazon VPC
S4 NAT gives the private subnets in your Amazon VPC cost-optimized internet egress (source NAT) on a standard EC2 instance: a flat hourly software fee plus the EC2 instance you pick — with NO per-GB data-processing charge, so your cost is predictable and decoupled from egress volume. Ships as an Amazon Linux 2023 AMI with active/standby high availability (failover typically under 10 seconds), built-in NAT64 for IPv6-only subnets, and an optional XDP fast path. Deploy in minutes with the included CloudFormation templates.
S4 NAT gives the private subnets in your Amazon VPC cost-optimized internet egress, built on a standard EC2 instance. It performs source NAT (MASQUERADE) so private subnets can reach the internet, and you pay only a flat hourly software fee plus the price of the instance you choose — there is no per-GB data-processing charge, so cost is predictable and decoupled from egress volume. Bandwidth scales with the instance type. HA is built in: deploy the active/standby template and the standby heartbeats the active; on failure it rewrites the route table(s) via ec2:ReplaceRoute and moves a shared Elastic IP, typically in under ten seconds.
The problem
AWS NAT Gateway adds a $0.045/GB data-processing charge to every byte your private subnets send through it, on top of the hourly rate. That fee scales linearly with egress volume, so for high-throughput workloads it dominates the bill at 10 TB/month and can reach thousands of dollars at 50 TB/month, making spend hard to predict. Your cost tracks how much you transfer, not the work the NAT actually does.
How it works
1. Deploy with CloudFormation: one CloudFormation template (single or HA) creates the NAT instance, its ENI with source/dest check disabled, a least-privilege IAM role, and a VPC-scoped security group.
2. Point the private route at it: the stack rewrites your private subnets' 0.0.0.0/0 route to the NAT instance's ENI, where natd source-NATs the traffic with nftables MASQUERADE.
3. Standby heartbeats, then takes over: in an HA pair the standby health-checks the active over a UDP heartbeat and, on failure, rewrites the route tables to its own ENI (ec2:ReplaceRoute) and moves the shared Elastic IP, typically in under 10 seconds.
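As an added illustration (not S4's own code), here is the standby-side logic the three steps describe: count missed UDP heartbeats, then rewrite every private route table's default route with ec2:ReplaceRoute and re-associate the shared Elastic IP to the surviving ENI. The HMAC-and-timestamp check on the heartbeat is this example's own assumption (S4 does not document its heartbeat format); the boto3 method names and parameters are real, while the route-table, ENI and allocation IDs and the FakeEC2 recorder are constructed placeholders.

```python
import hashlib
import hmac

DEFAULT_ROUTE = "0.0.0.0/0"  # the private-subnet default route the stack points at the NAT ENI


def make_heartbeat(key: bytes, now: float) -> bytes:
    """Active side: build one datagram as '<timestamp>|<hmac-sha256>' (assumed wire format)."""
    ts = f"{now:.3f}"
    return f"{ts}|{hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()}".encode()


def heartbeat_is_valid(payload: bytes, key: bytes, now: float, max_age: float = 5.0) -> bool:
    """Standby side: accept only if the MAC verifies and the timestamp is fresh (no replay)."""
    try:
        ts, mac = payload.decode().split("|", 1)
        age = abs(now - float(ts))
    except ValueError:
        return False  # a malformed datagram counts as no heartbeat
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and age <= max_age


class StandbyController:  # after misses_to_fail missed beats in a row, rewrite routes and move the EIP
    def __init__(self, ec2, route_table_ids, my_eni_id, eip_allocation_id, misses_to_fail=3):
        self.ec2 = ec2  # boto3 EC2 client in production; FakeEC2 below for offline runs
        self.route_table_ids = list(route_table_ids)
        self.my_eni_id, self.eip_allocation_id = my_eni_id, eip_allocation_id
        self.misses_to_fail, self.misses, self.active = misses_to_fail, 0, False

    def observe(self, heartbeat_ok: bool) -> bool:  # True only when this call triggered takeover
        if self.active:
            return False  # already the active node: never fail over twice
        self.misses = 0 if heartbeat_ok else self.misses + 1
        if self.misses < self.misses_to_fail:
            return False
        self.take_over()
        return True

    def take_over(self) -> None:
        for rtb in self.route_table_ids:  # ec2:ReplaceRoute: point 0.0.0.0/0 at our own ENI
            self.ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock=DEFAULT_ROUTE,
                                   NetworkInterfaceId=self.my_eni_id)
        # Re-associate the shared EIP so the egress public IP stays constant after takeover.
        self.ec2.associate_address(AllocationId=self.eip_allocation_id,
                                   NetworkInterfaceId=self.my_eni_id, AllowReassociation=True)
        self.active = True


class FakeEC2:
    """Constructed recorder standing in for a boto3 EC2 client so the block runs offline."""
    def __init__(self): self.calls = []
    def replace_route(self, **kw): self.calls.append(("replace_route", kw))
    def associate_address(self, **kw): self.calls.append(("associate_address", kw))
```

In production the standby would feed `observe()` once per heartbeat interval from its UDP receive loop and pass a real `boto3.client("ec2")` whose IAM role is limited to the listed route tables and the shared allocation.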
Highlights
No per-GB data-processing fee: you pay only a flat hourly software fee plus the EC2 instance you choose, so your NAT bill is predictable and decoupled from egress volume.
High availability built in: an active/standby pair across AZs fails over by rewriting the route table(s) and moving a shared Elastic IP, typically in under 10 seconds — validated over 60 consecutive drills with 0 failures.
Batteries included, no lock-in: built-in NAT64 (RFC 6146) for IPv6-only subnets, an optional XDP fast path, and CloudFormation templates (single + HA) — all on a standard Amazon Linux 2023 AMI in your own VPC.
What's included
- Amazon Linux 2023 AMI, Graviton arm64 by default (x86_64 variant available)
- nftables MASQUERADE data plane (Linux IPv4 forwarding, source/dest check disabled on the ENI, $0/GB data processing)
- Active/standby HA across two AZs (route rewrite via ec2:ReplaceRoute plus a shared Elastic IP that re-associates to the survivor, keeping the egress public IP constant)
- NAT64 (RFC 6146) — a built-in tayga translator lets IPv6-only subnets reach the IPv4 internet (validated on real EC2)
- Optional XDP fast path (kernel nftables is the supported v1 data plane; XDP is an opt-in acceleration path)
- CloudFormation templates — one-click single instance (cfn-single.yaml) and HA pair (cfn-ha.yaml)
- CloudWatch metrics under the S4/NAT namespace (throughput, conntrack utilization, failover, heartbeat) plus a bundled alarm and dashboard
Use cases
- High-egress private subnets where the per-GB NAT charge dominates the bill
- Teams that want predictable, flat NAT cost decoupled from traffic volume
- IPv6-only subnets that still need to reach the IPv4 internet (NAT64)
- Replacing a managed NAT Gateway for outbound internet access from private subnets
FAQ
Is it actually cheaper than a managed NAT Gateway?
It removes the $0.045/GB data-processing charge entirely ($0/GB), leaving a flat hourly software fee plus the EC2 instance you choose. Because the appliance cost is flat, savings grow with volume — in the illustrative worksheet a solo instance breaks even around 1 TB/month of NAT traffic and saves roughly 84% at 10 TB/month. Honestly, the break-even depends on your traffic, instance size, and uptime, and cross-AZ and internet egress transfer still bill as usual.
Is failover seamless?
Failover is fast, not hitless. The standby rewrites the route tables and moves the Elastic IP typically in under 10 seconds (mean about 4s; 100 of 100 drills succeeded with zero failures). In-flight connections reset on takeover; clients reconnect and new connections succeed immediately. Hitless egress failover is not deliverable with an instance NAT on AWS, so we do not claim it.
How much bandwidth does it handle?
Bandwidth is bound to the EC2 instance type you pick, not a fixed managed ceiling. We measured about 4.78 Gbps through the NAT on a c6in.large with iperf3; larger network-optimized instances scale higher. Size the instance for the throughput you need.
Does it support IPv6-only subnets?
Yes. Built-in NAT64 (RFC 6146) uses a bundled tayga translator to convert traffic from IPv6-only clients to the IPv4 internet. It was validated on real EC2, reaching an external IPv4 host with 0% packet loss.
Is it secure, and how do I deploy it?
S4 NAT runs entirely inside your own VPC, so no traffic leaves your account. The NAT ENI has source/dest check disabled, and the instance runs with a least-privilege IAM role and a VPC-scoped security group. You deploy it with the bundled CloudFormation templates: cfn-single.yaml for a single instance, or cfn-ha.yaml for an active/standby HA pair.
Pricing model
Hourly software fee + EC2 (t4g / c6g class, Arm or x86). No per-GB data-processing fee. Metered per instance type, annual option available.
Other S4 products
- S4 — Squished S3: Transparent GPU S3-compression gateway
- S4 Logs: Archive CloudWatch Logs to zstd S3
- S4 Metrics: Govern CloudWatch metric cardinality