1. The Principle of Least Privilege in Networking
A common anti-pattern in cloud deployments is launching application servers and databases in public subnets simply to make SSH access or software updates easier. A public subnet is one whose route table sends 0.0.0.0/0 to an internet gateway; any resource in it that carries a public IP and a permissive security group is reachable from the whole internet and will be found by automated port scanners and brute-force tooling within minutes of launch. The gold standard of cloud architecture mandates that only load balancers, bastion hosts (jump boxes), or NAT Gateways reside in public subnets. All business logic, microservices, and data stores must be strictly isolated within private subnets, which reach the internet for updates only through a NAT Gateway and are reached by operators only through a bastion or a session broker such as AWS Systems Manager Session Manager, which needs no inbound port at all. Subnet placement controls exposure; it is not a substitute for least-privilege security groups. A private subnet still needs inbound rules scoped to the load balancer or the upstream service, never to 0.0.0.0/0.
2. Understanding NAT Gateway Cost & Architecture
While NAT Gateways provide elegant outbound internet access for private subnets, architects must be aware of their FinOps implications. AWS charges an hourly rate for each NAT Gateway provisioned, plus a data processing fee per gigabyte that passes through it in either direction. In high-throughput environments, especially workloads that move large objects to and from Amazon S3, data processing costs can accumulate rapidly. Architects should use VPC Gateway Endpoints for Amazon S3 and DynamoDB: a gateway endpoint is a route-table entry that sends traffic for the service's managed prefix list to the endpoint over the internal AWS network, bypassing the NAT Gateway entirely, and gateway endpoints carry no hourly or data processing charge. They also have a security benefit: traffic to S3 and DynamoDB never leaves the AWS network, and an endpoint policy can restrict which buckets or tables are reachable from the VPC. Gateway endpoints exist only for S3 and DynamoDB; other AWS services are reached from private subnets through Interface Endpoints (AWS PrivateLink), which do carry hourly and per-gigabyte charges, typically lower than the NAT data processing rate for service-heavy traffic. A gateway endpoint only takes effect once it is associated with the route table of the private subnets in question, so a NAT-backed route table with no vpce- route is a sign that S3 and DynamoDB traffic is still being metered through the NAT Gateway.
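The following audit script is an added example for both sections above (the public-subnet placement rule and the NAT-without-endpoint cost check); it is not code from the original article. It works on the JSON shapes returned by the EC2 API (DescribeRouteTables, DescribeSubnets, DescribeInstances): a subnet is public when its route table, explicit or the VPC's main table, has a route to an igw- gateway; a route table is "NAT-backed without endpoints" when it routes through a NatGatewayId but has no vpce- route to a prefix list. The sample route tables, subnets and instances below are constructed, the Role tag used to whitelist bastion, NAT and load-balancer instances is an assumed tagging convention, and in practice the lists would come from boto3's ec2 client.

```python
"""Offline audit of VPC subnet exposure and NAT-vs-gateway-endpoint routing."""

# Roles that the article permits in a public subnet (assumed tag convention).
ALLOWED_PUBLIC_ROLES = {"bastion", "nat", "load-balancer"}

# Constructed sample data shaped like EC2 API responses (not a real account).
ROUTE_TABLES = [
    {   # main table: no internet gateway route, so implicitly associated subnets are private
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # private subnet egressing through NAT only: S3/DynamoDB traffic is metered
        "RouteTableId": "rtb-private-nat",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
    {   # private subnet with gateway endpoints: S3/DynamoDB bypass the NAT Gateway
        "RouteTableId": "rtb-private-nat-endpoints",
        "Associations": [{"SubnetId": "subnet-priv-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
            {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"},
            {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb"},
        ],
    },
]
SUBNETS = ["subnet-pub-a", "subnet-priv-a", "subnet-priv-b", "subnet-orphan"]
INSTANCES = [
    {"InstanceId": "i-jump", "SubnetId": "subnet-pub-a",
     "Tags": [{"Key": "Role", "Value": "bastion"}]},
    {"InstanceId": "i-api", "SubnetId": "subnet-pub-a",      # the anti-pattern
     "Tags": [{"Key": "Role", "Value": "app"}]},
    {"InstanceId": "i-worker", "SubnetId": "subnet-priv-a",
     "Tags": [{"Key": "Role", "Value": "app"}]},
]


def main_route_table(route_tables):
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise ValueError("VPC has no main route table")


def route_table_for_subnet(route_tables, subnet_id):
    """Explicit association wins; otherwise the subnet uses the main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return main_route_table(route_tables)


def is_public(rt):
    """Any route to an internet gateway makes the subnet's resources internet-reachable."""
    return any(str(r.get("GatewayId", "")).startswith("igw-") for r in rt["Routes"])


def uses_nat(rt):
    return any("NatGatewayId" in r for r in rt["Routes"])


def has_gateway_endpoint(rt):
    """Gateway endpoints show up as a prefix-list route whose target is a vpce- id."""
    return any("DestinationPrefixListId" in r
               and str(r.get("GatewayId", "")).startswith("vpce-")
               for r in rt["Routes"])


def public_subnets(route_tables, subnet_ids):
    return {s for s in subnet_ids if is_public(route_table_for_subnet(route_tables, s))}


def misplaced_workloads(route_tables, subnet_ids, instances, allowed=ALLOWED_PUBLIC_ROLES):
    """Instances in public subnets whose Role tag is not an allowed edge role."""
    public = public_subnets(route_tables, subnet_ids)
    findings = []
    for inst in instances:
        if inst["SubnetId"] not in public:
            continue
        role = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Role"), "")
        if role not in allowed:
            findings.append(inst["InstanceId"])
    return findings


def nat_tables_without_endpoints(route_tables):
    """NAT-backed tables still paying NAT data processing for S3/DynamoDB traffic."""
    return [rt["RouteTableId"] for rt in route_tables
            if uses_nat(rt) and not has_gateway_endpoint(rt)]


if __name__ == "__main__":
    print("public subnets:", sorted(public_subnets(ROUTE_TABLES, SUBNETS)))
    print("workloads in public subnets:", misplaced_workloads(ROUTE_TABLES, SUBNETS, INSTANCES))
    print("NAT tables lacking gateway endpoints:", nat_tables_without_endpoints(ROUTE_TABLES))
```

Note that subnet-orphan, which has no explicit association, is classified through the main route table; a main table that carries an igw- route silently makes every unassociated subnet public, which is why the audit resolves the implicit association rather than treating missing associations as private.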
