Cost Optimization and Cleanup
Billable Resources Created in This Lab
The following resources generate AWS charges and must be deleted when you are finished.
NAT Gateways are the primary cost driver. Each NAT Gateway costs approximately $0.045 per hour plus $0.045 per GB of data processed (us-east-1 pricing, subject to change). Two NAT Gateways running for 2 hours cost approximately $0.18 in gateway hours, plus any data transfer charges from the connectivity test. For this lab, total NAT Gateway cost is under $0.25.
Elastic IPs associated with NAT Gateways are free while attached to a running NAT Gateway. Once the NAT Gateway is deleted, release the Elastic IPs — an unattached Elastic IP costs $0.005 per hour.
VPC Flow Logs to CloudWatch Logs generate ingestion costs ($0.50 per GB ingested in us-east-1). For a short lab with minimal traffic, this will be a few cents at most. However, in production with high-traffic VPCs, flow log costs can be significant — filter to “Reject” only if you want to reduce costs while retaining security visibility.
Resources with no direct cost: VPC itself, subnets, route tables, internet gateway, security groups, NACLs. These are free.
EC2 instances launched for testing: t3.micro costs approximately $0.0104 per hour. Stop or terminate test instances when validation is complete.
Cost Trade-off: One vs Two NAT Gateways
Using a single NAT Gateway in one AZ and routing all private subnets through it saves approximately $32/month per NAT Gateway ($0.045 × 730 hours). In a non-production environment or a lab, this is a reasonable trade-off. In production, the risk is that an AZ failure or a NAT Gateway failure (rare but possible) cuts off outbound internet access for all private subnets simultaneously, potentially taking down your application. The cost of that outage almost always exceeds the monthly savings.
Teardown Instructions
Execute the following steps in order. Order matters — some resources cannot be deleted while others are attached.
- Terminate any test EC2 instances.
- Delete both NAT Gateways: VPC > NAT Gateways > select each > Actions > Delete. Wait for state to show “Deleted” (1–2 minutes).
- Release the two Elastic IPs: VPC > Elastic IPs > select each > Actions > Release Elastic IP address.
- Detach and delete the Internet Gateway: VPC > Internet Gateways > select lab-igw > Actions > Detach from VPC, then Actions > Delete internet gateway.
- Delete all four route tables (you cannot delete route tables that are associated with subnets — you must first disassociate, or delete the subnets first). Navigate to each route table, go to Subnet associations > Edit > deselect all, then delete the route table.
- Delete all six subnets.
- Delete the VPC.
- Disable and delete the VPC Flow Log log group in CloudWatch Logs, if created.
What you should see after cleanup: No NAT Gateways exist (or all show “Deleted”). No unattached Elastic IPs exist in the region. The VPC lab-vpc no longer appears in the VPC list.
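The post-cleanup state described above can also be checked by script. The following is an added example, not part of the original lab: it evaluates JSON in the shape returned by `aws ec2 describe-nat-gateways`, `describe-addresses`, `describe-vpcs` and `describe-instances`. The sample data, all resource IDs, and the helper name `leftover_resources` are constructed for illustration.

```python
import json

# Constructed sample in the shape of AWS CLI describe-* output, merged into
# one document. Every ID and address below is made up for this example.
SAMPLE = json.loads("""{
 "NatGateways": [{"NatGatewayId": "nat-0aaa111", "State": "deleted"},
                 {"NatGatewayId": "nat-0bbb222", "State": "available"}],
 "Addresses": [{"AllocationId": "eipalloc-0ccc333", "PublicIp": "203.0.113.10"},
               {"AllocationId": "eipalloc-0ddd444", "PublicIp": "203.0.113.11",
                "AssociationId": "eipassoc-0eee555"}],
 "Vpcs": [{"VpcId": "vpc-0fff666", "Tags": [{"Key": "Name", "Value": "lab-vpc"}]}],
 "Reservations": [{"Instances": [
     {"InstanceId": "i-0123abc", "State": {"Name": "terminated"}},
     {"InstanceId": "i-0456def", "State": {"Name": "stopped"}}]}]
}""")


def leftover_resources(data, vpc_name="lab-vpc"):
    """Return (kind, id, reason) tuples for resources the teardown missed."""
    found = []
    for gw in data.get("NatGateways", []):
        # Gateways in state "deleted" stay listed for a while but are not billed.
        if gw["State"] != "deleted":
            found.append(("nat-gateway", gw["NatGatewayId"], gw["State"]))
    for addr in data.get("Addresses", []):
        # An Elastic IP without an association is billed hourly.
        if not addr.get("AssociationId"):
            found.append(("elastic-ip", addr["AllocationId"], "unattached"))
    for reservation in data.get("Reservations", []):
        for inst in reservation["Instances"]:
            # The teardown calls for termination, so a stopped instance is flagged.
            state = inst["State"]["Name"]
            if state not in ("terminated", "shutting-down"):
                found.append(("instance", inst["InstanceId"], state))
    for vpc in data.get("Vpcs", []):
        tags = {t["Key"]: t["Value"] for t in vpc.get("Tags", [])}
        if tags.get("Name") == vpc_name:
            found.append(("vpc", vpc["VpcId"], "still present"))
    return found


if __name__ == "__main__":
    for kind, rid, reason in leftover_resources(SAMPLE):
        print(f"{kind:12} {rid:20} {reason}")
```

An empty result means the three conditions listed above hold for the data supplied; run the describe commands in the same region the lab used.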