Terminate unnecessary NAT Gateway costs by detecting services that should use VPC endpoints.
termiNATor is a CLI tool that analyzes your AWS NAT Gateway traffic to identify cost optimization opportunities. It detects when your applications are routing traffic to AWS services (like S3 and DynamoDB) through NAT Gateways instead of using free VPC Gateway Endpoints, helping you eliminate unnecessary data processing charges.
- Quick Scan: Instant analysis of your VPC configuration to detect missing VPC endpoints
- Deep Dive Scan: Real-time traffic analysis using VPC Flow Logs to identify actual service usage patterns
- Cost Estimation: Calculate potential monthly and annual savings with clear disclaimers
- Traffic Classification: Automatically identifies S3, DynamoDB, and other AWS service traffic
- Detailed Reporting: Comprehensive analysis with actionable recommendations
- Multi-Region Support: Works across all AWS regions with regional pricing
NAT Gateways charge $0.045 per GB for data processing. If your applications access S3 or DynamoDB through a NAT Gateway, you're paying for traffic that could be completely free using Gateway VPC Endpoints.
Example Savings:
- 100 GB/month to S3 through NAT Gateway: $4.50/month → $0/month with VPC Endpoint
- 1 TB/month to DynamoDB through NAT Gateway: $45/month → $0/month with VPC Endpoint
```bash
# Install
git clone https://github.com/doitintl/terminator.git
cd terminator
go build -o terminat

# Configure AWS credentials
export AWS_PROFILE=your-profile
export AWS_REGION=us-east-1

# Run quick scan (instant, no resources created)
./terminat scan quick --region us-east-1

# Run deep dive scan (analyzes actual traffic, ~10 minutes)
./terminat scan deep --region us-east-1 --duration 5
```
- 📖 Complete Usage Guide - Detailed instructions for production use
- 🧪 E2E Testing Guide - Run automated tests with sample infrastructure
```bash
go install github.com/doitintl/terminator@latest
```
Or build from source:
```bash
git clone https://github.com/doitintl/terminator.git
cd terminator
go build -o terminat
```
Configure AWS credentials using one of these methods:
```bash
# AWS CLI configuration
aws configure

# Environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_REGION="us-east-1"

# AWS Profile
export AWS_PROFILE="your-profile"
```
For Quick Scan, you need read-only permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNatGateways",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}
```
For Deep Dive Scan, additional permissions are required:
```bash
# Run the setup script to create the IAM role
./scripts/setup-flowlogs-role.sh
```
This creates a role with permissions for:
- Creating and deleting VPC Flow Logs
- Creating and querying CloudWatch Logs
- Getting caller identity (for account ID)
Instantly analyze your VPC configuration:
```bash
terminat scan quick --region us-east-1
```
This will:
- Discover all NAT Gateways in the region
- Check for existing VPC endpoints
- Identify missing S3 and DynamoDB endpoints
- Provide immediate recommendations
Analyze actual traffic patterns:
```bash
terminat scan deep --region us-east-1 --duration 5
```
This will:
- Create temporary VPC Flow Logs for your NAT Gateway
- Wait 5 minutes for Flow Logs to initialize
- Collect traffic data for 5 minutes (configurable: 5-60 minutes)
- Classify traffic by destination service (S3, DynamoDB, other)
- Calculate cost estimates and potential savings
- Clean up Flow Logs (log data retained for review)
Total time: Collection duration + 5 minutes (startup delay)
Example output:
```text
Traffic Analysis:
  Total:    1,234 records, 45.67 GB
  S3:         890 records, 32.10 GB (70.3%)
  DynamoDB:   234 records,  8.45 GB (18.5%)
  Other:      110 records,  5.12 GB (11.2%)

Cost Savings Estimate:
  Current Monthly NAT Gateway Cost:      $61.45
  Potential Savings with VPC Endpoints:  $54.74/month ($656.88/year)

⚠️ IMPORTANT: This is an ESTIMATE based on the traffic sample collected.
```
```bash
# Quick scan
terminat scan quick --region <region>

# Deep dive scan
terminat scan deep --region <region> --duration <minutes>

# Scan specific NAT Gateway
terminat scan deep --region us-east-1 --nat-id nat-1234567890abcdef0
```
After a Deep Dive scan, Flow Logs data is retained for your review. Clean it up when done:
```bash
# List log groups
aws logs describe-log-groups --log-group-name-prefix "/aws/vpc/flowlogs/terminator"

# Delete log group
terminat cleanup --region us-east-1 --log-group "/aws/vpc/flowlogs/terminator-1234567890"
```
- S3 Traffic: Requests to Amazon S3 (object storage)
- DynamoDB Traffic: Requests to Amazon DynamoDB (NoSQL database)
- Other Traffic: All other destinations (EC2, RDS, internet, etc.)
NAT Gateway Pricing:
- Data processing: $0.045 per GB (most regions)
- Hourly charge: $0.045 per hour (not included in estimates)
VPC Gateway Endpoints:
- S3 Gateway Endpoint: FREE (no hourly or data charges)
- DynamoDB Gateway Endpoint: FREE (no hourly or data charges)
Important Notes:
- Cost estimates are based on the traffic sample collected during the scan
- Actual costs may vary based on traffic patterns, time of day, and workload changes
- Estimates extrapolate sample data to monthly projections
- Only data processing costs are calculated (hourly NAT Gateway charges not included)
```text
terminator/
├── cmd/            # CLI commands (scan, cleanup)
├── internal/
│   ├── core/       # Core business logic (scanner)
│   ├── aws/        # AWS service clients (EC2, CloudWatch)
│   ├── analysis/   # Traffic analysis and cost calculation
│   └── report/     # Report generation (future)
├── pkg/            # Public APIs and types
├── ui/             # Terminal UI components
└── scripts/        # Setup and utility scripts
```
- Discovers NAT Gateways in your VPC
- Checks route tables for traffic routing through NAT
- Identifies missing VPC endpoints for S3 and DynamoDB
- Provides recommendations
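The Quick Scan check as an added example, not the project's own code: route tables and gateway endpoints are reduced to constructed structs carrying the fields DescribeRouteTables and DescribeVpcEndpoints would return, and every table whose default route points at a NAT Gateway but has no S3 or DynamoDB gateway endpoint associated is flagged. Type and field names and the sample IDs are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal views of the DescribeRouteTables / DescribeVpcEndpoints fields the check needs (assumed shapes).
type RouteTable struct {
	ID     string
	Routes map[string]string // destination CIDR -> target (local, igw-..., nat-..., vpce-...)
}
type GatewayEndpoint struct {
	ServiceName string   // e.g. com.amazonaws.us-east-1.s3
	RouteTables []string // route tables the gateway endpoint is associated with
}
// Finding: a route table whose default route goes to a NAT Gateway but lacks a gateway endpoint.
type Finding struct{ RouteTable, NATGateway, MissingService string }
// findMissingEndpoints flags each NAT-routed table with no S3 or DynamoDB gateway endpoint attached.
func findMissingEndpoints(region string, tables []RouteTable, endpoints []GatewayEndpoint) []Finding {
	covered := map[string]bool{} // "routeTableID|serviceName" -> endpoint attached
	for _, ep := range endpoints {
		for _, rt := range ep.RouteTables {
			covered[rt+"|"+ep.ServiceName] = true
		}
	}
	var out []Finding
	for _, t := range tables {
		nat, ok := t.Routes["0.0.0.0/0"]
		if !ok || !strings.HasPrefix(nat, "nat-") {
			continue // default route not via NAT (e.g. public subnet via IGW): no NAT data charge here
		}
		for _, svc := range []string{"s3", "dynamodb"} {
			if name := "com.amazonaws." + region + "." + svc; !covered[t.ID+"|"+name] {
				out = append(out, Finding{t.ID, nat, svc})
			}
		}
	}
	return out
}
func main() { // constructed tables: a private subnet via NAT and a public subnet via IGW
	tables := []RouteTable{
		{"rtb-private", map[string]string{"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0123456789abcdef0"}},
		{"rtb-public", map[string]string{"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0123456789abcdef0"}},
	}
	endpoints := []GatewayEndpoint{{"com.amazonaws.us-east-1.s3", []string{"rtb-private"}}}
	for _, f := range findMissingEndpoints("us-east-1", tables, endpoints) {
		fmt.Printf("%s sends 0.0.0.0/0 to %s but has no %s gateway endpoint\n", f.RouteTable, f.NATGateway, f.MissingService)
	}
}
```

Only tables whose default route actually targets a NAT Gateway are reported, so a public subnet routed through an Internet Gateway never produces a finding even when it has no endpoints.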
- Discovery: Finds NAT Gateways and their network interfaces
- Flow Logs Creation: Creates temporary VPC Flow Logs on the NAT Gateway ENI
- Startup Delay: Waits 5 minutes for Flow Logs to begin delivering data
- Collection: Captures network traffic for the specified duration
- Analysis:
- Downloads AWS IP ranges for S3 and DynamoDB
- Classifies each flow by destination IP
- Calculates data volumes per service
- Cost Calculation:
- Applies regional NAT Gateway pricing
- Extrapolates sample to monthly projections
- Calculates potential savings with VPC endpoints
- Cleanup: Deletes Flow Logs configuration (retains log data for review)
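The Analysis and Cost Calculation steps above, together with the pricing notes earlier, as an added example that is not the project's own code: default-format VPC Flow Log records are classified by destination prefix, bytes are summed per service, NODATA/SKIPDATA records are skipped, and the S3 plus DynamoDB share is extrapolated to a 30-day estimate at the $0.045/GB data-processing rate. The prefixes and flow records are constructed stand-ins; the real tool fetches the live ip-ranges.json.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Constructed stand-ins for the S3/DynamoDB prefixes in ip-ranges.json (the tool downloads the live list).
var servicePrefixes = []struct{ svc, cidr string }{
	{"S3", "52.216.0.0/15"}, {"S3", "3.5.0.0/19"},
	{"DynamoDB", "52.94.0.0/22"}, {"DynamoDB", "52.119.224.0/21"},
}
// classify maps a destination address to S3, DynamoDB or "Other".
func classify(dst netip.Addr) string {
	for _, p := range servicePrefixes {
		if netip.MustParsePrefix(p.cidr).Contains(dst) {
			return p.svc
		}
	}
	return "Other"
}
// analyze sums GB per service over default-format VPC Flow Log records (field 5 = dstaddr,
// field 10 = bytes, field 14 = log-status); NODATA/SKIPDATA records carry no addresses and are skipped.
func analyze(records []string) map[string]float64 {
	gb := map[string]float64{}
	for _, r := range records {
		if f := strings.Fields(r); len(f) >= 14 && f[13] == "OK" {
			if dst, err := netip.ParseAddr(f[4]); err == nil {
				b, _ := strconv.ParseFloat(f[9], 64)
				gb[classify(dst)] += b / 1e9
			}
		}
	}
	return gb
}
// monthlySavings scales a sampleMinutes-long sample to 30 days and prices only the S3+DynamoDB share
// at the $0.045/GB NAT data-processing rate; hourly NAT charges are excluded, as in the tool.
func monthlySavings(gb map[string]float64, sampleMinutes float64) float64 {
	return (gb["S3"] + gb["DynamoDB"]) * (30 * 24 * 60 / sampleMinutes) * 0.045
}
func main() { // constructed S3, DynamoDB and NODATA records; a real run reads them from CloudWatch Logs
	gb := analyze([]string{
		"2 123456789012 eni-0abc 10.0.1.5 52.216.10.1 44112 443 6 100 1000000000 1700000000 1700000060 ACCEPT OK",
		"2 123456789012 eni-0abc 10.0.1.6 52.94.1.9 44113 443 6 50 500000000 1700000000 1700000060 ACCEPT OK",
		"2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA",
	})
	fmt.Printf("S3 %.2f GB, DynamoDB %.2f GB, ESTIMATED savings $%.2f/month\n", gb["S3"], gb["DynamoDB"], monthlySavings(gb, 5))
}
```

Treat the result as the estimate the tool's own output labels it: a 5-minute sample scaled to 30 days magnifies any burst that happened to fall inside the window, which is why longer and repeated collections give steadier numbers.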
- Run during peak hours: Collect traffic samples during typical workload periods for accurate estimates
- Longer collection periods: Use 15-30 minute collection windows for more representative samples
- Multiple scans: Run scans at different times of day to understand traffic patterns
- Review log data: Use CloudWatch Logs Insights to analyze detailed traffic patterns
- Test VPC endpoints: Create endpoints in a test environment first to validate connectivity
- Verify you're scanning the correct region
- Check that NAT Gateways exist in your VPC
- Ensure your IAM permissions include `ec2:DescribeNatGateways`
- Run `./scripts/setup-flowlogs-role.sh` to create the required IAM role
- Verify the role ARN in the error message
- Check CloudWatch Logs permissions
- Flow Logs require 5-10 minutes to start delivering data
- Ensure applications are actively using the NAT Gateway during collection
- Check CloudWatch Logs console for Flow Logs data
- Remember these are ESTIMATES based on traffic samples
- Verify the collection period was representative of typical usage
- Consider running multiple scans at different times
- Check if traffic patterns vary significantly throughout the day
Contributions are welcome! Please feel free to submit a Pull Request.
Apache License 2.0
For issues and questions:
- GitHub Issues: https://github.com/doitintl/terminator/issues
- Documentation: https://github.com/doitintl/terminator/wiki
- Support for Interface VPC Endpoints cost analysis
- Historical cost analysis from CloudWatch metrics
- Automated VPC endpoint creation
- Multi-account scanning
- JSON/CSV export for reporting
- Integration with AWS Cost Explorer
Made with ❤️ by DoiT International