In the rush to migrate workloads to the cloud, organizations adopted cloud-native NAT Gateways as their go-to solution for outbound internet access. These services promise to simplify internet connectivity while keeping private resources unreachable from outside. That simplicity, however, hides critical gaps in visibility and control that leave organizations exposed once an attacker is inside.
While NAT Gateways enable outbound connectivity without exposing servers to direct inbound traffic, on their own they do not meet today's security requirements. The reality is that cloud-native NAT Gateways:
Provide minimal visibility
Offer virtually no security controls
Come with substantial hidden costs that can spiral out of control
This blog explores the dangers of cloud-native NAT gateways and how you can build a layered security strategy that closes these gaps.
1. The Visibility Problem: Flying Blind in Your Own Infrastructure
The most glaring deficiency of cloud-native NAT Gateways is their near-complete lack of visibility into network traffic.
A NAT Gateway is a translation device: it rewrites private source addresses to a public one and keeps just enough connection state to route replies back. It does not inspect, classify, or log the content of the communications it forwards.
This creates enormous blind spots in your security posture.
When attackers gain access to your environment—whether through compromised credentials, unpatched vulnerabilities, or social engineering—they immediately begin reconnaissance and lateral movement.
Modern ransomware groups like Play, as highlighted in recent CISA advisories, move quietly through cloud environments, exploiting these exact visibility gaps. They establish command-and-control channels, exfiltrate sensitive data, and prepare for their final encryption payload, all while your NAT Gateway dutifully processes their traffic without raising any alarms.
While some cloud providers offer basic logging capabilities to help catch this kind of activity, those capabilities need significant additional infrastructure to be useful. You need to:
Configure flow logs
Set up log aggregation systems
Build custom dashboards
Establish alerting mechanisms
Even then, you're limited to basic connection metadata—source and destination IP addresses, ports, protocol, and byte and packet counts. That tells you who talked to whom and how much, but almost nothing about the content or intent of the communications, and because most outbound traffic is TLS, even a full packet capture at this point would add little beyond the server name in the handshake.
Consider a real-world scenario:
An attacker has compromised a database server and is slowly exfiltrating customer records to an external storage service.
Your NAT Gateway sees HTTPS connections to what looks like a legitimate cloud service and forwards them. What separates this flow from a nightly backup is the destination, the volume, and the timing, and the gateway evaluates none of those. Without destination-aware policy, volume and behavioral baselining, or inspection at the application layer, this data theft is indistinguishable from normal business traffic.
By the time you discover the breach through other means, terabytes of sensitive data may have already been stolen.
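The following is an added example, not code from the original post or from Aviatrix, showing what the flow-log approach described above can and cannot tell you. It parses a handful of constructed VPC Flow Log lines in the default version-2 format, keeps only accepted flows from an internal address to an external one (the traffic that actually traverses the NAT Gateway), totals egress per source, flags any source above a volume threshold, and estimates the data processing charge at the post's $0.045 per GB. The VPC range (10.0.0.0/8), the 1 GB threshold, the sample addresses and byte counts, and the decimal gigabyte (1e9 bytes, matching the post's own arithmetic) are all assumptions for the sake of the example. Note what the detector keys on: bytes to an external address on port 443. It has no way to know whether that is a backup or stolen customer records.

```python
"""Egress triage over VPC Flow Log records (constructed sample data, not from the original post)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the original post): the VPC uses 10.0.0.0/8 and any
# destination outside it is "external" and therefore traverses the NAT Gateway;
# data processing is billed at the post's $0.045 per GB with 1 GB = 1e9 bytes.
INTERNAL = ip_network("10.0.0.0/8")
NAT_RATE_PER_GB = 0.045
EXFIL_THRESHOLD_BYTES = 1_000_000_000  # flag any source sending >1 GB out in the window

# Constructed VPC Flow Log v2 lines in the default field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0db01 10.0.1.25 203.0.113.10 49152 443 6 250000 2400000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0db01 10.0.1.25 10.0.2.40 51234 5432 6 120 48000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0web1 10.0.3.11 198.51.100.7 40001 443 6 900 1300000 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0web1 10.0.3.11 203.0.113.10 40002 443 6 30 12000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0app1 10.0.4.9 203.0.113.55 40003 22 6 10 2000 1700000100 1700000101 REJECT OK
2 123456789012 eni-0app1 10.0.4.9 198.51.100.7 40004 443 6 400 600000 1700000100 1700000400 ACCEPT OK
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: int
    nbytes: int
    action: str


def parse_flow_logs(text):
    """Parse default-format VPC Flow Log lines; skip NODATA/SKIPDATA records."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        flows.append(Flow(src=f[3], dst=f[4], dst_port=int(f[6]),
                          protocol=int(f[7]), nbytes=int(f[9]), action=f[12]))
    return flows


def external_egress(flows):
    """Accepted flows from an internal address to an external one: the NAT path.
    Rejected flows (e.g. a security group block) never reached the gateway."""
    return [f for f in flows
            if f.action == "ACCEPT"
            and ip_address(f.src) in INTERNAL
            and ip_address(f.dst) not in INTERNAL]


def bytes_by_source(flows):
    """Total external egress bytes per internal source address."""
    totals = defaultdict(int)
    for f in external_egress(flows):
        totals[f.src] += f.nbytes
    return dict(totals)


def suspected_exfil(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Sources whose external egress exceeds the threshold. Volume is the only
    signal the metadata offers; it cannot say what the port-443 traffic carried."""
    return sorted(src for src, b in bytes_by_source(flows).items() if b > threshold)


def nat_processing_cost(flows):
    """Estimated NAT Gateway data-processing charge for these flows, in USD."""
    total = sum(f.nbytes for f in external_egress(flows))
    return round(total / 1e9 * NAT_RATE_PER_GB, 4)


if __name__ == "__main__":
    flows = parse_flow_logs(SAMPLE_LOG)
    for src, b in sorted(bytes_by_source(flows).items()):
        print(f"{src}: {b / 1e6:.1f} MB external egress")
    print("suspected exfil:", suspected_exfil(flows))
    print(f"estimated NAT data processing charge: ${nat_processing_cost(flows):.2f}")
```

Run stand-alone, the script singles out 10.0.1.25 (the constructed "database server") purely because it moved 2.4 GB to one external address; the web tier's 443 traffic to the same address passes unremarked. In a real account this logic sits behind the log aggregation and alerting the post lists, and the threshold has to be set per workload, since a backup server legitimately exceeds it every night.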
2. The Security Illusion: Beyond Basic Network Address Translation
The security limitations of cloud-native NAT Gateways become clear when you study them against modern attack patterns. While these gateways do prevent direct inbound connections to private resources, they provide no protection against outbound threats, and outbound connectivity is what nearly every post-compromise phase of a modern attack depends on.
Today's cybercriminals don't need to break down your front door when they can simply walk out through it. After gaining initial access through techniques like credential stuffing, phishing, or exploiting public-facing services, attackers focus on establishing persistent access and data exfiltration. NAT Gateways not only fail to prevent these activities but actually make them easier by providing reliable outbound connectivity.
How Attackers Get Past NAT Gateways
Modern ransomware operations follow a predictable pattern:
Establish command-and-control communications
Conduct internal reconnaissance
Move laterally to high-value systems
Exfiltrate data for double extortion
Deploy encryption payloads
Each of these phases relies heavily on outbound network communications that pass freely through NAT Gateways.
The Play ransomware group, for example, uses tools like AnyDesk for remote access, Mimikatz for credential theft, and Cobalt Strike for command-and-control communications. All of these tools rely on outbound connections that look legitimate to a basic NAT Gateway. Without application-layer inspection, domain reputation filtering, or behavioral analysis, these malicious communications are indistinguishable from normal business traffic.
NAT Gateways also provide no protection against insider threats or compromised legitimate applications. When an authorized user or application begins behaving maliciously, the NAT Gateway has no way to detect or prevent unauthorized data transfer. The gateway's job is just to enable connectivity, not to evaluate whether that connectivity is appropriate or secure.
3. The Cost Trap: Death by a Thousand Data Processing Fees
The financial impact of cloud-native NAT Gateways extends beyond their obvious hourly instance fees. The real cost comes from data processing charges that can quickly spiral out of control, especially in data-intensive environments. Cloud providers typically charge for NAT Gateway usage in two ways:
A fixed hourly fee for the gateway instance itself
A per-gigabyte fee for data processing
While the hourly fees are predictable and relatively modest, the data processing fees can escalate. For organizations with significant outbound traffic—whether for legitimate business purposes, backup operations, or unfortunately, data exfiltration—these costs add up quickly.
Consider the arithmetic: if your organization pushes 10TB of outbound traffic a month through a NAT Gateway, at a typical cloud provider rate of $0.045 per GB processed you're looking at roughly $450 a month in data processing fees for that one gateway, before the hourly charge. Scale this across multiple regions, availability zones, or accounts, and the costs multiply rapidly. For large enterprises, NAT Gateway data processing fees can easily reach tens of thousands of dollars monthly.
The Cost of Security Incidents
These costs become particularly painful during security incidents. When attackers exfiltrate large volumes of data, your NAT Gateway data processing charges spike dramatically. Essentially, you're paying your cloud provider to facilitate the theft of your own data.
Organizations have reported NAT Gateway bills increasing by 300-500% during major security incidents, adding financial injury to the operational and reputational damage of the breach itself.
The hidden nature of these costs makes them especially dangerous for budget planning. Unlike compute or storage costs that scale predictably with business growth, NAT Gateway data processing fees can spike unexpectedly due to legitimate traffic patterns, misconfigured applications, or malicious activity. This unpredictability makes it difficult to budget accurately and can lead to significant cost overruns.
Modern Attack Patterns: How Criminals Exploit NAT Gateway Limitations
Understanding how modern cybercriminals operate reveals why NAT Gateways don't offer enough protection for today's threat landscape. Contemporary attacks rely on subtlety and persistence, and they focus on data theft rather than service disruption.
The initial compromise often goes through well-known vectors: exposed Remote Desktop Protocol (RDP) services, unpatched vulnerabilities in public-facing applications, or successful phishing campaigns. Once inside, attackers immediately focus on establishing persistent access and avoiding detection. They:
Deploy remote access tools
Escalate privileges using stolen credentials
Begin mapping the internal network architecture
Lateral Movement: How Attackers Move Through and Between Systems
The lateral movement phase shows exactly where the NAT Gateway sits in the picture: nowhere. Traffic between private instances, whether Windows Management Instrumentation (WMI) for remote command execution, PowerShell remoting for administrative tasks, or SMB for file access, never traverses the gateway at all, so it offers no visibility into it. The legs that do pass through the gateway, such as beaconing from each newly compromised host and downloading additional tooling, ride ordinary HTTPS and are almost impossible to distinguish from normal operations without deeper inspection.
Data exfiltration represents the ultimate goal for most modern attacks. Rather than deploying destructive payloads immediately, attackers spend weeks or months quietly copying sensitive information to external systems. They often use legitimate cloud storage services, encrypted communication channels, or compromised third-party services to make detection even more difficult.
The double extortion model has made data theft the primary objective rather than a secondary consideration. Attackers steal sensitive information first, then deploy ransomware to encrypt systems. This approach gives them leverage even if organizations can restore from backups, as they can still threaten to publish or sell the stolen data.
Throughout this entire attack lifecycle, NAT Gateways provide no meaningful protection.
They facilitate the command-and-control communications necessary for coordination, enable the data exfiltration that makes attacks profitable, and even support the infrastructure used to deliver ransomware payloads.
Complementing NAT Gateways with Layered Security
The limitations of cloud-native NAT Gateways highlight the need for more comprehensive security solutions. Organizations need visibility into outbound traffic, control over application-layer communications, and protection against data exfiltration.
Here are three places to start:
1. Pursue Visibility and Control
Effective cloud security requires solutions that can:
Inspect traffic at the application layer
Apply policy controls based on user and workload identity
Provide comprehensive logging and monitoring capabilities
This means implementing next-generation firewalls, secure web gateways, or comprehensive cloud security platforms that go far beyond basic network address translation.
2. Implement Zero Trust Principles
Zero-trust security principles must be applied to outbound traffic as rigorously as they are to inbound communications. This includes authenticating and authorizing every connection, encrypting all communications, and monitoring continuously for suspicious behavior.
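To make the identity-based, default-deny outbound policy described in the two points above concrete, here is an added example that is not code from the original post or from Aviatrix. It models an egress allowlist the way a secure web gateway or egress proxy would evaluate it: each connection carries a workload identity (assumed here to come from the instance's role or a SPIFFE ID rather than its IP address), the TLS server name (SNI), and the destination port, and it is allowed only if a rule for that role, or for every role, names that host and port. The policy, the role names, the domains (including the placeholder S3 bucket hostname) and the connection attempts are all constructed for illustration. The example deliberately gives the database role access to one exact backup bucket hostname rather than a provider-wide wildcard, because with S3-style virtual-hosted addressing the bucket name is part of the hostname, which lets the policy allow the organization's bucket while denying an attacker-controlled one at the same provider, the exfiltration scenario from earlier in the post.

```python
"""Identity-aware, default-deny egress allowlist (constructed example, not from the original post)."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy (not from the original post). Each workload role gets an
# explicit set of (destination host pattern, port); the "*" scope applies to
# every role. A leading "*." matches any subdomain but never the bare apex or a
# look-alike such as "evil-cloudfront.net". The bucket hostname is a placeholder.
POLICY = {
    "web": {("api.example-payments.com", 443), ("*.cloudfront.net", 443)},
    "database": {("org-backups-prod.s3.us-east-1.amazonaws.com", 443)},
    "*": {("deb.debian.org", 443), ("security.debian.org", 443)},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def domain_matches(pattern, host):
    """Exact match, or wildcard suffix match that requires at least one label before it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.cloudfront.net" -> ".cloudfront.net"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def evaluate(role, sni: Optional[str], dst_port):
    """Default deny: allow only when a rule for the role (or for '*') names the
    SNI host and port. A connection with no SNI cannot be identified, so it is denied."""
    if not sni:
        return Decision(False, "no SNI: destination cannot be identified")
    for scope in (role, "*"):
        for pattern, port in POLICY.get(scope, ()):
            if port == dst_port and domain_matches(pattern, sni):
                return Decision(True, f"matched {scope}:{pattern}:{port}")
    return Decision(False, f"no rule for {role} -> {sni}:{dst_port}")


# Constructed connection attempts: (workload role, TLS SNI, destination port).
SAMPLE_ATTEMPTS = [
    ("database", "org-backups-prod.s3.us-east-1.amazonaws.com", 443),  # nightly backup
    ("database", "attacker-loot.s3.us-east-1.amazonaws.com", 443),     # exfil to same provider
    ("database", "security.debian.org", 443),                          # patching, via "*"
    ("web", "d111111abcdef8.cloudfront.net", 443),                      # wildcard match
    ("web", "evil-cloudfront.net", 443),                                # look-alike domain
    ("web", None, 443),                                                 # no SNI
    ("web", "api.example-payments.com", 8443),                          # wrong port
]


def audit(attempts):
    """Evaluate each attempt; returns (role, sni, port, allowed, reason) tuples for logging."""
    return [(role, sni, port, *vars(evaluate(role, sni, port)).values())
            for role, sni, port in attempts]


if __name__ == "__main__":
    for role, sni, port, allowed, reason in audit(SAMPLE_ATTEMPTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {role:9} {str(sni):45} :{port}  {reason}")
```

Two caveats matter in practice. The SNI is supplied by the client, so a gateway that trusts it without resolving the name itself and connecting on the client's behalf can be fooled by a mismatched SNI; a forward proxy that terminates the client side and opens the upstream connection itself closes that hole. And every denial should be logged with the workload identity, because the denied lines (a database role reaching for an unknown bucket) are the alert the flow logs alone could never raise.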
3. Prioritize Cost Predictability
The financial aspect cannot be ignored, either. Organizations need solutions that provide predictable costs while delivering superior security outcomes. This often means moving away from consumption-based pricing models that create perverse incentives where security incidents directly increase costs.
Final Notes: Time for a Strategic Rethink
Cloud-native NAT Gateways represent yesterday's solution to today's security challenges. While they serve a basic connectivity function, they fundamentally lack the visibility, security controls, and cost predictability that modern organizations require.
To secure your network, you need comprehensive security solutions that match the sophistication of today's threats. This means investing in tools that provide deep visibility, granular control, and cost-effective protection against the attack patterns that actually threaten modern cloud environments.
Secure every outbound packet before it leaves your cloud—and slash runaway NAT Gateway costs while you’re at it.
Learn more about how to secure your network by taking a free security assessment.
Check out our Total Cost of Ownership (TCO) calculator to see how much you could save with Aviatrix.
Explore how Aviatrix leverages the Unified Kill Chain to stop attacks.