Milo Antaeus · LLM Bill X-Ray ($79) · Stripe Webhook Audit ($79) · Prompt Library Audit ($39) · GitHub Actions Audit ($79)

AWS NAT Gateway + VPC Endpoint Cost Audit

Drop a GitHub repo URL with your Terraform, CDK, or CloudFormation IaC. Within 2 hours, get a deterministic audit of every NAT Gateway data-processing leak and every missing VPC Endpoint — ranked by recurring $/mo, with before/after HCL diffs you can paste straight into a PR. Savings are verifiable in AWS Cost Explorer within 7 days of the merge.

$149
one-time · 2-hour delivery
Premium tier
30-day money-back
Why $149 (premium tier), why now: NAT Gateway gotchas are the #1 source of "WTF is this $96K AWS bill?" horror stories in 2026 (cloudzero.com case studies, hykell.com NAT teardown, nops.io 7-figure save). The math is brutal: traffic that could go through a free S3 Gateway VPC Endpoint instead flows through NAT at $0.045/GB-processed plus $0.045/hr per gateway. A workload doing 100TB/mo through NAT = $4,500/mo recurring — most of which evaporates by adding 4 lines of Terraform. At $149, payback is days, not weeks. We charge premium because the saves are 10-100× larger than our $79-tier audits.
→ Synthetic sample report (CloudOps Inc, $3,405/mo recurring, 7 findings)
Deterministic static analyzer. No LLM-in-the-loop. Same engine on every repo. We scan .tf, .py/.ts CDK constructs, and CloudFormation .yaml/.json for 10 NAT/VPC-Endpoint cost-leak patterns. We don't manufacture findings to justify the $149 — small/clean infra returns small reports and a partial refund.

What's in the audit

1. Executive one-pager

Top findings ranked by recurring $/mo. Total annualized AWS savings. Read in 60 seconds, decide which fix to ship this week.

2. Before/after HCL diffs

Actual patch snippets for the top leaks in your Terraform / CDK / CloudFormation. Paste into a PR. No "go review your VPC architecture" handwaving.

3. Per-VPC traffic-flow map

Every VPC, subnet group, and NAT Gateway in your IaC, with estimated GB/mo flowing through NAT, $ burned, and the specific endpoints that would short-circuit each flow.

4. Specific fix instructions

For each leak: confidence rating, expected recurring savings, implementation effort (LOC), and rollback strategy if the endpoint introduction breaks a private-subnet workload.

5. AWS Cost Explorer verification kit

Concrete instructions for verifying the saves in AWS Cost Explorer 7 days post-merge: which filters to apply, which services to group by, what number to expect to drop.

+ 30-day re-audit voucher

Implement the fixes, then re-submit the same repo. We re-run the analysis. If your AWS bill didn't drop by $149+, full refund.
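The verification kit is described above in prose; as an added example (written for this page, not part of the kit or the product), the script below pulls daily NAT Gateway usage-type costs from the Cost Explorer API for the 7 days before and the 7 days after a merge and reports the per-usage-type delta. Assumptions: NAT usage types fall under the Cost Explorer service name "EC2 - Other" and end in NatGateway-Bytes / NatGateway-Hours (with a region prefix such as USW2- outside us-east-1); the embedded sample responses are constructed so the comparison runs offline.

```python
from datetime import date, timedelta

NAT_USAGE_SUFFIXES = ("NatGateway-Bytes", "NatGateway-Hours")  # region-prefixed outside us-east-1, e.g. USW2-NatGateway-Bytes

def windows(merge_day_iso, days=7):
    """((before_start, before_end), (after_start, after_end)) as ISO dates. Cost Explorer treats End as
    exclusive, and the merge day itself is skipped so a half-fixed day does not blur either window."""
    m = date.fromisoformat(merge_day_iso)
    before = ((m - timedelta(days=days)).isoformat(), m.isoformat())
    after = ((m + timedelta(days=1)).isoformat(), (m + timedelta(days=days + 1)).isoformat())
    return before, after

def cost_explorer_request(start_iso, end_iso):
    """Parameters for ce:GetCostAndUsage. Assumption: NAT usage types are billed under the Cost Explorer
    service name 'EC2 - Other'; grouping by USAGE_TYPE separates data-processing bytes from hours."""
    return {
        "TimePeriod": {"Start": start_iso, "End": end_iso},
        "Granularity": "DAILY",
        "Metrics": ["UnblendedCost"],
        "Filter": {"Dimensions": {"Key": "SERVICE", "Values": ["EC2 - Other"]}},
        "GroupBy": [{"Type": "DIMENSION", "Key": "USAGE_TYPE"}],
    }

def sum_nat_cost(results_by_time):
    """Sum UnblendedCost per NAT usage-type suffix across all returned days; other usage types are ignored."""
    totals = {s: 0.0 for s in NAT_USAGE_SUFFIXES}
    for day in results_by_time:
        for group in day.get("Groups", []):
            usage_type = group["Keys"][0]
            for s in NAT_USAGE_SUFFIXES:
                if usage_type.endswith(s):
                    totals[s] += float(group["Metrics"]["UnblendedCost"]["Amount"])
    return {k: round(v, 2) for k, v in totals.items()}

def compare(before_results, after_results):
    """Expected shape after a Gateway-endpoint merge: NatGateway-Bytes drops, NatGateway-Hours stays flat
    (hours only fall if gateways were also removed, pattern 8)."""
    b, a = sum_nat_cost(before_results), sum_nat_cost(after_results)
    return {k: {"before": b[k], "after": a[k], "delta": round(a[k] - b[k], 2)} for k in b}

def fetch(ce_client, start_iso, end_iso):
    """Page through GetCostAndUsage; needs ce:GetCostAndUsage and is billed per API request."""
    params, results = cost_explorer_request(start_iso, end_iso), []
    while True:
        resp = ce_client.get_cost_and_usage(**params)
        results.extend(resp["ResultsByTime"])
        if not resp.get("NextPageToken"):
            return results
        params["NextPageToken"] = resp["NextPageToken"]

# Constructed sample responses (shape of ResultsByTime) so the comparison runs offline: about $150/day of
# NAT bytes before the merge, $12/day after, hourly charge unchanged, plus an unrelated EBS line.
def _day(day_iso, bytes_cost, hours_cost):
    return {"TimePeriod": {"Start": day_iso, "End": day_iso}, "Groups": [
        {"Keys": ["USW2-NatGateway-Bytes"], "Metrics": {"UnblendedCost": {"Amount": str(bytes_cost), "Unit": "USD"}}},
        {"Keys": ["USW2-NatGateway-Hours"], "Metrics": {"UnblendedCost": {"Amount": str(hours_cost), "Unit": "USD"}}},
        {"Keys": ["USW2-EBS:VolumeUsage.gp3"], "Metrics": {"UnblendedCost": {"Amount": "12.5", "Unit": "USD"}}}]}
SAMPLE_BEFORE = [_day(f"2026-03-{d:02d}", 150.0, 3.24) for d in range(1, 8)]
SAMPLE_AFTER = [_day(f"2026-03-{d:02d}", 12.0, 3.24) for d in range(9, 16)]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # live mode: python verify_nat.py 2026-03-08
        import boto3                           # Cost Explorer is a global API served from us-east-1
        ce = boto3.client("ce", region_name="us-east-1")
        (bs, be), (as_, ae) = windows(sys.argv[1])
        print(compare(fetch(ce, bs, be), fetch(ce, as_, ae)))
    else:
        print(compare(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it with a merge date against credentials holding ce:GetCostAndUsage; Cost Explorer bills each paginated API call at $0.01. What to expect: NatGateway-Bytes drops in proportion to the traffic you moved onto endpoints, while NatGateway-Hours stays flat unless you also deleted gateways (pattern 8). Compare like with like: if your traffic has a weekly cycle, keep both windows at 7 days.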

The 10 patterns we check

The analyzer is 10 deterministic IaC patterns across Terraform (.tf), CDK (.py/.ts), and CloudFormation (.yaml/.json). Every finding includes a confidence rating, recurring $/mo impact estimate, before/after diff, and rollback note.

#  | Pattern | Typical $/mo
1  | Missing aws_vpc_endpoint for S3 Gateway (free endpoint; takes 100% of same-region S3 traffic off NAT) | $400-2,500
2  | Missing aws_vpc_endpoint for DynamoDB Gateway (free endpoint; takes 100% of same-region DynamoDB traffic off NAT) | $200-1,200
3  | Missing ECR api + ECR dkr Interface endpoints: container image pulls flow through NAT (image layers are served from S3, so the S3 Gateway endpoint is required alongside them) | $300-1,500
4  | Missing CloudWatch Logs Interface endpoint: log shipping flows through NAT | $150-600
5  | Missing Secrets Manager / SSM Parameter Store Interface endpoints: secret fetches on every cold start go through NAT | $80-400
6  | Lambda functions in private subnets without S3/DynamoDB Gateway endpoints (every invocation's S3/DynamoDB traffic is NAT-metered per GB) | $200-1,000
7  | EKS nodegroups in private subnets without ECR + S3 + Logs endpoints (every image pull and every log line through NAT) | $300-1,200
8  | Over-provisioned NAT Gateways: one per AZ with no documented HA justification (single-AZ workloads pay 3× the hourly charge; consolidating to one NAT turns the other AZs' traffic into pattern 10 and removes per-AZ fault isolation) | $135-405
9  | NAT Gateway shared across VPCs via Transit Gateway: TGW data-processing charges stack on top of NAT data-processing (two per-GB charges on the same byte) | $200-900
10 | Cross-AZ NAT routing: private subnet in AZ-a sending traffic through a NAT in AZ-b ($0.01/GB in each direction cross-AZ on top of $0.045/GB NAT; easy to miss in route tables) | $100-500

Typical full-audit sum: $1,500-$5,000/mo recurring on a mid-sized multi-VPC setup with EKS + Lambda + ECR. Outlier: we've seen $12K+/mo on a single 200TB-through-NAT workload where adding 3 Gateway endpoints eliminated 95% of the data-processing charges. The cloudzero.com case study cites a single customer saving $96K/yr from a $0 Gateway endpoint addition.
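As an added illustration of what a deterministic IaC rule looks like (example code written for this page, not the product's analyzer), the Python below runs a regex-level version of patterns 1, 2 and 10 over a constructed Terraform sample, emits the "after" side of the Gateway-endpoint fix, and carries the pricing arithmetic from the estimation FAQ. Assumptions: flat resource blocks only (no nested blocks or HCL expressions), us-east-1 list prices, and an aws_vpc.main resource name in the generated fix; the sample HCL is constructed, not taken from any real repo.

```python
import re
from collections import defaultdict

NAT_PER_GB, NAT_PER_HOUR = 0.045, 0.045           # NAT data processing / hourly (us-east-1 list price)
IFACE_PER_GB, IFACE_PER_HOUR_PER_AZ = 0.01, 0.01  # Interface (PrivateLink) endpoint: per GB / per hour per AZ
HOURS_PER_MONTH = 730
# Constructed sample (not a real repo): two private subnets in two AZs, a single NAT in us-east-1a
# that both subnets default-route to, and no VPC endpoints at all.
SAMPLE_TF = '''
resource "aws_subnet" "public_a" {
  availability_zone = "us-east-1a"
}
resource "aws_subnet" "private_a" {
  availability_zone = "us-east-1a"
}
resource "aws_subnet" "private_b" {
  availability_zone = "us-east-1b"
}
resource "aws_nat_gateway" "nat_a" {
  subnet_id = aws_subnet.public_a.id
}
resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat_a.id
}
resource "aws_route_table_association" "private_a" {
  subnet_id      = aws_subnet.private_a.id
  route_table_id = aws_route_table.private.id
}
resource "aws_route_table_association" "private_b" {
  subnet_id      = aws_subnet.private_b.id
  route_table_id = aws_route_table.private.id
}
'''

BLOCK_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{(.*?)\n\}', re.S)  # flat resource blocks only
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]+?)"?\s*$', re.M)           # key = "value" or key = ref
def parse_resources(hcl):
    """{resource_type: {name: {attr: value}}}; nested blocks and HCL expressions are out of scope."""
    out = defaultdict(dict)
    for rtype, name, body in BLOCK_RE.findall(hcl):
        out[rtype][name] = dict(ATTR_RE.findall(body))
    return out

def _ref(value):
    """'aws_subnet.private_a.id' -> ('aws_subnet', 'private_a'); None if not a resource reference."""
    p = value.split(".")
    return (p[0], p[1]) if len(p) >= 2 and p[0].startswith("aws_") else None

def missing_gateway_endpoints(res):
    """Patterns 1/2: NAT present but no Gateway endpoint for S3 / DynamoDB (type defaults to Gateway)."""
    if not res.get("aws_nat_gateway"):
        return []
    present = {ep.get("service_name", "").rsplit(".", 1)[-1]
               for ep in res.get("aws_vpc_endpoint", {}).values()
               if ep.get("vpc_endpoint_type", "Gateway") == "Gateway"}
    return [s for s in ("s3", "dynamodb") if s not in present]

def cross_az_nat_routes(res):
    """Pattern 10: subnets whose 0.0.0.0/0 route points at a NAT Gateway sitting in a different AZ."""
    subnet_az = {n: a.get("availability_zone") for n, a in res.get("aws_subnet", {}).items()}
    nat_az = {n: subnet_az.get((_ref(a.get("subnet_id", "")) or ("", ""))[1])
              for n, a in res.get("aws_nat_gateway", {}).items()}
    rt_nat = {}                                   # route table name -> NAT name for the default route
    for a in res.get("aws_route", {}).values():
        rt, nat = _ref(a.get("route_table_id", "")), _ref(a.get("nat_gateway_id", ""))
        if rt and nat and a.get("destination_cidr_block") == "0.0.0.0/0":
            rt_nat[rt[1]] = nat[1]
    findings = []
    for a in res.get("aws_route_table_association", {}).values():
        sub, rt = _ref(a.get("subnet_id", "")), _ref(a.get("route_table_id", ""))
        if sub and rt and rt[1] in rt_nat:
            nat = rt_nat[rt[1]]
            if subnet_az.get(sub[1]) != nat_az.get(nat):
                findings.append((sub[1], subnet_az.get(sub[1]), nat, nat_az.get(nat)))
    return sorted(findings)
def gateway_endpoint_savings(gb_per_month):
    """Gateway endpoints carry no hourly or per-GB charge: the full NAT per-GB charge disappears."""
    return round(gb_per_month * NAT_PER_GB, 2)
def interface_endpoint_savings(gb_per_month, az_count):
    """Net of PrivateLink's own charges; negative means the endpoint costs more than the NAT traffic it replaces."""
    iface = gb_per_month * IFACE_PER_GB + az_count * HOURS_PER_MONTH * IFACE_PER_HOUR_PER_AZ
    return round(gb_per_month * NAT_PER_GB - iface, 2)
def gateway_endpoint_hcl(service, region, route_tables):
    """The 'after' side of a pattern 1/2 diff; aws_vpc.main is an assumed resource name."""
    rts = ", ".join(f"aws_route_table.{rt}.id" for rt in route_tables)
    return (f'\nresource "aws_vpc_endpoint" "{service}" {{\n  vpc_id            = aws_vpc.main.id\n'
            f'  service_name      = "com.amazonaws.{region}.{service}"\n  vpc_endpoint_type = "Gateway"\n'
            f'  route_table_ids   = [{rts}]\n}}\n')

def audit(hcl):
    res = parse_resources(hcl)
    return {"nat_gateways": sorted(res.get("aws_nat_gateway", {})),
            "missing_gateway_endpoints": missing_gateway_endpoints(res),
            "cross_az_nat_routes": cross_az_nat_routes(res)}

if __name__ == "__main__":
    print(audit(SAMPLE_TF))
    print(audit(SAMPLE_TF + gateway_endpoint_hcl("s3", "us-east-1", ["private"])))
```

Run as-is, the first report flags nat_a, both missing Gateway endpoints and private_b's cross-AZ default route; feeding the generated S3 endpoint back through the same parser clears the S3 finding, which is the kind of before/after check the re-audit voucher relies on. Note that interface_endpoint_savings(100, 3) comes out negative: a low-volume service behind Interface endpoints in three AZs costs more than routing it through NAT, so Interface-endpoint findings are only worth shipping above a traffic threshold.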

How it works

  1. Pay $149 via PayPal (top of page). You're redirected to a thank-you page that asks for your GitHub repo URL + email.
  2. Drop the repo URL (any GitHub repo you have access to — private OK, we use a read-only fine-grained PAT you generate yourself). The audit reads .tf, CDK .py/.ts, and CloudFormation .yaml/.json files.
  3. Within 2 hours, you receive a personalized HTML report (like the sample) at a private URL.
  4. Implement the fixes. Most customers ship the top 2-3 (Gateway endpoints) within a single PR — often less than 20 lines of Terraform.
  5. 7-14 days later, verify the saves in AWS Cost Explorer using the kit included in your report. 30 days later, redeem the re-audit voucher — we re-run and quantify whether the bill actually dropped.

What this isn't

This is... | This is not...
A one-shot, static-analysis audit of your IaC for NAT Gateway + VPC Endpoint cost leaks | A security audit of your VPC (no SG/NACL review, no public-subnet exposure scan)
HCL/Python/YAML-level findings you can paste into a PR | Runtime observability requiring VPC Flow Logs ingestion or AWS Cost & Usage Report parsing
Deterministic regex + IaC AST patterns (no LLM-in-the-loop) | "AI told me your VPC is wrong" handwaving
Read-only (we never run terraform apply, never call AWS APIs, never push to your repo) | A FinOps SaaS subscription with seat pricing
Targeted exclusively at NAT/VPC-Endpoint cost leaks (the highest-$ recurring AWS waste pattern in 2026) | An EC2/EBS/RDS rightsizing audit (different lane; many vendors do this well)
Vendor-agnostic (works on Terraform, CDK, CloudFormation; pick one or mix) | An AWS Trusted Advisor replacement (we go deeper on this specific pattern, narrower elsewhere)

First-3-customers beta pricing

This is a brand-new product and our FIRST premium-tier audit ($149 vs $79 for our other audits). The 10-rule analyzer is validated against 25+ public OSS IaC repos (terraform-aws-modules, cdk-patterns, sample CloudFormation templates from aws-samples), but the $149 AWS NAT Audit has shipped zero paid audits yet.

Honest first-customer offer: the first 3 customers pay $99 instead of $149 via direct PayPal invoice. Email miloantaeus@gmail.com with subject "AWS NAT audit — first 3" and we'll send the $99 invoice instead of using the $149 button above. In exchange: a 90-day follow-up audit, permission to anonymize learnings into the rule library, and a 30-min call to walk you through the AWS Cost Explorer verification step.

Why premium pricing is honest here: NAT Gateway gotchas commonly produce $4-12K/mo recurring savings (documented case studies at cloudzero.com showing 100TB/mo workloads dropping ~$4,500/mo recurring from a single Gateway-endpoint addition; hykell.com showing a $96K/yr save). At $149, payback is days not weeks. The $79 cap on our other audits doesn't fit because the underlying save size is 10-50× larger. If the audit doesn't find at least $149/mo of identifiable recurring savings, refund. If you implement the recommended fixes and the AWS bill doesn't drop within 30 days (verified by re-audit), refund. The verification step using AWS Cost Explorer is built into the deliverable for exactly this reason.

FAQ

Do you need access to my AWS account or Cost Explorer?
No. Static analysis of your IaC files only — .tf, CDK .py/.ts, CloudFormation .yaml/.json. You generate a fine-grained GitHub PAT scoped to contents: read on the single repo. We clone with git clone --depth=1, run the analysis, discard the clone. No AWS API calls, no IAM role assumption, no CUR access, no Flow Logs ingestion.
How are you estimating $/mo if you can't see my AWS bill?
We estimate using declared VPC/subnet/NAT topology × inferred workload profile (Lambda count, EKS node count, ECR pull frequency) × public AWS pricing: $0.045/GB processed plus $0.045/hr per NAT Gateway, and $0.01/hr per AZ plus $0.01/GB processed per Interface endpoint. Gateway endpoints (S3, DynamoDB) carry no charge at all, so every GB moved onto one saves the full $0.045. An Interface endpoint's saving is the net of its own charges, roughly $0.035/GB minus about $7.30/mo per AZ, so for a low-volume service across three AZs it can be negative; that is why Interface-endpoint findings carry lower confidence than Gateway ones. The estimate is calibrated against the 25+ public IaC repos we used to validate the rules. The report includes a "calibration confidence" field per finding (95%+ for missing Gateway endpoints, 85%+ for missing Interface endpoints, 70% for cross-AZ routing). The AWS Cost Explorer verification kit and the 30-day re-audit voucher are the ground-truth checks: if your real bill didn't drop by $149+, full refund.
What if my repo is private?
You generate a fine-grained personal access token (PAT) scoped to contents: read on the single repo. Add it to the intake form. We clone, analyze, delete. The PAT can be revoked the second you receive the report. We do NOT need access to your tfstate (which can hold resource attributes and secrets in plaintext), only the source .tf / CDK / CloudFormation files.
Do you support Pulumi / OpenTofu / SST / Serverless Framework?
v1 supports Terraform (.tf), AWS CDK (Python + TypeScript), and CloudFormation (.yaml + .json). OpenTofu is detected as Terraform (same syntax, same patterns apply). Pulumi (TypeScript/Python/Go) is on the v2 roadmap. SST and Serverless Framework synthesize down to CloudFormation, which v1 scans — but synthesis output paths vary by project; email us with your repo layout if you want to confirm coverage before buying.
What if my infrastructure is split across many repos (monorepo IaC vs polyrepo)?
One audit = one repo. If you have 5 IaC repos (e.g., per-account or per-env), that's 5 audits — but email us first; we offer bundle pricing ($99/repo for 5+ repos in the same organization).
What if you don't find $149 of recurring savings?
Refund. The 30-day re-audit voucher is a structural accountability layer: implement the fixes, prove the savings didn't materialize in AWS Cost Explorer, refund. We've designed the product so it's only profitable if the rules actually work. The verification step in AWS Cost Explorer is included in the deliverable specifically to make this falsifiable.
How is this different from CloudZero / Vantage / nOps / Kubecost?
Those are continuous FinOps SaaS products — you connect your AWS account, pay $X00-$X,000/mo for ongoing visibility into all cloud spend. Ours is a one-shot static-analysis audit targeted exclusively at the NAT/VPC-Endpoint cost-leak pattern — the single highest-$ recurring waste pattern most teams ignore. The two are complementary; many customers do both. If you already pay a FinOps SaaS that flagged NAT spend, this audit gives you the specific IaC diffs to fix it, which FinOps SaaS does not.
What about VPCs deployed via ClickOps (AWS Console) with no IaC?
v1 requires IaC source files. If your VPC was manually built in the AWS Console and isn't tracked in Terraform/CDK/CloudFormation, refund. The roadmap includes a v2 mode that reads via AWS APIs given an IAM role — email us if you want priority. For now: if there's no .tf / CDK construct / CloudFormation template, there's nothing to analyze statically.

Related

→ See the synthetic sample report first ($3,405/mo recurring of AWS waste found)