Investigating NAT transfer traffic cost when downloading from S3 in a private subnet

Hello. Anyone know why downloading from S3 in a private subnet will incur NAT data transfer cost?
Shouldn't the data from S3 be routed from the public internet to EC2 through the IGW?

Yup, that's expected - the last bullet on https://github.com/open-guides/og-aws#vpc-and-network-security-gotchas-and-limitations has a good explanation, but tl;dr: your traffic is going S3 → IGW → public subnet → NAT → private subnet → EC2. So to skip the NAT, you need a VPC endpoint to go from S3 to the private subnet directly.

^ and worth noting, VPC endpoints for S3 (and DynamoDB) are free, so they’re a no-brainer to have set up
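The fix both replies describe, written out as an added Terraform example (this is not code from the thread or from the og-aws guide). The VPC ID, route table ID, region and bucket name are placeholders; the `service_name` format and the `Gateway` endpoint type are the real AWS values. Attaching the endpoint to the private subnet's route table is the step that matters: AWS adds a route for the regional S3 managed prefix list that targets the endpoint, and that route is more specific than the `0.0.0.0/0` route pointing at the NAT gateway, so S3 traffic stops traversing the NAT.

```terraform
# Added example, not from the original thread. Routes S3 (and DynamoDB) traffic
# from a private subnet through free Gateway VPC endpoints instead of the NAT.

variable "region" {
  default = "us-east-1" # assumption: gateway endpoints are regional, pick the VPC's region
}

data "aws_vpc" "main" {
  id = "vpc-0123456789abcdef0" # assumed placeholder
}

# The private subnet's route table; its 0.0.0.0/0 route currently targets the NAT gateway.
data "aws_route_table" "private" {
  route_table_id = "rtb-0123456789abcdef0" # assumed placeholder
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = data.aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway" # Gateway is free; an Interface endpoint for S3 is billed hourly and per GB

  # This association is what removes the NAT from the path: AWS inserts a route
  # for the S3 managed prefix list (pl-...) -> this endpoint into the table.
  route_table_ids = [data.aws_route_table.private.id]

  # Optional endpoint policy. Without one the endpoint allows all S3 access
  # (IAM and bucket policies still apply). Restricting it to one bucket is a
  # data-exfiltration control, but see the caveat in the note below.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-bucket", # assumed placeholder bucket name
        "arn:aws:s3:::example-bucket/*",
      ]
    }]
  })

  tags = { Name = "s3-gateway-endpoint" }
}

# DynamoDB is the other free gateway endpoint; same pattern.
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = data.aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [data.aws_route_table.private.id]
}

# Useful for security-group egress rules that should allow S3 without allowing 0.0.0.0/0.
output "s3_prefix_list_id" {
  value = aws_vpc_endpoint.s3.prefix_list_id
}
```

To confirm it worked, look at the private route table after apply: it should now contain a route whose destination is the `pl-...` prefix list and whose target is the `vpce-...` endpoint, alongside the existing `0.0.0.0/0` → NAT route. Two caveats: gateway endpoints only serve buckets in the same region and only for traffic originating inside the VPC (not from on-premises over VPN/Direct Connect or from a peered VPC), and a bucket-restricted endpoint policy like the one above also blocks other S3-hosted things the instances may depend on, such as the Amazon Linux package repositories, so either allow those buckets too or drop the policy.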