Hello. Anyone know why downloading from S3 in a private subnet will incur NAT transfer traffic costs?
Shouldn't the data in S3 be routed from the public internet to EC2 through the IGW?
Yup, that's expected - the last bullet on https://github.com/open-guides/og-aws#vpc-and-network-security-gotchas-and-limitations has a good explanation but tl;dr, your traffic is going S3 → IGW → public subnet → NAT → private subnet → EC2. So to skip the NAT, you need a VPC endpoint to go from S3 to the private subnet directly.
^ and worth noting, VPC endpoints for S3 (and DynamoDB) are free, so they're a no-brainer to have set up.