Tags: amazon-web-services, amazon-ecs, aws-fargate, amazon-cloudwatchlogs, aws-nat-gateway

AWS fargate logging to cloudwatch causes NAT traffic - how to avoid


We got a substantial increase in AWS cost this month which we can track down to ec2-other / EU-NatGateway-Bytes. Our best guess is that this is due to a fargate task that got into trouble and generated a lot of cloudwatch messages. What's unclear is why cloudwatch messages should go through the NAT gateway. That seems unnecessary. An alternative could be efs access, but there the same applies: why use NAT?

Afaik this is really a rather 'vanilla' ecs task, pulling the docker image from ecr

Any tips where to look for a possible misconfiguration?

Tx!!

Peter


Solution

  • Resources in private VPC subnets have to go through the NAT Gateway to access anything outside the VPC. AWS CloudWatch Logs happens to exist outside the VPC.

    If you want to avoid this, then you need to create a VPC Interface Gateway for CloudWatch Logs, to provide a private connection between your VPC and CloudWatch Logs.
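As an added check, not part of the answer above: a small Python function that audits a VPC's endpoints from the JSON that `aws ec2 describe-vpc-endpoints` returns and reports which private endpoints a Fargate task in a private subnet still lacks, so its traffic is still leaving via the NAT gateway. It goes beyond the answer by also listing the ECR and S3 endpoints an image pull from ECR needs (assumption: the task pulls from ECR and uses the awslogs driver); the response and endpoint IDs are constructed sample data.

```python
"""Audit which private VPC endpoints a Fargate task in a private subnet lacks.

Operates on the JSON shape of `aws ec2 describe-vpc-endpoints` (same as
boto3's ec2.describe_vpc_endpoints), so it runs offline on a saved response.
"""
from typing import Dict, List

# Services a task in a private subnet reaches without NAT only via an endpoint.
# "logs" is the one from the answer; the ECR/S3 trio is an assumption for
# tasks that pull their image from ECR. Dict order is the report order.
REQUIRED_ENDPOINTS = {
    "logs": "Interface",     # awslogs log driver -> CloudWatch Logs
    "ecr.api": "Interface",  # ECR auth and manifest calls
    "ecr.dkr": "Interface",  # ECR image layer pulls
    "s3": "Gateway",         # ECR stores layers in S3
}


def missing_endpoints(describe_response: Dict, region: str) -> List[str]:
    """Return findings for endpoints that are absent or misconfigured."""
    prefix = f"com.amazonaws.{region}."  # ServiceName is com.amazonaws.<region>.<svc>
    present = {}
    for ep in describe_response.get("VpcEndpoints", []):
        if ep["ServiceName"].startswith(prefix):
            present[ep["ServiceName"][len(prefix):]] = ep
    findings = []
    for service, kind in REQUIRED_ENDPOINTS.items():
        ep = present.get(service)
        if ep is None:
            findings.append(f"{service}: no {kind} endpoint; traffic uses the NAT gateway")
            continue
        if ep.get("State") != "available":
            findings.append(f"{service}: endpoint {ep['VpcEndpointId']} is {ep.get('State')}")
        if kind == "Interface" and not ep.get("PrivateDnsEnabled", False):
            # Without private DNS the public hostname still resolves to public
            # IPs, so the task keeps going out through NAT despite the endpoint.
            findings.append(f"{service}: endpoint {ep['VpcEndpointId']} has private DNS disabled")
    return findings


# Constructed sample: S3 gateway endpoint present, logs endpoint created
# without private DNS, no ECR endpoints at all.
SAMPLE_RESPONSE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.logs", "State": "available",
     "PrivateDnsEnabled": False},
]}

if __name__ == "__main__":
    for line in missing_endpoints(SAMPLE_RESPONSE, "eu-west-1"):
        print(line)
```

Feed it the real output with `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<your vpc>` piped into `json.load`; an empty list means every service above has a private path.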