 

Alternative to AWS Lambda + NAT gateway

Quickly introducing my scenario: I have a VPC that contains an API Gateway that redirects its calls to my Lambda functions and then they access both an RDS instance and external API calls (internet access).

How it's structured

Due to the fact that the functions need to access the RDS, I've put both RDS and Lambdas in the same VPC, properly securing the RDS without public accessibility. Now, because the Lambdas are in a VPC, they need a NAT Gateway to access the internet (almost all of those functions need to call third parties APIs), and this is where I'm facing an enormous problem.

The problem

I have a small project to serve a few users (ranging from 10 to 200 users) and with the serverless setup that I've created, I'm expecting costs to be from $3.00 to $10.00 each month. That's the cost without a single NAT Gateway. Now, and if we add the price of a Gateway, which is $0.045 per hour - and I'm not even taking into consideration the $0.045 per GB of data transferred -, that's >$30 per month. It would be dumb of me to not create another to be Multi-AZ and mitigate possible availability zone failure - so >$60.00 for 2 NAT Gateways.

This is not only impractical for me, but wouldn't it also invalidate the point of the whole serverless structure that normally follows an on-demand approach?

How to solve this?

One of my alternatives is to move the Lambdas out of the VPC (meaning no VPC) and access the RDS through some mechanism without making it publicly accessible - and here is where I'm also failing: how would one securely access the RDS in the scenario where the Lambda functions are outside the RDS VPC?

In the worst case scenario - I know it's bad to expose my RDS to the public - but how big of a vulnerability is exposing it?

Keep in mind that I'm not blaming AWS prices, this is solely focused on finding alternatives to the NAT Gateway one - I appreciate suggestions to solve this case. Also, I'm sorry if I made a totally wrong assumption, I'm new to the AWS ecosystem.

Asked by Guilherme Matuella, Jun 05 '19 02:06


1 Answer

A public RDS instance solves your cost problem, but I'd strongly recommend you avoid doing this as it means anyone can discover and attempt to authenticate to it.

Lambdas

  • Because your lambdas need to talk to the internet as well as to your VPC, they must live in a VPC.
  • Lambdas also cannot be deployed into a public subnet, so they must live in a private subnet
  • Because they need to talk to the internet, your private subnet needs a NAT

Luckily, the AWS managed NAT Gateway isn't your only option for attaching a NAT to your private subnet; you can also opt to run your own NAT instance.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

While this is no longer recommended (NAT Gateways are managed, so are preferred), AWS still offer NAT instance AMIs that you can use that do the same job. You should be able to run a t2.nano NAT instance in each of your private subnets (in different AZs to get HA) for about $5 each.

This will save you $50 / month, and will mean you can have your RDS instance live in the private subnet and not need to expose it publicly. The only downside is now you have to manage your NAT instances yourself (patching, etc).

Answered by Chris McKinnel, Oct 02 '22 15:10
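The answer above says "run your own NAT instance" but does not show what that actually involves. The script below is an added example (not code from the thread or from AWS) of the two halves of that job: the host-side rules that turn a plain Linux EC2 instance into a NAT for the private subnets, and the AWS-side steps (disable source/destination checking, point the private route table at the instance, restrict its security group to the VPC). The VPC CIDR, interface name and the instance, route table and security group ids are placeholders; the `valid_cidr` helper is hypothetical and only exists so nothing but a well-formed IPv4 CIDR is spliced into an iptables command. The forwarding policy is deliberately DROP with an explicit allow for traffic sourced from the VPC, so the box cannot be used as an open relay if its security group is ever loosened.

```shell
#!/bin/sh
# Added example: configure a self-managed NAT instance for Lambdas in a private subnet.
# Not from the original thread or from AWS's NAT AMI; all ids and CIDRs are assumed placeholders.
set -eu

# Hypothetical helper: accept only a plain IPv4 CIDR so nothing odd reaches iptables.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the host-side NAT configuration for a single-NIC instance:
# enable forwarding, masquerade only packets sourced inside the VPC,
# default-deny everything else so the instance cannot relay for outsiders.
nat_host_config() {
  vpc_cidr=$1; iface=$2
  valid_cidr "$vpc_cidr" || { echo "bad CIDR: $vpc_cidr" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $iface -s $vpc_cidr -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $iface -o $iface -s $vpc_cidr -j ACCEPT
iptables -A FORWARD -i $iface -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the AWS-side steps: a NAT instance must not have source/destination
# checking, the private subnets' route table needs a default route to it,
# and its security group should admit traffic only from inside the VPC.
nat_aws_config() {
  vpc_cidr=$1; instance_id=$2; route_table_id=$3; sg_id=$4
  valid_cidr "$vpc_cidr" || { echo "bad CIDR: $vpc_cidr" >&2; return 1; }
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id $instance_id --no-source-dest-check
aws ec2 authorize-security-group-ingress --group-id $sg_id --protocol -1 --cidr $vpc_cidr
aws ec2 create-route --route-table-id $route_table_id --destination-cidr-block 0.0.0.0/0 --instance-id $instance_id
EOF
}

# Dry run by default (prints both halves for review); pass --apply on the NAT
# instance itself to execute the host-side rules. The AWS-side commands are
# always printed, never run, so they can be reviewed against real ids first.
main() {
  vpc_cidr=${VPC_CIDR:-10.0.0.0/16}   # assumed VPC CIDR
  iface=${NAT_IFACE:-eth0}            # assumed primary interface name
  if [ "${1:-}" = "--apply" ]; then
    nat_host_config "$vpc_cidr" "$iface" | sh -e
  else
    nat_host_config "$vpc_cidr" "$iface"
    # placeholder ids, replace with the real NAT instance, private route table and SG
    nat_aws_config "$vpc_cidr" i-0123456789abcdef0 rtb-0123456789abcdef0 sg-0123456789abcdef0
  fi
}

main "$@"
```

Run it once with no arguments to see exactly what it would change, then as user-data (or `sh nat.sh --apply`) on the instance. Two things the answer's "manage it yourself" covers that this script does not: the iptables rules are not persisted across reboots, and a route that points at a single instance has no failover, so the second-AZ instance the answer suggests needs either its own route table per AZ or something that rewrites the route when an instance dies.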