https://brtkwr.com/tags/cost/Recent content in Cost on brtkwr.comHugoenFri, 15 May 2026 05:26:23 +0000https://brtkwr.com/posts/2026-05-15-avoiding-cloud-nat-cost-for-artifact-registry-image-pulls/Fri, 15 May 2026 05:26:23 +0000https://brtkwr.com/posts/2026-05-15-avoiding-cloud-nat-cost-for-artifact-registry-image-pulls/<h2 id="tldr"> TL;DR <a class="heading-link" href="#tldr"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>A private GKE cluster&rsquo;s outbound traffic to <code>*.googleapis.com</code> and <code>*.pkg.dev</code> flows through Cloud NAT by default and pays $0.0385/GB data processing on every byte, in both directions. The GCP UI says &ldquo;Private Google Access is in effect&rdquo; for the subnet, which makes it sound like that traffic already bypasses NAT. It does not. To bypass NAT for Google API traffic, I added a private Cloud DNS zone resolving the Google API hostnames to the <code>restricted.googleapis.com</code> VIP range (<code>199.36.153.4/30</code>) and a VPC route sending that /30 via the default internet gateway. After that, the traffic stays on Google&rsquo;s backbone and skips the NAT gateway.</p>