Quickly introducing my scenario: I have a VPC that contains an API Gateway that redirects its calls to my Lambda functions, which then access both an RDS instance and external APIs (internet access).
How it's structured
Because the functions need to access the RDS, I've put both the RDS and the Lambdas in the same VPC, properly securing the RDS without public accessibility. Now, because the Lambdas are in a VPC, they need a NAT Gateway to access the internet (almost all of those functions need to call third-party APIs), and this is where I'm facing an enormous problem.
The problem
I have a small project to serve a few users (ranging from 10 to 200 users), and with the serverless setup that I've created, I'm expecting costs of $3.00 to $10.00 each month. That's the cost without a single NAT Gateway. Now, if we add the price of a Gateway, which is $0.045 per hour (and I'm not even taking into consideration the $0.045 per GB of data transferred), that's >$30 per month. It would be dumb of me not to create another one to be Multi-AZ and mitigate a possible availability zone failure, so >$60.00 for 2 NAT Gateways.
This is not only impractical for me, but wouldn't it also invalidate the point of the whole serverless structure, which normally follows an on-demand approach?
How to solve this?
One of my alternatives is to move the Lambdas out of the VPC (meaning no VPC) and access the RDS through some mechanism without making it publicly accessible, and here is where I'm also failing: how would one securely access the RDS in the scenario where the Lambda functions are outside the RDS VPC?
In the worst-case scenario (I know it's bad to expose my RDS to the public), how big of a vulnerability is exposing it?
Keep in mind that I'm not blaming AWS prices; this is solely focused on finding alternatives to the NAT Gateway one. I appreciate suggestions to solve this case. Also, I'm sorry if I made a totally wrong assumption; I'm new to the AWS ecosystem.
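A check that goes with the "properly securing the RDS without public accessibility" setup and the "how big of a vulnerability is exposing it" question: the following is an added example, not code from the asker or from the post, that audits one RDS instance's network exposure. It works on dicts shaped like the relevant parts of boto3's `rds.describe_db_instances()` and `ec2.describe_security_groups()` responses, so it runs offline; the VPC CIDR, instance name and security group IDs are constructed for the example and are not real resources. The locked-down case (DB port reachable only from the Lambda functions' security group) is shown beside the worst case from the question (public IP plus a port rule open to the world).

```python
import ipaddress

SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data (made-up IDs), shaped like boto3's
# DescribeDBInstances['DBInstances'][i] and DescribeSecurityGroups['SecurityGroups'][i].
VPC_CIDR = "10.0.0.0/16"       # assumed VPC range for the example
LAMBDA_SG = "sg-lambda0"       # assumed security group attached to the Lambda functions

LOCKED_DOWN_DB = {
    "DBInstanceIdentifier": "example-db",
    "PubliclyAccessible": False,
    "Endpoint": {"Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db0000", "Status": "active"}],
}
LOCKED_DOWN_SGS = {
    "sg-db0000": {
        "GroupId": "sg-db0000",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}],   # only the Lambdas may connect
        }],
    },
}

# The "worst case" from the question: public IP plus a wide-open port rule.
EXPOSED_DB = dict(LOCKED_DOWN_DB, PubliclyAccessible=True)
EXPOSED_SGS = {
    "sg-db0000": {
        "GroupId": "sg-db0000",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "UserIdGroupPairs": [],
        }],
    },
}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def classify_cidr(cidr, vpc_cidr):
    """Severity of letting a CIDR source reach the DB port."""
    net = ipaddress.ip_network(cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr)
    if net.prefixlen == 0:                 # 0.0.0.0/0 or ::/0: the whole internet
        return "critical"
    if net.version != vpc.version or not net.subnet_of(vpc):
        return "medium"                    # reachable from outside the VPC
    return "low"                           # inside the VPC, but broader than the Lambda SG


def audit_rds_exposure(db, sgs, vpc_cidr, allowed_source_sgs=()):
    """Return a list of (severity, message) findings for one DB instance."""
    port = db["Endpoint"]["Port"]
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append(("high", f"{db['DBInstanceIdentifier']} is PubliclyAccessible (has a public IP)"))
    for ref in db.get("VpcSecurityGroups", []):
        gid = ref["VpcSecurityGroupId"]
        sg = sgs.get(gid)
        if sg is None:
            findings.append(("medium", f"security group {gid} not found in input"))
            continue
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                findings.append((classify_cidr(cidr, vpc_cidr), f"{gid} allows port {port} from {cidr}"))
            for pair in rule.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if allowed_source_sgs and src not in allowed_source_sgs:
                    findings.append(("low", f"{gid} allows port {port} from unexpected group {src}"))
    return findings


def worst_severity(findings):
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="none")


def is_internet_reachable(db, sgs, vpc_cidr):
    """The genuinely exposed case: a public IP *and* a rule open to the world."""
    findings = audit_rds_exposure(db, sgs, vpc_cidr)
    return bool(db.get("PubliclyAccessible")) and any(s == "critical" for s, _ in findings)


if __name__ == "__main__":
    for label, db, sgs in (("locked down", LOCKED_DOWN_DB, LOCKED_DOWN_SGS),
                           ("exposed", EXPOSED_DB, EXPOSED_SGS)):
        found = audit_rds_exposure(db, sgs, VPC_CIDR, allowed_source_sgs={LAMBDA_SG})
        print(f"{label}: worst={worst_severity(found)} "
              f"internet_reachable={is_internet_reachable(db, sgs, VPC_CIDR)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Two things the split between `PubliclyAccessible` and the security group rules makes visible: a public IP alone is not yet an open database (the group still has to admit the source), and a `0.0.0.0/0` rule alone is not yet reachable from the internet (the instance still needs a public IP). The worst case in the question is the combination, which `is_internet_reachable` reports. Against a real account the same functions take the dicts returned by boto3's `describe_db_instances` and `describe_security_groups`.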