NAT is no longer free: the hidden bill behind IPv4

For years, the phrase worked as a definitive argument: “NAT is free.” If IPv4 kept functioning, if networks could hide hundreds or thousands of devices behind a single public address, and if migrating to IPv6 required changing addressing, firewalls, monitoring, applications, and procedures, the decision seemed straightforward. Not migrating was cheaper.

That calculation was reasonable for a long time. The problem is that the premise has changed. NAT hasn’t suddenly become expensive because a standard says so; rather, IPv4 scarcity has turned everything that once seemed invisible into a cost: public addresses, CGNAT equipment, logging, support, operations, legal compliance, and network complexity.

An IPv4 address is no longer just an administrative resource requested from a regional registry. It’s an asset with a price. RIPE NCC exhausted its available pool in November 2019 for Europe, the Middle East, and parts of Central Asia, and ARIN had depleted its pool in North America in September 2015. Since then, those needing more IPv4 must reuse, transfer, rent, buy, or hide more users behind NAT.

The public IP now comes with a line item

AWS made visible what many operators already knew. Since February 1, 2024, it has charged $0.005 per hour for each public IPv4 address, whether associated with a service or idle. The number seems small but adds up to $43.80 per year per address. In environments with dozens, hundreds, or thousands of public IPs, it’s no longer a rounding error.

This fee doesn’t pay for compute, storage, or traffic—it pays for the address. It’s scarcity converted into a cloud consumption unit. AWS didn’t invent the problem but translated it into a metric that any infrastructure manager can understand: each public IPv4 has a recurring cost.

The secondary market tells the same story from another angle. Market reports estimate the purchase price of IPv4 in 2026 between $18 and $45 per IP, depending on block size and region, and rental prices between $0.30 and $0.50 per IP per month. Other transaction analyses from the first half of 2025 suggest average prices close to $31 per address.

| Visible IPv4 cost | Example |
|---|---|
| Public IPv4 in AWS | $0.005/hour |
| Annual cost per IPv4 in AWS | $43.80/year |
| IPv4 purchase in secondary market | $18–$45 per IP in 2026, depending on block |
| IPv4 rental | $0.30–$0.50 per IP/month |
| Average price in H1 2025 operations | $31.15 per IP, according to IPv4 Center |

What was once part of the background now appears on the bill. And when an address begins to be charged as a scarce resource, the argument that NAT is free loses the simplest part of its defense.

CGNAT: the box that exists because addresses are scarce

The second bill is less visible. When an operator cannot provide a direct public IPv4 to each customer, they often resort to Carrier-Grade NAT (CGNAT). In practice, many subscribers share one or several public addresses, and the operator translates their connections using ports.

This requires specialized equipment, processing capacity, memory for session tables, redundancy, licenses, support, power, cooling, rack space, monitoring, and staff skilled in sizing and debugging the platform. CGNAT isn’t an abstract feature—it’s a critical part of the traffic path.

The IETF documented common requirements for CGNAT precisely because these platforms must behave carefully with port management, sessions, timers, and reuse of mappings. When a device translates millions of sessions, details such as when a port can be reused and how state is preserved aren’t trivial: they affect applications, traceability, and stability.

The market already reflects this layer of expenditure. DataIntelo valued the global Carrier-Grade NAT market at $3.8 billion in 2025 and projected $9.1 billion for 2034. It’s an estimate, not an accounting of all operators worldwide, but it helps contextualize something that for years was described as a “temporary solution.”

| Hidden CGNAT cost | Why it exists |
|---|---|
| Appliances or virtualized capacity | Translate traffic for many subscribers |
| Redundancy | Avoid outages affecting thousands of users |
| Licenses and support | Maintain high-performance platforms |
| Energy and rack space | Operate additional hardware |
| Monitoring | Detect port exhaustion and degradations |
| NOC operations | Resolve issues that wouldn’t exist with direct IP |

The key point is uncomfortable: this equipment exists only because there aren’t enough public IPv4 addresses or because the operator chooses to conserve them. In a network with direct assignment, some of this complexity vanishes.

Logging is another bill—and it can be huge

CGNAT breaks a simple relationship: a public IP no longer identifies a subscriber. When hundreds, thousands, or tens of thousands of users share an address, any abuse investigation, fraud detection, or legal request requires more than just an IP and an hour. It needs the public IP, public port, private IP, private port, and timestamp.

The IETF already indicated in CGN-related work that operators might need to identify a subscriber based on external IP, port, and timestamp to respond to abuses or legal demands. RFC 7422 clearly states that many CGN solutions require active logging of dynamic translations, and that some deterministic techniques aim to reduce this log volume.

This isn’t like saving a DHCP lease—it’s recording large-scale session translations. In large networks, retaining and querying this data involves collectors, IPFIX or NetFlow export, storage, compression, access policies, auditing, and correlation tools. It also entails responsibility: these logs are sensitive, must be protected, and need to be available when required.

Thus, NAT consumes not only hardware but also compliance. And that cost is rarely mentally assigned to the decision not to deploy IPv6 fully.
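The lookup this section describes can be made concrete. The following is an added example, not code from the original article: it resolves an abuse report against a constructed CGNAT translation log and shows why public IP and time alone leave several subscribers as candidates, and why clock skew around a reused port does the same even when the port is known. The record layout, addresses, and the `candidates` helper are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

def ts(hms):
    """Constructed timestamps, all on one day in UTC."""
    return datetime.fromisoformat(f"2026-01-15T{hms}+00:00")

@dataclass(frozen=True)
class Mapping:
    start: datetime      # translation created
    end: datetime        # translation removed
    private_ip: str      # subscriber side (RFC 6598 shared space)
    private_port: int
    public_ip: str       # shared external address
    public_port: int

# Constructed translation log; the record layout is an assumption.
LOG = [
    Mapping(ts("10:00:01"), ts("10:02:30"), "100.64.0.17", 51512, "203.0.113.7", 20480),
    Mapping(ts("10:00:05"), ts("10:04:00"), "100.64.3.201", 40022, "203.0.113.7", 20481),
    # Same public port handed to another subscriber 15 s after release.
    Mapping(ts("10:02:45"), ts("10:06:10"), "100.64.9.44", 33810, "203.0.113.7", 20480),
    Mapping(ts("10:01:00"), ts("10:03:00"), "100.64.0.17", 51600, "203.0.113.8", 1030),
]

def candidates(log, public_ip, when, public_port=None, skew=timedelta(0)):
    """Private IPs that could have originated traffic seen from public_ip.

    public_port=None models a report carrying only IP and time; skew is the
    tolerated clock error between the reporter and the CGNAT logs.
    """
    hits = set()
    for m in log:
        if m.public_ip != public_ip:
            continue
        if public_port is not None and m.public_port != public_port:
            continue
        if m.start - skew <= when <= m.end + skew:
            hits.add(m.private_ip)
    return sorted(hits)

if __name__ == "__main__":
    print(candidates(LOG, "203.0.113.7", ts("10:01:00")))
    print(candidates(LOG, "203.0.113.7", ts("10:01:00"), 20480))
    print(candidates(LOG, "203.0.113.7", ts("10:02:40"), 20480, timedelta(seconds=15)))
```

The third query returns two subscribers: with a 15-second tolerance, the report falls inside both the old and the new holder of the reused port, which is why port-reuse timers and synchronized clocks matter for traceability.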

IPv6 isn’t free, but it changes the equation

Moving to IPv6 also has costs. No serious person should deny it. Addressing, firewalls, load balancers, monitoring, DNS, VPNs, security rules, legacy applications, observability tools, and training all need revising. In companies with many years of technical debt, dual-stack implementations can become lengthy projects.

But the point is no longer comparing “expensive IPv6” against “free IPv4.” That comparison is dead. The real comparison is between the cost of deploying and operating IPv6 versus the cumulative cost of extended IPv4 usage with NAT, CGNAT, purchased or rented addresses, troubleshooting, and massive logging.

Global adoption has also stopped being marginal. Google continuously measures the percentage of users accessing its services via IPv6, and as of June 2026, that figure was about 49%. APNIC highlighted in April 2026 the milestone of 50% IPv6 use on Google, indicating IPv6 is no longer future technology but part of normal internet traffic.

This doesn’t mean IPv4 will disappear tomorrow. It will persist for years. The real transition is dual-stack, with islands, translation, compatibility, and many exceptions. But each passing year changes the question: it’s no longer whether IPv6 is ready but how many artificial layers are maintained to delay it.

What cloud providers, ISPs, and companies should consider

In cloud, the review begins with inventorying public IPv4 addresses: forgotten Elastic IPs, load balancers with unnecessary public addresses, under-sized NAT Gateways, exposed services that could run with IPv6 for outbound or internal traffic. AWS’s billing revelation prompted many organizations to discover they had more public IPv4 addresses than they thought.

For operators, the question is more structural. How much CAPEX is allocated to CGNAT platforms? What operational costs are driven by logging? How many customer incidents stem from port exhaustion, online gaming, VPNs, video calls, remote work, or services intolerant of CGNAT? How much is invested in maintaining a scarcity that IPv6 could resolve at its source?

In companies, the issue often lies in the mix. Many already have IPv6 implemented for user access, mobile, or providers, but don’t monitor it properly. Their firewalls, SIEM, rules, CMDB, and dashboards still think in IPv4. This blindness can be as dangerous as lacking adoption altogether: part of the traffic already runs on IPv6 even if operations only see IPv4.
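To make that blind spot measurable, here is an added example (not from the original article) that runs a constructed firewall log through an IPv4-only source extractor and a dual-stack one, then counts the events and watchlist matches the IPv4-only pipeline never sees. The log format, the watchlist prefixes, and all function names are assumptions.

```python
import ipaddress
import re

# Legacy extractor: only understands dotted-quad sources (assumed log format).
LEGACY_SRC = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})(?=\s|$)")
DUAL_SRC = re.compile(r"src=(\S+)")

# Constructed sample lines; all addresses are documentation ranges.
LINES = [
    "2026-06-01T08:00:01Z ACCEPT src=198.51.100.23 dst=203.0.113.10 dport=443",
    "2026-06-01T08:00:02Z ACCEPT src=2001:db8:40::1f dst=2001:db8:1::10 dport=443",
    "2026-06-01T08:00:03Z DROP src=2001:db8:99::5 dst=2001:db8:1::10 dport=22",
    "2026-06-01T08:00:04Z ACCEPT src=::ffff:198.51.100.77 dst=2001:db8:1::10 dport=443",
    "2026-06-01T08:00:05Z ACCEPT src=192.0.2.14 dst=203.0.113.10 dport=443",
    "2026-06-01T08:00:06Z ACCEPT src=2001:db8:99:1::a2 dst=2001:db8:1::10 dport=443",
]
# Hypothetical watchlist with one IPv4 and one IPv6 prefix.
WATCHLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:99::/48")]

def to_ip(text):
    """Parse an address; fold IPv4-mapped IPv6 back to IPv4; None if invalid."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def watch_hit(ip):
    """True if ip falls inside a watchlist prefix of the same address family."""
    return ip is not None and any(
        ip.version == net.version and ip in net for net in WATCHLIST)

def visibility_report(lines):
    """Compare what an IPv4-only pipeline sees with a dual-stack one."""
    r = {"events": 0, "legacy_parsed": 0, "ipv6": 0, "legacy_hits": 0, "dual_hits": 0}
    for line in lines:
        r["events"] += 1
        legacy = LEGACY_SRC.search(line)
        if legacy:
            r["legacy_parsed"] += 1
            r["legacy_hits"] += watch_hit(to_ip(legacy.group(1)))
        dual = DUAL_SRC.search(line)
        ip = to_ip(dual.group(1)) if dual else None
        r["ipv6"] += ip is not None and ip.version == 6
        r["dual_hits"] += watch_hit(ip)
    return r

if __name__ == "__main__":
    print(visibility_report(LINES))
```

On this sample the IPv4-only extractor parses two of six events and finds one watchlist match where the dual-stack parser finds four, including an IPv4-mapped source that an IPv4 rule should have caught.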

The phrase “NAT is free” survived because costs were spread out—some in cloud, some in network, some in compliance, some in support, and some in lost operational time. When combined, the conclusion changes.

NAT was a brilliant solution to buy time. But it cannot be an eternal excuse for avoiding a full accounting. IPv6 doesn’t eliminate all network problems but attacks the root of one of the most expensive: artificial scarcity of public addresses.

The bill already exists—it’s just spread across too many lines for anyone to call it by its name.

Frequently Asked Questions

Is NAT really free?
No. NAT may not have a direct license fee in all cases, but it incurs costs in IPv4 addresses, CGNAT appliances, operation, support, logging, compliance, and troubleshooting.

Why does AWS charge for public IPv4?
Since February 2024, AWS bills $0.005 per hour for each public IPv4 address, whether in use or idle, to reflect the cost and scarcity of this resource.

What is CGNAT?
Carrier-Grade NAT is a technique used by operators to have many customers share public IPv4 addresses via port translation and session management.

Why does CGNAT require more logging?
Because a shared public IP no longer uniquely identifies a subscriber. To reconstruct a connection, you need to correlate public IP, port, private IP, private port, and time.

Does IPv6 eliminate the need for NAT?
IPv6 allows assigning unique addresses at large scale and reduces the structural need for NAT. Firewalls, segmentation, and security policies still apply, but the artificial scarcity issue diminishes.

References: LinkedIn and IPv4 Exhaustion
