What Is a Cloud Gateway? Types, How It Works and What It Costs

Amnic

What is a Cloud Gateway? Simple Guide to Secure Cloud Access

A cloud gateway is a managed entry and exit point that connects users, applications and on-premises systems to cloud services. It sits at the edge of a cloud environment, controls the traffic moving in and out, enforces security policy and translates between protocols so systems that speak different formats can still exchange data.

This guide covers the cloud-computing concept. It is not the UniFi Cloud Gateway, the office router hardware sold under that name. A cloud gateway in this sense is a specialized network gateway built for cloud traffic.

Key takeaways:

  • A cloud gateway is the controlled doorway between your environment and the cloud.

  • It handles connectivity, access control, traffic routing and protocol translation in one layer.

  • Common types include storage, security, API and network gateways such as NAT, internet and transit gateways.

  • Most cloud gateways bill by the hour and by the gigabyte, so they quietly add to your cloud bill.

What is a cloud gateway?

A cloud gateway is the point every request passes through on its way between an internal network and cloud resources. Where a plain router forwards packets, a gateway does more. It authenticates the caller, applies rules, can encrypt or inspect the payload and reshapes data when the two sides use different formats.

A simple way to picture it: a router waves traffic through toward the right address, while a gateway is a staffed checkpoint. It stops each request, checks it against the rules and only then lets it continue.

Providers deliver cloud gateways in two ways. Each major platform, whether AWS or Azure, ships its own managed versions. A cloud-native gateway runs as a managed service inside the provider, scales on demand and needs no hardware. An appliance gateway runs on a device or virtual machine at your site and links back to the cloud, which suits hybrid setups that keep some systems on premises.

Because all traffic funnels through it, a cloud gateway is the natural place to set security policy and to meter usage. That single chokepoint is what makes it useful and also what makes it a cost to watch. Inside a provider it usually lives at the edge of a virtual private cloud.

How a cloud gateway works

A cloud gateway processes traffic in a short sequence:

  1. It receives an inbound or outbound request.

  2. It checks identity and permissions against an access policy.

  3. It applies controls such as firewall rules, encryption, rate limits or logging.

  4. It translates protocol or data format when the source and destination differ.

  5. It forwards the request to the target service and records the transaction.
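The five steps above, as an added example that is not code from this page or from any provider's gateway. The policy table, credential names, rate limit, and the form-encoded-to-dict translation are all assumptions chosen to show the order of checks and that denied requests are logged too.

```python
import time
from urllib.parse import parse_qsl

# Constructed policy: credential -> caller identity and the paths it may reach.
POLICY = {
    "key-billing": {"caller": "billing-svc", "allow": {"/invoices"}},
    "key-web": {"caller": "web-frontend", "allow": {"/invoices", "/orders"}},
}
RATE_LIMIT = 3        # assumed: requests allowed per caller per window
WINDOW_SECONDS = 60   # assumed window length

class Gateway:
    def __init__(self, backend, clock=time.monotonic):
        self.backend = backend   # callable(path, payload_dict) -> response
        self.clock = clock
        self.hits = {}           # caller -> timestamps of recent requests
        self.audit = []          # one record per request, allowed or denied

    def _log(self, caller, path, status, detail):
        self.audit.append({"caller": caller, "path": path, "status": status})
        return status, detail

    def handle(self, credential, path, form_body):
        # Step 2: identity first, then permission; anything unlisted is denied.
        entry = POLICY.get(credential)
        if entry is None:
            return self._log(None, path, 401, "unknown credential")
        caller = entry["caller"]
        if path not in entry["allow"]:
            return self._log(caller, path, 403, "path not in policy")
        # Step 3: sliding-window rate limit per authenticated caller.
        now = self.clock()
        recent = [t for t in self.hits.get(caller, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT:
            self.hits[caller] = recent
            return self._log(caller, path, 429, "rate limit exceeded")
        self.hits[caller] = recent + [now]
        # Step 4: translate a form-encoded body into the dict the backend expects.
        try:
            payload = dict(parse_qsl(form_body, strict_parsing=True))
        except ValueError:
            return self._log(caller, path, 400, "malformed body")
        # Step 5: forward to the target and record the transaction.
        return self._log(caller, path, 200, self.backend(path, payload))
```

A malformed body still counts against the caller's rate limit here, because the limit is applied before parsing.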

In a public cloud, the gateway runs as a managed service that scales with traffic, so it grows from a handful of requests to millions without manual tuning. In a hybrid setup, the appliance version runs near your own systems and keeps a secure link back to the provider. Either way the gateway stays in the path of the traffic, which is what lets it enforce one consistent policy across every connection.

Inbound traffic from the public internet hits the gateway first, so threats can be filtered before they reach an application. Outbound traffic leaves through the gateway too, which is how it tracks data volume and applies egress rules. Every transaction it logs becomes useful later for security review and cost analysis.

Types of cloud gateways

The label cloud gateway covers several specialized gateways. Most environments run more than one.

| Type | What it does | Example |
| --- | --- | --- |
| Storage gateway | Presents cloud storage as if it were local and translates storage protocols to cloud APIs | AWS Storage Gateway |
| Security gateway | Filters traffic, blocks threats and enforces access policy for users reaching the cloud | Secure web gateway, CASB |
| API gateway | Manages, secures and routes API calls between clients and backend services | Amazon API Gateway |
| Network gateway | Routes traffic between the cloud and other networks or the internet | NAT, internet, transit gateway |

For storage, the mechanics of caching and protocol conversion are covered in our guide to the cloud storage gateway. Security gateways pair closely with identity and access management, since both decide who reaches what. For APIs, usage and billing differ by provider, as shown in our breakdown of API gateway pricing.

Security gateways draw the most attention because they carry the heaviest load. A cloud security gateway, sometimes sold as a secure web gateway or cloud access security broker, inspects user traffic to the cloud, blocks malware and stops sensitive data from leaving without permission. 

Encryption and access control sit here too, which is why terms like cloud encryption gateway and cloud access gateway all point at this same layer. Storage and API gateways are narrower by design, each tuned to one kind of traffic, while network gateways move packets between the cloud and everything outside it. At the edge, this overlaps with a content delivery network, which caches and routes traffic closer to users.

Cloud gateway vs router, VPN and API gateway

These terms overlap, which is why people confuse them. The table separates them.

| Term | Main job | How it differs from a cloud gateway |
| --- | --- | --- |
| Router | Forwards packets between networks | Moves traffic but does not translate protocols or apply rich policy |
| VPN | Encrypts a tunnel between two networks | Secures the link, but a gateway also routes, filters and translates |
| API gateway | Manages API requests to backend services | A type of cloud gateway focused only on API traffic |

In short, a router moves packets, a VPN secures a connection and a cloud gateway is the broader control layer that can include both functions.

When you need a cloud gateway

A cloud gateway earns its place whenever traffic crosses a boundary. A few common cases:

  • Hybrid connectivity: A gateway links on-premises systems to the cloud, which is the backbone of most hybrid cloud setups.

  • Multi-cloud routing: A transit gateway connects many networks and clouds through one hub instead of a tangle of point-to-point links.

  • Secure access: A security gateway controls how staff and apps reach cloud services, filtering traffic before it lands.

  • API exposure: An API gateway puts a single managed front door ahead of backend services, so clients never touch them directly.

  • Egress control: Because outbound traffic flows through it, a gateway is where you measure and cap the data leaving your cloud.

What cloud gateways cost

Cloud gateways rarely appear as a single line on a bill, yet they charge in two ways at once: a fixed hourly rate for the gateway and a variable rate for every gigabyte they process. Those small per-unit numbers add up across busy workloads.

On AWS, a NAT gateway runs about $0.045 per hour plus $0.045 for every gigabyte processed in US East. A transit gateway adds $0.05 per attachment per hour and $0.02 per gigabyte on top of standard transfer charges. 

An internet gateway carries no hourly fee, but the data leaving through it is billed as egress, the same outbound transfer explained in our guide to ingress and egress.

The trap is the per-gigabyte charge. Picture a service that pushes 10 TB through a NAT gateway in a month. At about 10,000 GB and $0.045 per gigabyte, that is roughly $450 in data processing alone, before the hourly charge and before the cost of the bytes leaving the cloud. 

A resource that looked cheap on paper turns into a real monthly cost, and the same pattern shapes AWS data transfer costs across the rest of your bill.

Because the gateway sees all of that traffic, it is also the best place to measure it. Treating gateway data processing as a tracked FinOps metric, and watching it with anomaly detection, keeps these charges from drifting.
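One way to track that metric, as an added example rather than code from this page or any vendor tool: it attributes NAT gateway processing cost per workload at the rates quoted above and flags a day whose volume jumps well past that workload's own baseline, which matters for the bill and for spotting unexpected data leaving the cloud. The record layout, workload tags, sample volumes and the 3x-median threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

PER_GB_USD = 0.045   # NAT gateway data-processing rate quoted on this page (US East)
HOURLY_USD = 0.045   # NAT gateway hourly rate quoted on this page
GB = 10**9           # assumption: decimal gigabytes, as in the page's 10 TB = 10,000 GB

# Constructed sample records: (day, workload tag, bytes through the gateway).
SAMPLE = [
    (1, "etl", 300 * GB), (1, "web", 20 * GB),
    (2, "etl", 310 * GB), (2, "web", 22 * GB),
    (3, "etl", 290 * GB), (3, "web", 21 * GB),
    (4, "etl", 300 * GB), (4, "web", 19 * GB),
    (5, "etl", 300 * GB), (5, "web", 180 * GB),  # web sends roughly 9x its norm
]

def daily_gb(records):
    """Sum bytes per (source, day) and convert to GB."""
    out = defaultdict(lambda: defaultdict(float))
    for day, source, nbytes in records:
        out[source][day] += nbytes / GB
    return out

def attribute_cost(records, hours):
    """Processing cost per source in USD, plus the shared hourly fee."""
    per_source = {s: round(sum(d.values()) * PER_GB_USD, 2)
                  for s, d in daily_gb(records).items()}
    return per_source, round(hours * HOURLY_USD, 2)

def find_anomalies(records, factor=3.0, min_history=3):
    """Flag a source-day whose volume exceeds factor x the median of its earlier days."""
    flagged = []
    for source, days in daily_gb(records).items():
        history = []
        for day in sorted(days):
            gb = days[day]
            if len(history) >= min_history and gb > factor * median(history):
                flagged.append((day, source, gb, median(history)))
            else:
                history.append(gb)  # flagged days do not inflate the baseline
    return sorted(flagged)
```

On the sample, `find_anomalies(SAMPLE)` reports only the day-5 `web` spike, while the larger but steady `etl` volume is not flagged.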

Why cloud gateways matter

A cloud gateway gives a team one controlled place to secure traffic, connect networks and see what is moving. The payoff shows up on two fronts. On security, the gateway is a single point to enforce encryption, identity checks and threat filtering, so policy does not drift across dozens of services. On cost, it is the one point that sees every gigabyte, which makes it the right place to attribute spend back to the team or product that drove it, the basis of any chargeback or showback model.

Map your gateways, know what each one charges per gigabyte and review the traffic flowing through them with the right cloud cost optimization tools. Pair that with a clear cloud cost management process and you get a cloud footprint that is both safer and cheaper.

FAQs

What does a cloud gateway do?

A cloud gateway connects users, apps and on-premises systems to cloud services. It routes traffic in and out, checks identity, enforces security policy and translates protocols so different systems can exchange data through one controlled point.

Is a cloud gateway the same as a router?

No. A router forwards packets between networks. A cloud gateway does that and more: it authenticates traffic, applies security rules, translates protocols and logs usage. A router moves data, while a gateway controls and transforms it.

What are the main types of cloud gateways?

The main types are storage gateways, security gateways, API gateways and network gateways such as NAT, internet and transit gateways. Most cloud environments run several at once, each handling a different kind of traffic.

Is a cloud gateway the same as the UniFi Cloud Gateway?

No. The UniFi Cloud Gateway is office router hardware. In cloud computing, a cloud gateway is a service or appliance that connects a network to cloud resources and manages the traffic between them.

Do cloud gateways cost money?

Usually yes. Most charge an hourly rate plus a per-gigabyte data processing fee, so heavy traffic raises the bill. Network gateways like NAT and transit gateways are common sources of these charges.

What is the difference between a cloud gateway and an API gateway?

An API gateway is one type of cloud gateway. It focuses only on managing and securing API calls between clients and backend services. A cloud gateway is the broader category that also covers storage, security and network traffic.
