AWS Firewall Pricing

Have Questions? Want to see Valtix in action?

Either way, this article is for you. Read on to learn about AWS Firewall pricing, and at the end, we’ll give you a calculator to see exactly how much AWS Firewall might cost you.

AWS Firewall Overview

Before we get to pricing, here is a basic overview of AWS Firewall and the importance of cloud network security. 

While all of that is true, there are caveats to discuss. Primarily, AWS Firewall lacks built-in TLS Decryption. From the AWS Firewall FAQ, “AWS Network Firewall does not currently support deep packet inspection for encrypted traffic.” 

Unfortunately, this limitation greatly impacts the types of security functionality AWS Network Firewall can deliver. For example, while they claim Intrusion Prevention (IPS), nearly all web (HTTPS) and cloud traffic are encrypted, and any IPS based policy application traffic without TLS decryption will provide marginal results at best. 

To decrypt traffic, users must chain AWS Network Firewall with Network Load Balancer (NLB). Chaining adds additional overhead, latency, implementation complexity, and as it relates to this article, cloud cost.

What’s the Difference Between AWS Network Firewall and AWS WAF (Web Application Firewall)?

While there could be some overlapping use cases of threat detection, AWS Network Firewall and WAF are two different services that provide two different layers of protection. 

AWS WAF

A WAF is critical for the detection of HTTP-based threats and attacks on web applications such as SQL injection. A WAF typically protects the “web application” against vulnerability exploits including against vulnerable libraries (e.g. Log4J, Spring) embedded in the web apps themselves. AWS WAF is no exception and provides this critical layer of defense.

AWS Network Firewall

The AWS Network Firewall on the other hand provides more general protection at L3-7 and can be used in conjunction with a WAF or independently. A network firewall is also typically used to segment the environment, prevent inbound attacks, and monitor outbound traffic, similar to AWS Security Groups, but with a significantly enhanced granularity of control, better manageability, and much, much better ability to inspect traffic for active prevention – thus the importance of TLS decryption pointed out before.

Comparing AWS Firewall and AWS WAF 

Net net, you need both AWS WAF and AWS Network Firewall if you want to protect web applications. AWS WAF pricing is separate and won’t be covered in this article. 

As we’ll discuss, Valtix enables you to collapse these two critical security functions into a single-pass of traffic inspection and policy management. Collapsing these functions is critical for incident response, ensuring compliance with security policy, and enabling higher levels of security without degrading app performance significantly.

Both a WAF and a Network Firewall are part of reference architectures for every major cloud provider including the AWS Cloud Security Reference Architecture (SRA).

Key Features of AWS Firewall

It’s important to understand key features of Cloud Firewalls, and NGFW approaches when considering AWS Firewall pricing. Cloud architects and security engineers should consider the types of applications, industry, and organizational tolerance when defining security policy. 

In other words, don’t define security policy based on the limitations of the technology. Define security policy based on the business needs and alignment to the attack lifecycle. 

With that said, what AWS Firewall currently provides:

• Layer-4 Firewall providing policy-based blocking (ingress, egress) via IP, Port, and Protocol
• Terraform Provider
• IPS (but no TLS decryption out of the box)
• FQDN Filtering

What AWS firewalls lacks:

• WAF
• Tag-based policy
• TLS Decryption
• Antivirus
• URL Filtering
• DLP
• More

Deployment Models

For architectural considerations, there are multiple deployment models for AWS Network Firewall. Deployment considerations have a significant impact on overall pricing since it impacts how many AWS Firewall Endpoints you must deploy. 

Centralized deployment provides the lowest cost option, but sacrifices on granularity of security control as enforcement is not as close to the applications. Distributed deployment options provide for enhanced security, particularly for east-west traffic, but might be more expensive due to many more firewall endpoints / gateways to deploy and manage.

How AWS Network Firewall is Priced

In terms of pricing, AWS Firewall has two metrics: 

Network Firewall Endpoint

AWS Network Firewall Endpoints are created in each of the VPCs in each Availability Zone with which you’d like to protect (distributed) or within a shared security VPC along with a transit gateway (TGW) architecture. Currently priced at $0.395 per hour

Network Firewall Traffic Processing

Associated with all traffic (ingress, egress, east-west) that traverses the Network Firewall Endpoint each billing period. This cost will depend highly on the application type, usage, security architecture, and even to a significant degree how the application was written. Currently priced at $0.065 per gigabyte.

Wait, that’s not all; there’s more to discuss regarding pricing for AWS Firewall. 

• AWS Firewall Manager – Required to centrally manage AWS Firewall deployments that span VPCs and accounts. Currently priced at $100 per policy per region.
• AWS WAF – We could have a whole article just on this. We’ve already discussed WAF and why you need one. Good luck with figuring out how much you’ll be spending in a typical enterprise on this essential security architecture component. Currently priced at $5 per Web ACL, #1 per Rule, and $0.60 per 1 million requests.
• Logging & Storage – You need someplace to store all of that log data and believe me it’s not free with AWS. Costs will vary greatly here.

Examples

For these examples, we’ll look at various scenarios: Small, Medium, and Large. Traffic is calculated for each app as a function of Firewall Endpoint Hours. We estimate that typical applications will drive $3.472GBs of traffic per gateway hour. Your app might be different.

How Does Valtix AWS Firewall Compare?

Looking for a better approach that covers more advanced security scenarios and also doesn’t lock you into just AWS? There are lots of resources to learn more about Valtix multi-cloud security platform and also use Free Tier.

• No Charges for Traffic – Valtix doesn’t charge you for traffic which creates more predictable and controllable pricing. AWS can get very expensive – especially at scale.
• More Advanced Security – Valtix has out-of-the-box TLS Decryption that is optimized for vCPUs in the cloud. This enables you to inspect traffic and apply proactive prevention of threats for ingress, egress, and east-west.
• Multi-Cloud – Valtix provides a best-in-class security solution for the security of cloud networks. With Valtix you can gain a level of consistency and flexibility to address requirements quickly without slowing down the business.
• Consolidate Services – Valtix provides a WAF and also the ability to flag threats based on DNS log and VPC flow. That allows you to consolidate security functions and gain end-to-end visibility for the detection of threats and incident response. 

Read more about Valtix for AWS and compare Valtix to AWS Network Security.

Compare Cloud Firewall Pricing Models (AWS, Azure, PAN)

Use the tool to compare Valtix and AWS Firewall pricing:

Valtix Cloud Firewall

Valtix delivers cloud network security through a cloud-native firewall solution for AWS, Azure, GCP (Google), and OCI that enables a mean time to secure in 30 seconds.