AWS Firewall Pricing: The Definitive Guide
AWS pricing can be complex for organizations to understand. And pricing for AWS Network Firewall is no exception.
For many new to AWS Network Firewall, you might be asking, “Where do I begin?”, “How much will it cost me?”, “And is it really worth it?”
For those of you with AWS Network Firewall already deployed, you might be asking, “How much am I even spending on it?” It’s not like AWS always makes it easy to break down your monthly cloud charges after all.
You might also ask, “Should I consider a third-party solution with perhaps better cloud firewall pricing that runs in AWS, and most importantly, more feature-rich, multi-cloud support?”
Either way, this article is for you. Read on to learn about AWS Firewall pricing, and at the end, we’ll give you a calculator to see exactly how much AWS Firewall might cost you.
AWS Firewall Overview
Before we get to pricing, here is a basic overview of AWS Firewall and the importance of cloud network security.
Defining AWS Network Firewalls
What is the AWS Network Firewall?
AWS Network Firewall (a.k.a. AWS Firewall) was released in November 2020. It is marketed as a highly available, managed network firewall service for your virtual private cloud (VPC). AWS also claims that “It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect your virtual networks on AWS. Network Firewall automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure.”
While all of that is true, there are caveats to discuss. Primarily, AWS Firewall lacks built-in TLS Decryption. From the AWS Firewall FAQ, “AWS Network Firewall does not currently support deep packet inspection for encrypted traffic.”
Unfortunately, this limitation greatly restricts the security functionality AWS Network Firewall can deliver. For example, while AWS claims intrusion prevention (IPS), nearly all web (HTTPS) and cloud traffic is encrypted, so an IPS policy applied to application traffic without TLS decryption only ever sees the unencrypted parts of a session (DNS, TLS handshake metadata such as SNI, plaintext protocols) and will provide marginal results at best.
To decrypt traffic, users must chain AWS Network Firewall with a Network Load Balancer (NLB) that terminates TLS in front of it. Chaining adds overhead, latency, implementation complexity and, as it relates to this article, cloud cost.
What’s the Difference Between AWS Network Firewall and AWS WAF (Web Application Firewall)?
While there could be some overlapping use cases of threat detection, AWS Network Firewall and WAF are two different services that provide two different layers of protection.
AWS WAF
A WAF is critical for the detection of HTTP-based threats and attacks on web applications such as SQL injection. A WAF typically protects the “web application” against vulnerability exploits, including exploits of vulnerable libraries (e.g. Log4j, Spring) embedded in the web apps themselves. AWS WAF is no exception and provides this critical layer of defense.
AWS Network Firewall
AWS Network Firewall, on the other hand, provides more general protection at layers 3 through 7 and can be used in conjunction with a WAF or independently. A network firewall is also typically used to segment the environment, prevent inbound attacks, and monitor outbound traffic, similar to AWS Security Groups but with significantly finer-grained control, better manageability, and far better ability to inspect traffic for active prevention, hence the importance of TLS decryption pointed out above.
Comparing AWS Firewall and AWS WAF
In short, you need both AWS WAF and AWS Network Firewall if you want to protect web applications. AWS WAF pricing is separate and won’t be covered in this article.
As we’ll discuss, Valtix enables you to collapse these two critical security functions into a single-pass of traffic inspection and policy management. Collapsing these functions is critical for incident response, ensuring compliance with security policy, and enabling higher levels of security without degrading app performance significantly.
Both a WAF and a Network Firewall are part of reference architectures for every major cloud provider including the AWS Cloud Security Reference Architecture (SRA).
Key Features of AWS Firewall
It’s important to understand the key features of cloud firewalls and NGFW approaches when considering AWS Firewall pricing. Cloud architects and security engineers should consider the types of applications, the industry, and the organization’s risk tolerance when defining security policy.
In other words, don’t define security policy based on the limitations of the technology. Define security policy based on the business needs and alignment to the attack lifecycle.
With that said, what AWS Firewall currently provides:
- Layer-4 Firewall providing policy-based blocking (ingress, egress) via IP, Port, and Protocol
- Terraform Provider
- IPS (but no TLS decryption out of the box)
- FQDN Filtering
What AWS Network Firewall lacks:
- WAF
- Tag-based policy
- TLS Decryption
- Antivirus
- URL Filtering
- DLP
- More
Deployment Models
Architecturally, there are multiple deployment models for AWS Network Firewall. The deployment model has a significant impact on overall pricing because it determines how many AWS Firewall endpoints you must deploy.
Centralized deployment (endpoints in a shared inspection VPC reached through a Transit Gateway) is the lowest-cost option, but it sacrifices granularity of security control because enforcement is not as close to the applications. Distributed deployment (endpoints in every protected VPC) provides enhanced security, particularly for east-west traffic, but will usually be more expensive because there are many more firewall endpoints / gateways to deploy and manage.
How AWS Network Firewall is Priced
In terms of pricing, AWS Firewall has two billing metrics:
Network Firewall Endpoint
AWS Network Firewall endpoints are created in each Availability Zone of each VPC you want to protect (distributed), or within a shared security VPC as part of a Transit Gateway (TGW) architecture (centralized). Endpoints are billed for every hour they exist, whether or not traffic flows through them. Currently priced at $0.395 per hour.
Network Firewall Traffic Processing
Billed for all traffic (ingress, egress, east-west) that traverses a Network Firewall endpoint during each billing period. This cost depends heavily on the application type, usage, security architecture, and even, to a significant degree, how the application was written. Currently priced at $0.065 per gigabyte.
Wait, that’s not all; there’s more to discuss regarding pricing for AWS Firewall.
- AWS Firewall Manager – Required to centrally manage AWS Firewall deployments that span VPCs and accounts. Currently priced at $100 per policy per region.
- AWS WAF – We could have a whole article just on this. We’ve already discussed WAF and why you need one. Good luck with figuring out how much you’ll be spending in a typical enterprise on this essential security architecture component. Currently priced at $5 per Web ACL, $1 per rule, and $0.60 per 1 million requests.
- Logging & Storage – You need someplace to store all of that log data and believe me it’s not free with AWS. Costs will vary greatly here.
Examples
For these examples, we’ll look at three scenarios: Small, Medium, and Large. Traffic is calculated for each scenario as a function of firewall endpoint hours, assuming a 30-day (720-hour) month. We estimate that typical applications will drive 3.472 GB of traffic per endpoint hour. Your app might be different.
| | Small | Medium | Large |
| --- | --- | --- | --- |
| Firewall Endpoints | 2 | 10 | 100 |
| GBs of Traffic (assumes 3.472 GB per endpoint hour) | 5K GB | 25K GB | 250K GB |
| Firewall Endpoint Cost (at $0.395 per hour) | $569 | $2,844 | $28,440 |
| Traffic Cost (at $0.065 per GB) | $325 | $1,625 | $16,250 |
| Total Monthly | $894 | $4,469 | $44,690 |
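The two billing metrics above, together with the deployment-model discussion, reduce to a small cost model. The calculator below is an added example written for this article (it is not Valtix’s pricing tool or anything from AWS). It reproduces the table’s figures from the rates quoted on this page, the 3.472 GB per endpoint hour assumption, and a 720-hour month, which is the month length the table’s endpoint-hour figures imply. The two helpers that derive an endpoint count from the number of VPCs and Availability Zones for distributed versus centralized deployment, and the optional Firewall Manager line, are additions to show how architecture and management overhead feed the bill; all rates are hard-coded list prices from this article and should be replaced with current ones before you rely on the output.

```python
"""AWS Network Firewall monthly cost model (added example, not Valtix or AWS tooling).

Rates are the list prices quoted in this article and are assumed, not fetched;
replace them with current values from the AWS pricing page.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional

ENDPOINT_RATE_PER_HOUR = 0.395        # $ per firewall endpoint hour (article figure)
TRAFFIC_RATE_PER_GB = 0.065           # $ per GB processed (article figure)
FIREWALL_MANAGER_PER_POLICY = 100.0   # $ per Firewall Manager policy per region per month (article figure)
HOURS_PER_MONTH = 720                 # 30-day month; this is what the article's table implies
DEFAULT_GB_PER_ENDPOINT_HOUR = 3.472  # article's traffic assumption per endpoint hour


@dataclass(frozen=True)
class CostBreakdown:
    endpoints: int
    endpoint_hours: int
    traffic_gb: float
    endpoint_cost: float
    traffic_cost: float
    firewall_manager_cost: float

    @property
    def total(self) -> float:
        return self.endpoint_cost + self.traffic_cost + self.firewall_manager_cost


def distributed_endpoints(vpcs: int, azs_per_vpc: int) -> int:
    """Distributed model: one firewall endpoint in every AZ of every protected VPC."""
    return vpcs * azs_per_vpc


def centralized_endpoints(inspection_azs: int) -> int:
    """Centralized model: endpoints live only in the shared inspection VPC (one per AZ).
    Spoke VPCs reach them through a Transit Gateway, so adding VPCs adds no endpoints."""
    return inspection_azs


def monthly_cost(
    endpoints: int,
    traffic_gb: Optional[float] = None,
    *,
    gb_per_endpoint_hour: float = DEFAULT_GB_PER_ENDPOINT_HOUR,
    hours: int = HOURS_PER_MONTH,
    fm_policies: int = 0,
    fm_regions: int = 1,
    endpoint_rate: float = ENDPOINT_RATE_PER_HOUR,
    traffic_rate: float = TRAFFIC_RATE_PER_GB,
) -> CostBreakdown:
    """Price one month of AWS Network Firewall.

    traffic_gb may be given explicitly (e.g. measured from VPC flow logs or CloudWatch);
    if omitted it is derived from the per-endpoint-hour assumption, as the article does.
    Endpoint hours are charged whether or not traffic flows, so idle endpoints still cost money.
    """
    endpoint_hours = endpoints * hours
    if traffic_gb is None:
        traffic_gb = gb_per_endpoint_hour * endpoint_hours
    return CostBreakdown(
        endpoints=endpoints,
        endpoint_hours=endpoint_hours,
        traffic_gb=traffic_gb,
        endpoint_cost=endpoint_hours * endpoint_rate,
        traffic_cost=traffic_gb * traffic_rate,
        firewall_manager_cost=fm_policies * fm_regions * FIREWALL_MANAGER_PER_POLICY,
    )


def article_scenarios() -> Dict[str, CostBreakdown]:
    """The Small / Medium / Large rows of the article's table (Large uses its rounded 250K GB)."""
    return {
        "Small": monthly_cost(2),
        "Medium": monthly_cost(10),
        "Large": monthly_cost(100, traffic_gb=250_000),
    }


if __name__ == "__main__":
    print(f"{'Scenario':<10}{'Endpoints':>10}{'GB':>12}{'Endpoint $':>12}{'Traffic $':>12}{'Total $':>12}")
    for name, c in article_scenarios().items():
        print(f"{name:<10}{c.endpoints:>10}{c.traffic_gb:>12,.0f}"
              f"{c.endpoint_cost:>12,.0f}{c.traffic_cost:>12,.0f}{c.total:>12,.0f}")
    # Same estate (20 VPCs across 2 AZs) under both models. The traffic still has to be
    # processed by some endpoint either way, so hold traffic_gb constant; only the
    # endpoint-hour line changes (40 endpoints distributed versus 2 centralized).
    dist = monthly_cost(distributed_endpoints(vpcs=20, azs_per_vpc=2))
    cent = monthly_cost(centralized_endpoints(inspection_azs=2), traffic_gb=dist.traffic_gb)
    print(f"Distributed: ${dist.total:,.0f}/month  Centralized: ${cent.total:,.0f}/month")
```

Run it as-is to print the article’s three rows, or call `monthly_cost()` with a measured `traffic_gb` and your real endpoint count to price an existing deployment. The distributed-versus-centralized comparison at the end holds processed traffic constant on purpose: the saving from centralizing comes from fewer endpoint hours, not from less traffic being inspected.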
How Does Valtix AWS Firewall Compare?
Looking for a better approach that covers more advanced security scenarios and also doesn’t lock you into just AWS? There are lots of resources to learn more about the Valtix multi-cloud security platform, including a Free Tier.
- No Charges for Traffic – Valtix doesn’t charge you for traffic which creates more predictable and controllable pricing. AWS can get very expensive – especially at scale.
- More Advanced Security – Valtix has out-of-the-box TLS Decryption that is optimized for vCPUs in the cloud. This enables you to inspect traffic and apply proactive prevention of threats for ingress, egress, and east-west.
- Multi-Cloud – Valtix provides a best-in-class security solution for the security of cloud networks. With Valtix you can gain a level of consistency and flexibility to address requirements quickly without slowing down the business.
- Consolidate Services – Valtix provides a WAF and also the ability to flag threats based on DNS log and VPC flow. That allows you to consolidate security functions and gain end-to-end visibility for the detection of threats and incident response.
Read more about Valtix for AWS and compare Valtix to AWS Network Security.
Compare Cloud Firewall Pricing Models (AWS, Azure, PAN)
Use the tool to compare Valtix and AWS Firewall pricing:
Learn More about how Valtix compares to the AWS Network Firewall
Additional Considerations: AWS Firewall pricing doesn't include:
- AWS Firewall Manager
- AWS WAF
- Log Storage
- Multi-Cloud Support
- Network Monitoring
Learn More about how Valtix compares to the Azure Firewall Standard
Additional Considerations: Azure Firewall Standard pricing doesn't include:
- Azure WAF
- Log Storage
- Multi-Cloud Support
- Multi-Account Segmentation
Learn More about how Valtix compares to the Azure Firewall Premium
Additional Considerations: Azure Firewall Premium pricing doesn't include:
- Azure WAF
- Log Storage
- Multi-Cloud Support
- Multi-Account Segmentation
Learn More about how Valtix compares to the PAN Cloud NGFW
Additional Considerations: PAN Cloud NGFW pricing doesn't include:
- WAF
- Multi-Cloud Support
- AWS Firewall Manager
The calculator defaults to 3.472 GB of traffic per gateway hour, the same assumption used in the examples above.
Valtix Cloud Firewall
Valtix delivers cloud network security through a cloud-native firewall solution for AWS, Azure, GCP (Google), and OCI that enables a mean time to secure in 30 seconds.