Pricing summary/tiers

With AWS Network Firewall, you pay an hourly rate for each firewall endpoint per region and availability zone. You also pay for the amount of traffic processed by your firewall endpoint, billed by the gigabyte per region and availability zone. Data processing charges apply for each gigabyte processed through the firewall endpoint regardless of the traffic's source or destination.

Advanced inspection

You pay an additional hourly rate per region and availability zone for advanced inspection when you use the TLS inspection feature. There are no additional data processing charges for advanced inspection traffic beyond the standard Network Firewall traffic processing charges. 

Advanced threat protection

You pay an additional charge for the amount of traffic processed by your firewall endpoint when active threat defence managed rule groups are enabled in your firewall policy. This traffic is billed per gigabyte per region and availability zone.

Multiple firewall endpoints

If you associate a firewall with multiple Amazon Virtual Private Clouds (VPCs), you pay the standard hourly rate per region and availability zone for the primary firewall endpoint in the inspection VPC. You pay a separate, reduced hourly rate per region and availability zone for each secondary endpoint associated with that firewall in the same region and availability zone. NAT gateway discounts apply to traffic processed through both primary and secondary endpoints when configured in the same networking path. You also pay for the amount of traffic processed by your firewall, billed by the gigabyte per region and availability zone.

NAT gateway discount

If you create a NAT gateway and place it next to your AWS Network Firewall in a service chain within your AWS account, standard NAT gateway per-hour and data processing usage charges are waived. This waiver is applied on a one-to-one basis with the standard Network Firewall Endpoint per-hour usage, secondary VPC endpoints per-hour usage and standard Network Firewall Traffic Processing usage through both primary and secondary endpoints. To receive this benefit, your NAT Gateway and Network Firewall must be in the same region, and the NAT Gateway must be configured in the same networking path as your Network Firewall endpoint.

Pricing table

Managed rule groups from AWS Partners through AWS Marketplace

When you subscribe to a managed rule group provided by an AWS Marketplace partner, you will be charged additional fees based on the price set by the seller. These charges are in addition to the AWS Network Firewall fees described earlier.

Example 1 – Network Firewall with NAT gateway pricing

In this example, you have created a network firewall and a NAT gateway. You also have an Amazon EC2 instance with traffic routed to the Internet through the network firewall and NAT gateway. Your EC2 instance sends a 1 GB file to one of your S3 buckets. The EC2 instance, network firewall, NAT gateway and S3 bucket are in the European Sovereign Region (Germany), and the network firewall, NAT gateway, and EC2 instance are in the same availability zone.
The following charges apply:

  • Network Firewall Endpoint Hourly Charges: €0.922 for each hour your firewall endpoint is provisioned
  • Network Firewall Data Processing Charges: €0.056 for 1 GB of data processed by the firewall
  • NAT Gateway Hourly Charges: No charge for each hour your firewall endpoint is provisioned
  • NAT Gateway Data Processing Charges: No charge per gigabyte of NAT gateway processing for each gigabyte processed by your firewall
  • EC2 Data Transfer Charges: Standard EC2 data transfer charges apply. Because your EC2 instance and S3 bucket are in the same region, there is no charge for data transfer between them. There is also no charge for data transfer between your NAT gateway and EC2 instance since the traffic stays in the same availability zone using private IP addresses. If your NAT gateway and EC2 instance were in different availability zones, EC2 data transfer charges would apply. See the Data Transfer section of the EC2 Pricing page for more details.

Total charges are therefore €0.056 for 1 GB of data processed by your firewall when using NAT gateway plus €0.922 for each hour your firewall is provisioned.

Note: To avoid NAT gateway data processing charges, you can create a gateway VPC endpoint and route traffic to and from S3 through the VPC endpoint instead of going through a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints. For details on how to use VPC endpoints, see VPC Endpoints Documentation. 

Example 2 – Network Firewall with NAT gateway pricing

In this example, you have created two network firewalls in two availability zones (AZ) of the European Sovereign Region (Germany). The firewall processes a total of 5,000 GB of outbound traffic per month. You are connecting to the Internet from a private subnet and decide to also use two NAT gateways in each AZ.

Your total usage for AWS Network Firewall:

  • 1,440 hrs of usage (720 hrs in a month × 2 network firewall endpoints)
  • 5,000 GB of outbound traffic processed

Your total monthly charges would be €1,602.68 per month.

Because each firewall is deployed in a separate AZ for high availability, you don’t pay cross-AZ charges.

  • Total endpoint hourly charges: €1,327.68 = (€0.922 × 2 AZ × 720 hours per month)
  • Total data processing charges: €280.00 = (€0.056/GB × 5,000 GB processed)
  • For the NAT gateway, you would receive 1,440 hours of NAT gateway usage and 5,000 GB of NAT gateway data processing at no additional cost in this same month.

Example 3 – Network Firewall with advanced inspection pricing

In this example, you have created a network firewall in the European Sovereign Region (Germany), have enabled advanced inspection by enabling TLS inspection in your firewall policy, and have 5,000 GB of traffic per month.
Charges:

  • Network Firewall endpoint hourly charges: €0.922 for each hour your firewall endpoint is provisioned
  • Network Firewall data processing charges: €0.056 for 1 GB of data processed by the firewall

Your total monthly charges would be €1,177.56 per month.

  • Total endpoint charges: €898.56 = (€0.922 × 1 AZ × 720 hours per month) + (€0.326 × 1 AZ × 720 hours per month)
  • Total data processing charges: €280.00 = (€0.056/GB × 5,000 GB processed)

Example 4 – Network Firewall with advanced inspection and NAT gateway pricing

In this example, you have created a network firewall and a NAT gateway in the European Sovereign Region (Germany). The firewall processes a total of 5,000 GB of traffic per month. 2,500 GB of traffic is processed with advanced inspection. The NAT gateway processes a total of 5,000 GB of traffic per month.
Network Firewall charges:

  • Standard firewall endpoint hours: €663.84 = (€0.922 × 720 hours per month)
  • Standard firewall traffic processing: €280.00 = (€0.056/GB × 5,000 GB processed)
  • Advanced inspection endpoint hours: €234.72 = (€0.326 × 720 hours per month)
  • Total Network Firewall charges: €1,178.56/month

NAT Gateway charges:

  • Total bundle discount applied (NAT gateway hours + traffic processing)
  • Total NAT gateway charges: €0

Your total monthly charges would be €1,178.56 per month.

Example 5 – Network Firewall with secondary endpoints

In this example, you have created a network firewall in the European Sovereign Region (Germany) and associated 10 secondary VPC endpoints with the primary inspection network firewall in the same availability zone (AZ). Additionally, your firewall processes a total of 5,000 GB of traffic per month.
Charges:

  • Network Firewall endpoint hourly charges: €0.922 for each hour your primary firewall endpoint is provisioned per AZ
  • Network Firewall secondary endpoint hourly charges: €0.369 per secondary endpoint per hour per AZ
  • Network Firewall data processing charges: €0.056 for 1 GB of data processed by the firewall per AZ. There are no additional data processing charges for secondary endpoints associated with the firewall.

Your total monthly charges would be €3,600.64 per month.

  • Total endpoint charges: €3,320.64 = (€0.922 × 1 primary endpoint × 1 AZ × 720 hours per month) + (€0.369 × 10 secondary endpoints × 1 AZ × 720 hours per month)
  • Total data processing charges: €280.00 = (€0.056/GB × 5,000 GB processed)

Example 6 – Network Firewall with secondary endpoints and NAT gateway pricing

In this example, you have created a network firewall with 10 secondary VPC endpoints and a NAT gateway in the same availability zone of the European Sovereign Region (Germany). Additionally, your firewall processes a total of 5,000 GB of traffic per month. Your NAT gateway processes 6,000 GB of total traffic per month.
Charges:

  • Network Firewall endpoint hourly charges: €0.922 for each hour your primary firewall endpoint is provisioned per AZ
  • Network Firewall secondary endpoint hourly charges: €0.369 per secondary endpoint per hour per AZ
  • Network Firewall data processing charges: €0.056 for 1 GB of data processed by the firewall per AZ. There are no additional data processing charges for secondary endpoints associated with the firewall.
  • NAT gateway hourly charges: No charge for each hour your primary or secondary firewall endpoints are provisioned in the same region based on Network Firewall Endpoint hourly usage.
  • NAT gateway data processing charges: No charge per gigabyte of NAT gateway processing for each gigabyte of traffic processed by your firewall (primary or secondary endpoints) in the same region, based on Network Firewall traffic processing, up to 5,000 GB.

Your total monthly charges would be €3,641.64 per month.

  • Total firewall endpoint charges: €3,320.64 = (€0.922 × 1 primary endpoint × 1 AZ × 720 hours per month) + (€0.369 × 10 secondary endpoints × 1 AZ × 720 hours per month)
  • Total firewall data processing charges: €280.00 = (€0.056/GB × 5,000 GB processed)
  • Total NAT gateway hourly charges: €0.00 (savings based on primary endpoint usage)
  • Total NAT gateway data processing charges: €41.00 = (€0.041/GB × 1,000 GB processed). Savings of €205.00 based on firewall traffic processing
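
The one-to-one NAT gateway waiver and the per-feature rates above can be combined into a single monthly estimate. The following is an added example, not AWS code: the function and argument names are assumptions of this example, the rates are the ones quoted on this page, and because the page quotes no NAT gateway hourly rate, NAT hours beyond the waiver are returned as a count rather than priced.

```python
from decimal import Decimal as D

# Rates quoted on this page for the European Sovereign Region (Germany), in EUR.
RATES = {
    "endpoint_hr": D("0.922"),   # primary firewall endpoint, per hour per AZ
    "secondary_hr": D("0.369"),  # each secondary endpoint, per hour per AZ
    "tls_hr": D("0.326"),        # advanced (TLS) inspection, per hour per AZ
    "traffic_gb": D("0.056"),    # firewall data processing, per GB
    "threat_gb": D("0.004"),     # advanced threat protection, per GB
    "nat_gb": D("0.041"),        # NAT gateway data processing, per GB
}

def monthly_estimate(fw_gb, hours=720, azs=1, secondaries=0, tls=False,
                     threat=False, nat_gateways=0, nat_gb=0):
    """Line items in EUR for one month. Pass GB and hours as int or Decimal.

    Assumptions of this example: `secondaries` is counted per AZ, and
    `nat_gateways` is the total number of NAT gateways in the firewall's path.
    """
    r = RATES
    items = {
        "endpoint": r["endpoint_hr"] * azs * hours,
        "secondary": r["secondary_hr"] * secondaries * azs * hours,
        "inspection": r["tls_hr"] * azs * hours if tls else D(0),
        "traffic": r["traffic_gb"] * fw_gb,
        "threat": r["threat_gb"] * fw_gb if threat else D(0),
    }
    # One-to-one waiver: each firewall endpoint hour (primary or secondary)
    # offsets one NAT gateway hour, and each GB processed by the firewall
    # offsets one GB of NAT gateway data processing.
    fw_hours = (1 + secondaries) * azs * hours
    nat_hours = nat_gateways * hours
    items["nat_data"] = r["nat_gb"] * max(nat_gb - fw_gb, 0)
    items["nat_data_waived"] = r["nat_gb"] * min(nat_gb, fw_gb)
    # Not priced: the page gives no NAT gateway hourly rate.
    items["nat_hours_not_waived"] = max(nat_hours - fw_hours, 0)
    billed = ("endpoint", "secondary", "inspection", "traffic", "threat", "nat_data")
    items["total"] = sum(items[k] for k in billed)
    return items

if __name__ == "__main__":
    # Example 6: 10 secondary endpoints, 5,000 GB firewall, 6,000 GB NAT.
    for name, value in monthly_estimate(5000, secondaries=10,
                                        nat_gateways=1, nat_gb=6000).items():
        print(f"{name:22} {value}")
```

The `total` excludes any NAT gateway hours left unwaived; price those separately from the NAT gateway pricing page if `nat_hours_not_waived` is non-zero.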

Example 7 – Network Firewall with advanced threat protection pricing

In this example, you have created a network firewall in the European Sovereign Region (Germany), and have enabled active threat protection by using active threat defence managed rule groups in your firewall policy, and have 5,000 GB of traffic per month.
Charges:

  • Network Firewall endpoint hourly charges: €0.922 for each hour your firewall endpoint is provisioned
  • Network Firewall data processing charges: €0.056 for 1 GB of data processed by the firewall
  • Network Firewall advanced threat protection processing charges: €0.004 for 1 GB of data processed by the firewall

Your total monthly charges would be €963.84 per month.

  • Total endpoint charges: €663.84 = (€0.922 × 1 AZ × 720 hours per month)
  • Total data processing charges: €280.00 = (€0.056/GB × 5,000 GB processed)
  • Total threat protection charges: €20.00 = (€0.004/GB × 5,000 GB processed)

Example 8 – Network Firewall with advanced inspection and advanced threat protection pricing

In this example, you have created a network firewall in the European Sovereign Region (Germany), have enabled active threat protection by using active threat defence managed rule groups in your firewall policy, have enabled advanced inspection by enabling TLS inspection in your firewall policy, and have 5,000 GB of traffic per month.

Charges:

  • Network Firewall endpoint hourly charges: €0.922 for each hour your firewall endpoint is provisioned
  • Network Firewall advanced inspection endpoint hourly charges: €0.326 for each hour your firewall endpoint is provisioned
  • Network Firewall advanced threat protection data processing charges: €0.004 for 1 GB of data processed by the firewall

Your total monthly charges would be €1,198.56 per month.

  • Total endpoint charges: €898.56 = (€0.922 × 1 AZ × 720 hours per month) + (€0.326 × 1 AZ × 720 hours per month)
  • Total data processing charges: €300.00 = (€0.056/GB × 5,000 GB processed) + (€0.004/GB × 5,000 GB processed)