    Barracuda CloudGen WAF for AWS - PAYG

    Deployed on AWS
    Free Trial
    The Barracuda CloudGen WAF provides proven application security and data loss prevention for your applications on AWS. The Barracuda CloudGen WAF has achieved AWS Security competency certification and is available via metered usage-based billing.
    4.5

    Overview

    The Barracuda CloudGen WAF detects all inbound web traffic and blocks SQL injections, cross-site scripting, malware uploads, volumetric & application DDoS, or any other attacks against your web applications. It also inspects the HTTP responses from the configured back-end servers for data loss prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA), which gives organizations strong authentication and user control. The onboard L4/L7 load balancing capabilities enable organizations to quickly add back-end servers to scale deployments as they grow. Its application acceleration capabilities, including SSL offloading, caching, compression, and connection pooling, ensure faster application delivery of web application content. The Barracuda CloudGen WAF also supports autoscaling and bootstrapping.

    NOTE: Only AMIs with version 10.x or higher support the Elastic Network Adapter (ENA).

    Highlights

    • Detects and blocks SQL injections, cross-site scripting, malware uploads, volumetric & application DDoS, or any other attacks against your application. Authentication and access control gives organizations strong authentication and user control.
    • Scans outbound traffic to detect sensitive data, and can either mask or block the information from being leaked out.
    • Application acceleration capabilities, including caching, compression, and connection pooling for faster application delivery of web application content.

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)
    Autoscaling Cluster Deployment using AWS CFT

    Latest version

    Operating system
    OtherLinux 2.4.9

    Pricing

    Free trial

    Try this product free for 30 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Barracuda CloudGen WAF for AWS - PAYG

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (23)

    Dimension                 Cost/hour
    t2.large (Recommended)    $1.318
    m5.large                  $1.318
    m4.large                  $1.318
    t2.xlarge                 $1.758
    t3.xlarge                 $1.758
    c5.large                  $1.318
    c5.xlarge                 $1.758
    c4.large                  $1.318
    m3.medium                 $1.038
    c5.2xlarge                $2.996

    Vendor refund policy

    Terminate the instance at any time to stop incurring charges.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Additional details

    Usage instructions

    1. By default, the Barracuda Web Application Firewall web interface listens on HTTP/8000 and HTTPS/8443, so make sure these ports are added to the inbound rules of the security group associated with the Barracuda Web Application Firewall VM.
    2. Allow a few minutes before taking any further actions in the EC2 Portal after deploying the Barracuda Web Application Firewall. During this time, the Barracuda Web Application Firewall is being provisioned and licensed.
    3. Access the Barracuda Web Application Firewall using the associated Public IP/Public DNS with port 8000 over HTTP (i.e., http://<public IP>:8000).
    4. You will see the blue loading screen for some time, and eventually you will be presented with the End User License Agreement (EULA).
    5. Click the 'Accept' button, and you will be redirected to the login page.
    6. Log in as 'admin' to begin configuration. Your initial password is the EC2 instance ID and can be changed later from the Basic > Administration page.

    For Deployment Guide and other instructions visit the Barracuda campus at https://campus.barracuda.com/product/webapplicationfirewall/article/WAF/AWS/ 

    Support

    Vendor support

    Support Hours: Basic Support Hours: 8:00 AM - 5:00 PM PST, Monday through Friday.

    Email and Phone Support offered 24x7 without any phone trees. You will actually speak to a live person. Please have your AWS Account ID available when you contact Barracuda Support; it is required for the support technician to assist you.

    Support Phone Numbers: North America - 408 342 5300; Europe - +44 (0) 1256 300 102; Australia - +612 8019 7254; China - +86 400 720 8200; Japan - +81 3 5436 6236; India - +91 804 904 8600; Germany, Austria, Switzerland - +43 (0) 508 100 800

    Support Website: https://www.barracuda.com/support 

    Support Email: support@barracuda.com 

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    Top 100 in Network Infrastructure, Security
    Top 10 in Log Analysis, Network Infrastructure
    Top 10 in Migration

    Overview

    AI generated from product descriptions
    Web Application Attack Prevention
    Detects and blocks SQL injections, cross-site scripting, malware uploads, volumetric and application DDoS attacks against web applications.
    Data Loss Prevention
    Inspects HTTP responses from back-end servers to detect sensitive data and can mask or block information from being leaked.
    Authentication and Access Control
    Integrated access control engine enables creation of granular Authentication, Authorization, and Accounting (AAA) policies for strong user authentication and control.
    Load Balancing
    Onboard Layer 4 and Layer 7 load balancing capabilities enable scaling of deployments by adding back-end servers.
    Application Acceleration
    Application acceleration features including SSL offloading, caching, compression, and connection pooling for faster web application content delivery.
    Advanced Threat Prevention Capabilities
    Includes firewall, Data Loss Prevention (DLP), Intrusion Prevention System (IPS), application control, IPsec VPN, URL filtering, antivirus, and anti-bot features for multi-layered network security.
    Traffic Inspection and Control
    Inspects and controls encrypted data flows between on-premises networks and AWS VPCs, including North-South traffic entering and exiting private subnets and East-West traffic between VPCs.
    Infrastructure-as-Code Integration
    Integrates with infrastructure-as-code tools including Terraform and Ansible for policy automation, with dynamic security policy adaptation based on real-time cloud metadata.
    AWS Service Integration
    Supports integration with Gateway Load Balancer, AWS Security Hub, VPC Ingress Routing, AWS Traffic Mirroring, AWS Transit Gateway, AWS Outposts, and Amazon Macie.
    Centralized Security Management
    Provides unified, centralized management through Check Point Security Management Server with consistent policy, logging, and reporting across AWS, hybrid, and on-premises environments.
    Intrusion Detection and Prevention
    Intrusion detection and prevention (IPS) capabilities for threat detection and mitigation
    Application Security and Visibility
    Application visibility and control through AppSecure with L4-L7 security services
    VPN and Secure Connectivity
    IPsec and full mesh VPN termination services for secure connectivity across on-premises data centers, campuses, branches, and geographically dispersed VPCs
    Cloud-Native Integration
    Integration with AWS services including Elastic Load Balancer, Auto-Scaling Groups, CloudWatch, Security Hub, Key Management Service, and Gateway Load Balancer (GWLB) with L3 gateway and L4 load balancer capabilities
    Advanced Routing and Network Services
    Cloud-grade routing capabilities with NAT, firewall, and network address translation services

    Contract

    Standard contract
    No
    No
    No

    Customer reviews

    Ratings and reviews

    4.5 (57 ratings)
    5 star: 74%
    4 star: 19%
    3 star: 7%
    2 star: 0%
    1 star: 0%
    3 AWS reviews | 54 external reviews
    External reviews are from G2 and PeerSpot.
    Samir Paul

    Cloud WAF has protected critical web apps and APIs and delivers fast bot and DDoS defense

    Reviewed on May 29, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Barracuda WAF-as-a-Service is protecting web applications running on HTTP and HTTPS sockets from OWASP Top 10 attacks, malicious bots, account takeover attempts, and L3 to L7 DDoS attacks.

    Barracuda WAF-as-a-Service is a cloud-delivered web application firewall designed to protect web applications and APIs from threats such as OWASP Top 10 attacks, malicious bots, account takeover attempts, and L3 to L7 DDoS attacks. It is positioned as a fast to deploy and manage WAF service with pre-built templates, centralized policy control, API protection, and automation support through REST APIs. Barracuda WAF-as-a-Service is a cloud WAF that helps protect websites and APIs quickly without the overhead of deploying and managing traditional web appliances.

    What is most valuable?

    Barracuda WAF-as-a-Service offers several best features including a cloud-delivered WAF for web apps and APIs, fast setup via deployment wizard and templates, protection against OWASP Top 10 and zero-day style web threats, API security for REST, JSON, and GraphQL APIs including discovery and exposure of shadow APIs, bot protection, unmetered L3 and L7 DDoS protection, automation support, and compliance visibility and reporting.

    I find API security, web app and API security, and bot protection to be the most valuable day-to-day features of Barracuda WAF-as-a-Service. Using Barracuda is very easy and fast due to the fast deployment wizard, allowing deployment based on wizards or templates. Onboarding applications is very easy with a turnaround time of only one or two days. API security covers all API types, starting with REST, JSON, and GraphQL APIs. Bot protection includes malicious learning backend for malicious bots, credential stuffing, brute force, and account takeover defense.

    Barracuda WAF-as-a-Service has impacted my organization positively with fast deployment and simple onboarding. One of the strongest points is the speed of deployment, which features a three-step deployment wizard, pre-built templates, and quick onboarding, making it suitable for teams that want protection fast without complex infrastructure setup. For example, if a business wants to protect a customer portal or public website quickly, Barracuda can be onboarded in a minute using pre-defined templates instead of spending days tuning an appliance.

    Another strength is strong API and application protection. Barracuda WAF-as-a-Service protects both traditional web applications and modern APIs, including REST, JSON, and GraphQL, and it supports API discovery to identify exposed shadow and zombie APIs. Bot and account takeover protection is included along with DDoS protection which adds application level DDoS that protects L3 to L7 type of DDoS threats like HTTP flood. There is a good balance of simplicity and control.

    I notice faster time to detection because since the onboarding uses a wizard and template, the organization can reduce deployment effort by 30 to 50% faster deployment effort for standard web app onboarding. There is lower operational overhead since the solution is delivered as a service, allowing customers to avoid appliance lifecycle management and benefit from automated updates and managed service characteristics. From an ROI and impact perspective, there is a 20 to 35% reduction in day-to-day administrative effort. Additionally, there is reduced business impact from downtime because built-in L3 to L7 DDoS protection and application layer security can reduce outage risk and service disruption for customer-facing applications.

    What needs improvement?

    Regarding improvements for Barracuda WAF-as-a-Service, the UI and user experience can feel dated. While the interface is functional and centralized, some third-party reviews indicate that the UI can feel outdated, and enhancements are required to provide an executive look that can be aligned with modern and intuitive next-generation competitors.

    The licensing and cost structure perspective may need clear planning. Barracuda service is customizable but external references note that licensing and cost planning can become complex.

    Advanced analytics and executive reporting could be better. The platform provides visibility and compliance reporting but organizations looking for a very polished executive dashboard, deep attack visualization, or broader cloud-native security context may find it more focused on WAF operation.

    Barracuda WAF-as-a-Service is best suited for app and API protection and is not a full CNAPP platform. It is strong for application layer protection but is not positioned as a full CNAPP covering posture management. Modernizing the UI further, simplifying packaging and licensing clarity, enhancing the executive reporting and risk dashboard, and expanding broader cloud-native integration would be beneficial improvements.

    For how long have I used the solution?

    I have been using Barracuda WAF-as-a-Service for almost eight years.

    What do I think about the stability of the solution?

    I do not see any latency with Barracuda WAF-as-a-Service. It is a software as a service, so the provider maintains all the infrastructure and it is very scalable, so I do not see any challenge.

    Barracuda WAF-as-a-Service is extremely accurate in detection and reporting, and I find very few false positives. When deploying this solution, you have to take care of a few things very cautiously, especially understanding how the application works and defining the policy carefully. Otherwise, it could bring false positive alert fatigue. Alert fatigue depends on who is implementing the solution. If experienced and expert people with Barracuda implement the solution, you will get less alert fatigue.

    What do I think about the scalability of the solution?

    Barracuda WAF-as-a-Service can handle increases in traffic or new applications easily since this particular solution is built for that specific purpose.

    How are customer service and support?

    Barracuda WAF-as-a-Service provides good support and the support team is very cooperative and helpful.

    Which solution did I use previously and why did I switch?

    I purchased Barracuda WAF-as-a-Service via a partner and not through the AWS Marketplace.

    How was the initial setup?

    Barracuda WAF-as-a-Service is a cloud-delivered web application firewall designed to protect web applications and APIs from threats such as OWASP Top 10 attacks, malicious bots, account takeover attempts, and L3 to L7 DDoS attacks. It is positioned as a fast to deploy and manage WAF service with pre-built templates, centralized policy control, API protection, and automation support through REST APIs. Barracuda WAF-as-a-Service is a cloud WAF that helps protect websites and APIs quickly without the overhead of deploying and managing traditional web appliances.

    What about the implementation team?

    I maintain all the governance and security for Barracuda WAF-as-a-Service as per the standard. Each organization has certain compliance requirements that they need to adhere to, and these are already in place with Barracuda. I fully agree with the policy mapping that is shown when designing the WAF policy and it is very much in line with compliance strategy.

    What was our ROI?

    Since the solution is delivered as a service, customers avoid appliance lifecycle management and benefit from automated updates and managed service characteristics. From an ROI and impact perspective, there is a 20 to 35% reduction in day-to-day administrative effort. Additionally, built-in L3 to L7 DDoS protection and application layer security can reduce outage risk and service disruption for customer-facing applications.

    What's my experience with pricing, setup cost, and licensing?

    The licensing and cost structure perspective may need clear planning. Barracuda service is customizable but external references note that licensing and cost planning can become complex.

    Which other solutions did I evaluate?

    If organizations have any public-facing application, they should use WAF-as-a-Service and Barracuda is a good choice, but there are other choices as well. When choosing any solution, you have to check other aspects such as the people aspect, people, process, and technology. These three have to be consolidated. If any organization needs suggestions, they could reach out to me for help in choosing the right solution.

    What other advice do I have?

    Barracuda WAF-as-a-Service is best suited for app and API protection and is not a full CNAPP platform. It is strong for application layer protection but is not positioned as a full CNAPP covering posture management. Modernizing the UI further, simplifying packaging and licensing clarity, enhancing the executive reporting and risk dashboard, and expanding broader cloud-native integration would be beneficial. I would rate my overall experience with this solution as an eight.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Paul M.

    Enterprise-Level Firewall at a Great Value, with Unmatched Barracuda Support

    Reviewed on May 13, 2026
    Review provided by G2
    What do you like best about the product?
    It is an enterprise level firewall at less than an enterprise cost. I would put them next to Cisco or Juniper any day. They are functional, reliable, quick, and the support from Barracuda is second to NONE.
    What do you dislike about the product?
    Nothing. I mean they could cost less, but you get what you pay for at the end of the day and when you are protecting a company from people doing things they shouldn't have to do, cost starts to become not as relevant.
    What problems is the product solving and how is that benefiting you?
    It is securing internet access for our whole agency. We use small firewalls at small facilities to build VPN tunnels back to the main facility. The original problem it solved was an inherent ACL in a Cisco ASA that I needed around for a specific purpose and Cisco was unwilling to do anything to make it work. Barracuda, I could do it out of the box... and that was the old X series firewalls. The cloudgens are light years ahead of them when they stopped making the X's.
    Tej D.

    Impressive Automation and Easy Cloud Integration with Deep Threat Protection

    Reviewed on Mar 20, 2026
    Review provided by G2
    What do you like best about the product?
    Its automation feature is very impressive. Integration in the cloud is very easy. Central management system with deep threat protection.
    What do you dislike about the product?
    All the things are nice, features are also good, but it is costly, and the learning curve is steep.
    What problems is the product solving and how is that benefiting you?
    Cybersecurity. Packet tracing and log monitoring. Threat detection.
    Phakedi Mphela

    Advanced threat analytics have strengthened compliance efforts but licensing and SIEM need work

    Reviewed on Mar 16, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I deal with Barracuda WAF-as-a-Service and usually recommend it for private and government companies.

    What is most valuable?

    The automatic security updates are excellent. These updates help our customers transition smoothly between interface versions. We started with an old Barracuda interface, implemented everything there, and then moved to the new interface, which is very good and helpful.

    Barracuda WAF-as-a-Service's real-time attack detection feature has improved our customers' threat response strategies significantly.

    I have found value in the actionable analytics provided. Our customers have seen benefits such as access to a lot of data and the ability to analyze real-time threats through the actionable analytics.

    What needs improvement?

    I assess the impact of Barracuda WAF-as-a-Service on compliance efforts regarding security events as good in terms of compliance, although there are a few issues. There is one issue regarding local data storage, as they do not have that capability, and we are storing the data in another foreign country, which is against the law. Data is supposed to be within the South African border.

    In my opinion, the main direction for improvement should be around the licensing part, as it should not be quite complex. The price of their licensing model is a bit steep. However, for other features such as web application threat detection and data compliance, they are very good, especially for application trafficking and caching. The pricing and SIEM integration sometimes create challenges, and we need to get professional help with those areas.

    For the next release, Barracuda WAF-as-a-Service should include advanced APIs and perhaps AI-driven detections. They can improve the integration with SIEM and SOAR.

    For how long have I used the solution?

    I have been working with Barracuda WAF-as-a-Service for quite a few years.

    Which other solutions did I evaluate?

    There are competitors to Barracuda WAF-as-a-Service. Depending on a client's requirement, I would recommend it, but there are competitors such as F5 and Cloudflare, and it depends on what the client wants. Sometimes, clients might want a firewall and choose something like Fortinet or Cisco secure firewall.

    What other advice do I have?

    The price of their licensing model is a bit steep, but for other features such as web application threat detection and data compliance, they are very good, especially for application trafficking and caching. I am happy with it; it is just that the pricing and SIEM integration sometimes create challenges, and we need to get professional help with those areas.

    Implementing Barracuda WAF-as-a-Service is quite complex, and you need to have substantial knowledge in this area. I rate Barracuda WAF-as-a-Service an overall score of six.

    Verified User

    Dependable Network Protection with Great Support

    Reviewed on Feb 10, 2026
    Review provided by G2
    What do you like best about the product?
    I find Barracuda CloudGen Firewall valuable for monitoring and controlling our network traffic. The technical support is always top notch and available, which really helps us. The initial setup was very easy, making it straightforward right from the start.
    What do you dislike about the product?
    I think an improvement could have to do with having some sort of log review by AI to determine if there are issues with the firewalls that are not being seen with the monitor.
    What problems is the product solving and how is that benefiting you?
    Barracuda CloudGen Firewall provides a single portal for firewall protection information and supports the monitoring and controlling of our network traffic.