Pricing summary / tiers
With AWS Network Firewall, you pay an hourly rate for each firewall endpoint. You also pay for the amount of traffic, billed by the gigabyte, processed by your firewall endpoint. Data processing charges apply for each Gigabyte processed through the firewall endpoint regardless of the traffic's source or destination. You also incur standard AWS data transfer charges for all data transferred via the AWS Network Firewall.
NAT Gateway Pricing
If you choose to create a NAT gateway in your VPC along with Network Firewall, standard NAT gateway processing and per-hour usage charges are waived on a one-to-one basis with the processing per GB and usage hours charged for your firewall.
|Network Firewall Endpoint||$0.395/hr|
|Network Firewall Traffic Processing||$0.065/GB|
|NAT gateway Pricing||Use one hour & one GB of NAT gateway at no additional cost for every hour & GB charged for Network Firewall endpoints.|
Example 1 - Network Firewall with NAT Gateway Pricing
In this example, you have created a network firewall and a NAT gateway, and you have an Amazon EC2 instance with traffic routed to the Internet through the network firewall and NAT gateway. Your EC2 instance sends a 1 GB file to one of your S3 buckets. The EC2 instance, network firewall, NAT gateway, and S3 bucket are in the same region (US East (N. Virginia)), and the network firewall, NAT gateway, and EC2 instance are in the same availability zone. The following charges apply:
- Network Firewall Endpoint Hourly Charges: $0.395 for each hour your firewall endpoint is provisioned.
- Network Firewall Data Processing Charges: $0.065 for 1 GB of data processed by the firewall.
- NAT Gateway Hourly Charges: No charge for each hour your firewall endpoint is provisioned.
- NAT Gateway Data Processing Charges: No charge per gigabyte of NAT gateway processing for each gigabyte processed by your firewall.
- EC2 Data Transfer Charges: Standard EC2 data transfer charges apply. But because your EC2 instance and S3 bucket are in the same region, there is no charge for data transfer between EC2 and S3. There is also no charge for data transfer between your NAT gateway and EC2 instance since the traffic stays in the same availability zone using private IP addresses. If your NAT gateway and EC2 instance were in different availability zones, EC2 data transfer charges would apply. See the Data Transfer section of the EC2 Pricing page for more details.
Total charges are therefore $0.065 for 1 GB of data processed by your firewall when using NAT gateway plus $0.395 for each hour your firewall is provisioned. There are no data transfer charges in this example. However, if you send the same file to a non-AWS Internet location, EC2 data transfer charges will apply to data transferred out from EC2 to the Internet.
Note: To avoid NAT gateway data processing charges, you can create a gateway VPC endpoint and route traffic to and from S3 through the VPC endpoint instead of going through a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints. For details on how to use VPC endpoints, see VPC Endpoints Documentation.
Example 2 - Network Firewall with NAT Gateway Pricing
In this example, you have 2 network firewalls in two AZs and have 5,000 GB of outbound traffic per month (30 days). If you are connecting to the Internet from a private subnet, you may decide to also use 2 NAT gateways in each AZ.
Your total usage for AWS Network Firewall is
- 1,440 hrs of usage (720 hrs in a month * 2 network firewall endpoints)
- 5,000 GB of outbound traffic processed
Because each firewall is entirely zonally isolated for high availability, you pay no cross-AZ charges. Therefore, the charges would be $568.80 = ($0.395 * 1,440 hrs) plus $325 = ($0.065/GB * 5,000 GB processed). The Total Monthly Charge would be $893.80 per month.
For the NAT gateway, you would therefore receive 1,440 hours of NAT gateway and 5,000 GB of NAT gateway GB processed at no additional cost in this same month.