Pricing summary / tiers
With AWS Network Firewall, you pay an hourly rate for each firewall endpoint. You also pay for the amount of traffic, billed by the gigabyte, processed by your firewall endpoint.
NAT Gateway Pricing
If you choose to create a NAT gateway in your VPC along with Network Firewall, standard NAT gateway processing and per-hour usage charges are waived on a one-to-one basis with the processing per GB and usage hours charged for your firewall.
|Network Firewall Endpoint||$0.395/hr|
|Network Firewall Traffic Processing||$0.065/GB|
|NAT Gateway Pricing||Use one hour and one GB of NAT Gateway at no additional cost for every hour and GB charged for Network Firewall.|
Network Firewall with NAT Gateway Pricing Example
Let’s assume you create a network firewall and a NAT gateway, and you have an EC2 instance with traffic routed to the Internet through the firewall and NAT gateway. Your EC2 instance sends a 1GB file to one of your S3 buckets. The EC2 instance, firewall, NAT gateway, and S3 bucket are in the same region (US East (N. Virginia)), and the firewall, NAT gateway, and EC2 instance are in the same availability zone. The following charges apply:
- Network Firewall Endpoint Hourly Charges: $0.395 for each hour your firewall is provisioned.
- Network Firewall Data Processing Charges: $0.065 for 1 GB of data processed by the firewall.
- NAT Gateway Hourly Charges: No charge for each hour your firewall is provisioned.
- NAT Gateway Data Processing Charges: No charge per gigabyte of NAT gateway processing for each gigabyte processed by your firewall.
- EC2 Data Transfer Charges: Standard EC2 data transfer charges apply. But because your EC2 instance and S3 bucket are in the same region, there is no charge for data transfer between EC2 and S3. There is also no charge for data transfer between your NAT gateway and EC2 instance since the traffic stays in the same availability zone using private IP addresses. If your NAT gateway and EC2 instance were in different availability zones, EC2 data transfer charges would apply. See the Data Transfer section of the EC2 Pricing page for more details.
Total charges are therefore $0.065 for 1 GB of data processed by your firewall when using NAT Gateway plus $0.395 for each hour your firewall is provisioned. There are no data transfer charges in this example. However, if you send the same file to a non-AWS Internet location, EC2 data transfer charges will apply to data transferred out from EC2 to the Internet.
Note: To avoid NAT Gateway data processing charges, you can create a gateway VPC endpoint and route traffic to and from S3 through the VPC endpoint instead of going through a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints. For details on how to use VPC endpoints, see VPC Endpoints Documentation.