AWS Network Firewall pricing — and how to cut it.
AWS Network Firewall bills $0.395 per endpoint-hour per Availability Zone — around $288/month before any traffic — plus a $0.065-per-GB data-processing charge on every byte it inspects. And it does not connect you to the internet, so you still pay for a NAT Gateway underneath. Here is what it really costs, why secure egress meters you per gigabyte twice, and how a flat-priced firewall NVA cuts the bill by up to 60–80% with no per-GB tax.
How AWS Network Firewall pricing works
AWS Network Firewall is billed two ways. The per-endpoint-hour fee is the fixed line — and it is charged per Availability Zone. The per-GB data-processing charge is the part that grows with your traffic, quietly, forever.
Rates verified for us-east-1 and re-confirmed live on 2026-07-04 against AWS's published Network Firewall pricing; they are directional and subject to change. AWS Network Firewall inspects traffic; it does not provide outbound connectivity, so a NAT Gateway is still required underneath.
A worked example — one Availability Zone
One firewall endpoint, 730 hours, 5 TB of inspected egress in a month — firewall only, before the NAT Gateway:
- Endpoint-hours ($0.395 × 730): $288
- Data-processing charge ($0.065 × 5,000 GB): $325
- Monthly total (firewall only, one AZ): ~$613
Illustrative, directional. Add the NAT Gateway you still need ($0.045/hr + $0.045/GB) and one AZ of secure egress is roughly $871/month — then multiply by every AZ you run.
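The same arithmetic as a small cost model, extended to several Availability Zones. This is an added example, not code from the original page; the rates are the ones quoted above, and it assumes one firewall endpoint and one NAT Gateway per AZ and excludes TLS inspection, data transfer out and any EC2 cost.

```python
# Rates as quoted on this page (us-east-1, dated 2026-07-04); not fetched live.
HOURS = 730
ANF_HOUR, ANF_GB = 0.395, 0.065   # Network Firewall: per endpoint-hour, per GB
NAT_HOUR, NAT_GB = 0.045, 0.045   # NAT Gateway: per hour, per GB


def stack_cost(gb_per_az, include_nat=True, hours=HOURS):
    """Monthly USD cost of the metered egress stack.

    gb_per_az: inspected GB per month for each AZ, one list entry per AZ.
    Hourly fees are paid once per AZ; per-GB fees follow total traffic.
    """
    azs = len(gb_per_az)
    total_gb = sum(gb_per_az)
    hourly = ANF_HOUR + (NAT_HOUR if include_nat else 0.0)
    per_gb = ANF_GB + (NAT_GB if include_nat else 0.0)
    fixed = azs * hours * hourly
    metered = total_gb * per_gb
    return {
        "fixed": round(fixed, 2),
        "metered": round(metered, 2),
        "total": round(fixed + metered, 2),
    }


if __name__ == "__main__":
    print("1 AZ, firewall only:", stack_cost([5000], include_nat=False))
    print("1 AZ, with NAT:     ", stack_cost([5000]))
    # Same 5 TB spread over three AZs: only the hourly line triples.
    print("3 AZ, 5 TB total:   ", stack_cost([2000, 2000, 1000]))
    # 5 TB in each of three AZs: both lines triple.
    print("3 AZ, 5 TB each:    ", stack_cost([5000, 5000, 5000]))
```

The fixed line scales with the number of AZs, while the metered line scales with total gigabytes however they are distributed.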
Securing egress on AWS meters you per gigabyte — twice
AWS Network Firewall filters, but it does not connect. To reach the internet your subnets still route through a NAT Gateway — a second product, with its own per-hour fee AND its own data-processing charge on the same traffic.
- AWS Network Firewall, per endpoint-hour: $0.395 / AZ
- AWS Network Firewall, data processing: $0.065 / GB
- NAT Gateway, per hour: $0.045
- NAT Gateway, data processing: $0.045 / GB
Two products. Two per-hour fees — the firewall one duplicated per Availability Zone. Two separate data-processing charges on the same gigabytes on top.
- Enforza, per hour: $0
- Enforza, data processing: $0 / GB
Flat per-firewall licence — £179/mo (£149 from your sixth), plus the EC2 instance you provision. No per-AZ endpoint fee, no per-GB tax.
AWS Network Firewall at $0.065/GB and AWS NAT Gateway at $0.045/GB are two separate per-GB data-processing charges on the same traffic when you stack them for filtered egress. Rates verified for us-east-1, dated 2026-07-04; they are directional and subject to change. Savings of 60–80% are typical at modest egress; the gap widens as traffic grows.
Same firewall capability — and more — at a flat price
Enforza is the drop-in replacement for the cloud-native firewall: the egress, ingress and east-west control most organisations actually need, on one appliance, without the per-GB tax or the per-AZ double-bubble.
Enforza is deliberately the right-scoped tool — not a six-figure enterprise platform you would half-fill. It covers roughly 98% of what most organisations actually run a firewall for, at a fraction of the cost. Its single-pass packet classification and verdict engine classifies each flow once, in microseconds (p99 ~49.5 µs, verified), then enforces in-kernel at line rate — and its control plane is outbound-only, so there is no inbound management port to expose.
Switch from the metered stack in three steps
You do not re-architect. You re-route. The Enforza appliance sits in your network and takes over both filtering and outbound translation.
- Launch the Enforza firewall
  A single Linux VM in your own AWS network — deploy it one-click from the AWS Marketplace, now live, or from your own AMI. It self-registers; you claim it in the console.
- Point the route at it
  Change the route that currently exits via your NAT Gateway so it exits via the Enforza instance instead. Secure source-NAT and L7 filtering are on the same box — the workloads keep their path out.
- Retire the metered stack
  Decommission both AWS Network Firewall and the NAT Gateway. Both per-GB data-processing charges and the per-AZ endpoint fee stop. Your egress policy carries over as identity-aware L7 rules.
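A way to review the route change in step two before making it, as an added example that is not Enforza's or AWS's own tooling. It reads output shaped like `aws ec2 describe-route-tables`, lists the default routes that currently exit via a NAT Gateway, and prints the `replace-route` command for each; the sample data, the `plan_cutover` name and the `eni-0example` interface ID are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
  {"RouteTableId": "rtb-0ccc", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd"}]}
]}
""")

# Route target fields other than NatGatewayId, reported for skipped routes.
TARGET_KEYS = ("GatewayId", "NetworkInterfaceId", "InstanceId", "TransitGatewayId")


def plan_cutover(route_tables, nva_eni):
    """Return (plan, skipped).

    plan:    replace-route commands for default routes that exit via a NAT Gateway.
    skipped: (route table, current target) for default routes left untouched,
             so the operator can see what was not changed and why.
    """
    plan, skipped = [], []
    for rt in route_tables["RouteTables"]:
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("NatGatewayId"):
                plan.append(
                    "aws ec2 replace-route"
                    f" --route-table-id {rt['RouteTableId']}"
                    " --destination-cidr-block 0.0.0.0/0"
                    f" --network-interface-id {nva_eni}"
                )
            else:
                target = next((route[k] for k in TARGET_KEYS if k in route), "unknown")
                skipped.append((rt["RouteTableId"], target))
    return plan, skipped


if __name__ == "__main__":
    plan, skipped = plan_cutover(SAMPLE, "eni-0example")
    print("\n".join(plan))
    print("left unchanged:", skipped)
```

In the sample, `rtb-0ccc` is a public route table whose default route targets the internet gateway; the subnet the appliance itself sits in needs that route, so it is reported rather than rewritten.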
AWS Network Firewall cost — common questions
How much does AWS Network Firewall cost?
AWS Network Firewall bills two ways: $0.395 per firewall-endpoint-hour, per Availability Zone — roughly $288/month per AZ before a single byte — plus a data-processing charge of $0.065 per GB on all traffic it inspects (us-east-1, dated 2026-07-04, directional). A workload pushing 5 TB/month through one endpoint lands near $613/month for the firewall alone, and most teams run an endpoint per AZ for resilience, which multiplies the hourly line.
What is the AWS Network Firewall data-processing charge?
It is the $0.065-per-GB fee AWS applies to every gigabyte the firewall endpoint inspects, separate from the per-hour endpoint fee. It is easy to miss when budgeting because the endpoint fee is the visible line — but the per-GB charge scales directly with how much traffic you inspect, and on a busy estate it can rival or exceed the hourly cost. TLS/advanced inspection and active threat defence are billed on top again.
Does AWS Network Firewall replace a NAT Gateway?
No. AWS Network Firewall inspects and filters traffic; it does not provide outbound connectivity. To reach the internet your private subnets still route through a NAT Gateway, which bills its own $0.045 per gateway-hour plus its own $0.045 per GB data-processing charge. So securing egress on AWS means stacking two products — two per-hour fees and two separate per-GB meters on the same traffic. At 5 TB/month in one AZ that stack is roughly $871/month, before you add a second AZ.
Why is my AWS Network Firewall bill so high?
Two reasons usually. First, the per-endpoint-hour fee is charged per Availability Zone, so a two- or three-AZ deployment multiplies the fixed cost before any traffic. Second, the $0.065-per-GB data-processing charge is levied on every inspected byte and never stops scaling — as egress grows, the per-GB line grows with it. Add the NAT Gateway you still need underneath (its own per-hour and per-GB charges) and the same gigabytes are metered twice.
How do I reduce AWS Network Firewall cost?
Replace the metered stack with a flat-priced firewall NVA. Enforza is a single Linux VM in your own AWS network that does the same egress, ingress and east-west control — identity-aware L7 (SNI/FQDN) filtering, secure source-NAT and threat hardening — under a flat per-firewall licence at $0/GB. You pay only the EC2 instance plus the flat Enforza licence, with no per-endpoint-hour fee and no per-GB data-processing charge, so the bill stops scaling with your traffic. Migration is a route-table change.
Is there a cheaper alternative to AWS Network Firewall?
Yes. Enforza covers the roughly 98% of firewalling most organisations actually use — egress, ingress and east-west control, identity-aware L7/FQDN filtering without breaking TLS, secure NAT and compliance — as one flat-priced appliance, with no per-GB tax and no per-AZ endpoint fee. It is not a six-figure enterprise platform and does not try to be; it is the drop-in replacement for the cloud-native firewall at up to 60–80% less. See the full side-by-side on the Enforza vs AWS Network Firewall comparison.
How much can Enforza save compared with AWS Network Firewall?
Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — at $0/GB, plus the EC2 instance you run it on. Against AWS Network Firewall stacked with a NAT Gateway (two per-hour fees plus two per-GB data-processing charges, duplicated per Availability Zone), the flat line typically lands 60–80% cheaper at modest egress, and the gap widens as traffic grows because the Enforza line stays flat while the metered stack climbs. Rates are directional and dated — run your own numbers in the savings calculator.
Does Enforza remove my whole AWS bill?
No. Enforza removes the per-GB data-processing tax and the per-endpoint-hour and NAT-gateway fees, and replaces them with one flat per-firewall licence. You still pay AWS for the EC2 instance the firewall runs on (typically $100–$200/month at modest egress) and for normal data-transfer-out where it applies. The saving is on the firewall and NAT metering, not on AWS's underlying infrastructure.
Cut the AWS Network Firewall bill — flat, no per-GB tax.
Egress, ingress and east-west control with identity-aware L7 filtering and secure NAT in one appliance, at a flat per-firewall price with no data-processing charges and no per-AZ endpoint fee — you pay only for the EC2 instance you run it on. Start free, no card.