AWS Network Firewall cost

AWS Network Firewall pricing — and how to cut it.

AWS Network Firewall bills $0.395 per endpoint-hour per Availability Zone — around $288/month before any traffic — plus a $0.065-per-GB data-processing charge on every byte it inspects. And it does not connect you to the internet, so you still pay for a NAT Gateway underneath. Here is what it really costs, why secure egress meters you per gigabyte twice, and how a flat-priced firewall NVA cuts the bill by up to 60–80% with no per-GB tax.

The two charges on your bill

How AWS Network Firewall pricing works

AWS Network Firewall is billed two ways. The per-endpoint-hour fee is the fixed line — and it is charged per Availability Zone. The per-GB data-processing charge is the part that grows with your traffic, quietly, forever.

  • Per endpoint-hour: $0.395 / hour, per firewall endpoint, per Availability Zone — roughly $288/month before a single byte. Multiply by every AZ you cover.
  • Data-processing charge: $0.065 / GB inspected — on every byte the firewall sees. This is the line that scales with you. TLS and threat-defence inspection bill on top again.

Rates verified for us-east-1 and re-confirmed live on 2026-07-04 against AWS's published Network Firewall pricing; they are directional and subject to change. AWS Network Firewall inspects traffic; it does not provide outbound connectivity, so a NAT Gateway is still required underneath.

A worked example — one Availability Zone

One firewall endpoint, 730 hours, 5 TB of inspected egress in a month — firewall only, before the NAT Gateway:

  • Endpoint-hours ($0.395 × 730): $288
  • Data-processing charge ($0.065 × 5,000 GB): $325
  • Monthly total (firewall only, one AZ): ~$613

Illustrative, directional. Add the NAT Gateway you still need ($0.045/hr + $0.045/GB) and one AZ of secure egress is roughly $871/month — then multiply by every AZ you run.

It gets worse in front of a NAT Gateway

Securing egress on AWS meters you per gigabyte — twice

AWS Network Firewall filters, but it does not connect. To reach the internet your subnets still route through a NAT Gateway — a second product, with its own per-hour fee AND its own data-processing charge on the same traffic.

AWS native: secure egress, stacked

AWS Network Firewall (stateful L7 inspection & filtering)

  • Per endpoint-hour: $0.395 / AZ
  • Data processing: $0.065 / GB

AWS NAT Gateway (egress connectivity, no filtering)

  • Per hour: $0.045
  • Data processing: $0.045 / GB

Two products. Two per-hour fees — the firewall one duplicated per Availability Zone. Two separate data-processing charges on the same gigabytes on top.

With Enforza

Enforza NVA (L7 firewall + secure NAT, in one)

  • Per hour: $0
  • Data processing: $0 / GB

Flat per-firewall licence — £179/mo (£149 from your sixth), plus the EC2 instance you provision. No per-AZ endpoint fee, no per-GB tax.

AWS Network Firewall $0.065/GB and AWS NAT Gateway $0.045/GB are two separate per-GB data-processing charges on the same traffic when you stack them for filtered egress. Rates verified for us-east-1, dated 2026-07-04; directional and subject to change. Savings of 60–80% are typical at modest egress; the gap widens as traffic grows.

The 98% you actually use — none of the bloat

Same firewall capability — and more — at a flat price

Enforza is the drop-in replacement for the cloud-native firewall: the egress, ingress and east-west control most organisations actually need, on one appliance, without the per-GB tax or the per-AZ double-bubble.

AWS Network Firewall + NAT Gateway

  • $0.395 / endpoint-hour, per Availability Zone
  • $0.065 / GB firewall data-processing charge
  • Plus a NAT Gateway: $0.045/hr + $0.045/GB
  • Two per-GB meters; cost scales with egress, forever

Enforza, instead

  • Egress, ingress and east-west control, plus secure NAT
  • Identity-aware L7 (SNI/FQDN) filtering — without breaking TLS
  • Compliance baked in: 25 framework packs, 210+ controls
  • Flat per-firewall licence, $0/GB — managed, self-patching

Enforza is deliberately the right-scoped tool — not a six-figure enterprise platform you would half-fill. It covers roughly 98% of what most organisations actually run a firewall for, at a fraction of the cost. Its single-pass packet classification and verdict engine classifies each flow once, in microseconds (p99 ~49.5 µs, verified), then enforces in-kernel at line rate — and its control plane is outbound-only, so there is no inbound management port to expose.

Migration is a route change

Switch from the metered stack in three steps

You do not re-architect. You re-route. The Enforza appliance sits in your network and takes over both filtering and outbound translation.

  1. Launch the Enforza firewall

    A single Linux VM in your own AWS network — deploy it one-click from the AWS Marketplace, now live, or from your own AMI. It self-registers; you claim it in the console.

  2. Point the route at it

    Change the route that currently exits via your NAT Gateway so it exits via the Enforza instance instead. Secure source-NAT and L7 filtering are on the same box — the workloads keep their path out.

  3. Retire the metered stack

    Decommission both AWS Network Firewall and the NAT Gateway. Both per-GB data-processing charges and the per-AZ endpoint fee stop. Your egress policy carries over as identity-aware L7 rules.
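A check to run between steps 2 and 3, as an added example that is not Enforza's or AWS's own code: it walks route-table data and lists every default route that still exits via the NAT Gateway or a firewall endpoint, so nothing is decommissioned while a subnet depends on it. The sample data, resource IDs and function names are constructed, and it assumes Network Firewall endpoints appear as `vpce-` gateway IDs in the route output.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output;
# every resource ID below is made up for illustration.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-app-a", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-appliance", "State": "active"}]},
    {"RouteTableId": "rtb-app-b", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-old", "State": "active"}]},
    {"RouteTableId": "rtb-app-c", "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw", "State": "active"}]},
    {"RouteTableId": "rtb-app-d", "Associations": [{"SubnetId": "subnet-app-d"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-appliance", "State": "blackhole"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-main", "State": "active"}]},
]}

def classify(route, appliance_eni):
    """Map a default route's next hop to (status, target)."""
    gw = route.get("GatewayId", "")
    if route.get("NatGatewayId"):
        return "blocker: still via NAT Gateway", route["NatGatewayId"]
    if gw.startswith("vpce-"):  # assumption: firewall endpoints show as vpce- IDs
        return "blocker: still via firewall endpoint", gw
    if gw.startswith("igw-"):   # expected only for the appliance's own public subnet
        return "review: direct internet gateway", gw
    eni = route.get("NetworkInterfaceId")
    if eni == appliance_eni:
        state = route.get("State", "unknown")  # "blackhole" means the appliance is unreachable
        return ("migrated" if state == "active" else f"blocker: appliance route is {state}"), eni
    return "blocker: unexpected next hop", eni or gw or "unknown"

def audit_default_routes(doc, appliance_eni):
    """One finding per default route: (route table, subnets, status, target)."""
    findings = []
    for table in doc["RouteTables"]:
        subnets = sorted(a["SubnetId"] for a in table.get("Associations", []) if "SubnetId" in a)
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest in ("0.0.0.0/0", "::/0"):
                status, target = classify(route, appliance_eni)
                findings.append((table["RouteTableId"], subnets, status, target))
    return findings

def safe_to_retire(findings):  # True only when no default route is a blocker
    return not any(status.startswith("blocker") for _, _, status, _ in findings)

if __name__ == "__main__":
    for finding in audit_default_routes(SAMPLE, "eni-appliance"):
        print(*finding)
```

To run it against a real account, replace `SAMPLE` with the parsed JSON from `aws ec2 describe-route-tables` and pass the appliance's network interface ID.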

FAQ

AWS Network Firewall cost — common questions

How much does AWS Network Firewall cost?

AWS Network Firewall bills two ways: $0.395 per firewall-endpoint-hour, per Availability Zone — roughly $288/month per AZ before a single byte — plus a data-processing charge of $0.065 per GB on all traffic it inspects (us-east-1, dated 2026-07-04, directional). A workload pushing 5 TB/month through one endpoint lands near $613/month for the firewall alone, and most teams run an endpoint per AZ for resilience, which multiplies the hourly line.

What is the AWS Network Firewall data-processing charge?

It is the $0.065-per-GB fee AWS applies to every gigabyte the firewall endpoint inspects, separate from the per-hour endpoint fee. It is easy to miss when budgeting because the endpoint fee is the visible line — but the per-GB charge scales directly with how much traffic you inspect, and on a busy estate it can rival or exceed the hourly cost. TLS/advanced inspection and active threat defence are billed on top again.

Does AWS Network Firewall replace a NAT Gateway?

No. AWS Network Firewall inspects and filters traffic; it does not provide outbound connectivity. To reach the internet your private subnets still route through a NAT Gateway, which bills its own $0.045 per gateway-hour plus its own $0.045 per GB data-processing charge. So securing egress on AWS means stacking two products — two per-hour fees and two separate per-GB meters on the same traffic. At 5 TB/month in one AZ that stack is roughly $871/month, before you add a second AZ.

Why is my AWS Network Firewall bill so high?

Two reasons usually. First, the per-endpoint-hour fee is charged per Availability Zone, so a two- or three-AZ deployment multiplies the fixed cost before any traffic. Second, the $0.065-per-GB data-processing charge is levied on every inspected byte and never stops scaling — as egress grows, the per-GB line grows with it. Add the NAT Gateway you still need underneath (its own per-hour and per-GB charges) and the same gigabytes are metered twice.

How do I reduce AWS Network Firewall cost?

Replace the metered stack with a flat-priced firewall NVA. Enforza is a single Linux VM in your own AWS network that does the same egress, ingress and east-west control — identity-aware L7 (SNI/FQDN) filtering, secure source-NAT and threat hardening — under a flat per-firewall licence at $0/GB. You pay only the EC2 instance plus the flat Enforza licence, with no per-endpoint-hour fee and no per-GB data-processing charge, so the bill stops scaling with your traffic. Migration is a route-table change.

Is there a cheaper alternative to AWS Network Firewall?

Yes. Enforza covers the roughly 98% of firewalling most organisations actually use — egress, ingress and east-west control, identity-aware L7/FQDN filtering without breaking TLS, secure NAT and compliance — as one flat-priced appliance, with no per-GB tax and no per-AZ endpoint fee. It is not a six-figure enterprise platform and does not try to be; it is the drop-in replacement for the cloud-native firewall at up to 60–80% less. See the full side-by-side on the Enforza vs AWS Network Firewall comparison.

How much can Enforza save compared with AWS Network Firewall?

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — at $0/GB, plus the EC2 instance you run it on. Against AWS Network Firewall stacked with a NAT Gateway (two per-hour fees plus two per-GB data-processing charges, duplicated per Availability Zone), the flat line typically lands 60–80% cheaper at modest egress, and the gap widens as traffic grows because the Enforza line stays flat while the metered stack climbs. Rates are directional and dated — run your own numbers in the savings calculator.

Does Enforza remove my whole AWS bill?

No. Enforza removes the per-GB data-processing tax and the per-endpoint-hour and NAT-gateway fees, and replaces them with one flat per-firewall licence. You still pay AWS for the EC2 instance the firewall runs on (typically $100–$200/month at modest egress) and for normal data-transfer-out where it applies. The saving is on the firewall and NAT metering, not on AWS's underlying infrastructure.

Stop paying two per-GB meters to filter your own egress.

Cut the AWS Network Firewall bill — flat, no per-GB tax.

Egress, ingress and east-west control with identity-aware L7 filtering and secure NAT in one appliance, at a flat per-firewall price with no data-processing charges and no per-AZ endpoint fee — you pay only for the EC2 instance you run it on. Start free, no card.