fitgap

AWS Network Firewall

Pricing from: Pay-as-you-go
Free trial: unavailable
Free version: unavailable
User corporate size: Small, Medium, Large
User industry
  1. Healthcare and life sciences
  2. Information technology and software
  3. Energy and utilities

What is AWS Network Firewall

AWS Network Firewall is a managed network firewall service for filtering and inspecting traffic within Amazon Virtual Private Cloud (VPC) networks. It is used by cloud and security teams to enforce inbound, outbound, and east-west traffic controls for VPCs and centralized network architectures. The service supports stateful and stateless rule processing and can use Suricata-compatible rule syntax for deep packet inspection. It integrates with AWS networking constructs such as VPC routing and AWS Firewall Manager for multi-account policy management.

Pros

Native AWS VPC integration

The service deploys as firewall endpoints inside VPCs and is enforced through VPC route table changes, which fits common AWS hub-and-spoke and shared services designs. It integrates with AWS Firewall Manager to apply policies across multiple accounts and VPCs under AWS Organizations. This reduces the need to operate separate virtual appliances for baseline network filtering in AWS. It also aligns with AWS-native logging and monitoring workflows.

Stateful and stateless inspection

AWS Network Firewall supports both stateless rules for high-speed filtering and stateful rules for connection-aware enforcement. It can perform deep packet inspection using Suricata-compatible rules, enabling protocol and content-based controls beyond simple 5-tuple filtering. This allows teams to implement layered controls for different traffic classes (e.g., north-south vs. east-west). The rule model supports managed rule groups as well as custom rule groups.

Centralized logging and visibility

The product exports firewall logs to AWS services such as Amazon CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose for retention and downstream analytics. This supports centralized visibility across VPCs and accounts when combined with AWS Organizations and policy tooling. Teams can integrate logs into SIEM pipelines and incident response processes without deploying separate log forwarders. Depending on configuration, logging covers alert records (rule matches) and flow-style records (connection summaries).

Cons

AWS-only deployment scope

AWS Network Firewall is designed for traffic inside AWS VPC environments and does not run in on-premises networks or other cloud providers. Organizations with multi-cloud or hybrid requirements typically need additional products or architectures to achieve consistent policy enforcement across environments. This can increase operational complexity when standardizing controls. Portability of configurations is also limited to AWS constructs.

Not a full security stack

The service focuses on network-layer firewalling and intrusion-prevention-style inspection rather than providing a complete secure access or endpoint-to-cloud security suite. Capabilities commonly bundled in broader platforms (for example, user-centric access controls, SWG/CASB, or endpoint integration) are outside its primary scope. As a result, it is often one component in a larger security architecture. Buyers may need complementary services for identity-based access and remote user protection.

Rule tuning and operations effort

Using Suricata-compatible rules and deep inspection typically requires tuning to reduce false positives and to match application traffic patterns. Policy design can become complex in large environments with many VPCs, accounts, and segmented workloads, especially when coordinating route changes and centralized inspection. Cost and performance planning also require attention because inspection capacity and logging volume can scale with traffic. Teams may need mature processes for change control and rule lifecycle management.

Plan & Pricing

Pricing model: Pay-as-you-go (usage-based)

Free tier/trial: No permanently free tier; no time-limited free trial stated on the official AWS Network Firewall pricing page (see notes).

Pricing components (examples and region-specific rates from the official AWS pricing page):

  • Network Firewall endpoint hourly charge (standard endpoint): $0.395 per hour (US East (N. Virginia) example; used as the base rate in several published examples).
  • Network Firewall data processing (traffic) charge: $0.065 per GB processed.
  • Secondary (additional) endpoint hourly charge: $0.158 per hour (US East (N. Virginia) example).
  • Advanced Inspection (TLS inspection) endpoint hourly charge: varies by region (examples: $0.489 per hour in Europe (Ireland); $0.711 per hour in Asia Pacific (Sydney)). Advanced Inspection adds no per-GB surcharge beyond the standard $0.065/GB traffic processing charge.
  • Advanced Threat Protection (active threat defense managed rule groups) processing charge: $0.005 per GB (US West (Oregon) example).
  • NAT Gateway: when service-chained with Network Firewall in the same network path and region, NAT Gateway hourly and data processing charges are waived one-to-one up to the matching Network Firewall usage; otherwise standard NAT Gateway charges apply (examples: $0.045/hr and $0.045/GB in US East (N. Virginia); $0.059/hr and $0.059/GB in Asia Pacific (Sydney)).
  • Managed rule groups from AWS Marketplace: additional fees set by the Marketplace seller, billed separately from AWS Network Firewall charges.

Monthly calculation examples (from the official AWS pricing page):

  • Example (US East (N. Virginia), 2 AZs, 5,000 GB/month, 2 endpoints): total = $893.80/month (derived from $0.395/hr endpoint and $0.065/GB traffic processing).
  • Example (US East (N. Virginia) with 10 secondary endpoints, 5,000 GB/month): total = $1,747/month (uses $0.395/hr primary + $0.158/hr secondary + $0.065/GB).
  • Example (Europe (Ireland) with Advanced Inspection, 5,000 GB/month): total = $961.48/month (includes $0.489/hr Advanced Inspection endpoint). (These are illustrative examples published on the official pricing page.)
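The three published examples above can be reproduced with a small cost model, added here for cost planning and not taken from AWS; it assumes a 720-hour billing month (the only hour count that yields the published totals), that the Ireland example combines one standard endpoint with one Advanced Inspection endpoint, and that the standard and secondary rates in Ireland match the US East figures quoted above. It also models the NAT Gateway service-chaining waiver described in the components list.

```python
from dataclasses import dataclass

HOURS_PER_MONTH = 720  # assumption: AWS examples use a 30-day month (2 x 0.395 x 720 + 325 = 893.80)


@dataclass(frozen=True)
class RegionRates:
    """Per-region unit rates; values below are the page's quoted examples."""
    endpoint_hr: float            # standard firewall endpoint, per hour
    secondary_hr: float           # secondary endpoint, per hour
    advanced_hr: float            # Advanced Inspection (TLS) endpoint, per hour
    traffic_gb: float = 0.065     # data processing, per GB (same in every example)
    nat_hr: float = 0.0           # NAT Gateway hourly rate, 0 if no NAT Gateway
    nat_gb: float = 0.0           # NAT Gateway data processing, per GB


# Rates quoted on the page; Ireland's standard/secondary rates are an assumption.
US_EAST_1 = RegionRates(endpoint_hr=0.395, secondary_hr=0.158, advanced_hr=0.0,
                        nat_hr=0.045, nat_gb=0.045)
EU_WEST_1 = RegionRates(endpoint_hr=0.395, secondary_hr=0.158, advanced_hr=0.489)


def monthly_cost(rates: RegionRates, gb: float, primary: int = 1, secondary: int = 0,
                 advanced: int = 0, nat_gateways: int = 0, nat_gb: float = 0.0,
                 chained: bool = False) -> float:
    """Estimated monthly charge in USD for firewall endpoints, traffic and NAT Gateway."""
    hours = HOURS_PER_MONTH
    firewall_endpoint_hours = (primary + secondary + advanced) * hours
    firewall = (primary * rates.endpoint_hr
                + secondary * rates.secondary_hr
                + advanced * rates.advanced_hr) * hours + gb * rates.traffic_gb

    nat_hours = nat_gateways * hours
    if chained:
        # Service-chained NAT Gateway: hourly and per-GB charges are waived
        # one-to-one, up to the matching Network Firewall usage.
        nat_hours = max(0, nat_hours - firewall_endpoint_hours)
        nat_gb = max(0.0, nat_gb - gb)
    nat = nat_hours * rates.nat_hr + nat_gb * rates.nat_gb
    return round(firewall + nat, 2)


if __name__ == "__main__":
    print(monthly_cost(US_EAST_1, gb=5000, primary=2))                 # 893.80
    print(monthly_cost(US_EAST_1, gb=5000, primary=1, secondary=10))   # 1747.00
    print(monthly_cost(EU_WEST_1, gb=5000, primary=1, advanced=1))     # 961.48
```

The second example only matches the published $1,747 when one primary endpoint sits in front of the ten secondary endpoints, which the pricing page's wording leaves implicit.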

Discounts / cost reductions noted on the official page:

  • NAT Gateway discounts / waivers when NAT Gateway is service-chained and in same path/region as Network Firewall (waives NAT hourly and data processing charges one-to-one for matching firewall usage).
  • No explicit volume or commitment discounts are listed on the Network Firewall pricing page; managed Marketplace rule-groups may have separate pricing or discounts set by the seller.

Notes / limitations:

  • All rates are shown per region and Availability Zone; AWS publishes region-specific variations for some rates (Advanced Inspection hourly rate, NAT Gateway rates, etc.).
  • Prices and examples cited are from the AWS Network Firewall official pricing page and are region-specific examples; consult the AWS pricing page for the region(s) you will use.

Seller details

Vendor: Amazon Web Services, Inc.
Headquarters: Seattle, Washington, USA
Founded: 2006
Company type: Subsidiary
Website: https://aws.amazon.com/
X: https://x.com/awscloud
LinkedIn: https://www.linkedin.com/company/amazon-web-services/

Best AWS Network Firewall alternatives

Cloudflare SSE & SASE Platform
Netgate pfSense
Palo Alto Networks Cloud NGFW
Palo Alto Networks VM-Series Virtual Firewall