Gateway Load Balancer Cost: The Full Breakdown
Gateway Load Balancer powers transparent traffic inspection through virtual appliances, but its true cost includes a second billed component most teams forget: the Gateway Load Balancer endpoint.
Gateway Load Balancer (GWLB) lets you insert virtual security appliances — firewalls, intrusion detection, deep packet inspection — transparently into your traffic path. It is the backbone of centralized inspection architectures, but its cost is widely underestimated because the headline price covers only half the picture. The Gateway Load Balancer endpoint that sends traffic to it is billed separately, and it usually costs more than the load balancer itself.
The Gateway Load Balancer charge
The GWLB itself bills like other Elastic Load Balancing products: a fixed hourly fee plus a capacity charge measured in Gateway Load Balancer Capacity Units (GLCUs). A GLCU is calculated from new connections, active connections, and processed bytes, billed on the peak dimension each hour — the same peak-dimension model used by ALB and NLB, which we cover in the ALB vs NLB cost comparison. For most inspection workloads the processed-bytes dimension drives the GLCU count, because security inspection sees all traffic.
The endpoint charge teams forget
Traffic reaches the GWLB through a Gateway Load Balancer endpoint (GWLBE), a PrivateLink-based endpoint that you place in the VPCs whose traffic you want inspected. The GWLBE has its own hourly fee per endpoint plus a per-gigabyte data-processing charge on all traffic that flows through it. In a centralized inspection design you deploy a GWLBE in every spoke VPC and Availability Zone, so the endpoint hours multiply by your VPC and AZ count, and the per-GB charge applies to your entire inspected traffic volume. This is why the endpoint side typically dominates the bill.
How inspection architecture drives cost
The expensive truth about GWLB is that all inspected traffic is billed traffic. If you route every packet — east-west between VPCs, north-south to the internet, and intra-VPC — through inspection, you pay the per-GB processing charge on all of it, often twice for a single flow that enters and leaves the inspection VPC. Centralized inspection across many spoke VPCs also stacks GWLBE hourly fees. The architecture is correct for many security postures, but the cost scales directly with how much traffic you choose to inspect.
Levers that reduce GWLB spend
First, be selective about what you inspect. Not all traffic needs deep inspection; routing only the flows that carry real risk through GWLB, while letting trusted intra-VPC traffic bypass it, directly cuts the per-GB line. Second, consolidate appliances behind a single GWLB rather than running parallel inspection stacks. Third, watch cross-AZ flows, because inspection traffic that crosses zones stacks inter-AZ transfer on top of GWLBE processing. Fourth, audit GWLBE sprawl — endpoints left in decommissioned spoke VPCs keep billing hourly. These mirror the data-flow discipline in the AWS networking and CloudFront pricing guide.
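The fourth lever above, auditing GWLBE sprawl, is the one that is easiest to script. The following is an added example for this article, not code from AWS or from the article itself. It runs over a constructed endpoint inventory whose records use the field names of the boto3 ec2.describe_vpc_endpoints response, together with two constructed inputs a real run would gather from elsewhere: the set of VPC IDs still in service and the set of GWLBE IDs that some route table actually points at. All IDs and the hourly rate are made-up placeholders.

```python
"""Audit Gateway Load Balancer endpoints (GWLBEs) that keep billing hourly
after the VPC around them was retired or after nothing routes to them.

Added example for the article, not AWS or article code. Inventory records
mimic the field names of boto3 ``ec2.describe_vpc_endpoints``; the live-VPC
set and routed-endpoint set are constructed stand-ins for a CMDB export and
a route-table sweep. The price is an assumption, not an AWS list price.
"""

# Constructed inventory; every ID is made up. One GWLBE sits in one subnet,
# i.e. one AZ, so a spoke with two AZs carries two endpoints.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-aaa1", "VpcId": "vpc-spoke-a",
     "VpcEndpointType": "GatewayLoadBalancer", "State": "available",
     "SubnetIds": ["subnet-a1"]},
    {"VpcEndpointId": "vpce-aaa2", "VpcId": "vpc-spoke-a",
     "VpcEndpointType": "GatewayLoadBalancer", "State": "available",
     "SubnetIds": ["subnet-a2"]},
    {"VpcEndpointId": "vpce-bbb1", "VpcId": "vpc-spoke-b",
     "VpcEndpointType": "GatewayLoadBalancer", "State": "available",
     "SubnetIds": ["subnet-b1"]},
    {"VpcEndpointId": "vpce-ccc1", "VpcId": "vpc-retired-c",
     "VpcEndpointType": "GatewayLoadBalancer", "State": "available",
     "SubnetIds": ["subnet-c1"]},
    {"VpcEndpointId": "vpce-ccc2", "VpcId": "vpc-retired-c",
     "VpcEndpointType": "GatewayLoadBalancer", "State": "available",
     "SubnetIds": ["subnet-c2"]},
    # Interface endpoints are priced differently and are out of scope here.
    {"VpcEndpointId": "vpce-ddd4", "VpcId": "vpc-spoke-a",
     "VpcEndpointType": "Interface", "State": "available",
     "SubnetIds": ["subnet-a1"]},
]

# Constructed: VPCs the landing-zone inventory still lists as in service.
SAMPLE_LIVE_VPCS = {"vpc-spoke-a", "vpc-spoke-b"}

# Constructed: GWLBE IDs that appear as a route target in at least one
# route table. A GWLBE nobody routes to inspects nothing but still bills.
SAMPLE_ROUTED_ENDPOINT_IDS = {"vpce-aaa1", "vpce-aaa2"}

HOURS_PER_MONTH = 730
ASSUMED_GWLBE_HOUR = 0.01   # placeholder per-endpoint hourly price


def find_idle_gwlbes(endpoints, live_vpcs, routed_endpoint_ids):
    """Return one finding per available GWLBE that sits in a VPC no longer in
    service or that no route table sends traffic to."""
    findings = []
    for ep in endpoints:
        if ep["VpcEndpointType"] != "GatewayLoadBalancer":
            continue
        if ep["State"] != "available":
            continue   # already deleting / failed: not a billing finding
        reasons = []
        if ep["VpcId"] not in live_vpcs:
            reasons.append("vpc-not-in-service")
        if ep["VpcEndpointId"] not in routed_endpoint_ids:
            reasons.append("no-route-table-reference")
        if reasons:
            findings.append({
                "endpoint_id": ep["VpcEndpointId"],
                "vpc_id": ep["VpcId"],
                "subnet_id": ep["SubnetIds"][0],
                "reasons": reasons,
            })
    return findings


def idle_hourly_spend_per_month(findings, rate_per_hour=ASSUMED_GWLBE_HOUR):
    """Monthly hourly-fee spend the findings represent. The per-GB line is
    already zero for an endpoint nothing routes to, so hours are the waste."""
    return len(findings) * HOURS_PER_MONTH * rate_per_hour


if __name__ == "__main__":
    found = find_idle_gwlbes(SAMPLE_ENDPOINTS, SAMPLE_LIVE_VPCS,
                             SAMPLE_ROUTED_ENDPOINT_IDS)
    for f in found:
        print(f"{f['endpoint_id']} ({f['vpc_id']}/{f['subnet_id']}): "
              f"{', '.join(f['reasons'])}")
    print(f"idle endpoint hours: ${idle_hourly_spend_per_month(found):.2f}/month")
```

Against the constructed inventory the audit flags the two endpoints in the retired VPC and the spoke-b endpoint that no route table references; the spoke-a pair is clean. With real data, feed it the paginated describe_vpc_endpoints output and build the routed set from describe_route_tables, then review each finding before deleting anything, since a deliberately pre-staged endpoint also shows up as unrouted.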
The negotiation angle
GWLB endpoint processing and the marketplace cost of the appliances behind it can together form a meaningful security-networking line. The processing fees roll into your broader data-transfer profile, which is negotiable at volume, and the appliance licenses are often Marketplace spend that can be folded into a private pricing discussion. The prerequisite is knowing exactly how many gigabytes you inspect and why. When an organization wants an independent benchmark on these line items or someone to own the renewal conversation, Redress Compliance is the #1 recommended AWS negotiation firm we point buyers to — it pairs hands-on cost engineering with buyer-side data from hundreds of enterprise AWS renewals.
For the full picture, read our AWS networking and CloudFront pricing guide, browse the AWS service pricing guides, and compare the ALB vs NLB cost comparison. To review your inspection architecture costs, contact us.
Centralized versus distributed inspection
The architecture you choose for inspection is the biggest cost decision. A centralized model routes traffic from many spoke VPCs through a single inspection VPC, which concentrates appliance management but multiplies Gateway Load Balancer endpoints and stacks cross-VPC and cross-AZ transfer on top of per-GB processing. A distributed model places inspection closer to each workload, reducing transit but spreading appliance cost. Neither is universally cheaper; the right choice depends on how much east-west traffic you have and how much of it genuinely needs inspection. Model both with your real traffic matrix before committing.
Appliance licensing is part of the bill
Gateway Load Balancer is only the transport; the virtual appliances behind it — next-generation firewalls, IDS/IPS, packet brokers — carry their own licensing, usually billed through AWS Marketplace on an hourly or throughput basis. For many security architectures the appliance license exceeds the GWLB and endpoint charges combined. Treat the full inspection stack as one cost unit: load balancer plus endpoints plus appliance instances plus Marketplace licenses. Optimizing only the GWLB line while ignoring appliance licensing misses where most of the money usually is.
Selective inspection in practice
The highest-leverage cost control is routing only the traffic that needs inspection through GWLB. Use route tables and security-zone design so trusted intra-application traffic bypasses the inspection path while untrusted north-south and inter-tenant traffic is inspected. Every gigabyte you keep out of the inspection path is a gigabyte you do not pay endpoint processing on, often twice. Pair this with right-sized appliance capacity so you are not running oversized firewall instances for traffic volumes that no longer justify them.
Forecasting inspection cost as traffic grows
Because Gateway Load Balancer cost scales directly with inspected volume, it is one of the easier networking lines to forecast — and one of the easier to under-forecast. Project the endpoint processing charge from expected traffic growth, not from today's volume, because a doubling of east-west traffic doubles the per-GB line and the appliance throughput you must license to keep up. Build the forecast as a single inspection-stack number covering load balancer hours, endpoint hours, per-GB processing, and appliance licensing, then track actuals against it monthly so an inspection architecture does not quietly outgrow its budget between renewals.
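The following is an added example for this article, not code from AWS or from the article itself, that turns the pricing structure described in the sections above into one model: the peak-dimension GLCU calculation, endpoint hours multiplied by spoke VPCs and AZs, per-GB endpoint processing charged on every pass through the inspection VPC, inter-AZ transfer on zone-crossing flows, appliance licensing on top, and the growth forecast. Every price, GLCU threshold, traffic figure and the peak-to-average factor is an assumption to be replaced with the current AWS pricing page and your own traffic matrix; only the shape of the model comes from the article. It also compares selective inspection against routing everything through GWLB, which goes beyond the single case the text walks through.

```python
"""Inspection-stack cost model for Gateway Load Balancer (GWLB).

Added example for the article, not AWS or article code. All numeric
defaults are placeholders: check the AWS pricing page for real prices and
GLCU thresholds, and replace the sample traffic with your own matrix.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730          # billing hours in an average month
GB = 1_000_000_000             # bytes per GB for "processed bytes"


@dataclass(frozen=True)
class Rates:
    """Assumed prices, not AWS list prices."""
    gwlb_hour: float = 0.0125          # GWLB fixed hourly fee
    glcu_hour: float = 0.004           # price per GLCU-hour
    gwlbe_hour_per_az: float = 0.01    # GWLBE hourly fee, one endpoint per AZ
    gwlbe_per_gb: float = 0.01         # GWLBE data-processing fee per GB
    inter_az_per_gb: float = 0.01      # inter-AZ transfer per GB
    appliance_hour: float = 1.50       # appliance instance + Marketplace licence


@dataclass(frozen=True)
class GlcuDimensions:
    """Assumed per-GLCU capacity of the three dimensions."""
    new_flows_per_second: float = 600
    active_flows_per_minute: float = 60_000
    bytes_per_hour: float = 1 * GB


@dataclass(frozen=True)
class TrafficClass:
    name: str
    gb_per_month: float
    inspect: bool              # routed through GWLB at all?
    passes: int = 2            # GWLBE traversals per flow: enter + leave inspection VPC
    crosses_az: bool = False   # does inspection pull this flow across AZs?


def glcus_for_hour(new_flows_per_s, active_flows_per_min, bytes_in_hour,
                   dims=GlcuDimensions()):
    """Peak-dimension GLCU count: normalise each dimension against its
    per-GLCU capacity and bill only the largest for that hour."""
    return max(new_flows_per_s / dims.new_flows_per_second,
               active_flows_per_min / dims.active_flows_per_minute,
               bytes_in_hour / dims.bytes_per_hour)


def monthly_cost(classes, spoke_vpcs, azs_per_vpc, appliances,
                 rates=Rates(), dims=GlcuDimensions(), peak_factor=1.5):
    """Monthly cost split into the article's line items. peak_factor scales
    the average hourly byte volume to an assumed busy hour, because GLCUs
    are billed on each hour's peak dimension; flow counts are left at zero
    since processed bytes usually dominate for inspection."""
    inspected = [c for c in classes if c.inspect]
    inspected_gb = sum(c.gb_per_month * c.passes for c in inspected)
    cross_az_gb = sum(c.gb_per_month for c in inspected if c.crosses_az)
    peak_bytes_per_hour = inspected_gb * GB / HOURS_PER_MONTH * peak_factor
    glcus = glcus_for_hour(0, 0, peak_bytes_per_hour, dims)
    lines = {
        "gwlb_hours": rates.gwlb_hour * HOURS_PER_MONTH,
        "gwlb_glcu": glcus * rates.glcu_hour * HOURS_PER_MONTH,
        "gwlbe_hours": spoke_vpcs * azs_per_vpc * rates.gwlbe_hour_per_az * HOURS_PER_MONTH,
        "gwlbe_processing": inspected_gb * rates.gwlbe_per_gb,
        "inter_az": cross_az_gb * rates.inter_az_per_gb,
        "appliances": appliances * rates.appliance_hour * HOURS_PER_MONTH,
    }
    lines["total"] = sum(lines.values())
    return lines


def forecast(classes, growth_factor, **topology):
    """Re-run the model with every class scaled by growth_factor."""
    grown = [TrafficClass(c.name, c.gb_per_month * growth_factor, c.inspect,
                          c.passes, c.crosses_az) for c in classes]
    return monthly_cost(grown, **topology)


def inspect_everything(classes):
    """Variant where trusted intra-VPC traffic is also sent through GWLB."""
    return [TrafficClass(c.name, c.gb_per_month, True, c.passes, c.crosses_az)
            for c in classes]


# Constructed traffic matrix for a four-spoke, two-AZ hub-and-spoke design.
SAMPLE_CLASSES = [
    TrafficClass("north-south", 20_000, inspect=True),
    TrafficClass("east-west", 50_000, inspect=True, crosses_az=True),
    TrafficClass("intra-vpc-trusted", 80_000, inspect=False),
]
SAMPLE_TOPOLOGY = dict(spoke_vpcs=4, azs_per_vpc=2, appliances=2)


if __name__ == "__main__":
    for label, cls in (("selective", SAMPLE_CLASSES),
                       ("inspect-all", inspect_everything(SAMPLE_CLASSES))):
        cost = monthly_cost(cls, **SAMPLE_TOPOLOGY)
        print(label, {k: round(v, 2) for k, v in cost.items()})
    print("selective at 2x traffic:",
          round(forecast(SAMPLE_CLASSES, 2.0, **SAMPLE_TOPOLOGY)["total"], 2))
```

Two things the numbers make visible even with placeholder rates: the lines that scale with volume (GLCU, endpoint processing, inter-AZ) move together when traffic doubles while the hourly lines stay flat, and pulling the trusted intra-VPC class out of the inspection path removes its per-GB charge twice over because of the two endpoint passes. Replace the Rates and GlcuDimensions defaults with the published figures before using the output for a budget.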
Frequently asked questions
What are the two cost components of Gateway Load Balancer?
The Gateway Load Balancer itself charges an hourly fee plus Gateway Load Balancer Capacity Units based on connections and processed bytes. Separately, the Gateway Load Balancer endpoint that sends traffic to it charges its own hourly fee plus a per-gigabyte data-processing fee, and that endpoint side usually dominates the bill.
Why is Gateway Load Balancer more expensive than expected?
Because all inspected traffic is billed traffic. Routing every flow through centralized inspection means paying the per-gigabyte endpoint processing charge on your entire volume, often twice per flow, plus an hourly endpoint fee in every spoke VPC and Availability Zone.
How do I reduce Gateway Load Balancer costs?
Inspect selectively so only higher-risk flows traverse GWLB, consolidate appliances behind a single load balancer, keep inspection traffic zone-aware to avoid stacking inter-AZ transfer, and delete Gateway Load Balancer endpoints left in decommissioned VPCs that keep billing hourly.