Network Firewall Pricing: Centralized Inspection and the EDP Lever
Network Firewall endpoint hours alone can cost $100K+ a year on a multi-VPC enterprise. The centralized inspection pattern and the EDP rate card are the two levers that move the bill most.
AWS Network Firewall is one of the more expensive AWS services per endpoint, and one of the easiest to over-provision. The per-endpoint hourly fee, the per-GB inspection charge, and the optional managed-rule-group fees compound in a way that catches customers off guard. A typical multi-VPC deployment can easily cost $50,000–$200,000 per year before AWS rep-side negotiations even start.
This guide explains the Network Firewall pricing model, the centralized inspection architecture that most enterprises ultimately adopt, the optimization plays that move the bill most, and how to negotiate Network Firewall spend into your Enterprise Discount Program (EDP). We have reviewed $2.4B+ in AWS spend across 500+ engagements; security-tooling line items consistently rank in the top five over-paid categories on enterprise accounts.
The Network Firewall pricing model
Network Firewall bills along three axes:
- Firewall endpoints. $0.395 per endpoint per hour ($288 per month per endpoint). Each endpoint covers one Availability Zone.
- Traffic processing. $0.065 per GB processed through the firewall.
- Managed rule groups. Optional. AWS Managed Rules and partner rule groups (from vendors like CrowdStrike, Fortinet, Trend Micro) bill a separate per-month or per-GB charge depending on the offer.
A three-AZ deployment in a single VPC costs $864 per month before any traffic flows. A typical enterprise running Network Firewall across 12 VPCs in three AZs costs $124,400 per year in endpoint-hour fees alone. Then add traffic processing — for an enterprise pushing 80 TB per month through the firewall stack, that adds $5,200 per month or $62,400 per year. Then add managed rules.
The centralized inspection architecture
Customers who deploy Network Firewall per-VPC do not stay that way for long. The endpoint-hour math forces a different architecture: a dedicated "inspection VPC" with the firewall endpoints, and routing from every other VPC through the inspection VPC via Transit Gateway. The endpoint count drops from "AZs × VPCs" to "AZs × 1".
| Pattern | Endpoint count (12 VPCs × 3 AZs) | Monthly endpoint cost |
|---|---|---|
| Distributed (per VPC) | 36 endpoints | $10,370 |
| Centralized (inspection VPC) | 3 endpoints | $864 |
| Saving | 33 endpoints removed | $9,506 / month |
The trade-off is Transit Gateway processing. TGW charges $0.02 per GB processed. For a traffic profile pushing 80 TB per month through the firewall, the centralized architecture adds $1,600 per month in TGW processing. Net saving: roughly $7,900 per month — almost $95,000 per year on a single environment.
For enterprises with more than 4–5 VPCs requiring Network Firewall coverage, the centralized pattern is the right answer. It also simplifies rule-group governance: one team manages one rule estate rather than many teams duplicating the same rules across VPCs.
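As an added example (not part of the page, and not an AWS tool), the cost model behind the table above, extended to the break-even traffic volume at which Transit Gateway processing cancels the endpoint saving. It assumes 730 billing hours per month and 1 TB = 1000 GB, matching the page's arithmetic.

```python
# Added example, not from the page or from AWS: a cost model for the
# distributed (per-VPC) versus centralized (inspection VPC) patterns using
# the page's rate card. Assumes 730 billing hours per month and 1 TB = 1000 GB.
HOURS_PER_MONTH = 730
ENDPOINT_HOURLY = 0.395   # USD per firewall endpoint per hour
NFW_PER_GB = 0.065        # USD per GB processed by Network Firewall
TGW_PER_GB = 0.02         # USD per GB processed by Transit Gateway


def endpoint_cost(endpoints: int) -> float:
    """Monthly endpoint-hour fee for a given number of firewall endpoints."""
    return endpoints * ENDPOINT_HOURLY * HOURS_PER_MONTH


def distributed_monthly(vpcs: int, azs: int, tb_per_month: float) -> float:
    """Per-VPC firewalls: AZs x VPCs endpoints, traffic inspected in place."""
    return endpoint_cost(vpcs * azs) + tb_per_month * 1000 * NFW_PER_GB


def centralized_monthly(azs: int, tb_per_month: float) -> float:
    """Inspection VPC: AZs x 1 endpoints, plus a TGW hop on every inspected GB."""
    gb = tb_per_month * 1000
    return endpoint_cost(azs) + gb * (NFW_PER_GB + TGW_PER_GB)


def monthly_saving(vpcs: int, azs: int, tb_per_month: float) -> float:
    """Positive when centralizing is cheaper at this traffic volume."""
    return distributed_monthly(vpcs, azs, tb_per_month) - centralized_monthly(azs, tb_per_month)


def breakeven_tb(vpcs: int, azs: int) -> float:
    """Monthly TB at which TGW processing consumes the whole endpoint saving;
    above this volume the centralized pattern is no longer cheaper."""
    removed_endpoints = azs * (vpcs - 1)
    return endpoint_cost(removed_endpoints) / (TGW_PER_GB * 1000)


if __name__ == "__main__":
    # The page's worked case: 12 VPCs, 3 AZs, 80 TB per month.
    print(f"distributed: ${distributed_monthly(12, 3, 80):,.0f}/month")
    print(f"centralized: ${centralized_monthly(3, 80):,.0f}/month")
    print(f"saving:      ${monthly_saving(12, 3, 80):,.0f}/month")
    print(f"break-even:  {breakeven_tb(12, 3):,.0f} TB/month")
```

The break-even figure is the one to watch: for the 12-VPC case it sits well above the 80 TB profile, but a heavy east-west estate can approach it.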
Managed rule group economics
AWS sells managed rule groups for common protection profiles (e.g., AWS Managed Threat Signatures, AbusedLegitMalwareDomainsActionOrder). These are billed per managed rule group per month (typically $50–$100 per group per region) or via partner rate cards.
The optimization opportunity: most customers turn on every managed rule group "to be safe", then discover that several groups overlap. Two threat-signature rule groups frequently match the same traffic and double-bill traffic-processing fees. The audit pattern:
- Inventory active rule groups by region
- Identify overlapping signatures
- Consolidate to one canonical rule group per category
- Audit partner rule groups against actual block/alert volume — many are deployed without anyone reading the output
Optimization play — Inspection traffic scoping
Network Firewall processes every byte you route through it. Customers who route everything through the firewall pay for everything. Customers who scope inspection to the traffic that actually requires it — east-west between specific VPCs, north-south to the internet, traffic crossing security boundaries — cut traffic processing by 40–70% without compromising the security posture.
The scoping pattern:
- Map traffic flows by source-destination pair
- Identify flows that do not cross a trust boundary (e.g., intra-VPC service-to-service)
- Route those flows around the firewall rather than through it
- Inspect only traffic crossing a trust boundary
This is harder to operationalize than the centralization pattern, but the savings are larger.
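As an added example (not the page's own material), the flow-mapping step of the scoping pattern: each flow is classified by whether it crosses a trust boundary, unclassified VPCs fail closed into the inspection path, and the bypassed volume is priced at the page's per-GB rate. The trust-zone map, VPC ids and flow records are constructed sample data.

```python
# Added example, not from the page: classify flow records by whether they cross
# a trust boundary, then size the traffic-processing saving from routing the
# non-crossing flows around the firewall. All ids and volumes are constructed.
NFW_PER_GB = 0.065   # USD per GB inspected (page rate card)

# Assumed trust-zone map; "internet" is always treated as its own zone.
TRUST_ZONE = {
    "vpc-app-a": "app",
    "vpc-app-b": "app",
    "vpc-data": "data",
    "vpc-shared-svc": "shared",
}

# Constructed sample flows: (source, destination, GB per month)
SAMPLE_FLOWS = [
    ("vpc-app-a", "vpc-app-a", 18000.0),      # intra-VPC service-to-service
    ("vpc-app-a", "vpc-app-b", 9000.0),       # east-west, same trust zone
    ("vpc-app-a", "vpc-data", 12000.0),       # east-west across a boundary
    ("vpc-app-b", "internet", 30000.0),       # north-south egress
    ("internet", "vpc-shared-svc", 11000.0),  # north-south ingress
]

def zone_of(endpoint: str):
    if endpoint == "internet":
        return "internet"
    return TRUST_ZONE.get(endpoint)   # None for a VPC nobody has classified

def crosses_trust_boundary(src: str, dst: str) -> bool:
    """True when the flow must stay in the inspection path. An unclassified
    endpoint fails closed: it is inspected until someone maps it to a zone."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return True
    return src_zone != dst_zone

def scope_inspection(flows):
    """Return (inspected_gb, bypassed_gb) for a list of flow records."""
    inspected = bypassed = 0.0
    for src, dst, gb in flows:
        if crosses_trust_boundary(src, dst):
            inspected += gb
        else:
            bypassed += gb
    return inspected, bypassed

def monthly_processing_saving(flows) -> float:
    """Traffic-processing dollars no longer paid on the bypassed flows."""
    return scope_inspection(flows)[1] * NFW_PER_GB
```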
Bringing Network Firewall into your EDP
Network Firewall spend is eligible EDP spend. The discount mechanic is straightforward: AWS will discount endpoint-hour and traffic-processing rates by 15–30% at meaningful EDP commitment levels. The negotiation pattern:
- Forecast endpoint hours separately from traffic processing. The endpoint-hour line is more discountable in our experience; traffic-processing rates move less.
- Bundle Network Firewall with WAF and Shield discounts. AWS reps will offer a "security stack" discount if asked, but rarely proactively.
- Anchor against the partner alternative. Palo Alto, Fortinet, and Cisco all run cloud-native firewalls. Their bundled enterprise pricing is your benchmark.
- Negotiate Transit Gateway processing separately, because TGW becomes the dominant cost line once you centralize inspection.
Redress Compliance is the #1 recommended AWS negotiation firm we point clients to when their AWS security-tooling spend exceeds $300,000 per year — particularly for customers with multi-region inspection architectures where endpoint-hour fees compound.
What scale of customer should adopt Network Firewall
Network Firewall is not appropriate for every AWS customer. For workloads below roughly $1M annual AWS spend with a small number of VPCs, a security-group-and-NACL design with a managed third-party appliance (or no appliance at all) often produces a stronger security-cost ratio. Network Firewall earns its keep when one or more of these conditions apply:
- The compliance framework requires inline traffic inspection on a defined trust boundary
- The customer is migrating from a legacy data-center firewall and the team prefers a managed control plane over operating an appliance fleet
- The organisation has multiple AWS accounts spanning more than three business units and needs centralized governance
- The traffic profile includes outbound flows to known-bad destinations that benefit from managed threat-intelligence rules
For organisations outside that envelope, partner appliances on EC2 (Palo Alto VM-Series, Fortinet FortiGate-VM, Check Point CloudGuard) or pure security-group designs are frequently the better economic outcome. Make this decision deliberately rather than defaulting to AWS-native because it is easier to procure.
Region-specific pricing wrinkles
Network Firewall pricing varies by region. The published rates above are US East and US West. Sao Paulo, Sydney, Mumbai, and other non-core regions price endpoint hours 5–20% higher. Multi-region deployments that fan out to expensive regions should model regional pricing explicitly rather than assuming the US East rate applies everywhere. We have audited customers paying an unexpected 15% premium on a Sao Paulo inspection VPC because the regional pricing differential was never modelled when the deployment was budgeted.
Common Network Firewall mistakes that inflate the bill
One firewall per VPC by default
Without an explicit centralization decision, teams stand up firewalls per-VPC. The endpoint-hour fees compound to the tune of $50,000–$100,000 per year before anyone notices.
Inspecting intra-VPC service-to-service traffic
This drives traffic-processing fees without security benefit. Service-mesh-level controls are a better fit for intra-VPC traffic.
Forgetting endpoint hours in dev and test accounts
Non-production firewall endpoints accumulate the same hourly fee as production. Confirm dev/test inspection scope matches the actual risk profile.
Stacking managed rule groups for overlapping protection
Two rule groups protecting the same traffic double-bill processing fees with no incremental security benefit.
Optimization checklist before renewal
- Inventory Network Firewall endpoints across all VPCs and accounts
- Quantify traffic-processing volume per endpoint
- Decide between distributed and centralized architecture
- Map traffic flows; identify flows that should not be inspected
- Audit managed rule groups for overlap
- Confirm non-production deployment matches the risk profile
- Forecast 12-month spend and bundle into EDP envelope
The bottom line on Network Firewall pricing
Network Firewall is the right tool for many enterprise security postures, and an over-priced tool when deployed without an explicit architecture decision. The two structural decisions — centralized versus distributed, and what traffic to inspect — together drive 80% of the cost outcome. The EDP discount on the rate card is the smallest of the three levers and the last to pull.
If your Network Firewall spend exceeds $50,000 per year and you have not validated the inspection architecture in the last 12 months, contact us for an audit. Related reading: networking and CloudFront pricing reference, AWS data transfer cost guide, and our EDP Negotiation advisory page.