Pricing summary / tiers
With Amazon Network Firewall, you pay an hourly rate for each firewall endpoint. You also pay for the amount of traffic, billed by the gigabyte, processed by your firewall endpoint. Data processing charges apply for each gigabyte processed through the firewall endpoint regardless of the traffic's source or destination. You pay an additional hourly rate for Advanced Inspection and when you use the TLS inspection feature. You also incur standard data transfer charges for all data transferred via the Amazon Network Firewall.
NAT Gateway Pricing
If you choose to create a NAT gateway in your Amazon Web Services account along with Network Firewall, standard NAT gateway processing and per-hour usage charges are waived on a one-to-one basis with the standard Network Firewall Endpoint per-hour usage and standard Network Firewall Traffic Processing for your firewall. Network Firewall Advanced Inspection Endpoint and Network Firewall Advanced Inspection Traffic Processing are excluded from this benefit. Also, your NAT Gateway and Network Firewall must be in the same region to receive this benefit. For example, charges will not be waived if you use Network Firewall in Amazon Web Services China (Beijing) region, operated by Sinnet, and NAT Gateway in Amazon Web Services China (Ningxia) region, operated by NWCD.
The pricing for Amazon Network Firewall is as follows:
Amazon Web Services China (Beijing) region
Resource Type | Price |
Network Firewall Endpoint | ¥ 7.171/hour |
Network Firewall Traffic Processing | ¥ 0.468/GB |
Network Firewall Advanced Inspection Endpoint | ¥ 3.495/hour |
Network Firewall Advanced Inspection Traffic Processing | ¥ 0.000/GB |
NAT gateway Pricing: Use one hour & one GB of NAT gateway at no additional cost for every hour & GB charged for Network Firewall endpoints.
Amazon Web Services China (Ningxia) region
Resource Type | Price |
Network Firewall Endpoint | ¥ 4.036/hour |
Network Firewall Traffic Processing | ¥ 0.468/GB |
Network Firewall Advanced Inspection Endpoint | ¥ 3.279/hour |
Network Firewall Advanced Inspection Traffic Processing | ¥ 0.000/GB |
NAT gateway Pricing: Use one hour & one GB of NAT gateway at no additional cost for every hour & GB charged for Network Firewall endpoints.
Example 1 - Network Firewall with NAT Gateway Pricing
In this example, you have created a network firewall and a NAT gateway, and you have an Amazon EC2 instance with traffic routed to the Internet through the network firewall and NAT gateway. Your EC2 instance sends a 1 GB file to one of your S3 buckets. The EC2 instance, network firewall, NAT gateway, and S3 bucket are in the same region, and the network firewall, NAT gateway, and EC2 instance are in the same availability zone. The following charges apply:
- Network Firewall Endpoint Hourly Charges: ¥ 4.036 for each hour your firewall endpoint is provisioned.
- Network Firewall Data Processing Charges: ¥ 0.468 for 1 GB of data processed by the firewall.
- NAT Gateway Hourly Charges: No charge for each hour your firewall endpoint is provisioned.
- NAT Gateway Data Processing Charges: No charge per gigabyte of NAT gateway processing for each gigabyte processed by your firewall.
- EC2 Data Transfer Charges: Standard EC2 data transfer charges apply. But because your EC2 instance and S3 bucket are in the same region, there is no charge for data transfer between EC2 and S3. There is also no charge for data transfer between your NAT gateway and EC2 instance since the traffic stays in the same availability zone using private IP addresses. If your NAT gateway and EC2 instance were in different availability zones, EC2 data transfer charges would apply. See the Data Transfer section of the EC2 Pricing page for more details.
Total charges are therefore ¥ 0.468 for 1 GB of data processed by your firewall when using NAT gateway plus ¥ 4.036 for each hour your firewall is provisioned. There are no data transfer charges in this example. However, if you send the same file to a non-Amazon Web Services Internet location, EC2 data transfer charges will apply to data transferred out from EC2 to the Internet.
Note: To avoid NAT gateway data processing charges, you can create a gateway VPC endpoint and route traffic to and from S3 through the VPC endpoint instead of going through a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints. For details on how to use VPC endpoints, see VPC Endpoints Documentation.
Example 2 - Network Firewall with NAT Gateway Pricing
In this example, you have 2 Network Firewalls in two AZs of China (Ningxia) region and have 5,000 GB of outbound traffic per month (30 days). If you are connecting to the Internet from a private subnet, you may decide to also use 2 NAT gateways in each AZ.
Your total usage for Amazon Network Firewall is:
- 1,440 hrs of usage (720 hrs in a month * 2 network firewall endpoints)
- 5,000 GB of outbound traffic processed
Because each firewall is entirely zonally isolated for high availability, you pay no cross-AZ charges. The endpoint charges would be ¥5,811.84 = (¥ 4.036 * 1,440 hours) and the data processing charges would be ¥2,340 = (¥ 0.468/GB * 5,000 GB processed). The total monthly charge would be ¥8,151.84. For the NAT gateway, you would receive 1,440 hours of NAT gateway usage and 5,000 GB of NAT gateway data processing at no additional cost in the same month.
Example 3 - Network Firewall with Advanced Inspection Pricing
In this example, you have created a network firewall in Amazon Web Services China (Ningxia) region and have 5,000 GB of traffic per month. The following charges apply:
- Network Firewall Endpoint Hourly Charges: ¥ 4.036 for each hour your firewall endpoint is provisioned.
- Network Firewall Advanced Inspection Endpoint Hourly Charges: ¥ 3.279 for each hour your firewall endpoint is provisioned.
- Network Firewall Data Processing Charges: ¥ 0.468 for 1 GB of data processed by the firewall.
- Network Firewall Advanced Inspection Data Processing Charges: There is no additional charge for Advanced Inspection data processed by the firewall.
Total endpoint charges would be ¥5,266.8 = (¥ 4.036 * 720 hours per month) + (¥ 3.279 * 720 hours per month). Total data processing charges would be ¥2,340 = (¥ 0.468/GB * 5,000 GB processed). Your total bill would be ¥7,606.8 for the month.