Understanding AWS Network Firewall

How AWS Network Firewall works, its Suricata-based rule engine, the per-endpoint and per-GB pricing model, and where a flat-priced alternative fits.

AWS Network Firewall is Amazon’s managed network firewall service. It does stateful inspection, intrusion detection, and egress control for traffic inside your AWS networks. It is capable — and its pricing model is the reason a lot of teams go looking for an alternative. Here is how it works and where the costs land.

How it works

AWS Network Firewall is built on Suricata, the open-source threat-detection engine, and accepts Suricata-compatible rules. That gives it deep packet inspection, intrusion detection, and the ability to write detailed, signature-style rules for traffic passing through it.

You deploy a firewall endpoint into a dedicated subnet in each availability zone you want to protect, then steer traffic through it with route tables. Rules are grouped into rule groups and managed centrally.

Pricing structure

AWS Network Firewall bills through two mechanisms:

  • An hourly fee per firewall endpoint.
  • A per-GB data-processing charge on everything it inspects.

Two things make this add up. First, the per-GB charge scales directly with traffic — the more your workloads talk, the more you pay, whether or not a rule ever matched. Second, the endpoint model is per availability zone: a multi-AZ deployment multiplies the hourly endpoint charge across zones. For environments with significant east-west or egress volume, the data-processing line dominates the bill.
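As an added illustration of that two-part model (example code written for this page, not from AWS or from the original article), here is a small cost calculator; the rates are assumed placeholders rather than AWS list prices, and the break-even function shows the monthly volume at which the data-processing line overtakes the fixed endpoint line:

```python
from dataclasses import dataclass

# Assumed placeholder rates: the page names the two billing mechanisms but
# quotes no figures, so these numbers are constructed for illustration only.
ENDPOINT_HOURLY_USD = 0.40          # assumed hourly fee per firewall endpoint
DATA_PROCESSING_USD_PER_GB = 0.065  # assumed charge per GB inspected
HOURS_PER_MONTH = 730


@dataclass(frozen=True)
class NfwEstimate:
    endpoint_cost: float  # fixed line: endpoints x hours
    data_cost: float      # variable line: GB inspected x per-GB rate

    @property
    def total(self) -> float:
        return self.endpoint_cost + self.data_cost

    @property
    def dominant_line(self) -> str:
        """Which of the two lines is the larger share of the bill."""
        return "data-processing" if self.data_cost > self.endpoint_cost else "endpoints"


def estimate_monthly(az_count: int, gb_inspected: float,
                     endpoint_hourly: float = ENDPOINT_HOURLY_USD,
                     per_gb: float = DATA_PROCESSING_USD_PER_GB,
                     hours: int = HOURS_PER_MONTH) -> NfwEstimate:
    """Monthly cost under the two-part model: one endpoint per AZ billed
    every hour, plus a charge on every GB inspected, whether or not a rule
    matched."""
    if az_count < 1 or gb_inspected < 0:
        raise ValueError("need at least one AZ and non-negative traffic")
    return NfwEstimate(endpoint_cost=az_count * endpoint_hourly * hours,
                       data_cost=gb_inspected * per_gb)


def breakeven_gb(az_count: int,
                 endpoint_hourly: float = ENDPOINT_HOURLY_USD,
                 per_gb: float = DATA_PROCESSING_USD_PER_GB,
                 hours: int = HOURS_PER_MONTH) -> float:
    """Monthly GB at which the data-processing line equals the endpoint
    line; above this volume traffic, not endpoints, drives the bill."""
    return az_count * endpoint_hourly * hours / per_gb


if __name__ == "__main__":
    est = estimate_monthly(3, 50_000)
    print(f"3 AZ / 50,000 GB: total ${est.total:,.2f}, {est.dominant_line} dominates")
    print(f"break-even for 3 AZs: {breakeven_gb(3):,.0f} GB/month")
```

Swap the placeholder rates for the current published ones before using the numbers for anything beyond a rough comparison.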

What it does well

  • Native AWS integration. It plugs into CloudFormation, CloudWatch, and Security Hub, so monitoring and provisioning sit inside tooling AWS teams already use.
  • Automatic scaling. The managed service scales with traffic without you sizing instances.
  • Expressive rules. Suricata-compatible rules support detailed inspection and detection logic.

Where it gets heavy

  • Cost at volume. The per-GB data-processing charge plus per-AZ endpoints make high-traffic environments expensive.
  • AWS only. It secures AWS networks. If you run more than one cloud, you manage a different service — with different concepts and a different bill — everywhere else.
  • Lock-in. Rules and operational patterns are tied to the AWS service.

The alternative

A network virtual appliance (NVA) from a vendor like Fortinet or Palo Alto gives you cloud portability and a deep feature set, but brings complex deployment, manual scaling, and licensing that most teams only half-use.

Enforza sits deliberately between the two. It delivers the egress, ingress and east-west control you actually need — identity-aware hostname (SNI/FQDN) filtering, secure NAT, threat hardening, compliance — on flat per-firewall pricing with no per-GB data-processing tax, and the same console works across AWS, Azure and GCP. It is the way to replace the cloud-native firewall on cost without buying a six-figure mega-NGFW platform you will never fully switch on.

See the side-by-side on the Enforza vs AWS Network Firewall page, or the broader Problem with Cloud-Native Firewalls.
