
aws_networkfirewall_firewall cost estimation

A managed VPC firewall billed per endpoint-hour plus traffic processed. One endpoint with 100 GB is ~$295/month — and multi-AZ deployments multiply the endpoint fee.

An aws_networkfirewall_firewall is a managed, stateful network firewall for VPCs. Cost has two parts: a per-endpoint-hour fee (~$0.395/hour, ~$288/month per endpoint) plus a per-GB traffic-processing charge (~$0.065/GB). One endpoint processing 100 GB/month is ~$295.

The endpoint fee is the cost driver, and it scales with availability design: Network Firewall deploys one endpoint per Availability Zone, so a firewall protecting a 3-AZ VPC runs three endpoints — ~$865/month before traffic. That per-AZ multiplication is the most common surprise.

The traffic charge then scales with how much data flows through the firewall. Routing only the traffic that needs inspection through it — rather than all VPC traffic — keeps the processing fee down.

c3x prices the firewall from endpoint_count and treats traffic as usage-driven, so the per-endpoint standing cost (and the multi-AZ multiplier) is visible before deployment.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_networkfirewall_firewall" "main" {
  name                = "vpc-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.main.arn
  vpc_id              = aws_vpc.main.id

  dynamic "subnet_mapping" {
    for_each = aws_subnet.firewall[*].id
    content {
      subnet_id = subnet_mapping.value
    }
  }
}

Pricing dimensions

What you actually pay for when you provision aws_networkfirewall_firewall.

Dimension          | Unit     | What's being charged
Firewall endpoint  | per hour | Per-endpoint-hour fee, one endpoint per Availability Zone. The standing cost driver. $0.395/hour ≈ $288/month per endpoint.
Traffic processed  | per GB   | Per-GB charge for data inspected by the firewall. Usage-based. ~$0.065/GB → 100 GB = $6.50/month.

Sample C3X output

One firewall endpoint processing 100 GB/month:

aws_networkfirewall_firewall.main
├─ Firewall endpoint (1)   730 hours   $288.35
└─ Traffic processed       100 GB        $6.50
                           Monthly     $294.85
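The pricing model described above (per-endpoint-hour fee multiplied by the number of Availability Zones, plus a per-GB traffic charge) and the sample breakdown, worked through as an added example. This is illustrative code written for this page, not c3x's own estimator: it assumes a constructed subnet-to-AZ table with placeholder AZ names, uses the list prices and the 730-hour month quoted on the page, and treats two subnets in the same AZ as an invalid mapping because Network Firewall takes one subnet per AZ.

```python
"""Estimate monthly aws_networkfirewall_firewall cost from subnet mappings
and expected traffic. Added example, not c3x code; prices are the page's
figures and the subnet/AZ table is constructed sample data."""

ENDPOINT_HOURLY_USD = 0.395   # per firewall endpoint-hour (page figure)
TRAFFIC_PER_GB_USD = 0.065    # per GB processed (page figure)
HOURS_PER_MONTH = 730         # month length used in c3x's sample output

# Constructed sample: subnet id -> Availability Zone (placeholder names).
SUBNET_AZ = {
    "subnet-fw-a": "us-east-1a",
    "subnet-fw-b": "us-east-1b",
    "subnet-fw-c": "us-east-1c",
    "subnet-fw-a2": "us-east-1a",   # same AZ as subnet-fw-a: not a valid mapping
}


def endpoint_count(subnet_ids):
    """One endpoint per AZ. Two mapped subnets in one AZ is rejected so the
    estimate never silently under- or over-counts endpoints."""
    seen = {}
    for subnet in subnet_ids:
        az = SUBNET_AZ[subnet]
        if az in seen:
            raise ValueError(f"{subnet} and {seen[az]} are both in {az}; "
                             "Network Firewall maps one subnet per AZ")
        seen[az] = subnet
    return len(seen)


def estimate(subnet_ids, traffic_gb):
    """Return (line_items, monthly_total). Each line item is
    (label, quantity, unit, monthly_usd), mirroring the page's breakdown."""
    n = endpoint_count(subnet_ids)
    endpoint_cost = round(n * ENDPOINT_HOURLY_USD * HOURS_PER_MONTH, 2)
    traffic_cost = round(traffic_gb * TRAFFIC_PER_GB_USD, 2)
    items = [
        (f"Firewall endpoint ({n})", n * HOURS_PER_MONTH, "hours", endpoint_cost),
        ("Traffic processed", traffic_gb, "GB", traffic_cost),
    ]
    return items, round(endpoint_cost + traffic_cost, 2)


def render(name, subnet_ids, traffic_gb):
    """Format an estimate in the style of the sample output above."""
    items, total = estimate(subnet_ids, traffic_gb)
    lines = [name]
    for i, (label, qty, unit, cost) in enumerate(items):
        branch = "└─" if i == len(items) - 1 else "├─"
        lines.append(f"{branch} {label:<24}{qty:>6g} {unit:<6}{cost:>10.2f}")
    lines.append(f"{'':27}{'Monthly':<13}{total:>10.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Single-AZ endpoint with 100 GB: the page's $294.85 case.
    print(render("aws_networkfirewall_firewall.main", ["subnet-fw-a"], 100))
    print()
    # Same firewall across three AZs: the endpoint fee triples, traffic does not.
    print(render("aws_networkfirewall_firewall.main (3 AZ)",
                 ["subnet-fw-a", "subnet-fw-b", "subnet-fw-c"], 100))
```

Running it shows the single-endpoint total of $294.85 and the three-AZ total of $871.55; the difference is entirely the endpoint line, which is the multi-AZ multiplier the page warns about.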

Optimization tips

Common ways to reduce aws_networkfirewall_firewall cost without changing the workload.

Be deliberate about per-AZ endpoints

~$288/month per AZ endpoint avoided

Network Firewall deploys one endpoint per AZ at ~$288/month each. A 3-AZ firewall is ~$865/month before traffic. For non-production or lower-availability needs, fewer AZs cut the standing cost proportionally.

Inspect only the traffic that needs it

Proportional to traffic kept off the firewall

Route only the flows requiring inspection (e.g. egress to the internet) through the firewall rather than all VPC traffic. East-west traffic that doesn't need inspection shouldn't pay the per-GB processing fee.

Centralize firewalling with a shared inspection VPC

Per duplicate firewall avoided

A centralized inspection VPC (with Transit Gateway) lets multiple VPCs share one firewall deployment instead of each running its own per-AZ endpoints — fewer endpoints overall.

Consider security groups / NACLs for simple needs

Full firewall cost when not needed

Network Firewall is for deep stateful inspection and IPS-style rules. If your need is basic L3/L4 filtering, security groups and NACLs are free — don't run a managed firewall for what they cover.

FAQ

How is AWS Network Firewall billed?

Two charges: ~$0.395/endpoint-hour (~$288/month per endpoint) plus ~$0.065/GB of traffic processed. One endpoint with 100 GB is ~$295/month. The endpoint fee is the driver, and it's charged per Availability Zone.

Why is my Network Firewall cost higher than expected?

Per-AZ endpoints. The firewall deploys one endpoint per AZ at ~$288/month each, so a 3-AZ deployment is ~$865/month before traffic. Routing all VPC traffic through it (instead of just flows needing inspection) also runs up the per-GB charge.

How does c3x estimate the cost?

From endpoint_count, pricing the per-endpoint standing fee (so the multi-AZ multiplier is visible). Traffic processed is usage-driven and modelled separately.

Related resources

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_networkfirewall_firewall.