AWS Network Security Comparison
AWS WAF vs Network Firewall: Layer-7 vs Stateful L3-L7 on AWS
Most regulated workloads need both. Where each fits, what they protect, the cost model, and how AWS Firewall Manager deploys both as Organization-wide policy across every account.
**Quick Answer:** WAF inspects HTTP/HTTPS at the application edge — use it on every CloudFront, ALB, and API Gateway. Network Firewall inspects all VPC traffic with Suricata IDS/IPS rules — use it when you need egress filtering, east-west inspection, or compliance-mandated network controls. Most regulated workloads run both.
WAF and Network Firewall are not interchangeable. They protect different layers, see different traffic, and answer different audit questions. Confusing them leads to either false confidence (deploying only WAF and missing east-west and egress threats) or unnecessary spend (deploying Network Firewall as a glorified WAF).
This comparison is written for solutions architects deploying AWS-native network security on regulated workloads.
## The Core Distinction: Layer and Traffic Shape
**AWS WAF** operates at the application layer — HTTP and HTTPS request inspection. It sits in front of CloudFront distributions, Application Load Balancers, API Gateway, AppSync GraphQL APIs, Cognito user pools, and Verified Access endpoints. Every inbound request hits WAF before reaching the protected resource. WAF inspects request headers, URI, query string, body (up to size limits), method, and source IP; it makes a per-request decision (Allow / Block / Count / CAPTCHA / Challenge).
**AWS Network Firewall** operates at the network layer — stateful packet inspection inside a VPC. It sits between subnets (or at the VPC edge) and inspects all traffic — TCP, UDP, HTTP, HTTPS, DNS — using Suricata-compatible rules. Network Firewall sees packet flow, can decrypt TLS for inspection (optional), and enforces stateful connection tracking, IDS/IPS rule matching, and domain-based egress filtering.
The right way to think about it: **WAF protects the application; Network Firewall protects the network.**
## What Each Service Catches
**WAF catches:**
- SQL injection, XSS, RCE patterns (AWS Managed Common Rule Set)
- Bot traffic (AWS Managed Bot Control — basic and targeted bot rules)
- OWASP Top 10 patterns (Managed PHP App, WordPress, Linux App rule sets)
- Rate-based attacks (per-IP throttling, scope-down statements)
- Geographic blocking (block specific countries or allow-list trusted geographies)
- Known-bad IPs (Amazon IP Reputation List, Anonymous IP List for VPN/Tor)
- Application-layer DDoS (combined with Shield Advanced for L3/L4)
- PCI DSS 4.0.1 Req 6.4.3 script integrity (custom rules + CloudFront Functions)
**Network Firewall catches:**
- Outbound C2 traffic to known threat-listed domains
- Lateral movement between subnets (east-west IDS detection)
- Data exfiltration over DNS or unexpected protocols
- Outbound traffic to non-allowed domains (egress filtering)
- Crypto-mining traffic (Suricata rules for known mining pools)
- IDS/IPS signatures for known CVE exploit attempts
- TLS-inspected payloads for compliance-required deep inspection
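Domain-based egress filtering, the "outbound traffic to non-allowed domains" item above, is easy to get subtly wrong: a list entry matches either one exact host or a whole domain tree depending on whether it starts with a dot. The block below is an added worked example, not code from the page's author or from AWS. It builds the stateful rule group definition that a Network Firewall domain allow-list uses, then replays constructed egress records through the same matching semantics so you can see what would be dropped before switching from alert to drop. The allow-list entries, the sample records, and the rule group capacity are assumptions.

```python
"""Model of AWS Network Firewall domain-list egress filtering (added example).

Semantics implemented here, as documented for Network Firewall domain lists:
  "example.com"  matches only that host
  ".example.com" matches example.com and every subdomain of it
"""

from typing import Iterable

# Constructed allow-list for a workload VPC. Only the AWS service domain is real;
# the *.example names stand in for a workload's own third-party dependencies.
EGRESS_ALLOWLIST = [
    ".amazonaws.com",        # AWS service endpoints (S3, STS, SSM, ...)
    "api.payments.example",  # exact host only: the API, not the vendor's dashboard
    ".packages.example",     # package mirror and all of its subdomains
]


def domain_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True if HOST (taken from TLS SNI or the HTTP Host header) matches the list."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            # Suffix match on a dot boundary: "fakeamazonaws.com" must not pass.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def domain_allowlist_rule_group(name: str, allowlist: list[str]) -> dict:
    """Input for networkfirewall CreateRuleGroup: a stateful, domain-list rule group.
    Capacity 100 is an assumption; size it for your own list."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(allowlist),
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            }
        },
    }


# Constructed egress records: (source IP, host seen in SNI/Host, destination port).
SAMPLE_EGRESS = [
    ("10.0.1.23", "s3.us-east-1.amazonaws.com", 443),
    ("10.0.1.23", "api.payments.example", 443),
    ("10.0.2.40", "dashboard.payments.example", 443),  # exact entry only: dropped
    ("10.0.2.40", "archive.packages.example", 80),
    ("10.0.3.9", "updates.unknown.example", 443),      # not on the list: dropped
    ("10.0.3.9", "fakeamazonaws.com", 443),            # look-alike, must not pass
]


def egress_decisions(records, allowlist=EGRESS_ALLOWLIST) -> list[tuple[str, str, str]]:
    """Replay records through the allow-list; returns (source, host, 'pass'|'drop')."""
    return [(src, host, "pass" if domain_allowed(host, allowlist) else "drop")
            for src, host, _port in records]


def would_be_dropped(records, allowlist=EGRESS_ALLOWLIST) -> list[str]:
    """Hosts the allow-list would block. Review this list with the application
    owners before the rule group is enforced, so legitimate dependencies get added."""
    return sorted({host for _src, host, verdict in egress_decisions(records, allowlist)
                   if verdict == "drop"})


if __name__ == "__main__":
    for src, host, verdict in egress_decisions(SAMPLE_EGRESS):
        print(f"{verdict:4}  {src:<10} -> {host}")
    print("review before enforcing:", would_be_dropped(SAMPLE_EGRESS))
```

Two points the replay makes visible: the vendor dashboard is dropped because the entry is an exact host, and the look-alike domain is dropped because the dotted suffix rule does not match it. An allow-list rule group of this kind only decides HTTP and TLS flows; to keep other protocols from leaving the VPC, pair it with a strict-order firewall policy whose stateful default action drops flows that no rule has passed (`aws:drop_established`).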
## Cost Comparison (2026)
**WAF:**
- Web ACL: $5/month per ACL
- Rules: $1/month per rule (most production deployments use 6–12 rules)
- Requests: $0.60 per million requests
- Bot Control add-on: $10/month per ACL + $1 per million requests
- CAPTCHA: $0.40 per CAPTCHA puzzle solved
Typical mid-market WAF spend: $100–$800/month per Web ACL.
**Network Firewall:**
- Endpoint: $0.395/hour ($284.40/month per AZ-endpoint) — most deployments use 2 AZs minimum
- Traffic: $0.065 per GB processed
- TLS inspection: additional cost (varies)
Typical 2-AZ deployment with 1 TB/month: ~$635/month base. Multi-AZ HA at 5 TB/month: ~$900/month.
**Firewall Manager:** free for AWS Organizations.
**Combined typical mid-market spend:** $1,000–$3,000/month for the WAF + Network Firewall pair on a regulated workload.
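The cost model above, as an added worked example (not a calculator from the page's author or from AWS): it encodes the unit prices quoted in this section, reproduces the two Network Firewall scenarios, and adds a break-even function for the hyperscale question of when per-GB processing charges overtake a fixed-price appliance. The WAF scenario inputs and the appliance price are assumptions, and prices vary by region, so check the AWS pricing pages before budgeting.

```python
"""Monthly cost model for AWS WAF and AWS Network Firewall (added example).

Unit prices are the 2026 figures quoted on the page; TLS inspection is omitted
because the page only notes that it is priced separately.
"""

HOURS_PER_MONTH = 720  # 30-day month: 0.395 * 720 gives the page's $284.40 per endpoint

# WAF unit prices as quoted.
WAF_WEB_ACL_PER_MONTH = 5.00
WAF_RULE_PER_MONTH = 1.00
WAF_PER_MILLION_REQUESTS = 0.60
WAF_BOT_CONTROL_PER_MONTH = 10.00
WAF_BOT_CONTROL_PER_MILLION = 1.00
WAF_PER_CAPTCHA_SOLVED = 0.40

# Network Firewall unit prices as quoted.
NFW_ENDPOINT_PER_HOUR = 0.395
NFW_PER_GB = 0.065


def waf_monthly_cost(rules: int, million_requests: float, bot_control: bool = False,
                     captchas_solved: int = 0) -> float:
    """Monthly cost of one Web ACL with RULES rules handling MILLION_REQUESTS requests."""
    cost = WAF_WEB_ACL_PER_MONTH + rules * WAF_RULE_PER_MONTH
    cost += million_requests * WAF_PER_MILLION_REQUESTS
    if bot_control:
        cost += WAF_BOT_CONTROL_PER_MONTH + million_requests * WAF_BOT_CONTROL_PER_MILLION
    cost += captchas_solved * WAF_PER_CAPTCHA_SOLVED
    return round(cost, 2)


def nfw_endpoint_cost(az_endpoints: int) -> float:
    """Fixed monthly cost of the firewall endpoints alone (one per AZ)."""
    return az_endpoints * NFW_ENDPOINT_PER_HOUR * HOURS_PER_MONTH


def nfw_monthly_cost(az_endpoints: int, gb_processed: float) -> float:
    """Monthly Network Firewall cost for AZ_ENDPOINTS endpoints and GB_PROCESSED GB of traffic."""
    return round(nfw_endpoint_cost(az_endpoints) + gb_processed * NFW_PER_GB, 2)


def nfw_breakeven_gb(az_endpoints: int, appliance_monthly_cost: float) -> float:
    """GB/month at which Network Firewall costs as much as a fixed-price appliance.
    Returns 0.0 when the appliance is already cheaper than the endpoints alone."""
    fixed = nfw_endpoint_cost(az_endpoints)
    if appliance_monthly_cost <= fixed:
        return 0.0
    return round((appliance_monthly_cost - fixed) / NFW_PER_GB, 1)


if __name__ == "__main__":
    # The two scenarios quoted in the cost section (page says ~$635 and ~$900).
    print("NFW 2 AZ, 1 TB/month:", nfw_monthly_cost(2, 1_000))
    print("NFW 2 AZ, 5 TB/month:", nfw_monthly_cost(2, 5_000))
    # Assumed WAF scenario: 8 rules, 50M requests, Bot Control basic tier.
    print("WAF 8 rules, 50M requests, Bot Control:", waf_monthly_cost(8, 50, bot_control=True))
    # Assumed $2,000/month appliance alternative for the hyperscale comparison.
    print("GB/month where NFW (2 AZ) reaches a $2,000/month appliance:", nfw_breakeven_gb(2, 2_000))
```

The break-even figure is the number to watch for the "outgrow native" case later on the page: below it, Network Firewall's per-GB model is cheaper than a fixed-price appliance; above it, the appliance wins on traffic cost alone (before counting the operational cost of running it).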
## Decision Framework
Use **WAF only** when:
- You run public-facing web applications and need OWASP / bot / rate-limiting protection
- You do not have compliance-mandated egress filtering or east-west inspection
- Your VPC topology is simple and security groups are sufficient for L3-L4
Add **Network Firewall** when any of these is true:
- You have compliance requirements that demand egress filtering (PCI DSS Req 1, HIPAA §164.312(e) for transmission security, SOC 2 CC6.7, ISO 27001 A.8.21)
- You have east-west traffic between sensitive subnets that must be inspected (segmentation enforcement)
- You need deep packet inspection or Suricata IDS/IPS at the VPC edge
- You operate a multi-account Organization and want centralized network policy via Firewall Manager
- You need TLS-inspected egress for regulated workloads
In practice: **most regulated workloads run both**. WAF in front of every public application, Network Firewall at the VPC edge for compliance-mandated egress and east-west enforcement.
## Deployment Pattern We Use
**Single account, public web app:** WAF on CloudFront with the AWS Managed Common Rule Set + Known Bad Inputs + Anonymous IP List + Bot Control + a custom rate-limit rule. Done in a day; covers the OWASP Top 10 and most automated abuse.
**Multi-account regulated workload:** Firewall Manager-deployed:
- WAF baseline policy on every CloudFront/ALB across the Organization (managed rule sets + a custom rate-limit rule)
- Network Firewall policy on every workload VPC (egress allow-list, Suricata IPS rule set, DNS firewall for known-bad domains)
- DNS Firewall policy at Route 53 Resolver level (additional defense in depth)
- Shield Advanced for any account hosting consumer-scale public traffic
- Security Hub aggregation in the Security account so WAF/Network Firewall findings feed the same dashboard as GuardDuty and Inspector v2
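The single-account Web ACL described above, and the WAF baseline policy that is step 1 of the multi-account pattern, both come down to the same rule list: four AWS managed rule groups plus a custom per-IP rate limit. The block below is an added example, not code from the page's author or from AWS. It builds the input for the WAF `CreateWebACL` call for a CloudFront distribution and lints the result the way a reviewer would before it goes to production. The rule and metric names, the 2,000-requests-per-5-minutes limit, and the Bot Control `COMMON` inspection level are assumptions to tune for your traffic; nothing here calls AWS.

```python
"""Build and lint a WAF Web ACL for the managed-rules + rate-limit pattern (added example).

Produces the parameter dict for wafv2 CreateWebACL. Pass it to
boto3.client("wafv2", region_name="us-east-1").create_web_acl(**acl) to create it;
CLOUDFRONT-scope Web ACLs must be created in us-east-1.
"""

import json

MANAGED_RULE_GROUPS = [
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
    "AWSManagedRulesBotControlRuleSet",
]


def _visibility(metric_name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(priority: int, group: str, count_only: bool = False) -> dict:
    """One managed rule group reference. count_only=True is the staging setting:
    matches are reported but nothing is blocked, so false positives can be reviewed."""
    statement = {"VendorName": "AWS", "Name": group}
    if group == "AWSManagedRulesBotControlRuleSet":
        # Bot Control needs an inspection level; COMMON is the basic tier (assumed).
        statement["ManagedRuleGroupConfigs"] = [
            {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "COMMON"}}]
    return {
        "Name": group,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": _visibility(group),
    }


def rate_limit_rule(priority: int, limit: int = 2000) -> dict:
    """Block any source IP that exceeds LIMIT requests in the 5-minute window (limit assumed)."""
    return {
        "Name": "PerIpRateLimit",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("PerIpRateLimit"),
    }


def build_web_acl(name: str, staging: bool = False) -> dict:
    """CreateWebACL input: managed groups in list order, rate limit last, default Allow."""
    rules = [managed_rule(i, g, count_only=staging) for i, g in enumerate(MANAGED_RULE_GROUPS)]
    rules.append(rate_limit_rule(len(rules)))
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def lint_web_acl(acl: dict) -> list[str]:
    """Pre-production checks; an empty list means the ACL is enforcing the full baseline."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        stmt = r["Statement"]
        if "ManagedRuleGroupStatement" in stmt and r.get("OverrideAction") == {"Count": {}}:
            problems.append(f"{r['Name']} is in Count mode (not enforcing)")
        if "RateBasedStatement" in stmt and r.get("Action") != {"Block": {}}:
            problems.append(f"{r['Name']} does not block")
    present = {r["Statement"].get("ManagedRuleGroupStatement", {}).get("Name") for r in acl["Rules"]}
    problems.extend(f"missing managed rule group {g}" for g in MANAGED_RULE_GROUPS if g not in present)
    if not any("RateBasedStatement" in r["Statement"] for r in acl["Rules"]):
        problems.append("no rate-based rule")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("public-web-acl")
    print(json.dumps(acl, indent=2))
    print("production lint:", lint_web_acl(acl) or "clean")
    print("staging lint:", lint_web_acl(build_web_acl("public-web-acl", staging=True)))
```

Roll the ACL out with `staging=True` first, watch the Count metrics for a few days, then rebuild with `staging=False`; the lint output is what tells you a Count-mode ACL accidentally made it to production. When Firewall Manager deploys the same baseline Organization-wide, the rule list is the same; only the delivery mechanism changes.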
**Verified Access for workforce apps:** internal apps fronted by Verified Access with Identity Center as the trust provider and Cedar policies for per-request access decisions. WAF can sit in front for OWASP and bot rules.
## When You Outgrow Native AWS Network Security
Native AWS network security covers most use cases. You start to need a third-party tool when:
- You require very specific WAF rule logic (e.g., custom JavaScript-based bot detection beyond AWS Bot Control) — Cloudflare, Akamai, or Imperva
- You need a multi-cloud network firewall single pane — Palo Alto Cloud NGFW, Fortinet, Check Point CloudGuard
- You operate at hyperscale where the per-GB traffic charges of Network Firewall exceed the appliance-based cost of bringing in a third-party VPC-deployed firewall
For regulated SaaS, healthtech, and fintech in AWS-only estates, the native pair (WAF + Network Firewall + Shield Advanced + Firewall Manager) is the right call.
## Related Reading
- [AWS Cloud Security service](/services/aws-cloud-security/) — assessment, hardening, monitoring
- [AWS Penetration Testing](/services/aws-penetration-testing/) — validate the protection
- [Network & Application Security subtopic hub](/security-compliance/network-application-security/)
- [Security & Compliance hub](/security-compliance/)
## Frequently Asked Questions
Is AWS WAF enough, or do I also need AWS Network Firewall?
Can WAF alone protect us, or is Network Firewall always needed?
How does AWS Firewall Manager fit?
How much do WAF and Network Firewall cost?
Should we replace VPN with AWS Verified Access alongside WAF?
Do we need AWS Shield Advanced?
## Not Sure Which AWS Service Is Right?
Our AWS-certified architects help engineering teams choose the right architecture for their workload, scale, and budget — before they build the wrong thing.
