AWS WAF vs Network Firewall: Layer-7 vs Stateful L3-L7 on AWS

<div class="quick-answer">

**Quick Answer:** WAF inspects HTTP/HTTPS at the application edge — use it on every CloudFront, ALB, and API Gateway. Network Firewall inspects all VPC traffic with Suricata IDS/IPS rules — use it when you need egress filtering, east-west inspection, or compliance-mandated network controls. Most regulated workloads run both.

</div>

## Freshness Check (June 2026)

Use this page as a decision framework, then validate the latest pricing, quotas, and region-level feature parity in AWS documentation before final sign-off.

This page was refreshed against official AWS announcements and service documentation published in the last 12 months. Confirm region support, quotas, and pricing before final architecture sign-off.

- [AWS What's New](https://aws.amazon.com/about-aws/whats-new/)

WAF and Network Firewall are not interchangeable. They protect different layers, see different traffic, and answer different audit questions. Confusing them leads to either false confidence (deploying only WAF and missing east-west and egress threats) or unnecessary spend (deploying Network Firewall as a glorified WAF).

This comparison is written for solutions architects deploying AWS-native network security on regulated workloads.

## The Core Distinction: Layer and Traffic Shape

**AWS WAF** operates at the application layer — HTTP and HTTPS request inspection. It sits in front of CloudFront distributions, Application Load Balancers, API Gateway, AppSync GraphQL APIs, Cognito user pools, and Verified Access endpoints. Every inbound request hits WAF before reaching the protected resource. WAF inspects request headers, URI, query string, body (up to size limits), method, and source IP; it makes a per-request decision (Allow / Block / Count / CAPTCHA / Challenge).

**AWS Network Firewall** operates at the network layer — stateful packet inspection inside a VPC. It sits between subnets (or at the VPC edge) and inspects all traffic — TCP, UDP, HTTP, HTTPS, DNS — using Suricata-compatible rules. Network Firewall sees packet flow, can decrypt TLS for inspection (optional), and enforces stateful connection tracking, IDS/IPS rule matching, and domain-based egress filtering.

The right way to think about it: **WAF protects the application; Network Firewall protects the network.**

## What Each Service Catches

**WAF catches:**

- SQL injection, XSS, RCE patterns (AWS Managed Common Rule Set)
- Bot traffic (AWS Managed Bot Control — basic and targeted bot rules)
- OWASP Top 10 patterns (Managed PHP App, WordPress, Linux App rule sets)
- Rate-based attacks (per-IP throttling, scope-down statements)
- Geographic blocking (block specific countries or allow-list trusted geographies)
- Known-bad IPs (Amazon IP Reputation List, Anonymous IP List for VPN/Tor)
- Application-layer DDoS (combined with Shield Advanced for L3/L4)
- PCI DSS 4.0.1 Req 6.4.3 script integrity (custom rules + CloudFront Functions)

**Network Firewall catches:**

- Outbound C2 traffic to known threat-listed domains
- Lateral movement between subnets (east-west IDS detection)
- Data exfiltration over DNS or unexpected protocols
- Outbound traffic to non-allowed domains (egress filtering)
- Crypto-mining traffic (Suricata rules for known mining pools)
- IDS/IPS signatures for known CVE exploit attempts
- TLS-inspected payloads for compliance-required deep inspection

## Cost Comparison (2026)

**WAF:**

- Web ACL: $5/month per ACL
- Rules: $1/month per rule (most production deployments use 6–12 rules)
- Requests: $0.60 per million requests
- Bot Control add-on: $10/month per ACL + $1 per million requests
- CAPTCHA: $0.40 per CAPTCHA puzzle solved

Typical mid-market WAF spend: $100–$800/month per Web ACL.

**Network Firewall:**

- Endpoint: $0.395/hour ($284.40/month per AZ-endpoint) — most deployments use 2 AZs minimum
- Traffic: $0.065 per GB processed
- TLS inspection: additional cost (varies)

Typical 2-AZ deployment with 1 TB/month: ~$635/month base. Multi-AZ HA at 5 TB/month: ~$900/month.

**Firewall Manager:** free for AWS Organizations.

**Combined typical mid-market spend:** $1,000–$3,000/month for the WAF + Network Firewall pair on a regulated workload.

## Decision Framework

Use **WAF only** when:

- You run public-facing web applications and need OWASP / bot / rate-limiting protection
- You do not have compliance-mandated egress filtering or east-west inspection
- Your VPC topology is simple and security groups are sufficient for L3-L4

Add **Network Firewall** when any of these is true:

- You have compliance requirements that demand egress filtering (PCI DSS Req 1, HIPAA §164.312(e) for transmission security, SOC 2 CC6.7, ISO 27001 A.8.21)
- You have east-west traffic between sensitive subnets that must be inspected (segmentation enforcement)
- You need deep packet inspection or Suricata IDS/IPS at the VPC edge
- You operate a multi-account Organization and want centralized network policy via Firewall Manager
- You need TLS-inspected egress for regulated workloads

In practice: **most regulated workloads run both**. WAF in front of every public application, Network Firewall at the VPC edge for compliance-mandated egress and east-west enforcement.

## Deployment Pattern We Use

**Single account, public web app:** WAF on CloudFront with the AWS Managed Common Rule Set + Known Bad Inputs + Anonymous IP List + Bot Control + a custom rate-limit rule. Done in a day; covers the OWASP Top 10 and most automated abuse.

**Multi-account regulated workload:** Firewall Manager-deployed:

1. WAF baseline policy on every CloudFront/ALB across the Organization (managed rule sets + a custom rate-limit rule)
2. Network Firewall policy on every workload VPC (egress allow-list, Suricata IPS rule set, DNS firewall for known-bad domains)
3. DNS Firewall policy at Route 53 Resolver level (additional defense in depth)
4. Shield Advanced for any account hosting consumer-scale public traffic
5. Security Hub aggregation in the Security account so WAF/Network Firewall findings feed the same dashboard as GuardDuty and Inspector v2

**Verified Access for workforce apps:** internal apps fronted by Verified Access with Identity Center as the trust provider and Cedar policies for per-request access decisions. WAF can sit in front for OWASP and bot rules.

## When You Outgrow Native AWS Network Security

Native AWS network security covers most use cases. You start to need a third-party tool when:

- You require very specific WAF rule logic (e.g., custom JavaScript-based bot detection beyond AWS Bot Control) — Cloudflare, Akamai, or Imperva
- You need a multi-cloud network firewall single pane — Palo Alto Cloud NGFW, Fortinet, Check Point CloudGuard
- You operate at hyperscale where the per-GB traffic charges of Network Firewall exceed the appliance-based cost of bringing in a third-party VPC-deployed firewall

For regulated SaaS, healthtech, and fintech in AWS-only estates, the native pair (WAF + Network Firewall + Shield Advanced + Firewall Manager) is the right call.

## Related Reading

- [AWS Cloud Security service](/services/aws-cloud-security/) — assessment, hardening, monitoring
- [AWS Penetration Testing](/services/aws-penetration-testing/) — validate the protection
- [Network & Application Security subtopic hub](/security-compliance/network-application-security/)
- [Security & Compliance hub](/security-compliance/)