AWS WAF vs AWS Network Firewall: Which One Do You Actually Need?

A detailed comparison of AWS WAF and AWS Network Firewall covering Layer 7 vs Layers 3-7 inspection, pricing, Terraform deployment examples, and a decision framework for choosing the right service.

Abhishek Patel, 13 min read

Two Firewalls, Very Different Jobs

AWS offers two managed firewall services with overlapping names and completely different purposes. AWS WAF inspects HTTP/HTTPS traffic at Layer 7 -- it sits in front of CloudFront, Application Load Balancers, and API Gateway to block SQL injection, cross-site scripting, and bot abuse. AWS Network Firewall operates across Layers 3 through 7 inside your VPC -- it filters all traffic types including TCP, UDP, and ICMP using stateful Suricata rules, domain-based filtering, and deep packet inspection.

Choosing wrong costs you money and leaves gaps. WAF alone cannot control egress traffic or filter non-HTTP protocols. Network Firewall alone cannot inspect HTTP headers or apply rate-based rules at the edge. This guide breaks down exactly what each service does, what it costs, when you need one or both, and how to deploy them with Terraform.

What Is a Cloud Firewall?

Definition: A cloud firewall is a managed security service that monitors and filters network traffic based on predefined rules. Unlike traditional hardware firewalls, cloud firewalls scale automatically, integrate with cloud-native services, and can be deployed through infrastructure-as-code. AWS provides two distinct firewall services: AWS WAF for HTTP-layer (Layer 7) inspection and AWS Network Firewall for full network-layer (Layers 3-7) inspection within a VPC.

Understanding the OSI model distinction is critical. Layer 7 (Application) means AWS WAF sees HTTP headers, request bodies, query strings, and cookies. Layers 3-4 (Network/Transport) means Network Firewall sees IP addresses, ports, and protocols before traffic even reaches your application. Network Firewall also handles Layer 7 via Suricata rules for protocol-aware inspection, but it does not integrate with CloudFront or API Gateway the way WAF does.

AWS WAF: Layer 7 HTTP Protection

AWS WAF is purpose-built for web application security. It attaches to three AWS resources: CloudFront distributions, Application Load Balancers, and API Gateway REST/HTTP APIs. Every HTTP request passing through these services can be evaluated against your WAF rules before reaching your application.

Core Capabilities

  • Managed rule groups -- AWS provides pre-built rule sets for OWASP Top 10 threats (SQLi, XSS, LFI, RFI), known bad inputs, and IP reputation lists. Third-party vendors like Fortinet and Imperva sell additional managed rules through the AWS Marketplace.
  • Bot Control -- identifies and categorizes automated traffic. The targeted bot control tier detects credential stuffing, scraping, and account takeover attempts using behavioral analysis and CAPTCHA challenges.
  • Rate-based rules -- throttle requests from a single IP or custom key (header value, query parameter, cookie) when they exceed a threshold within a 5-minute window. Essential for DDoS mitigation and brute-force protection.
  • Custom rules -- match on any combination of IP address, geo-location, HTTP headers, URI path, query string, body content, and request size. Rules support regex patterns, logical AND/OR/NOT operators, and label-based chaining.
  • Fraud Control -- account creation fraud prevention and account takeover prevention modules that analyze login and signup request patterns.

What WAF Cannot Do

WAF only sees HTTP/HTTPS traffic at the resources it attaches to. It cannot inspect raw TCP or UDP traffic, filter DNS queries, control egress traffic leaving your VPC, or apply rules to traffic between VPC subnets. If your workload involves non-HTTP protocols like database connections, MQTT for IoT, or custom TCP services, WAF provides zero visibility into that traffic.

AWS Network Firewall: VPC-Wide Traffic Control

AWS Network Firewall is a stateful, managed network firewall deployed inside your VPC. It inspects all traffic entering, leaving, or moving between subnets -- not just HTTP. It sits in a dedicated firewall subnet and uses route table entries to force traffic through its inspection endpoints.

Core Capabilities

  • Stateful inspection -- powered by the Suricata intrusion detection engine. You can write custom Suricata rules or use AWS-managed threat intelligence rule groups that block known command-and-control domains, malware signatures, and botnets.
  • Domain-based filtering -- allow or deny outbound traffic to specific DNS domain names. This is how you restrict egress to only approved destinations (e.g., allow api.github.com but block everything else).
  • TLS inspection -- decrypt and inspect outbound TLS traffic using certificates managed through AWS Certificate Manager. This lets Suricata rules examine encrypted payloads for threat indicators.
  • Stateless rules -- basic Layer 3-4 filtering by source/destination IP, port, and protocol. Processed before stateful rules with pass, drop, or forward-to-stateful actions.
  • Protocol-aware inspection -- Suricata rules can parse application-layer protocols including HTTP, TLS, DNS, SSH, and FTP even on non-standard ports.
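An added example of the Suricata side of this list (this is not code from the article; the article's own Terraform below uses a generated domain list rather than hand-written signatures): a stateful rule group whose rules demonstrate protocol-aware detection of HTTP on a non-standard port and plain TCP/UDP control of DNS and SSH egress, none of which WAF can see. The 10.0.0.0/16 HOME_NET, the 10.0.0.2 resolver address and the resource name custom_suricata are placeholders chosen for this example.

```hcl
# Added example, not from the original article. Assumes a VPC CIDR of
# 10.0.0.0/16 and the VPC DNS resolver at 10.0.0.2 (both placeholders).
resource "aws_networkfirewall_rule_group" "custom_suricata" {
  capacity = 100
  name     = "custom-suricata-rules"
  type     = "STATEFUL"

  rule_group {
    # Must match the rule_order of any firewall policy that references this group.
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }

    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/16"]
        }
      }
      # Custom variable; referenced in the rules below as $VPC_RESOLVER.
      ip_sets {
        key = "VPC_RESOLVER"
        ip_set {
          definition = ["10.0.0.2/32"]
        }
      }
    }

    rules_source {
      # Under STRICT_ORDER the rules are evaluated top to bottom, first match wins.
      rules_string = <<-EOT
        # Protocol-aware: "http" matches wherever Suricata identifies HTTP, so cleartext
        # HTTP leaving the VPC on a port other than 80 is flagged regardless of the port.
        alert http $HOME_NET any -> any !80 (msg:"Cleartext HTTP on non-standard port leaving the VPC"; flow:to_server; sid:1000001; rev:1;)

        # Egress DNS: only the VPC resolver is allowed; the pass must sit above the drop.
        pass udp $HOME_NET any -> $VPC_RESOLVER 53 (msg:"DNS to VPC resolver"; sid:1000002; rev:1;)
        drop udp $HOME_NET any -> any 53 (msg:"DNS to external resolver blocked"; sid:1000003; rev:1;)

        # Raw TCP that a WAF never sees: drop outbound SSH to anything outside HOME_NET.
        drop tcp $HOME_NET any -> !$HOME_NET 22 (msg:"Outbound SSH to the internet blocked"; flow:to_server; sid:1000004; rev:1;)
      EOT
    }
  }
}
```

Referencing this group from a STRICT_ORDER policy needs a `priority` on the `stateful_rule_group_reference`. A practical habit is to introduce new signatures as `alert`, watch the alert log for false positives, and only then promote them to `drop`.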

What Network Firewall Cannot Do

Network Firewall does not integrate with CloudFront, API Gateway, or ALB as an inline inspection point the way WAF does. It cannot apply rate-based rules per HTTP client. It does not have managed rule groups for OWASP web application threats like SQLi or XSS pattern matching. It does not perform bot detection or serve CAPTCHA challenges. Network Firewall is not a web application firewall -- it is a network firewall that happens to support application-layer protocol parsing.

Feature Comparison

Feature               | AWS WAF                       | AWS Network Firewall
----------------------+-------------------------------+--------------------------------
OSI Layer             | Layer 7 (HTTP/HTTPS only)     | Layers 3-7 (all protocols)
Deployment Point      | CloudFront, ALB, API Gateway  | VPC subnet (firewall endpoint)
Inspection Engine     | AWS proprietary rule engine   | Suricata (open source IDS/IPS)
Egress Filtering      | No                            | Yes (domain/IP/protocol)
TLS Inspection        | Terminates at ALB/CloudFront  | Yes (with ACM certificates)
Bot Detection         | Yes (Bot Control module)      | No
Rate Limiting         | Yes (per IP or custom key)    | No
SQLi/XSS Detection    | Yes (managed rules)           | Only via custom Suricata rules
Non-HTTP Protocols    | No                            | Yes (TCP, UDP, ICMP, DNS, SSH)
East-West Traffic     | No                            | Yes (inter-subnet inspection)
IDS/IPS Signatures    | No                            | Yes (Suricata rule format)
AWS Firewall Manager  | Yes                           | Yes

Pricing Comparison

The pricing models are fundamentally different. WAF charges per rule and per request. Network Firewall charges per endpoint and per gigabyte inspected. Understanding which model favors your architecture determines the cost-effective choice.

AWS WAF Pricing (US East)

Component               | Cost
------------------------+------------------------------------------
Web ACL                 | $5.00/month
Rule (per rule)         | $1.00/month
Request inspection      | $0.60 per 1M requests
Bot Control (common)    | $10.00/month + $1.00 per 1M requests
Bot Control (targeted)  | $10.00/month + $10.00 per 1M requests
Fraud Control (ATP)     | $10.00/month + $1.00 per 1K login attempts

AWS Network Firewall Pricing (US East)

Component           | Cost
--------------------+-----------------------------
Firewall endpoint   | $0.395/hour ($288.35/month)
Traffic processed   | $0.065 per GB

Cost Models for 3 Architectures

The following estimates assume US East region pricing as of early 2026.

Architecture 1: Web API behind ALB (50M requests/month, 500 GB traffic)

  • WAF only: $5 (ACL) + $10 (10 rules) + $30 (50M requests) = $45/month
  • Network Firewall: $288.35 (1 endpoint) + $32.50 (500 GB) = $320.85/month
  • Winner: WAF -- 7x cheaper for pure HTTP workloads.

Architecture 2: VPC with mixed traffic (HTTP + database + internal services, 2 TB traffic)

  • WAF only: Covers HTTP portion but leaves database and internal traffic unprotected. Not a complete solution.
  • Network Firewall: $288.35 (1 endpoint) + $130 (2 TB) = $418.35/month
  • WAF + Network Firewall: $45 + $418.35 = $463.35/month for full coverage.
  • Winner: Both -- WAF for the HTTP layer, Network Firewall for everything else.

Architecture 3: Multi-AZ production VPC with egress control (10 TB traffic, compliance requirements)

  • WAF only: Cannot enforce egress controls or inspect non-HTTP traffic. Fails compliance.
  • Network Firewall: $576.70 (2 AZ endpoints) + $650 (10 TB) = $1,226.70/month
  • WAF + Network Firewall: $45 + $1,226.70 = $1,271.70/month
  • Winner: Network Firewall required. Add WAF for HTTP-specific rules at marginal cost.

Terraform Deployment Examples

AWS WAF with Managed Rules

resource "aws_wafv2_web_acl" "main" {
  name        = "app-web-acl"
  description = "Web ACL with managed rules"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-common"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "awsManagedCommon"
    }
  }

  rule {
    name     = "aws-managed-sqli"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "awsManagedSqli"
    }
  }

  rule {
    name     = "rate-limit"
    priority = 3

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "rateLimit"
    }
  }

  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "appWebAcl"
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}

AWS Network Firewall with Egress Domain Filtering

resource "aws_networkfirewall_rule_group" "egress_domains" {
  capacity = 100
  name     = "allow-egress-domains"
  type     = "STATEFUL"

  rule_group {
    # The rule group's order must match the policy that references it (STRICT_ORDER below).
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }

    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/16"]
        }
      }
    }

    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [
          ".amazonaws.com",
          ".github.com",
          "registry.npmjs.org",
          "api.datadog.com"
        ]
      }
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "main" {
  name = "egress-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # priority is required on every stateful rule group reference under STRICT_ORDER
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.egress_domains.arn
    }

    # Flows the allowlist did not pass are dropped once established;
    # stateful_default_actions is only valid with STRICT_ORDER.
    stateful_default_actions = ["aws:drop_established"]
  }
}

resource "aws_networkfirewall_firewall" "main" {
  name                = "vpc-network-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.main.arn
  vpc_id              = aws_vpc.main.id

  subnet_mapping {
    subnet_id = aws_subnet.firewall_az1.id
  }

  subnet_mapping {
    subnet_id = aws_subnet.firewall_az2.id
  }
}
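The firewall resource above only places endpoints in the firewall subnets; the route table entries that force traffic through them (described earlier under "VPC-Wide Traffic Control") are not part of the article's Terraform. The following is an added example of that wiring, not the article's own code. It assumes one protected application subnet per AZ (aws_subnet.app_az1, aws_subnet.app_az2), an internet gateway aws_internet_gateway.main, and the aws_vpc.main, aws_subnet.firewall_az1/az2 and aws_networkfirewall_firewall.main resources from the article; all of those names are placeholders.

```hcl
# Added example, not from the original article. Wires route tables so that
# traffic from the protected subnets cannot reach the internet gateway without
# passing the firewall endpoint in the same AZ, in both directions.

locals {
  # Map each AZ to the endpoint ID the service placed in that AZ.
  firewall_endpoint_by_az = {
    for state in aws_networkfirewall_firewall.main.firewall_status[0].sync_states :
    state.availability_zone => state.attachment[0].endpoint_id
  }

  protected_subnets = {
    az1 = aws_subnet.app_az1
    az2 = aws_subnet.app_az2
  }
  firewall_subnets = {
    az1 = aws_subnet.firewall_az1
    az2 = aws_subnet.firewall_az2
  }
}

# 1. Protected subnets: the default route targets the firewall endpoint in the
#    same AZ, so egress cannot bypass inspection.
resource "aws_route_table" "protected" {
  for_each = local.protected_subnets
  vpc_id   = aws_vpc.main.id

  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.firewall_endpoint_by_az[each.value.availability_zone]
  }
}

resource "aws_route_table_association" "protected" {
  for_each       = local.protected_subnets
  subnet_id      = each.value.id
  route_table_id = aws_route_table.protected[each.key].id
}

# 2. Firewall subnets: inspected traffic continues to the internet gateway.
resource "aws_route_table" "firewall" {
  for_each = local.firewall_subnets
  vpc_id   = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }
}

resource "aws_route_table_association" "firewall" {
  for_each       = local.firewall_subnets
  subnet_id      = each.value.id
  route_table_id = aws_route_table.firewall[each.key].id
}

# 3. Ingress: an edge route table on the internet gateway sends inbound and
#    return traffic for each protected subnet back through the endpoint in
#    that subnet's AZ, keeping flows symmetric so stateful inspection works.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.main.id

  dynamic "route" {
    for_each = local.protected_subnets
    content {
      cidr_block      = route.value.cidr_block
      vpc_endpoint_id = local.firewall_endpoint_by_az[route.value.availability_zone]
    }
  }
}

resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = aws_internet_gateway.main.id
  route_table_id = aws_route_table.igw_ingress.id
}
```

If workloads sit in private subnets behind a NAT gateway, the NAT gateway's public subnet is the "protected" subnet in this layout and the private subnets keep their route to the NAT gateway. The check after applying is a traceroute from an instance in a protected subnet: the first hop should be the firewall endpoint's address, not the gateway.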

Integration with AWS Firewall Manager

If you manage multiple AWS accounts through AWS Organizations, Firewall Manager lets you centrally deploy and manage both WAF and Network Firewall policies across all accounts. This is not optional at scale -- without it, each account team manages their own firewall rules, leading to inconsistent security posture and policy drift.

  1. Set up a Firewall Manager administrator account -- designate one account (typically your security account) as the Firewall Manager admin in AWS Organizations.
  2. Create a WAF security policy -- define the baseline WAF rules that must exist on every ALB and CloudFront distribution across all accounts. Firewall Manager auto-remediates if someone removes a required rule.
  3. Create a Network Firewall policy -- define the VPC-level firewall rules. Firewall Manager deploys Network Firewall endpoints into the target VPCs and configures route tables automatically.
  4. Define the scope -- use tags, account lists, or organizational units to control which accounts and resources the policies apply to.
  5. Monitor compliance -- Firewall Manager reports which resources are compliant and which are not. Integrate with AWS Config rules and Security Hub for unified visibility.
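Steps 2 and 4 above, as an added Terraform example (not code from the article): a Firewall Manager policy that enforces one baseline managed rule group on every Application Load Balancer in a target organizational unit and re-creates the web ACL association if a team removes it. It assumes step 1 is already done (the admin account is designated) and uses the placeholder OU id ou-xxxx-placeholder and the policy name org-waf-baseline.

```hcl
# Added example, not from the original article. Must be applied from the
# Firewall Manager administrator account; the OU id is a placeholder.
resource "aws_fms_policy" "waf_baseline" {
  name                  = "org-waf-baseline"
  resource_type         = "AWS::ElasticLoadBalancingV2::LoadBalancer"
  exclude_resource_tags = false
  # Auto-remediation: a removed or missing web ACL is put back, not just reported.
  remediation_enabled = true

  # Scope (step 4): every account under this OU.
  include_map {
    orgunit = ["ou-xxxx-placeholder"]
  }

  security_service_policy_data {
    type = "WAFV2"

    # Baseline rule set (step 2): the AWS common rule set, evaluated before any
    # rules the account team adds to the web ACL themselves.
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [
        {
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
          managedRuleGroupIdentifier = {
            version              = null
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
          }
          ruleGroupType = "ManagedRuleGroup"
          excludeRules  = []
        }
      ]
      postProcessRuleGroups             = []
      defaultAction                     = { type = "ALLOW" }
      overrideCustomerWebACLAssociation = false
    })
  }
}
```

`overrideCustomerWebACLAssociation = false` lets teams keep their own web ACL rules alongside the enforced baseline; setting it to true replaces any existing association with the Firewall Manager-managed web ACL. Compliance status for the policy (step 5) is visible in the Firewall Manager console and in Security Hub once the integration is enabled.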

Pro tip: Firewall Manager charges $100/month per policy per region. For a single-account setup, skip Firewall Manager and manage WAF and Network Firewall directly. The overhead only pays for itself when you have 5 or more accounts with consistent security requirements.

Decision Framework: Which Firewall Do You Need?

Use this step-by-step framework to determine the right deployment for your architecture:

  1. Identify your traffic types -- if your workload is exclusively HTTP/HTTPS behind ALB, CloudFront, or API Gateway, start with WAF only. If you have non-HTTP protocols (databases, message queues, custom TCP/UDP), you need Network Firewall for those.
  2. Check egress requirements -- if you must control what your VPC can reach on the internet (compliance, data loss prevention, restricting outbound connections), you need Network Firewall. WAF has no egress capability.
  3. Evaluate east-west traffic -- if you need to inspect traffic between subnets or between VPCs through a transit gateway, Network Firewall is the only option. WAF does not see inter-subnet traffic.
  4. Assess web application threats -- if you face SQLi, XSS, credential stuffing, or bot abuse, WAF's managed rules and Bot Control module handle these with minimal configuration. Implementing equivalent detection in Suricata rules on Network Firewall requires significantly more effort.
  5. Calculate the budget -- WAF starts at under $50/month for a typical web application. Network Firewall starts at $288/month per endpoint before traffic charges. If your security requirements are HTTP-only, WAF delivers more protection per dollar.

Quick Reference

Scenario                                 | Recommendation
-----------------------------------------+-------------------------------------------
Web API behind ALB or CloudFront         | WAF only
SPA + API with bot protection            | WAF only (with Bot Control)
VPC with database + internal services    | Network Firewall only
Compliance requiring egress logging      | Network Firewall only
Web app + VPC egress control             | WAF + Network Firewall
Multi-account organization               | WAF + Network Firewall + Firewall Manager
Tight budget, HTTP-only workload         | WAF only (start here, add NF later)

Frequently Asked Questions

Can AWS WAF replace AWS Network Firewall?

No. WAF only inspects HTTP/HTTPS traffic at CloudFront, ALB, or API Gateway. It cannot filter non-HTTP protocols, control egress traffic, or inspect traffic between VPC subnets. If your workload is exclusively web traffic behind an ALB, WAF is sufficient. For anything involving raw TCP/UDP, database protocols, or outbound traffic control, you need Network Firewall.

Does AWS Network Firewall inspect HTTP traffic like WAF?

Network Firewall can parse HTTP traffic using Suricata rules, but it lacks WAF's managed rule groups for OWASP threats, rate-based rules, bot detection, and CAPTCHA challenges. You would need to write and maintain custom Suricata signatures to achieve similar HTTP-layer protection, which is significantly more operational effort. For HTTP-specific threats, WAF is the better tool.

How much does it cost to run both firewalls together?

For a typical web application with 50 million requests/month and 2 TB of VPC traffic across 2 AZs, expect roughly $45/month for WAF and $706/month for Network Firewall (2 endpoints + traffic), totaling about $750/month. WAF adds marginal cost on top of Network Firewall because its per-request pricing is low. The expensive component is always the Network Firewall endpoints.

Can I use Security Groups and NACLs instead of Network Firewall?

Security groups and NACLs provide basic IP/port filtering but cannot perform stateful deep packet inspection, domain-based filtering, or IDS/IPS signature matching. They are free and should always be your first layer. Network Firewall adds capabilities that security groups and NACLs simply cannot provide: Suricata-based threat detection, TLS inspection, domain allowlists for egress, and centralized logging of all traffic decisions.

How does AWS Shield relate to WAF and Network Firewall?

AWS Shield is a DDoS protection service, not a firewall. Shield Standard is free and protects against Layer 3/4 volumetric attacks automatically. Shield Advanced ($3,000/month) adds Layer 7 DDoS protection, cost protection, and 24/7 access to the AWS DDoS Response Team. Shield Advanced integrates with WAF to automatically create rate-based rules during an attack. Network Firewall does not integrate with Shield.

What logging options are available for each service?

WAF logs every request decision to CloudWatch Logs, S3, or Kinesis Data Firehose with full HTTP request details including headers, URI, and country. Network Firewall sends flow logs and alert logs to CloudWatch Logs, S3, or Kinesis Data Firehose with source/destination IP, port, protocol, and Suricata alert metadata. Both support log filtering to reduce volume and cost. For security investigations, send both to a SIEM or Amazon Security Lake.
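The logging options described above, as an added Terraform example (not the article's code): WAF request logs with sensitive headers redacted and a filter that keeps only BLOCK and COUNT decisions, plus Network Firewall alert and flow logs, all sent to CloudWatch Logs. It assumes the aws_wafv2_web_acl.main and aws_networkfirewall_firewall.main resources from the article's Terraform; the log group names and retention periods are placeholders.

```hcl
# Added example, not from the original article.

# WAF requires the CloudWatch log group name to start with "aws-waf-logs-".
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-app-web-acl"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  resource_arn            = aws_wafv2_web_acl.main.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Keep credentials out of the log store: redact Authorization and Cookie.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }

  # Volume control: drop ALLOW decisions, keep everything blocked or counted.
  logging_filter {
    default_behavior = "DROP"

    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"

      condition {
        action_condition {
          action = "BLOCK"
        }
      }
      condition {
        action_condition {
          action = "COUNT"
        }
      }
    }
  }
}

resource "aws_cloudwatch_log_group" "nfw_alert" {
  name              = "/aws/network-firewall/alert"
  retention_in_days = 90
}

resource "aws_cloudwatch_log_group" "nfw_flow" {
  name              = "/aws/network-firewall/flow"
  retention_in_days = 30
}

resource "aws_networkfirewall_logging_configuration" "main" {
  firewall_arn = aws_networkfirewall_firewall.main.arn

  logging_configuration {
    # ALERT: one record per rule match that alerts or drops, including the
    # Suricata sid and msg, which is what an investigation usually starts from.
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.nfw_alert.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }

    # FLOW: one record per stateful flow with source/destination IP, port,
    # protocol and byte counts; higher volume, so shorter retention.
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.nfw_flow.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    }
  }
}
```

Swapping `log_destination_type` to `S3` (with a `bucketName` key in `log_destination`) is the usual choice when the logs are consumed by a SIEM or Security Lake rather than queried in CloudWatch. Note that the WAF filter above discards allowed requests entirely; if you need a baseline of normal traffic for tuning, keep a sampled subset instead of dropping them all.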

Should I use AWS WAF or a third-party WAF like Cloudflare?

If your infrastructure runs on AWS and you use ALB or CloudFront, AWS WAF integrates natively with zero additional latency. Third-party WAFs like Cloudflare sit in front of your entire stack and add a network hop but offer features AWS WAF lacks, such as more sophisticated bot management and DDoS mitigation at the edge. For AWS-native architectures, start with AWS WAF. Consider a third-party WAF if you need multi-cloud coverage, more advanced bot detection, or if your traffic is already routed through that provider.

Choose Based on Traffic, Not Marketing

The naming creates confusion, but the decision is straightforward once you understand what each service inspects. AWS WAF is a web application firewall -- it protects HTTP endpoints from application-layer attacks. AWS Network Firewall is a network firewall -- it protects your VPC from network-layer threats and controls all traffic in and out. Most production architectures that serve web traffic and run backend services benefit from both: WAF at the ALB for HTTP threat detection at low cost, and Network Firewall in the VPC for egress control and non-HTTP inspection. Start with whichever matches your most immediate risk, measure the traffic patterns, and add the second service when the gap in coverage justifies the cost.

Written by

Abhishek Patel

Infrastructure engineer with 10+ years building production systems on AWS, GCP, and bare metal. Writes practical guides on cloud architecture, containers, networking, and Linux for developers who want to understand how things actually work under the hood.
