Almost $0.40/hour, you need one per AZ, and it’s $0.06/GB for network traffic. I’m happy to see the capability (mainly outbound URL filtering), but this looks like it’s going to be a hard sell to my managers.
You’re probably looking at a grand per month per account. On the plus side, they don’t double charge for NAT gateway traffic.
For folks who are already deploying EC2-based firewalls, the hourly cost is flat.
Usage price seems high at first, but honestly you're paying a premium for any commercial firewall product. Palo Altos, for example, are $1.38/hr if you license them through the marketplace (above the instance costs). That breaks even at 21 GB/hr, so you're likely to pay a lot more for the AWS product for anything in production (possibly by an order of magnitude).
For large enough enterprises, $1k a month is a rounding error.
Also, depending on how you're provisioning accounts and laying out your networking, you may not want to be sticking one of these in every VPC. There's no one-size-fits-all, but in many cases a transit VPC that handles the egress centrally would make more sense.
It’s really not a rounding error. What happens is we have hundreds of these little rounding errors and some poor dude exists solely to work out where all the money is leaking out of the budget.
Then you find it’s some weird inter-VPC peering transit cost through a firewall, because something was designed by an external consultancy who didn’t do a cost analysis or didn’t understand which one of the myriad complex charging rules was invoked. The endgame being you’re architecturally tied into paying $1000 a month 100 times over.
Corporate clouds are complicated and with complexity comes extreme expense. Even small ones can escalate quickly.
Every place I've worked, the AWS bill has always gone into a sort of cost-center black hole. Finance would do their best at the beginning of the year to negotiate discounts, and teams would do their best to keep costs low with reserved instances, etc.
Even though $1k is indeed a rounding error where I work vs. what we pay each month, it's becoming annoying how granular the billing for new setups is becoming. When I'm asked to compare TCO of an on-prem solution vs. a hosted one that includes all-of-the-above, I feel like I'm playing actuary and not cloud engineer.
When asked to compare I always immediately get instructed by subordinates to apply the existing lies they were telling. That's how you manage cloud costs!
For large enough enterprises, $1M a month is similarly irrelevant.
Should security pricing only be accessible to businesses over a certain size?
A monthly price floor on services like this is trash. It’s pay-what-you-use, so it should scale evenly down to $0, just like lambda or network transfer usage costs.
To be fair, you are ALWAYS using a security device, even if your instance should not be doing anything. You want to know when something malicious is incoming from the internet, or when suddenly that malware calls out to a C2 server. You may think your instances are being quiet, but that is why you have security tools for the abnormal behaviors, and those can happen at any time.
Similarly, the instance is ALWAYS connected to the internet, but I only have to pay for what I transfer. Same with Lambda and S3 and everything else AWS sells (except a few weird exceptions like this).
Amazon often makes it a little too convenient to segment things more than you really need, which adds extra cost, like additional NAT gateways, or in this case, Managed Firewalls.
But you can use Shared VPCs that span many accounts and drastically reduce the need for things like attachments to virtual gateways, NAT gateways, service endpoints, and so on.