Last Updated on June 7, 2022
Question: If we have an AWS Network Firewall and its endpoints are launched across multiple AWS Accounts, which AWS Account will be billed? Is it the account where AWS Network Firewall rules are configured or the AWS Account that has the Network Firewall endpoint?
AWS Network Firewall charges are billed to the AWS Account that owns the endpoint, not the AWS Account where the AWS Network Firewall was created and configured.
If you look at the AWS Network Firewall pricing, it has two components:
- Network Firewall Endpoint (charged per hour)
- Network Firewall Traffic Processing (charged per GB)
Both will be billed to the AWS Account where the Network Firewall endpoint is.
This is actually good news to me since only the AWS Account that has high traffic will be slapped with a high bill.
If everything were billed to the AWS Account that launched and configured the rules for the AWS Network Firewall, we would have to query the VPC Flow Logs just to know how much to charge the team whose AWS Network Firewall endpoint inspects the most traffic.
I have not experienced this yet, so I asked AWS Support for this information, and they confirmed the above.
I just wish that the AWS Network Firewall pricing page would be more explicit on this.
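Since each endpoint's hourly and per-GB charges land in the account that owns it, the chargeback question above can be answered from Cost Explorer rather than VPC Flow Logs: group the firewall's cost by linked account and usage type. The script below is an added example, not code from the original post or from AWS. It aggregates a `GetCostAndUsage` response into the two pricing components per account; the response embedded in it is constructed sample data in the real API's shape, the account IDs and usage-type strings are placeholders, and the `SERVICE` dimension value `"AWS Network Firewall"` used in the live query is an assumption to confirm in your own Cost Explorer console.

```python
"""Attribute AWS Network Firewall spend to the account that owns each endpoint.

Added example, not part of the original post. It reads a Cost Explorer
GetCostAndUsage response grouped by LINKED_ACCOUNT and USAGE_TYPE and sums
the two billable components (endpoint-hours and GB processed) per account.
The sample response is constructed data in the real API's shape; the account
IDs and usage-type strings are placeholders, not real AWS values.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample: two endpoints in two member accounts of one
# organization. Account 111111111111 owns the endpoint with heavy traffic.
SAMPLE_RESPONSE = {
    "ResultsByTime": [
        {
            "TimePeriod": {"Start": "2022-05-01", "End": "2022-06-01"},
            "Groups": [
                {"Keys": ["111111111111", "PLACEHOLDER-Endpoint-Hour"],
                 "Metrics": {"UnblendedCost": {"Amount": "284.700000", "Unit": "USD"}}},
                {"Keys": ["111111111111", "PLACEHOLDER-Traffic-GB"],
                 "Metrics": {"UnblendedCost": {"Amount": "1300.000000", "Unit": "USD"}}},
                {"Keys": ["222222222222", "PLACEHOLDER-Endpoint-Hour"],
                 "Metrics": {"UnblendedCost": {"Amount": "284.700000", "Unit": "USD"}}},
                {"Keys": ["222222222222", "PLACEHOLDER-Traffic-GB"],
                 "Metrics": {"UnblendedCost": {"Amount": "13.000000", "Unit": "USD"}}},
            ],
            "Estimated": False,
        }
    ]
}


def classify_usage(usage_type):
    """Map a usage-type string onto the two pricing components from the post.

    The substrings matched here are the placeholder names used in the sample;
    adjust them to the usage types that appear in your own bill.
    """
    if "Endpoint-Hour" in usage_type:
        return "endpoint_hours"
    if "Traffic-GB" in usage_type:
        return "traffic_gb"
    return "other"


def cost_by_account(response):
    """Return {account_id: {component: Decimal, ..., 'total': Decimal}}.

    Each group key pair is (linked account, usage type); amounts are summed
    per account and per component across every time period in the response.
    """
    totals = defaultdict(lambda: defaultdict(Decimal))
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            account, usage_type = group["Keys"]
            amount = Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
            totals[account][classify_usage(usage_type)] += amount
            totals[account]["total"] += amount
    return {acct: dict(parts) for acct, parts in totals.items()}


def fetch_live_response(start, end):
    """Run the same query against Cost Explorer (needs AWS credentials).

    Assumption: the SERVICE dimension value is "AWS Network Firewall".
    boto3 is imported here so the offline part of the script runs without it.
    """
    import boto3  # pip install boto3
    ce = boto3.client("ce", region_name="us-east-1")  # Cost Explorer is a global service
    return ce.get_cost_and_usage(
        TimePeriod={"Start": start, "End": end},
        Granularity="MONTHLY",
        Metrics=["UnblendedCost"],
        GroupBy=[{"Type": "DIMENSION", "Key": "LINKED_ACCOUNT"},
                 {"Type": "DIMENSION", "Key": "USAGE_TYPE"}],
        Filter={"Dimensions": {"Key": "SERVICE", "Values": ["AWS Network Firewall"]}},
    )


if __name__ == "__main__":
    for acct, cost in sorted(cost_by_account(SAMPLE_RESPONSE).items()):
        print(acct, {name: str(value) for name, value in cost.items()})
```

Run it as-is to see the per-account breakdown of the constructed sample; swap `SAMPLE_RESPONSE` for `fetch_live_response("2022-05-01", "2022-06-01")` from the organization's payer account to get the real figures, which is only meaningful because the endpoint charges follow the endpoint's account as described above.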
By the way, I’m happy to tell you that (as of now) if you use a NAT Gateway with an AWS Network Firewall endpoint, you get the NAT Gateway for free. The ratio must be one AWS Network Firewall endpoint to one NAT Gateway to get the free NAT Gateway.
I hope this helps.