【Table of contents】
-
1. AWS WAF cost structure
AWS WAF is a web application firewall provided by AWS (Amazon Web Services) and is a tool used to protect websites from attacks on web applications on AWS. Compared to WAFs installed on-premises, it can be installed at a very low cost.
-
a) Basic cost structure
This section explains the basic fee structure of AWS WAF.
AWS WAF is priced based on the following three points
・Number of WebACLs created
・Number of rules created
・Number of web requests
You can think of the WebACL as a collection of "rules". Also, it is safe to think that the "number of requests to WAF" is the number of connections made from the Internet to the web application via the WAF. The billing system is as follows.Type Usage fee Number of WebACLs created $5 per ACL/month Number of rules created $1 per rule/month Number of web requests $0.6 for every 1 million requests
In addition, the initial cost for implementation will be 0 yen. The initial cost of installing a WAF on-premises can be in the tens of millions of yen in some cases. If you think about it, you will find that AWS WAF can be deployed at a very low cost. You will be charged only for what you use, so the fee structure is simple and straightforward.
-
b) In case of using managed rules
AWS WAF rules are also available for purchase on the marketplace. In that case, depending on the vendor and rules in the marketplace, additional monthly prices will be added.
For example, let's say you purchase one managed rule from AWS Marketplace seller Cybersecurity Cloud, Inc. and simulate the price when using 9 rules created by the client. From the AWS console, click on Cybersecurity Cloud, Inc.'s managed rule and you'll see the price on a screen like the one below.
According to this description, the fee for the managed rule is $25 per month per region (per hour) and $1.2 per million requests. In addition to this, managed rules purchased on the marketplace also fall under the "rules created" category, so it costs $1 per rule.
Therefore, if you purchase one rule per region and apply this managed rule to a system with 10 million requests, the fee would be as follows.
・Total Web ACL Cost = 5.00 USD * 1 = 5 USD
・Rule cost = 1.00 USD * (1 + 9) = 10.00 USD (* 1 managed rule + 9 rules created by the client)
・Web request cost = 0.60 USD / 1 million * 10 million = 6.00 USD
・Total AWS WAF Cost = 21.00 USD / month・Managed rules cost = 25.00 USD
・Managed rules request cost = 1.20 USD / 1 million * 10 million = 12.00 USD
・Total AWS Marketplace Cost = 37.00 USD / month・Total cost = 58.00 USD / month
If you use the managed rule, the price will increase a little, but in return, managed rules are a very secure way of defending your product, prepared by a security expert vendor. We hope you'll consider it.
-
c) In case of using an EC2 instance type WAF
Now we will explain the charges when you install WAF as EC2 (Elastic Compute Cloud) instead of AWS WAF. The EC2 instance type WAF is also sold on the EC2 instance creation screen. In the AMI (Amazon Machine Image) selection screen, specify the AMI and create a WAF. From the management console, select EC2 -> Instances -> Launch Instance -> AWS MarketPlace. The following screen will appear and you can search and select the AMI of WAF.
You can select AMI and deploy a WAF that works as an EC2. Click on the "Select" button to see the pricing structure.
-
-
2. Using it cost efficiently
Here are some tips on how to use AWS WAF at a lower cost.
-
a) Use the managed rules
If you are in the same account and in the same region, it may be cheaper to consider using WebACL around. Managed rules are tied to the number of WebACLs they apply, so if there is no increase in WebACLs, there is no increase in the charge for the managed rule. Therefore, it may be a good idea to consider whether WebACL can be used on different systems, as long as they have the same account and are in the same region.
-
b) Take advantage of the fact that managed rule billing is time prorated
When looking at the AWS WAF fee structure※, it is easy to mistakenly assume that if you use it even for a moment, you will be charged for the monthly fee because the managed rules are written as "monthly". In reality, however, they are billed on a time-proportional basis. Therefore, if you purchase a managed rule once and then deactivate it, you will only be charged for the time you have purchased it. For example, if you want to use a managed rule for $30 per month for one day and then deactivate it, the fee would be as follows
30 per month * 1 day/ 30 days = 1 dollar
So, if you purchase a managed rule for one day during product development, test it, disable it, and re-purchase and apply it just before the product release, you can use the managed rule for a little less money.※AWS WAF cost structure https://aws.amazon.com/waf/pricing/?nc1=h_ls
-
c) Using AWS Shield
AWS WAF adds a fee per request, which can be very expensive when the number of requests is large due to DDoS attacks. To prevent that from happening, it's also important to have AWS Shield enabled and blocking DDoS attacks. If your product has a large number of accesses (hundreds of millions to billions of accesses per month), you may want to consider installing AWS Shield Advanced.
-
-
3. Conclusion
The fee structure of AWS WAF is a bit complicated, but it is important to understand and use it properly. In some cases, you may want to consider using a managed rule; AWS WAF managed rules are more expensive than creating your own rules, but they allow you to safely defend your product. It can be done cheaply depending on the method, so please consider it.