
Do I really need AWS Firewall and NAT Gateway to secure my servers?

We decided to create a special post about AWS Firewall and NAT Gateway to help you save time and money. Some AWS services can be expensive, and some can be unreasonably expensive. AWS Firewall and NAT Gateway fall into the latter category—not only do they cost a lot of money, but you’ll also spend a huge amount of time trying to set them up and enable basic logs.


AWS Network Firewall and Alternatives

Let’s start with AWS Network Firewall. It helps you block incoming and outgoing requests based on parameters like ports, IP addresses, and domains. Sounds great and very helpful—however, it's expensive. For example, if you have 2 different availability zones protected by a firewall, handling 5 TB of traffic per month, you will pay:

  • Endpoint cost: 720 hrs × 2 × $0.395 = $568.80
  • Traffic cost: 5,000 GB × $0.065 = $325
  • Total ≈ $893.80 per month

To that, you should add your time—or your engineers’ time—spent setting up and managing AWS Firewall. It’s not a plug-and-play option. To deploy it, you need to create several other resources, set up logs using CloudWatch (which is billed per usage, of course), and spend a lot of time waiting for updates to complete.


So, What Are the Alternatives?

  • TurboCloud, which includes a firewall with default OWASP rules. You can use a web console or API to update rules. TurboCloud also has a rate limiter that provides additional protection. It's free for basic usage, works with almost any cloud server, and has a fixed one-time payment of $99 if you need more than the basic features.
  • Cloudflare, which protects your servers at the DNS level. The main issue is that Cloudflare is mostly designed for enterprises and protects your servers only until attackers find your IP addresses, since it operates solely at the DNS level. Still, it can serve as a great additional layer of protection.
  • Classic iptables and UFW, which can work very well if you just want to block all traffic and allow a few IPs. However, this option requires some time to learn how both tools work.

NAT Gateway and Alternatives

A NAT Gateway is a simplified version of a firewall that blocks all incoming requests and allows only outgoing connections. This simple service is still quite expensive for what it does, but enterprises often don’t mind the cost and are willing to pay AWS for it.

For example, assume you have 1 NAT Gateway running 24×7 and processing 1 TB of data. In this case, you will pay:

  • Hourly cost: 720 hrs (24 × 30) × $0.048 = $34.56 (~€32)
  • Data processing (1 TB): 1,024 GB × $0.048 = $49.15 (~€46)
  • Internet egress (1 TB): 1,024 GB × $0.09 = $92.16 (~€87)
  • Total ≈ $176 (~€165) per month

So, What Are the Alternatives When You Just Want to Block All Incoming Requests and Allow Outgoing Requests?

  • Use TurboCloud, which uses iptables to block incoming requests at a low level. With TurboCloud, you can also define where your servers are allowed to send requests. In other words, you can create the same setup as AWS Firewall + NAT Gateway, but without the high costs.
  • Use iptables on each machine directly (example commands: https://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html).
  • Cloudflare, which can block incoming requests at the DNS level. But again, Cloudflare protects your servers only until attackers discover your IP addresses.
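The iptables option from the two alternative lists above, as an added example that is neither TurboCloud's code nor taken from the linked page: a shell function that renders an iptables-restore ruleset which drops every inbound connection except SSH from an admin range and allows outbound traffic only to DNS and an explicit list of HTTPS destinations, i.e. the "block incoming, restrict outgoing" setup described here. The CIDRs are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not TurboCloud's or AWS's code). Renders an iptables-restore
# ruleset; nothing is applied until apply_ruleset runs it as root.

# render_ruleset ADMIN_CIDR DEST_CIDR [DEST_CIDR...]
render_ruleset() {
    admin="$1"; shift
    printf '%s\n' '*filter'
    # Default-deny in both directions; a host does not need to forward
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback and replies to connections this host initiated
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # The only inbound service: SSH, and only from the admin range
    printf '%s\n' "-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -j ACCEPT"
    # Outbound: loopback, replies, DNS, then only the listed destinations on 443
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT' '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    for dest in "$@"; do
        printf '%s\n' "-A OUTPUT -p tcp -d $dest --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of drops so a missing egress rule shows up in syslog
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "'
    printf '%s\n' 'COMMIT'
}

# apply_ruleset ADMIN_CIDR DEST_CIDR...  (needs root; validates before loading)
apply_ruleset() {
    render_ruleset "$@" | iptables-restore --test && render_ruleset "$@" | iptables-restore
}

# Example: admin range 203.0.113.0/24, servers may only talk HTTPS to two hosts
# apply_ruleset 203.0.113.0/24 198.51.100.10/32 192.0.2.20/32
```

Keep an out-of-band console (or a scheduled `iptables-restore` of a known-good ruleset) available before applying an OUTPUT DROP policy over SSH, and persist the rules with your distribution's iptables-persistent mechanism so they survive a reboot.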

Final Tip

Don’t overengineer your setup with AWS Firewall and NAT Gateway. You can secure your servers or machines much more easily and at a significantly lower cost.

Feel free to contact us at hey@turbocloud.dev if you have any questions.