AWS WAF Cost Calculator

Estimate AWS WAF-style costs with a simple model: Web ACL monthly fees + rule monthly fees + request charges. Compare baseline vs peak requests with your pricing.

Maintained by CloudCostKit Editorial Team. Last updated: 2026-02-07. Editorial policy and methodology.

Best next steps

Use this calculator for the first estimate, then validate the answer with the closest guide or companion tool.

Guide: WAF pricing Guide: estimate WAF request volume Guide: reduce WAF costs Guide: WAF cost spikes during attacks

Inputs

Web ACLs
Rules (total)
Count managed rule groups and custom rules you evaluate.
Requests (per month)
Avg 76.15 req/sec.
Requests per second (avg)
Est 196,992,000 requests/month.
Price ($ / Web ACL / month)
Price ($ / rule / month)
Price ($ / 1M requests)
~$600.00 per 1B requests.
Scenario presets
This model excludes add-ons like bot control, CAPTCHA/challenges, logging, and downstream analytics.

Results

Estimated monthly total
$150.00
Web ACLs
$10.00
Rules
$20.00
Requests
$120.00
Requests/month
200,000,000

AWS WAF cost is a layered security bill, and attacks can create a second bill beside it

The visible WAF line items are only the first layer: Web ACLs, rules, and evaluated requests. In practice, attack periods also create downstream logging, scan, and analysis costs that make the true incident month more expensive than the WAF charge alone suggests.

  • ACL inventory: the steady monthly security surface across accounts, regions, and environments.
  • Rule inventory: managed and custom logic that grows as protection coverage expands.
  • Evaluated requests: the variable layer that spikes during attacks, bot waves, or sudden traffic shifts.

Where WAF estimates usually drift

  • Baseline traffic is modeled carefully, but blocked traffic and attack windows are undercounted or ignored.
  • Rule inventory expands gradually across regions and environments after the original estimate was made.
  • Teams review the WAF invoice but forget that log ingestion and query costs exploded at the same time.
  • One blended request assumption hides the difference between a quiet month and a defensive month.

What to review before trusting the WAF baseline

  • Count Web ACLs and rules by environment and region so the steady security surface is visible.
  • Estimate evaluated requests with blocked traffic included, not just successful application traffic.
  • Model attack or bot weeks separately because request-based charges are the first part of the defensive cost story.
  • Keep downstream logging and analytics nearby so the incident month is not falsely treated as a pure WAF problem.

Baseline vs attack-expanded WAF scenarios

Scenario ACLs Rules Requests
Baseline Configured Configured Expected
Peak Same Same Attack/bot spike

How to review the first real WAF incident month

  • Check whether the miss came from evaluated-request spikes, inventory growth, or downstream observability costs before changing the entire model.
  • Review attack periods separately so a few defensive days do not disappear inside one monthly average.

Next steps

Guides All calculators Guide: WAF pricing Guide: estimate WAF request volume WAF request volume estimator Guide: reduce WAF costs Guide: WAF cost spikes during attacks

Example scenario

  • 2 Web ACLs, 20 rules, and 200M requests/month using $5/ACL, $1/rule, and $0.60 per 1M requests.
  • Peak 220% scenario helps budget for attack or bot spikes.

Included

  • Web ACL baseline: number of ACLs x $ per ACL-month.
  • Rule baseline: number of rules x $ per rule-month.
  • Request charges: requests/month x $ per million requests.
  • Baseline vs peak scenario table for request spikes.

Not included

  • Bot control, CAPTCHA/challenge features, and managed add-ons unless modeled separately.
  • Log storage/analysis and downstream security tooling ingestion.

How we calculate

  • ACL cost = web ACLs x $ per ACL-month.
  • Rules cost = rules x $ per rule-month.
  • Request cost = (requests per month / 1,000,000) x $ per 1M requests.
  • Total = ACL + rules + requests.

FAQ

What should I count as a rule?
Count the rules you evaluate: custom rules plus managed rule groups you enable (based on how your pricing counts them). If unsure, start with your configured total and refine.
Why does cost spike during an attack?
Because request charges scale with total requests evaluated. Spikes in traffic (legitimate or malicious) can increase request-based cost and also downstream logging/analysis costs.
How can I reduce WAF cost?
Reduce evaluated requests (CDN caching, rate limiting, blocking early) and keep rule count tight. Also control downstream logging/analysis volume.

Related tools

Guide: WAF pricing Guide: estimate WAF request volume Guide: reduce WAF costs Guide: WAF cost spikes during attacks Guide: AWS WAF vs Cloudflare WAF cost WAF request volume estimator CloudFront cost calculator

Related guides

API Gateway vs ALB vs CloudFront cost: what to compare (requests, transfer, add-ons)
A practical cost comparison of API Gateway, Application Load Balancer (ALB), and CloudFront. Compare request pricing, data transfer, caching impact, WAF, logs, and the hidden line items that change the answer.
CloudFront vs Cloudflare CDN cost: compare the right line items (bandwidth, requests, origin egress)
A practical comparison checklist for CloudFront vs Cloudflare pricing. Compare bandwidth ($/GB), request fees, region mix, origin egress (cache fill), and add-ons like WAF, logs, and edge compute. Includes a modeling template and validation steps.
Estimate WAF request volume (CDN/LB to monthly requests)
How to estimate WAF request volume for cost models: from CDN/LB metrics, from logs, and what to do about bot spikes.
CloudFront cache hit rate: how it changes origin egress cost
Cache hit rate strongly influences origin requests and origin egress (cache fill). Learn a simple model, what breaks hit rate, and the practical levers to improve it safely.
CloudFront pricing: estimate bandwidth and request costs (without hardcoding prices)
A practical way to estimate CloudFront-style CDN costs using your own bandwidth ($/GB) and request-fee ($ per 10k/1M) assumptions, plus common pitfalls like tiered pricing and origin egress.
Lambda vs Fargate cost: a practical comparison (unit economics)
Compare Lambda vs Fargate cost with unit economics: cost per 1M requests (Lambda) versus average running tasks (Fargate), plus the non-compute line items that often dominate (logs, load balancers, transfer).

Disclaimer

Educational use only. Not legal, financial, or professional advice. Results are estimates based on the inputs and assumptions shown on this page. Verify pricing and limits with your providers and documentation.

Last updated: 2026-02-07. Reviewed against CloudCostKit methodology and current provider documentation. See the Editorial Policy .