AWS WAF Cost Calculator

Estimate AWS WAF-style costs with a simple model: Web ACL monthly fees + rule monthly fees + request charges. Compare baseline vs peak requests with your pricing.

Inputs

Web ACLs
Rules (total)
Count managed rule groups and custom rules you evaluate.
Requests (per month)
Avg 76.15 req/sec.
Requests per second (avg)
Est 196,992,000 requests/month.
Price ($ / Web ACL / month)
Price ($ / rule / month)
Price ($ / 1M requests)
~$600.00 per 1B requests.
Scenario presets
This model excludes add-ons like bot control, CAPTCHA/challenges, logging, and downstream analytics.

Results

Estimated monthly total
$150.00
Web ACLs
$10.00
Rules
$20.00
Requests
$120.00
Requests/month
200,000,000

How to get your inputs

  • Requests: estimate evaluated requests/month (include blocked traffic).
  • RPS: if you only have RPS, use the WAF request estimator to model baseline + attack volume.
  • Baselines: count ACLs and rules as billed in your pricing model.
  • Downstream: add logging/storage/analytics volume as a second bill.

Result interpretation

  • ACL and rule counts are steady; request volume drives spikes.
  • If costs jump, verify bot traffic and retries before changing rules.

Common mistakes

  • Budgeting steady traffic but ignoring attack/bot surge scenarios.
  • Forgetting downstream log/scan costs that can exceed the WAF line item.

Input checklist

  • Count Web ACLs per account and region.
  • Separate managed rule groups from custom rules if billing differs.
  • Estimate evaluated requests for peak traffic and attack weeks.

Advanced inputs to capture

  • Count ACLs per region and environment.
  • Include managed rule groups in your rule count.
  • Estimate evaluated requests including blocked or bot traffic.
  • Add logging and analytics volume as a second bill.

Scenario planning

Scenario ACLs Rules Requests
Baseline Configured Configured Expected
Peak Same Same Attack/bot spike

Validate after changes

  • Track evaluated request volume and rule/ACL sprawl over time.
  • Check downstream log ingestion and scan/query costs during incidents.

Next steps

Guides All calculators Guide: WAF pricing Guide: estimate WAF request volume WAF request volume estimator Guide: reduce WAF costs Guide: WAF cost spikes during attacks
Advertisement

Example scenario

  • 2 Web ACLs, 20 rules, and 200M requests/month using $5/ACL, $1/rule, and $0.60 per 1M requests.
  • Peak 220% scenario helps budget for attack or bot spikes.

Included

  • Web ACL baseline: number of ACLs x $ per ACL-month.
  • Rule baseline: number of rules x $ per rule-month.
  • Request charges: requests/month x $ per million requests.
  • Baseline vs peak scenario table for request spikes.

Not included

  • Bot control, CAPTCHA/challenge features, and managed add-ons unless modeled separately.
  • Log storage/analysis and downstream security tooling ingestion.

How we calculate

  • ACL cost = web ACLs x $ per ACL-month.
  • Rules cost = rules x $ per rule-month.
  • Request cost = (requests per month / 1,000,000) x $ per 1M requests.
  • Total = ACL + rules + requests.

FAQ

What should I count as a rule?
Count the rules you evaluate: custom rules plus managed rule groups you enable (based on how your pricing counts them). If unsure, start with your configured total and refine.
Why does cost spike during an attack?
Because request charges scale with total requests evaluated. Spikes in traffic (legitimate or malicious) can increase request-based cost and also downstream logging/analysis costs.
How can I reduce WAF cost?
Reduce evaluated requests (CDN caching, rate limiting, blocking early) and keep rule count tight. Also control downstream logging/analysis volume.

Related tools

Guide: WAF pricing Guide: estimate WAF request volume Guide: reduce WAF costs Guide: WAF cost spikes during attacks Guide: AWS WAF vs Cloudflare WAF cost WAF request volume estimator CloudFront cost calculator

Related guides

API Gateway vs ALB vs CloudFront cost: what to compare (requests, transfer, add-ons)
A practical cost comparison of API Gateway, Application Load Balancer (ALB), and CloudFront. Compare request pricing, data transfer, caching impact, WAF, logs, and the hidden line items that change the answer.
CloudFront vs Cloudflare CDN cost: compare the right line items (bandwidth, requests, origin egress)
A practical comparison checklist for CloudFront vs Cloudflare pricing. Compare bandwidth ($/GB), request fees, region mix, origin egress (cache fill), and add-ons like WAF, logs, and edge compute. Includes a modeling template and validation steps.
Estimate WAF request volume (CDN/LB to monthly requests)
How to estimate WAF request volume for cost models: from CDN/LB metrics, from logs, and what to do about bot spikes.
CloudFront cache hit rate: how it changes origin egress cost
Cache hit rate strongly influences origin requests and origin egress (cache fill). Learn a simple model, what breaks hit rate, and the practical levers to improve it safely.
CloudFront pricing: estimate bandwidth and request costs (without hardcoding prices)
A practical way to estimate CloudFront-style CDN costs using your own bandwidth ($/GB) and request-fee ($ per 10k/1M) assumptions, plus common pitfalls like tiered pricing and origin egress.
Lambda vs Fargate cost: a practical comparison (unit economics)
Compare Lambda vs Fargate cost with unit economics: cost per 1M requests (Lambda) versus average running tasks (Fargate), plus the non-compute line items that often dominate (logs, load balancers, transfer).
Advertisement

Disclaimer

Educational use only. Not legal, financial, or professional advice. Results are estimates based on the inputs and assumptions shown on this page. Verify pricing and limits with your providers and documentation.

Last updated: 2026-02-07