Professional Documents
Culture Documents
Reduce Your Cost of Cloud Security On AWS
Reduce Your Cost of Cloud Security On AWS
Reduce Your Cost of Cloud Security On AWS
1
REDUCE YOUR COST OF CLOUD SECURITY ON AWS
À la carte Costs Your Compute charges cover a wide range of having the service delivered to your home or
resources, such as EC2 instances, as well as business and then charged per unit used, be
Business Money associated services like VPN, DNS, Network it kilowatt hours or gallons. When it comes to
One common pricing strategy on the cloud Firewall, NAT Gateway, and IDS/IPS. cloud services, a service has a fee and then a
is that you only “pay for only what you need.” charge for each unit downloaded or egressed
Cloud platforms have taken this to the Storage charges apply to items such as S3
out of AWS’ cloud. The unit of data egressed
extreme by breaking out every function in the buckets, EBS volumes, logs, and backups.
is a gigabyte (GB) for AWS.
firewall as a separate service you purchase Data transfer fees are incurred for outbound
and assemble into your cloud solution. data (data egress) that is sent from AWS to
Unfortunately, À la carte services can get How you can Save Money
different locations outside of the cloud.
expensive quickly when looking at just a with pfSense
handful of common functions asked of a It is important to note that AWS does not
To use pfSense Plus software on the AWS
firewall. charge for inbound data transfer.
cloud platform, an AWS Elastic Compute
Simply explained, AWS utilizes a multi- Cloud (EC2) instance is required. In our
layered pricing model that encompasses AWS Charges example, we will use the AWS US East Region
various types of charges. These include AWS Services are much like a utility bill. - Virginia or Ohio (see Assumptions1 below).
compute, storage, and data transfer fees. There is a fee for the access to the service An EC2 instance size of m5.large, using On-
and then a fee for how much of the actual Demand hourly pricing with no other services
utility you use or consume. Think of it like a is $0.096 per hour, or approximately $69.12
water or electricity bill; you are charged for per month.
1
ASSUMPTIONS:
• The average month has 4.33 weeks, 30 days, 720 hours, and 22 work days.
• The average work day has 8 hours, or 176 hours per work month.
• The Netgate recommended AWS EC2 instance type for pfSense Plus software is m5.large.
• US East AWS Region - N Virginia or Ohio (different AWS regions will have different EC2 instance/hour rates).
NOTE: AWS assumes 730 hours per month in their VPC Pricing Calculator
It is important to note that
AWS does not charge for
inbound data transfer.
4
REDUCE YOUR COST OF CLOUD SECURITY ON AWS
This is the Netgate recommended instance The AWS Network Firewall has multiple While the AWS Network Firewall is
size for pfSense Plus software on AWS. charges to consider. This paper provides a provisioned, AWS does not charge additional
Netgate recommends this instance size basic overview and is not intended to be a fees for NAT Gateway (hourly and data)
for production workloads as it represents comprehensive explanation of AWS Network usage. Please note that EC2 Data Transfer
a versatile blend of compute/memory/ Firewall pricing. For a complete description, charges may apply; more on that later.
networking capabilities at a reasonable price please see the AWS Network Firewall Pricing pfSense Plus software on an m5.large AWS
point. This is only a recommendation, as page. The two main charges associated with EC2 instance will cost the user $0.24/hour.
users may choose their ideal instance size the AWS Network Firewall are:
based on a variety of factors. Right away, choosing pfSense Plus software
• Network Firewall Endpoint Hourly:
from Netgate saves the user $0.155/hour, or
For new users that want to gain familiarity $0.395/hour
$111.60/month, or $1339.20/year in hourly
with pfSense Plus software capabilities • Network Firewall Data Processing Charge: charges.
on AWS, Netgate offers a 30 day free trial. $0.065/1 GB of data processed by the
During this trial, there is no cost for pfSense firewall
Plus software, but the user is responsible for
the cost of the AWS EC2 instance. EC2 Instance type Software/hr EC2/hr Total/hr
Users can start small and find the best m3.xlarge $0.32 $0.266 $0.586
instance size to fit their individual needs. It
is worth noting that the Netgate Engineering m4.large $0.24 $0.10 $0.34
team builds all new pfSense Plus software m4.xlarge $0.32 $0.20 $0.52
releases on AWS using a t3a.micro EC2
instance. The t3a.micro EC2 instance costs m5.large
$0.24 $0.096 $0.336
less than $0.01 ($0.009) per hour! Vendor Recommended
8
REDUCE YOUR COST OF CLOUD SECURITY ON AWS
The service fees for the AWS VPN plus data egress are over three times as much as the flat
AWS VPN rate for pfSense Plus software on AWS. In addition, you can add additional services with
Single subnet Endpoint pfSense Plus software, such as network address translation (NAT) and intrusion detection
Association Fee ($0.10/hr) and prevention for no additional service fees and only additional AWS data transfer fees per
720 hours/month gigabyte of outbound data transfer.
= $72 (Additional subnets are an extra cost)
Cost pfSense Plus AWS VPN Savings
100 clients
Connection Fee ($0.05/hr) Monthly Cost $331.92 $1,042.00 $710.08
176 hours/month = $880
Annual Cost $3,983.04 $12,504.00 $8,520.96
1,000 GB of data transfer
$0.09/GB = $90 Based on monthly billing. Assumes 1 TB of data egress fees. Fees as of March, 2023.
Total AWS VPN Fees: $1,042.00
pfSense Plus software also supports OpenVPN, in addition to IPSec, L2TP, and Wireguard. The AWS VPC Wizard, available in pfSense
pfSense Plus software goes beyond unlimited client VPN connections and supports site-to-site, Plus software, simplifies the configuration
and cloud-to-cloud VPN connections. of a VPN to a remote VPC from an on-
premises pfSense Plus firewall, allowing you
Type pfsense+ AWS Network Services to use pfSense Plus in both cloud and local
implementations, if you prefer, standardizing
Site-to-Site VPN Included AWS VPN
your platforms.
($36/month)
If you need a load balancer for servers
Client VPN Included AWS VPN
running in your Virtual Private Cloud (VPC),
($72.00 + $8.80/client/month)
pfSense Plus software fits the bill. You can
Network Firewall Included VPC Network Firewall automatically distribute incoming application
($284.40/month) traffic across multiple servers for no
additional service cost.
DNS Included route53
($0.50/route/month) Load balancing ensures your services
continue without disruption and ensure
Load Balancing/ Included CloudFront business continuity during peak traffic times.
Reverse Proxy ($87.04/month) It is worth noting that the AWS load balancer
IDS/IPS Included GuardDuty can distribute incoming traffic across your
($6.40/month + $0.60/GB) EC2 instances across multiple availability
zones as well. Both scenarios would require
NAT Gateway Included VPC NAT Gateway multiple instances.
($32.40/month)
Attack Prevention features built into pfSense
Monitoring Included CloudWatch Plus software protect your cloud instances
($0.05/GB) from malicious actors’ threats and exploits.
There is no need to add on AWS GuardDuty
Cost $241.92/month > $500+/month*
at the additional expense of $6.40/month +
24/7 Support $399/year $1200/year $0.60/GB processed.
($799/year w/ 4 hr SLA)
* Based on monthly billing. 1 month = 720 hours. Does not include data egress, storage, or per-client fees.
Fees as of March, 2023. 10
REDUCE YOUR COST OF CLOUD SECURITY ON AWS
From intrusion detection and prevention package repository do not incur additional Why Trust pfSense Plus
systems (IDS/IPS) to traffic analysis to fees and increase the value of using pfSense
deep packet inspection (DPI), pfSense Plus Plus software.
Software from Netgate?
software can monitor incoming and outgoing Netgate is not new to the firewall and router
When it comes to knowing what is industry, with over 20 years of business
traffic. As a firewall and gateway, pfSense
happening with your firewall, pfSense Plus experience and well over 500 combined
Plus software includes everything you need
software makes available all of the collected years of technical knowledge on the team.
to defend your VPC.
data to help monitor pfSense Plus on AWS. pfSense Plus software from Netgate
pfSense Plus software includes a package System Monitoring is not hidden from you operates with the same rich feature set in
system that can extend the software’s nor does it require additional subscriptions. the cloud, on Netgate Security Gateway
functionality without adding bloat and From an overview dashboard to monitoring Appliances, or on your own hardware (with
potential security vulnerabilities to the graphs to unrestricted log access, pfSense pfSense Plus subscription software). With
base distribution. More than 60 different Plus software on AWS provides unrestricted over 7 million installations world-wide,
packages are available that add additional access to all of the data required to make pfSense software continues to be a highly
filtering functionality, provide IDS/IPS, and informed decisions on the performance of trusted solution.
add bandwidth monitoring, proxies, and your firewall and services.
additional services. Packages in the Netgate
11
REDUCE YOUR COST OF CLOUD SECURITY ON AWS