pfSense Plus Software on the AWS Cloud: An AWS NAT Gateway Alternative

Cloud computing has many benefits; flexibility and the potential for lower costs are two very attractive reasons why the cloud is rapidly replacing data centers, and businesses are busy moving applications and workloads to the cloud. 

Many people are familiar with pfSense Plus software on Netgate secure gateway appliances, or perhaps with pfSense Community Edition (CE) software on 3rd-party, white-box, or virtual machine installations. With over 3 million downloads across more than 15 years, pfSense software continues to be a highly trusted solution.

What many are not as familiar with is running pfSense Plus software on the cloud. pfSense Plus software has been available on AWS and Azure clouds for years. Even fewer know that you can try pfSense Plus software with a 30-day free trial!

There are 3 popular use cases for running pfSense Plus software on the cloud:

  1. Securely connecting on-premise infrastructure to the cloud
  2. Protecting cloud-based applications and workloads
  3. Providing secure access to cloud workloads and applications

One of the key benefits of running pfSense Plus software on the AWS cloud is the potential cost savings of using pfSense network address translation (NAT) compared to other options. Note that pfSense software includes NAT as part of its powerful firewall and routing capabilities. Other firewall products do too, but Netgate pfSense Plus software includes this, and many other services, as part of its “all-in” pricing. There are no extra or hidden costs.

What is a NAT Gateway?

When constructing and using virtual private clouds (VPCs) on the AWS cloud, the user has a choice of how to connect the VPC to the internet: through a public or a private subnet. Specific cloud applications and workloads can be governed by very specific compliance requirements. Many of these compliance requirements dictate that private subnets must be used. The private subnet option uses NAT gateways as an outbound connection to the internet or to other networks.

The AWS NAT Gateway - An Expensive Solution

The AWS cloud user should be aware that the AWS NAT gateway pricing is based on three factors:

  1. NAT Gateway Hourly Charge - hourly charges apply.
  2. NAT Gateway Data Processing Charge - this is based on the amount of data that goes through the NAT gateway.
  3. Data Transfer Charge - when moving data across regions and availability zones (AZ) on the AWS cloud, data transfer charges may apply.

Users will need to select the appropriate size NAT gateway to ensure optimal throughput and performance. Multiple gateways can be utilized to split loads. This will result in multiple hourly charges. All three charges will vary depending on what AWS Region the user chooses.

In addition to AWS NAT Gateway charges, AWS charges for data transfer out from Amazon EC2 to the internet in a tiered fee structure. There are monthly provisions for the first 100 GB of data transfer out to the internet at no charge. At the time of this writing, AWS does not charge for data transfer in to Amazon EC2 from the internet. These charges are independent of the AWS NAT Gateway charges.

Note: this article is in no way intended to be a comprehensive guide to NAT gateway pricing on AWS. For more information, please visit Amazon VPC Pricing and Amazon EC2 On-Demand Pricing.

The data processing and data transfer charges can quickly add up to a substantial amount, depending on how much data moves through the AWS NAT gateway and whether it moves across AZs and regions. High availability (HA) requirements can be a reason to set up VPCs in different AZs or possibly even regions. When a typical business running applications and workloads on the AWS cloud looks to lower its monthly expenses, the common advice is to sign up for annual reserved instances (pre-paid), limit data transfers, limit data transfers across AZs and regions, and move S3 traffic to VPC endpoints. Ultimately, these “fixes” add constraints to the promise of flexibility of the cloud.

pfSense Plus as an AWS NAT Gateway Alternative

A much simpler alternative is to use the NAT capabilities built in to pfSense Plus software on AWS. Pricing is as simple as choosing your AWS Region and EC2 instance type, and noting your hourly (or annual) charges for the AWS infrastructure and pfSense Plus software. There are no Netgate or pfSense Plus charges for data processing and data transfer; please see the above note about AWS charges for data from Amazon EC2 to the internet. pfSense Plus software provides the freedom to move the data you want, when you want, and where you want. When it comes to features and price for performance, pfSense Plus software on AWS is an extremely attractive firewall/router/VPN. There are no extra or hidden costs for additional functionality or updates of pfSense Plus software in the cloud.

Pricing includes Amazon EC2 plus pfSense Plus software

Netgate provides a wealth of resources for pfSense on AWS at no charge! Check out the following resources

More About pfSense Software

pfSense software is an open source solution providing powerful firewall, router, and VPN solutions. It provides a full complement of network services. Netgate is proud to be a sponsor of the pfSense software project, and other open source projects. Our vision is that secure networking should be a right for all, not a privilege for a few. We are also the exclusive source of pfSense Plus software, whether on security gateway appliances, on the cloud, or now by subscription.


Flexibility and potential cost savings are two attractive features of moving applications and workloads to the cloud. The cloud lets businesses and institutions shift from capital expenditures for hardware and infrastructure to operating expenses associated with time and data. When considering a migration to the cloud, be sure to consider your TCO, or Total Cost of Operations. In this piece we have taken a very simple look at some of the costs associated with moving data on the AWS cloud. There are several different factors to consider. The beauty of using pfSense Plus software as your firewall/router/VPN on the AWS cloud is that you can minimize several of these costs associated with data movement and in turn gain back the promise of flexibility. Be sure to try pfSense Plus software on AWS with your 30-day free trial!


Did you like this article? Would you like to see more articles about Netgate products on the cloud? Please email us with your thoughts: