
    AWS Network Firewall vs. GWLB: Why Palo Alto/Fortinet Decimate Suricata at Scale

    TechLeague Editorial · 14 min read

    AWS Network Firewall (ANFW) is, under the hood, a managed deployment of the open-source Suricata engine. For high-compliance enterprise workloads in 2026 the real debate isn't whether ANFW is "good enough"; it's a calculated trade-off between the operational simplicity of a managed service and the deeper inspection capabilities of a Palo Alto VM-Series or Fortinet FortiGate deployed behind a Gateway Load Balancer (GWLB).

    The Architecture: Suricata Managed Service vs. The GWLB Overlay

    To understand the friction, we must first dissect the plumbing. AWS Network Firewall is a managed service: you create a firewall endpoint in each AZ you want to protect, and AWS scales the capacity behind that endpoint for you. You never see the instances; you interact with a firewall policy and a set of endpoints. Under the hood it is Suricata, which is why stateful rules use Suricata-compatible syntax. Rule changes propagate through the AWS control plane, which is both its greatest strength (no fleet to roll) and its greatest weakness (no access to the engine itself).

    Conversely, the GWLB approach uses GENEVE (Generic Network Virtualization Encapsulation, UDP port 6081) to route traffic transparently to a fleet of third-party virtual appliances. When you deploy a Palo Alto VM-Series or a FortiGate-VM, you are opting into a "bump-in-the-wire" architecture: the GWLB encapsulates each packet, hashes the flow to one appliance, and expects the appliance to hand the packet back under the same GENEVE header. Flow hashing plus health checks ensure that both directions of a flow reach the same appliance instance, which is what keeps session state coherent. Behind a Transit Gateway you also need appliance mode on the attachment so that return traffic is not steered to a different AZ's endpoint (this applies to ANFW endpoints behind a TGW as well).

    For most engineers, the choice boils down to inspection depth. ANFW is solid at Layer 3/4 filtering, SNI- and Host-header-based domain filtering, and signature-based IDS/IPS. If you require vendor-style Layer 7 application identification (App-ID) or sandbox detonation (WildFire/FortiSandbox), however, the Suricata implementation behind ANFW feels like bringing a knife to a gunfight.

    Performance Reality: Throughput and Latency Penalties

    AWS markets ANFW as being able to handle tens of gigabits per second. While true, that throughput comes at a significant cost in both dollars and latency. In our synthetic benchmarks using iperf3 and h2load across Transit Gateway (TGW) attachments, we see the following:

    • AWS Network Firewall: Baseline latency increase of ~0.8ms to 1.2ms. Scaling is seamless up to the 100Gbps per endpoint (one per AZ) that AWS quotes, but throughput degrades as you add complex Suricata signatures, since every extra content match is evaluated on the same packet.
    • GWLB + Palo Alto PA-VM (c6in.4xlarge): Latency increase of ~1.5ms to 2.2ms. The GENEVE encapsulation/decapsulation overhead is non-negligible. However, with DPDK enabled on the VM-Series, jitter is significantly lower than ANFW's during high-connection-rate spikes.

    If your workload is sensitive to micro-bursts (think high-frequency trading or real-time telemetry), the extra encapsulation and decapsulation on every packet through GWLB can be a dealbreaker. But for the average enterprise web app, the ~1ms delta is a rounding error compared to the security benefits of the Palo Alto PAN-OS 11.x feature set.

    Cost Analysis: The Hidden Bill for "Managed" Convenience

    In 2026, ANFW's unit prices still look modest, but the bill is dominated by the per-GB charge. At $0.395 per firewall endpoint-hour plus $0.065 per GB processed (us-east-1 list price), the variable cost dwarfs the fixed cost once traffic is sustained. Consider a 1Gbps sustained environment, which is roughly 324,000 GB per month (1Gbps is 0.125 GB/s, times 2,592,000 seconds in a 30-day month):

    
    # AWS Network Firewall Monthly (Approx)
    Endpoint: $0.395 * 730 * 3 AZs = $865
    Data: 324,000 GB * $0.065 = $21,060
    TOTAL: ~$21,925 / month
    

    Compare this to a GWLB + Fortinet FortiGate VM04 cluster (BYOL or PAYG):

    
    # GWLB + FortiGate (C6in.2xlarge)
    EC2 (3 nodes): $0.52 * 730 * 3 = $1,138
    GWLB Data: 324,000 GB * $0.008 = $2,592
    Fortinet License: ~$3,000 (Amortized monthly)
    TOTAL: ~$6,730 / month
    

    The gap is staggering. At scale, ANFW comes out at more than 3x the cost of running a vendor firewall via GWLB. You are paying a large premium for the privilege of not managing the underlying Linux kernel and Suricata binary. Two caveats before you copy these numbers into a business case: the $0.008/GB GWLB line is an approximation of the GWLB's LCU-hour and endpoint data-processing charges (check the current price list for your region), and neither column counts cross-AZ data transfer or the engineering hours needed to build and operate an appliance fleet. For more on optimizing your cloud transit costs, see our guide on AWS Transit Gateway vs VPC Peering.
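    To see where the two cost curves actually cross rather than eyeballing one data point, here is a small cost model. It is an added example written for this article, not the authors' or AWS's code. Its inputs are the unit prices quoted above; the $0.008/GB GWLB figure is the article's approximation of the GWLB LCU-hour and endpoint data-processing charges, and the traffic points fed to compare() are arbitrary.

```python
"""Break-even model for ANFW per-GB pricing vs a GWLB + NVA fleet.

Added example for this article, not the authors' or AWS's code. The unit
prices are the ones the article quotes; the GWLB $0.008/GB figure is the
article's approximation of the LCU-hour and endpoint data-processing
charges. Edit the Pricing defaults to match your own price list.
"""
from __future__ import annotations
from dataclasses import dataclass

HOURS_PER_MONTH = 730
SECONDS_PER_MONTH = 30 * 24 * 3600


@dataclass(frozen=True)
class Pricing:
    anfw_endpoint_hour: float = 0.395   # per firewall endpoint (one per AZ)
    anfw_per_gb: float = 0.065          # ANFW data processing
    nva_instance_hour: float = 0.52     # c6in.2xlarge rate as quoted in the article
    gwlb_per_gb: float = 0.008          # article's approximation of GWLB data charges
    nva_license_month: float = 3000.0   # FortiGate license, amortised monthly
    azs: int = 3                        # one ANFW endpoint or one NVA per AZ


def gb_per_month(gbps: float) -> float:
    """Decimal gigabytes moved in a 30-day month at a sustained bit rate."""
    return gbps / 8 * SECONDS_PER_MONTH      # 1 Gbps = 0.125 GB/s


def anfw_monthly(gb: float, p: Pricing = Pricing()) -> float:
    """Managed service: endpoint hours plus the per-GB processing fee."""
    return p.anfw_endpoint_hour * HOURS_PER_MONTH * p.azs + p.anfw_per_gb * gb


def gwlb_nva_monthly(gb: float, p: Pricing = Pricing()) -> float:
    """Appliance fleet: instance hours, license, plus GWLB data charges."""
    fixed = p.nva_instance_hour * HOURS_PER_MONTH * p.azs + p.nva_license_month
    return fixed + p.gwlb_per_gb * gb


def breakeven_gb(p: Pricing = Pricing()) -> float:
    """GB/month above which ANFW costs more than the GWLB + NVA fleet.

    Solves anfw_fixed + a*gb == nva_fixed + g*gb for gb. Returns inf when the
    per-GB rates never cross (the managed service is then never dearer) and
    0 when ANFW is dearer even at zero traffic.
    """
    per_gb_gap = p.anfw_per_gb - p.gwlb_per_gb
    if per_gb_gap <= 0:
        return float("inf")
    fixed_gap = gwlb_nva_monthly(0, p) - anfw_monthly(0, p)
    return max(0.0, fixed_gap / per_gb_gap)


def compare(gbps_points: list[float], p: Pricing = Pricing()) -> list[dict]:
    """One row per sustained throughput point, rounded to whole dollars."""
    rows = []
    for gbps in gbps_points:
        gb = gb_per_month(gbps)
        rows.append({"gbps": gbps, "gb": round(gb),
                     "anfw": round(anfw_monthly(gb, p)),
                     "gwlb_nva": round(gwlb_nva_monthly(gb, p))})
    return rows


if __name__ == "__main__":
    be = breakeven_gb()
    print(f"break-even: {be / 1000:.1f} TB/month "
          f"({be / gb_per_month(1.0):.3f} Gbps sustained)")
    for row in compare([0.05, 0.1, 0.25, 1.0, 10.0]):   # arbitrary sample points
        print(row)
```

    With these inputs the crossover lands at roughly 57 TB/month (about 0.18Gbps sustained): below that the managed service is the cheaper option before a single engineering hour is counted; above it the per-GB fee dominates and the gap widens linearly. Re-run it with your own region's price list and license quote before committing either way.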

    The Operational Burden: "Managed" is a Relative Term

    Advocates for ANFW argue that it reduces "operational overhead." I disagree. While you don't patch the OS, you must manage the Suricata rule sets yourself. Anyone who has managed a multi-thousand-line .rules file knows it is a nightmare. AWS provides "Managed Rule Groups," but they are often opaque and lack the granularity of a Palo Alto Security Policy.
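    The SNI and Host-header allowlist that the inspection-depth section above calls "basic" is still the workhorse of an ANFW egress policy, and most of the .rules-file pain is ordering and SID hygiene. The generator below is an added example written for this article, not AWS tooling: it emits a strict-order allowlist in the Suricata-compatible syntax that ANFW stateful rule groups accept, then lints the result for duplicate SIDs and drops ordered ahead of passes. The domain list and SID range are constructed placeholders.

```python
"""Build a strict-order egress allowlist for AWS Network Firewall and lint it.

Added example for this article; not AWS, Palo Alto or Fortinet code. It
emits Suricata-compatible rules in the form ANFW stateful rule groups take
(pass rules for approved TLS SNIs and HTTP Host headers first, catch-all
drops last) and checks the two things a hand-maintained .rules file most
often gets wrong: duplicate SIDs and drop rules ordered ahead of passes.
The domains and SID range used below are constructed for the example.
"""
from __future__ import annotations
import re

SID_RE = re.compile(r"\bsid:(\d+);")
ACTION_RE = re.compile(r"^\s*(pass|drop|alert|reject)\b")


def _domain_match(domain: str) -> str:
    # dotprefix + endswith matches the domain and its subdomains only, so
    # "example.com" does not also allow "notexample.com".
    return f'dotprefix; content:".{domain}"; endswith;'


def allowlist_rules(domains: list[str], base_sid: int = 1000) -> list[str]:
    """Pass rules per approved domain, then catch-all drops, in strict order."""
    rules: list[str] = []
    sid = base_sid
    for domain in domains:
        rules.append(
            f'pass tls $HOME_NET any -> $EXTERNAL_NET 443 '
            f'(tls.sni; {_domain_match(domain)} flow:to_server; '
            f'msg:"allow TLS to {domain}"; sid:{sid}; rev:1;)'
        )
        rules.append(
            f'pass http $HOME_NET any -> $EXTERNAL_NET 80 '
            f'(http.host; {_domain_match(domain)} flow:to_server; '
            f'msg:"allow HTTP to {domain}"; sid:{sid + 1}; rev:1;)'
        )
        sid += 2
    rules.append(
        f'drop tls $HOME_NET any -> $EXTERNAL_NET 443 '
        f'(flow:to_server; msg:"deny unlisted TLS SNI"; sid:{sid}; rev:1;)'
    )
    rules.append(
        f'drop http $HOME_NET any -> $EXTERNAL_NET 80 '
        f'(flow:to_server; msg:"deny unlisted HTTP host"; sid:{sid + 1}; rev:1;)'
    )
    # flow:established lets the TCP handshake complete; a bare "drop ip"
    # would eat the SYN, the ClientHello carrying the SNI would never be
    # seen, and the pass rules above could never match.
    rules.append(
        f'drop ip $HOME_NET any -> $EXTERNAL_NET any '
        f'(flow:established,to_server; msg:"deny all other egress"; sid:{sid + 2}; rev:1;)'
    )
    return rules


def lint_rules(rules: list[str]) -> list[str]:
    """Return human-readable problems; an empty list means the set is clean."""
    problems: list[str] = []
    seen: dict[int, int] = {}          # sid -> first line that used it
    drop_seen = False
    for lineno, rule in enumerate(rules, 1):
        action = ACTION_RE.match(rule)
        if not action:
            problems.append(f"line {lineno}: unrecognised action")
            continue
        m = SID_RE.search(rule)
        if not m:
            problems.append(f"line {lineno}: missing sid")
        else:
            sid = int(m.group(1))
            if sid in seen:
                problems.append(f"line {lineno}: sid {sid} already used on line {seen[sid]}")
            seen.setdefault(sid, lineno)
        if "msg:" not in rule:
            problems.append(f"line {lineno}: missing msg")
        if action.group(1) == "drop":
            drop_seen = True
        elif action.group(1) == "pass" and drop_seen:
            problems.append(f"line {lineno}: pass rule after a drop; under STRICT_ORDER "
                            f"it only sees flows no earlier drop already matched")
    return problems


def rules_string(rules: list[str]) -> str:
    """The RulesString payload for an ANFW stateful rule group."""
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    sample = allowlist_rules(["example.com", "amazonaws.com"])   # constructed list
    print(rules_string(sample))
    print("lint:", lint_rules(sample) or "clean")
```

    Load the output with `aws network-firewall create-rule-group --type STATEFUL --rules file://egress.rules` (plus a name and capacity) and set RuleOrder to STRICT_ORDER on both the rule group and the policy's stateful engine options, so the file reads top to bottom the way it will be evaluated. If you would rather keep the catch-all out of the file, the policy's `aws:drop_established` stateful default action does the same job as the final `drop ip` rule.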

    With GWLB and a vendor NVA (Network Virtual Appliance), you get access to mature management planes like Panorama or FortiManager. These tools are light-years ahead of the AWS console in policy auditing, versioning, and cross-rule dependency checking. If you already run Palo Alto on-prem, the operational burden of adding GWLB endpoints is actually lower, because your team doesn't have to learn a new policy syntax.

    The Routing Complexity Trap

    Deploying GWLB is not for the faint of heart. It requires a solid understanding of VPC ingress routing, VPC endpoint services (PrivateLink), and the "appliance VPC" pattern. You are essentially steering route tables at a Gateway Load Balancer Endpoint (GWLBE). If someone deletes a route or a route-table association, you can black-hole the traffic of an entire VPC. ANFW shares this risk, since its integration also relies on endpoint-based routing, but GWLB's GENEVE requirement adds a layer to troubleshooting: a packet capture on the appliance side shows the encapsulated outer packet on UDP/6081, and you have to strip the GENEVE header before you can see the flow you actually care about.
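    When a capture on the appliance side shows nothing but UDP/6081, the quickest way to get at the flow is to strip the GENEVE header yourself; the same header is what the architecture section above relies on to keep both directions of a flow on one appliance. The parser below is an added example written for this article, not AWS, Palo Alto or Fortinet code. It decodes the RFC 8926 header, extracts the AWS options (option class 0x0108 with types 1, 2 and 3 for the GWLBE ENI ID, attachment ID and flow cookie, as AWS documents them; verify against the current GWLB documentation) and shows the re-encapsulation an appliance must do on the return path. The datagram it parses is constructed by hand.

```python
"""Parse and re-emit the GENEVE encapsulation a Gateway Load Balancer uses.

Added example for this article; not AWS, Palo Alto or Fortinet code. It
decodes the GENEVE header (RFC 8926) that wraps every packet a GWLB hands
to an appliance, pulls out the AWS-specific options (option class 0x0108:
type 1 = GWLBE ENI ID, type 2 = attachment ID, type 3 = flow cookie, as
documented for GWLB; verify against current docs) and shows how the inner
packet must be returned under the unchanged header. The sample datagram
built at the bottom is constructed, not captured.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081
AWS_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}
OPTION_CRITICAL = 0x80   # high bit of the option Type field (RFC 8926)


@dataclass
class GeneveHeader:
    protocol_type: int            # ethertype of the inner packet, 0x0800 = IPv4
    vni: int
    header_len: int               # bytes of base header plus options
    options: dict[str, int | bytes] = field(default_factory=dict)


def parse_geneve(datagram: bytes) -> tuple[GeneveHeader, bytes]:
    """Split a GENEVE UDP payload into (header, inner packet).

    Rejects truncated headers and any unknown option flagged critical, which
    a receiver must drop rather than silently forward.
    """
    if len(datagram) < 8:
        raise ValueError("truncated GENEVE base header")
    b0, _flags, proto = struct.unpack("!BBH", datagram[:4])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {b0 >> 6}")
    end = 8 + (b0 & 0x3F) * 4                 # Opt Len is in 4-byte units
    if len(datagram) < end:
        raise ValueError("options run past end of datagram")
    hdr = GeneveHeader(proto, int.from_bytes(datagram[4:7], "big"), end)
    pos = 8
    while pos < end:
        opt_class, opt_type, opt_len = struct.unpack("!HBB", datagram[pos:pos + 4])
        data_len = (opt_len & 0x1F) * 4       # low 5 bits, 4-byte units
        data = datagram[pos + 4:pos + 4 + data_len]
        if len(data) != data_len or pos + 4 + data_len > end:
            raise ValueError("option data truncated")
        if opt_class == AWS_OPTION_CLASS and opt_type in AWS_OPTION_NAMES:
            hdr.options[AWS_OPTION_NAMES[opt_type]] = int.from_bytes(data, "big")
        elif opt_type & OPTION_CRITICAL:
            raise ValueError(f"unknown critical option class={opt_class:#06x} type={opt_type:#04x}")
        else:
            hdr.options[f"class{opt_class:#06x}_type{opt_type}"] = data
        pos += 4 + data_len
    return hdr, datagram[end:]


def inner_ipv4_addresses(inner: bytes) -> tuple[str, str]:
    """Source and destination of the encapsulated IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return ".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20]))


def build_return_datagram(received: bytes, inner: bytes) -> bytes:
    """Re-encapsulate a (possibly modified) inner packet for return to the GWLB.

    The outer GENEVE header, flow cookie included, goes back untouched; that
    is how the GWLB maps the packet back to the right flow and endpoint.
    """
    hdr, _ = parse_geneve(received)
    return received[:hdr.header_len] + inner


def _option(opt_class: int, opt_type: int, data: bytes) -> bytes:
    assert len(data) % 4 == 0, "GENEVE option data is padded to 4 bytes"
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def build_sample_datagram() -> bytes:
    """Constructed GWLB-style datagram: three AWS options plus a bare IPv4 header."""
    opts = (_option(AWS_OPTION_CLASS, 1, (0x0A1B2C3D4E5F6071).to_bytes(8, "big"))
            + _option(AWS_OPTION_CLASS, 2, (0x00000000DEADBEEF).to_bytes(8, "big"))
            + _option(AWS_OPTION_CLASS, 3, (0x0000CAFE).to_bytes(4, "big")))
    base = struct.pack("!BBH", len(opts) // 4, 0, 0x0800) + (0).to_bytes(3, "big") + b"\x00"
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        bytes([10, 0, 1, 10]), bytes([93, 184, 216, 34]))
    return base + opts + inner


if __name__ == "__main__":
    hdr, inner = parse_geneve(build_sample_datagram())
    print(hdr.options, inner_ipv4_addresses(inner))
```

    Because the GWLB relies on the returned header to map the packet back to its flow, comparing the flow cookie on the way in and the way out is the first thing to check when an appliance passes its health checks but traffic still disappears.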

    SSL/TLS Inspection: The Final Frontier

    AWS Network Firewall now supports TLS inspection, but it is clumsy. You must hold the signing CA in ACM (AWS Certificate Manager), reference it from a TLS inspection configuration attached to the policy, and handshake performance is strictly average. Palo Alto's "SSL Forward Proxy" and FortiGate's SSL inspection are more mature in policy terms (per-rule decryption exceptions, certificate-validation actions). Note, though, that Fortinet's CP9/CP10 crypto offload is an ASIC in physical FortiGates only; a FortiGate-VM on EC2 terminates TLS in software.

    In 2026, the large majority of egress traffic is encrypted. If you aren't decrypting, your IPS is effectively a glorified port filter with SNI matching. Suricata's throughput drops by 60-70% once you enable full TLS decryption on ANFW. Vendor appliances, particularly FortiGates on c6in instances, handle this more gracefully thanks to user-space (DPDK) packet and crypto paths that bypass the kernel network stack. Whichever engine does the decryption, the same caveats apply: the inspection CA must be trusted by every client, certificate-pinned applications will break and need explicit bypass rules, and the firewall now acts as the TLS client toward the internet, so its own certificate-validation behaviour becomes part of your security posture.

    Rule Management and Threat Intelligence

    This is where Palo Alto (PAN-DB URL categories plus Threat Prevention and WildFire content) and Fortinet (FortiGuard) win. Their feeds are curated and updated continuously with vendor-proprietary intelligence. ANFW relies on a mix of AWS-managed rule groups and open-source Suricata rule sets such as Emerging Threats Open, which you import and refresh yourself. While ANFW's managed rule groups are improving, they lack the context (User-ID, Device-ID) that an NGFW provides.

    If you need to block "all traffic from HR users to non-sanctioned SaaS sites," Palo Alto does this natively via GlobalProtect and User-ID. ANFW has no concept of a "user"; it sees an IP address. In a dynamic, auto-scaled environment where IPs change every hour, that makes ANFW a blunt instrument: the closest you get is an IP set that references a managed prefix list, and keeping that list in sync is on you.

    Conclusion: Which One Should You Choose?

    I will be blunt: If your data transfer exceeds 10TB per month and you require deep packet inspection, AWS Network Firewall is a poor financial and technical choice. The data processing fees are a tax on the uninformed. You should deploy a GWLB-backed appliance fleet using Palo Alto or Fortinet.

    However, if you are a 10-person startup needing to check a "Firewall" compliance box for a SOC 2 audit and your traffic is minimal, ANFW's simplicity is unbeatable. You can set it up in 20 minutes and forget about it. But for the TechLeague engineer—the one building for 99.99% uptime and 10Gbps+ throughput—the GWLB + NVA pattern remains the gold standard.

    We've helped dozens of Fortune 500 companies migrate away from astronomical ANFW bills toward streamlined GWLB architectures. If your AWS bill is spiraling out of control due to "Data Transfer Out" or managed firewall fees, check out our expert consulting at techleague.io.

    Frequently asked questions

    Why is AWS Network Firewall significantly more expensive at scale?

    At 1Gbps sustained, ANFW can cost upwards of $20k/month due to the $0.065/GB processing fee. A GWLB + Fortinet setup typically costs 1/3 of that, as GWLB data fees are much lower ($0.008/GB) and EC2 costs are fixed.

    What is the primary technical difference between ANFW and a Palo Alto VM-Series?

    AWS Network Firewall is essentially managed Suricata. It is excellent for signature-based IDS/IPS but lacks the advanced application-layer identification (App-ID), Sandbox integration, and User-ID features found in Palo Alto or Fortinet.

    Does GWLB introduce significant latency compared to ANFW?

    GWLB adds roughly 1.5ms to 2.2ms of latency because it uses GENEVE encapsulation and requires an extra hop through an endpoint and the load balancer. ANFW is slightly faster (~1ms), but the difference is negligible for most enterprise applications.

    Can AWS Network Firewall perform SSL/TLS decryption?

    Yes, but it's more restrictive. You must store the signing CA in AWS Certificate Manager (ACM) and reference it from a TLS inspection configuration attached to the firewall policy. Compared to vendor NVAs, ANFW has higher performance overhead when TLS decryption is active.

    When should I choose GWLB over AWS Network Firewall?

    Use GWLB if you need deep L7 inspection, have high traffic volumes (to save money), or already use Palo Alto/Fortinet on-prem and want policy parity. Use ANFW if you have simple rule requirements and low traffic.

    What protocol does GWLB use to communicate with firewalls?

    GWLB uses the GENEVE protocol (UDP port 6081). Your vendor firewall must support GENEVE to decapsulate the traffic, inspect it, and return it to the GWLB with the original header intact. All current Palo Alto and Fortinet AWS images support this natively.