Independent reference. Not affiliated with any vendor on this site.
Vendor deep-dive

AWS WAF Pricing 2026: Per-Web-ACL, Per-Rule, Per-Request, and the Bot Control Trap

AWS WAF is the cheapest published per-request WAF on the market with a $5 web-ACL base, $1 per rule, and $0.60 per million requests. The headline is honest. The trap is that Bot Control and Fraud Control rule groups charge a per-request fee on top of the standard request fee, and at 100M requests per month they can dwarf the $5 web-ACL line.

Last verified June 2026

Cloud-native WAF, per-request billing
AWS WAF
From
$5.00 per web-ACL per month
Rate position
AWS WAF sits in the lower third of the 6 vendors that publish a starting WAF rate.
AWS WAF (23%)Cloudflare $0.00FortiWeb Cloud $21.90

What it costs

AWS WAF prices on a per web-acl + per rule + per million requests basis. The cheapest published entry point is $5.00 per web-ACL per month. Full tier list below, taken from the live vendor pricing page.

AWS WAF pricing tiers
  • Tier 1Web ACL
    $5.00 per web-ACL per month
  • Tier 2Rule
    $1.00 per rule per web-ACL per month
  • Tier 3Requests
    $0.60 per million requests
  • Tier 4Bot Control
    $10.00 per web-ACL per month + per-request rule-group fees
  • Tier 5Account Takeover Prevention
    $10.00 per web-ACL per month + per-request fees
  • Tier 6CAPTCHA
    $0.40 per thousand CAPTCHA attempts
Source: https://aws.amazon.com/waf/pricing/ - retrieved 2026-06-19

What this vendor is best for

AWS-hosted apps that already use ALB, CloudFront, or API Gateway and want the bill on one console.

Hidden costs to watch

The line items most buyers miss
Bot Control and Fraud Control add per-request rule-group fees on top of the standard request fee. At 100M requests a month with Bot Control on, the rule-group fee alone can dwarf the $5 web-ACL line.
Direct answer
What does AWS WAF actually cost at 100M requests per month?
Use the cost calculator on the homepage to assemble a realistic monthly bill across all published-rate vendors. The default profile (100M req/mo, 1 protected app, 10 custom rules, bot management on) is labelled as an illustrative example so it can be re-run with your own numbers.
Source: https://aws.amazon.com/waf/pricing/, retrieved 2026-06-19

Worked example at 100M requests per month

One web-ACL, 10 custom rules, 100 million requests per month, Bot Control on. Numbers come straight from aws.amazon.com/waf/pricing retrieved 19 June 2026. Illustrative example, not a real company.

AWS WAF bill, 100M req/mo with Bot Control
  1. 1.Web-ACL base fee$5.00
  2. 2.10 custom rules at $1.00 each$10.00
  3. 3.100M requests at $0.60 / million$60.00
  4. 4.Bot Control rule group base$10.00
  5. 5.Bot Control request fee, 100M requests at ~$1.00 / million$100.00
Estimated monthly total~$185.00
Bot Control request fee dominates the bill once it is on. Without Bot Control the same workload costs roughly $75/mo. AWS publishes the Bot Control request fee in the pricing page footnote, not the headline table.

AWS WAF Classic vs WAFv2

AWS WAF Classic is the original 2015 product. WAFv2 launched in 2019 and is the current default for all new web-ACLs. Pricing on this page refers to WAFv2. Classic web-ACLs are still billable at the same web-ACL and rule rates but cannot use the v2 managed rule groups, including Bot Control. Migrate to WAFv2 before adding any managed rule group.

Closest alternatives
Two published-rate vendors with the most similar pricing model and product fit.
Azure WAF (Front Door)
Per policy + per rule + per million requests
$5.00 per policy per month (Front Door Premium managed rules)
Google Cloud Armor
Standard (per policy + per rule + per request) or Enterprise subscription
$5.00 per policy per month (Standard)

Source

Every number on this page is taken from https://aws.amazon.com/waf/pricing/, retrieved 2026-06-19. Re-check before signing a contract; vendors change pricing without notice.

Last verified June 2026