Cloudflare vs AWS WAF: how to choose, how to combine, and what it means for your stack

by Arif

Arif has been in the IT industry for over 12 years, both as a troubleshooter and a technical developer. Certified in Microsoft and Amazon Web Services, he focuses on the infrastructure of digital businesses and applies this knowledge to how he architects the best solutions for our clients. Arif is digitally agnostic but specialises in Linux and Microsoft, along with serverless solutions.

When AWS launched CloudFront flat-rate pricing plans in November 2025, bundling WAF (web application firewall) into a single monthly fee for the first time, it changed the cost equation for teams already running on AWS.

The comparison between Cloudflare’s WAF and AWS WAF is now much closer to a straightforward apples-to-apples one.

And with cloud-based WAF adoption projected to reach 40% of enterprises by 2026, the question is on everyone’s lips.

This post is for:

  • Engineering and platform teams running web applications on AWS who are evaluating WAF options
  • Teams already using Cloudflare as a CDN (content delivery network) or DNS provider and considering its WAF
  • Anyone weighing up whether to run Cloudflare WAF, AWS WAF or both

We cover the Cloudflare vs AWS WAF comparison across key dimensions: managed rules, custom rules, pricing, DDoS, bot management, logging, and when it makes sense to layer them.

But first…

What is a WAF?

A web application firewall inspects HTTP and HTTPS web traffic before it reaches your web application. It matches requests against rules – patterns for SQL injection, cross-site scripting, malicious bot signatures, rate limits – and blocks, challenges or logs requests that match. The goal is application-layer protection: the kind of web attack that a network firewall or security group won’t catch.

Both Cloudflare WAF and AWS WAF fulfil this function. But the hows differ.

Cloudflare WAF

Cloudflare’s WAF is part of its edge network. When you proxy traffic through Cloudflare (by pointing your domain’s DNS at Cloudflare’s nameservers), every request passes through Cloudflare’s infrastructure before it reaches your origin. The WAF runs at that edge, alongside DDoS mitigation, bot management and CDN caching. You don’t attach it to a specific AWS resource; instead you configure it per zone (domain) in the Cloudflare dashboard.

Basic pricing info

WAF is included from the Pro plan ($20/month per zone) upward. The Free plan includes basic managed rules but limited customisation. Business ($200/month) and Enterprise (custom pricing, typically $3,000+/month) add progressively more custom rules, advanced rate limiting, and features like payload logging.

AWS WAF

AWS WAF is a filtering layer you attach to specific AWS resources: CloudFront distributions, Application Load Balancers (ALBs), API Gateway endpoints, AppSync APIs and several others. It doesn’t come with its own network; it runs wherever the resource it’s attached to runs: at CloudFront’s edge locations for CloudFront, or regionally for ALB and API Gateway.

You configure it through Web ACLs (access control lists) containing rules. Those rules can be custom, AWS-managed or sourced from third-party vendors on the AWS Marketplace.

Basic pricing info

Pricing is usage-based: $5/month per Web ACL, $1/month per rule, and $0.60 per million requests inspected. Alternatively, if you’re using CloudFront, the flat-rate pricing plans (Free, Pro at $15/month, Business at $200/month, Premium at $1,000/month) now include WAF with no per-rule or per-request charges.

Managed rules

Both platforms offer pre-configured rule sets that protect web applications against common threats: OWASP Top 10 vulnerabilities, known attack signatures, and credential stuffing patterns.

Cloudflare managed rules

Cloudflare provides two core managed rulesets: the Cloudflare Managed Ruleset, maintained by Cloudflare’s security team and updated frequently for zero-day threats, and the Cloudflare OWASP Core Ruleset, which uses a scoring model: each matching rule adds to a cumulative threat score, and the configured action triggers when the score exceeds a threshold. Both are available from the Pro plan.
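To make the scoring model concrete, here is a toy anomaly-scoring ruleset in the same style, added as an illustration and not Cloudflare’s code: the rule names and patterns are constructed, the severity scores follow the OWASP CRS convention (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2), and the sensitivity thresholds are toy values scaled to this five-rule set.

```python
# Toy anomaly-scoring ruleset in the style of the Cloudflare OWASP Core Ruleset:
# every matching rule adds its severity score to a running total and the action
# fires only when the total reaches the sensitivity threshold. Added illustration,
# not Cloudflare's code; patterns are constructed and thresholds are toy values
# (real rulesets have hundreds of rules and correspondingly higher thresholds).
import re
from urllib.parse import unquote_plus

SEVERITY = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}   # CRS convention
THRESHOLD = {"low": 15, "medium": 10, "high": 5}                    # toy values

# (constructed rule id, severity, regex applied to the query string)
RULES = [
    ("sqli-tautology",  "CRITICAL", re.compile(r"(?i)'\s*or\s+\d+\s*=\s*\d+")),
    ("sqli-union",      "CRITICAL", re.compile(r"(?i)\bunion\b.*\bselect\b")),
    ("xss-script-tag",  "CRITICAL", re.compile(r"(?i)<script\b")),
    ("control-chars",   "WARNING",  re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),
    ("double-encoding", "NOTICE",   re.compile(r"%25[0-9a-fA-F]{2}")),
]

def score_request(query: str) -> tuple[int, list[str]]:
    """Return (cumulative anomaly score, ids of the rules that matched)."""
    decoded = unquote_plus(query)
    total, matched = 0, []
    for rule_id, severity, pattern in RULES:
        # Double encoding is only visible in the raw string, so check both forms.
        if pattern.search(decoded) or pattern.search(query):
            total += SEVERITY[severity]
            matched.append(rule_id)
    return total, matched

def decide(query: str, sensitivity: str = "medium") -> str:
    """Block once the cumulative score reaches the threshold; a lone
    low-severity indicator raises the score but does not block on its own."""
    total, _ = score_request(query)
    return "block" if total >= THRESHOLD[sensitivity] else "allow"
```

The point to take away is that a single low-severity match is recorded but tolerated, while several convergent indicators push the score over the line, which is what keeps the OWASP-style approach lower on false positives than block-on-first-match.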

These rules will fit 90% of web application use cases, but may fall short if you have specific security requirements. If you do, you’ll need the custom rules we cover in the next section.

AWS managed rules

AWS WAF offers AWS Managed Rules: a set of rule groups covering core OWASP protections, known bad inputs, SQL injection, Linux and POSIX-specific threats, and more. Beyond these, the AWS Marketplace hosts third-party managed rule groups from vendors like Fortinet, Imperva and F5, each with its own pricing (typically $20–30/month plus per-request fees). This marketplace model gives you more choice but adds cost complexity.

The marketplace option offers real flexibility for teams that need it. For example, if you’d been running Fortinet WAF on-premise, you can subscribe to Fortinet’s (or another vendor’s) rule sets.

Custom rules and rate limiting

Custom rules are where you encode your web application’s specific logic: blocking requests from certain geographies, enforcing header requirements, matching URI patterns or rate limiting API endpoints. They are evaluated before managed rules and let you tune your setup.

Rate limits restrict requests from specified users, IPs or other configurable keys. AWS WAF implements rate limits as a type of custom rule, which is why the two are covered together here.

Cloudflare custom rules and rate limiting

Cloudflare gives you 20 custom WAF rules on Pro, more on Business and Enterprise. Rules are written using Cloudflare’s expression language, which references fields like http.request.uri.path, ip.src, cf.bot_management.score and others.

Rate limiting is configured separately, with plan-tiered limits on the number of rules and the matching criteria available.

While Cloudflare’s expression language is sophisticated, the hard limit on the number of rules can be an issue: users end up bundling unrelated conditions into a single rule with OR statements, which makes management and debugging harder.

AWS custom rules and rate limiting

AWS WAF custom rules use a JSON-based rule syntax that matches on request components – headers, URI, query string, body, HTTP method, source IP. You can combine conditions with AND/OR/NOT logic.

Rate-based rules track requests from individual IPs and can trigger blocking when a threshold is exceeded. The number of rules you can create is limited only by Web ACL Capacity Units (WCUs) – the default allocation is 1,500 WCUs per Web ACL, with additional charges if you exceed it.
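As an added example (not AWS code), the two rule types just described in the AWS WAF JSON rule syntax: an AND/NOT rule on URI path and country, and an IP rate-based rule scoped to one path, together with a small local evaluator that dry-runs the statement logic against constructed requests before the Web ACL is changed. The statement shapes follow the AWS WAF rule JSON; the evaluator is my own, covers only the statement types used here, and stands in for the real five-minute rate window with a plain per-IP counter.

```python
# Two AWS WAF rules in the JSON rule syntax plus a local dry-run evaluator.
# Added example, not AWS code: statement shapes follow the AWS WAF rule JSON,
# the evaluator models only these statement types and a per-IP counter.
def byte_match(field, value, constraint):
    return {"ByteMatchStatement": {"FieldToMatch": {field: {}}, "SearchString": value, "PositionalConstraint": constraint,
                                   "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}

def vis(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

RULES = [  # lower Priority number is evaluated first, as in a Web ACL
    {"Name": "block-admin-outside-gb-ie", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"AndStatement": {"Statements": [
         byte_match("UriPath", "/admin", "STARTS_WITH"),
         {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["GB", "IE"]}}}}]}},
     "VisibilityConfig": vis("BlockAdminOutsideGbIe")},
    {"Name": "rate-limit-login", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"RateBasedStatement": {"Limit": 100, "AggregateKeyType": "IP",
                   "ScopeDownStatement": byte_match("UriPath", "/login", "EXACTLY")}},
     "VisibilityConfig": vis("RateLimitLogin")},
]

def matches(stmt, req, seen):
    """Evaluate one statement against a request dict {ip, country, path}."""
    (kind, body), = stmt.items()
    if kind == "AndStatement":
        return all(matches(s, req, seen) for s in body["Statements"])
    if kind == "OrStatement":
        return any(matches(s, req, seen) for s in body["Statements"])
    if kind == "NotStatement":
        return not matches(body["Statement"], req, seen)
    if kind == "GeoMatchStatement":
        return req["country"] in body["CountryCodes"]
    if kind == "ByteMatchStatement":  # only UriPath with LOWERCASE is modelled
        path, needle = req["path"].lower(), body["SearchString"].lower()
        return {"STARTS_WITH": path.startswith(needle), "EXACTLY": path == needle,
                "CONTAINS": needle in path}[body["PositionalConstraint"]]
    if kind == "RateBasedStatement":  # per-IP counter stands in for the rolling window
        in_scope = matches(body["ScopeDownStatement"], req, seen)
        seen[req["ip"]] = seen.get(req["ip"], 0) + in_scope
        return in_scope and seen[req["ip"]] > body["Limit"]
    raise ValueError(f"unsupported statement type {kind}")

def evaluate(req, seen):
    """Name of the first blocking rule in priority order, or None (default allow)."""
    return next((r["Name"] for r in sorted(RULES, key=lambda r: r["Priority"])
                 if matches(r["Statement"], req, seen)), None)
```

Running the same request set through this before deploying makes the AND/NOT precedence and the scope-down of the rate rule visible, which is exactly the logic that is hard to debug from a blocked request alone.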

Bundling rate limiting and custom rules together in this way is a more dev-centric approach. As with the general difference between these tools, AWS offers finer-grained control at the cost of a higher cognitive burden.

DDoS and bot management

While managed and custom rules handle specific malicious payloads, DDoS and Bot Management address the volume and intent of traffic. Both platforms aim to distinguish between legitimate users, helpful crawlers, and malicious automation, but they differ fundamentally in how they package this protection.

Cloudflare DDoS and bot management

Cloudflare includes unmetered DDoS protection on all plans, including Free. L3/L4 and L7 DDoS attacks are absorbed at the edge with no additional charge and no bandwidth penalties. Bot management is plan-tiered: basic bot detection on Pro, more sophisticated scoring and analytics on Business, and full Bot Management (with ML-based scoring and detailed bot analytics) on Enterprise.

This approach offers good, cheap protection for a variety of use cases. However, you need to upgrade to the Enterprise tier to gain control of some fairly important features. Without an Enterprise plan, you cannot see why bots were blocked, and you are left open to ‘clean IP’ attacks.

AWS DDoS and bot management

AWS provides DDoS protection through AWS Shield. AWS Shield Standard is free and automatic – it covers L3/L4 DDoS attacks on CloudFront, Route 53 and Global Accelerator. AWS Shield Advanced costs $3,000/month (annual commitment) and adds L7 DDoS protection, DDoS response team access, and cost protection (AWS credits for scaling costs caused by DDoS). Bot Control is a paid AWS Managed Rules add-on: the common tier costs $10/month plus per-request charges, with a free tier of 10 million requests/month. The targeted tier, which detects more sophisticated bots, costs more.

Here, AWS is much the same as Cloudflare at lower levels of protection. However, requiring AWS Shield Advanced for automated L7 protection (or manual configuration otherwise) makes it the more difficult, or more expensive, route at the base tiers.

Logging and observability

Logging and observability refer to how each platform surfaces the telemetry behind every security event, providing the audit trail needed for forensics and troubleshooting. While both providers capture detailed request data, they approach visibility from different business perspectives.

Cloudflare logging and observability

Cloudflare provides dashboard analytics and Instant Logs (real-time, browser-based, short-lived) on all paid plans. But Logpush – the feature that sends logs to external destinations like S3, Splunk, Datadog or your SIEM – is Enterprise only. Payload logging (seeing exactly what content triggered a rule) is also Enterprise only, and requires customer-provided encryption keys. If you’re on Cloudflare Pro or Business, you can see aggregated WAF analytics in the dashboard, but you cannot export logs to a SIEM or build custom alerting pipelines.

This approach gives you a useful at-a-glance view of WAF activity, but the lack of log export below Enterprise means teams needing forensic detail or SIEM integration will hit a wall quickly.

AWS logging and observability

CloudFront logs can be sent to CloudWatch Logs, S3 or Kinesis Data Firehose. You get up to 500 MB of WAF logs free per million WAF requests via CloudWatch Vended Logs. The logs include full request detail – matched rules, action taken, source IP, headers, URI. There’s no plan gating: logging is available to every AWS WAF user. You can query logs in CloudWatch Logs Insights, build dashboards, set alarms, and feed them into your existing SIEM.
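What that full request detail buys you in practice, as an added example that is not AWS or the author’s code: a small triage over AWS WAF log records of the kind delivered to CloudWatch Logs, S3 or Firehose (one JSON object per request). The records are constructed here, abbreviated to the fields used, but keep the real AWS WAF log field names; the two helpers answer the first questions in an investigation, which rules are blocking and why one specific request was blocked.

```python
# Triage of AWS WAF logs (one JSON object per request: action, terminating rule,
# request detail). Added example, not AWS code; SAMPLE_LOG is constructed but
# uses the real AWS WAF log field names.
import json
from collections import Counter

# Constructed sample records, abbreviated to the fields used below.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1700000000000, "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
     "terminatingRuleType": "MANAGED_RULE_GROUP", "httpSourceName": "CF",
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}}],
     "httpRequest": {"clientIp": "203.0.113.5", "country": "US", "uri": "/search", "args": "q=1'+or+1%3D1", "httpMethod": "GET", "requestId": "req-001"}},
    {"timestamp": 1700000001000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR", "httpSourceName": "CF", "ruleGroupList": [],
     "httpRequest": {"clientIp": "198.51.100.7", "country": "GB", "uri": "/", "args": "", "httpMethod": "GET", "requestId": "req-002"}},
    {"timestamp": 1700000002000, "action": "BLOCK", "terminatingRuleId": "rate-limit-login",
     "terminatingRuleType": "RATE_BASED", "httpSourceName": "CF", "ruleGroupList": [],
     "httpRequest": {"clientIp": "203.0.113.5", "country": "US", "uri": "/login", "args": "", "httpMethod": "POST", "requestId": "req-003"}},
])

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def blocks_by_rule(records):
    """Count BLOCK actions per terminating rule: the 'what is firing' view."""
    return Counter(r["terminatingRuleId"] for r in records if r["action"] == "BLOCK")

def top_blocked_ips(records, n=5):
    """Source IPs with the most blocks, for spotting a single noisy client."""
    return Counter(r["httpRequest"]["clientIp"] for r in records if r["action"] == "BLOCK").most_common(n)

def explain(records, request_id):
    """Why was this one request blocked? Drills into the managed group's inner rule."""
    for r in records:
        if r["httpRequest"]["requestId"] != request_id:
            continue
        if r["action"] != "BLOCK":
            return f"{request_id}: {r['action']} by {r['terminatingRuleId']}"
        inner = [g["terminatingRule"]["ruleId"] for g in r["ruleGroupList"] if g.get("terminatingRule")]
        detail = f" (rule {inner[0]} inside the group)" if inner else ""
        return f"{request_id}: BLOCK by {r['terminatingRuleType']} {r['terminatingRuleId']}{detail}"
    return f"{request_id}: not found"
```

The same questions can be asked of the live stream with CloudWatch Logs Insights; the value of having the log at all is that a false positive can be traced to the exact rule inside a managed group rather than guessed at from a 403.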

Here, AWS is the more open platform – full logging available to all users without plan gating – while Cloudflare reserves the same capability for its most expensive tier.

Pricing

This is where the comparison gets complicated, because the billing models are structurally different. Cloudflare charges per zone per month with WAF bundled. AWS WAF charges per component per request – unless you’re on a CloudFront flat-rate plan, which bundles everything.

Here’s what a realistic setup looks like at 50 million requests per month:

Cloudflare Pro: $20/month. WAF included. 20 custom rules. Unmetered bandwidth. No Logpush (Enterprise only). For a single zone handling this traffic volume, it’s the simplest option.

Cloudflare Business: $200/month. More custom rules, advanced rate limiting, 100% uptime SLA. Still no Logpush.

AWS WAF (pay-as-you-go): 1 Web ACL ($5) + 10 custom rules ($10) + 1 AWS managed rule group ($1) + request charges ($0.60 × 50 = $30) = approximately $46/month. Add Bot Control common tier ($10/month + per-request fees beyond the free 10 million) and you’re in the $70–80/month range, assuming Bot Control is scoped to dynamic requests only. Logging to CloudWatch or S3 adds further cost depending on volume.

CloudFront flat-rate Business plan: $200/month. Includes WAF, DDoS, CDN, DNS (Route 53), CloudWatch Logs ingestion, and S3 storage credits. Usage allowance: 125 million requests and 50 TB data transfer per month. No per-rule or per-request WAF charges. Blocked requests and DDoS traffic don’t count against your allowance.

The CloudFront flat-rate plans are the most significant recent change to this comparison. For teams already running CloudFront, the Business plan at $200/month includes everything that would cost considerably more if assembled from individual services on a pay-as-you-go basis. It also matches Cloudflare Business on price while adding AWS-native integration.

Using both: when and how to layer

Running Cloudflare WAF and AWS WAF together is a legitimate architecture. It’s not redundant if the two layers are scoped deliberately.

The pattern that works: Cloudflare sits at the edge and handles volumetric concerns – DDoS absorption, bot filtering, IP reputation, broad rate limiting. AWS WAF sits at CloudFront or ALB and handles rules specific to your web application – request validation against your API schema, geo-blocking for compliance, custom rules that reference AWS-specific context.

The pattern that causes problems: running overlapping rule sets in both. If both WAFs are blocking SQL injection with OWASP rules, you get duplicate blocks, conflicting rate limits and – critically – debugging blind spots. When a legitimate request is blocked, you need to check two dashboards, two log streams and two rule evaluation pipelines to find out why. If your Cloudflare Logpush isn’t set up (because you’re not on Enterprise), you’re doing that investigation with one hand tied behind your back.

If you’re going to layer, keep application-layer rules (OWASP, custom web application logic) in one place. Use the other for edge-level filtering only. Define which WAF owns which rule category, document it, and make sure your on-call team knows where to look.

How to decide

Cloudflare WAF only makes sense when you’re not deeply invested in AWS, or when your origin could be anywhere – multi-cloud, on-prem, a third-party platform. You get WAF, DDoS, CDN and DNS in one product from $20/month. The trade-off is that logging and advanced bot management require Enterprise pricing.

AWS WAF only makes sense when your web applications and supporting stack run on AWS, particularly if you’re already using CloudFront. The flat-rate plans make this simpler and more cost-predictable than it used to be. You get full logging at every tier, and WAF rules can reference AWS-native context. The trade-off is that DDoS protection beyond L3/L4 requires AWS Shield Advanced at $3,000/month.

Both, layered, makes sense when Cloudflare is already in the path – handling your DNS, CDN or DDoS protection – and you want WAF rules specific to your web applications closer to the origin on AWS. This is common in architectures where Cloudflare was adopted for performance or DNS and AWS WAF was added later for compliance or application-layer control. It works well if scoped carefully. It creates operational overhead if not.

The right answer depends on your stack, your compliance requirements and your team’s operational maturity. There’s no universal recommendation, but a seamless integration can offer the best of both when the use case calls for it.

How we can help

As an Advanced AWS Consulting Partner and a next-gen MSP working with SMEs and enterprises around the world, Just After Midnight is perfectly placed to take you beyond today’s read and into the nitty-gritty of configuring your WAF solution.

But that is not all she wrote. From best-in-class consultation and implementation on AWS services and architecture to protecting mission-critical websites via our 24/7 support and SRE function, Just After Midnight is your one-and-done reliability partner for protection against security attacks, downtime and more.

With over 1000 onboardings and 180 active clients (including the likes of Hilton and Cartier), you’ll be in good company.

For more Cloudflare good stuff, why not check out our comparison of Cloudflare Pages vs Workers.

Or, for anything else, just get in touch.