You’re probably looking at a grand per month per account. On the plus side, they don’t double charge for NAT gateway traffic.
Usage price seems high at first but honestly you're paying a premium for any commercial firewall product. Palo Altos, for example, are $1.38/hr if you license them through the marketplace (above the instance costs). That breaks even at 21GB/hr, so you're likely to pay a lot more for the AWS product for anything in production (possibly by an order of magnitude).
Also, depending on how you're provisioning accounts and laying out your networking, you may not want to be sticking one of these in every VPC. There's no one-size-fits-all, but in many cases a transit VPC that handles the egress centrally would make more sense.
Then you find it’s some weird inter-VPC peering transit cost through a firewall because something was designed by an external consultancy who didn’t do a cost analysis or didn’t understand which one of the myriad of complex charging rules was invoked. The end game being you’re architecturally tied into paying $1000 a month 100 times over.
Corporate clouds are complicated and with complexity comes extreme expense. Even small ones can escalate quickly.
Even though $1k is indeed a rounding error where I work vs. what we pay each month, it's becoming annoying how granular the billing for new setups is becoming. When I'm asked to compare TCO of an on-prem solution vs. a hosted one that includes all-of-the-above, I feel like I'm playing actuary and not cloud engineer.
Should security pricing only be accessible to businesses over a certain size?
A monthly price floor on services like this is trash. It’s pay-what-you-use, so it should scale evenly down to $0, just like lambda or network transfer usage costs.
But you can use Shared VPCs that span many accounts and drastically reduce the need for things like attachments to virtual gateways, NAT gateways, service endpoints, and so on.
Similar to the AWS WAF, this seems geared for a smaller team that can't afford the time to deploy and manage virtual security appliances.
It looks like they're following the same formula as the WAF on this one by letting partners provide rulesets.
I'm waiting for AWS to really flesh these products out and eat all these "partners" lunches.
A key difference is that with third-party appliances, and now with Suricata, hostname-based (rather than IP address-based) filtering can be applied at the VPC level. This isn't possible in GCP's native offerings.
Disclaimer: I should add that I work for a third-party firewall appliance company myself, so I have been looking at these developments with a lot of interest.
Although a deep-dive analysis is pending on my side, on the face of it this would seem a security-lite offering, as another hacker on this thread has put it. If one were to consider what protocols are supported for hostname-based filtering, what depth of checks are run, how ECH/ESNI is handled, and at what level of granularity policies can be attached to individual applications, the offering is a bit underwhelming to say the least. Compare that to our product [2] (on AWS and GCP): ours is more straightforward to deploy, incorporates the best protocol-level decisions already, and has a closer association with individual applications. (You basically stick the protocol and hostname (even for SSH) in the description field of each Security Group or Firewall Rule.)
[1] https://aws.amazon.com/blogs/aws/introducing-aws-gateway-loa... [2] https://chasersystems.com/
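To make concrete what "hostname-based filtering via Suricata" means in practice (and where the ECH/ESNI and protocol-depth caveats raised above bite), here is an added example of an egress allowlist in Suricata rule syntax. It is not code from any commenter or from AWS; the domain `updates.example.net`, the sids, and the `$HOME_NET`/`$EXTERNAL_NET` variables are constructed placeholders, and the keywords assume a Suricata 5/6-era ruleset.

```suricata
# Egress allowlist keyed on hostname rather than IP (added example, constructed placeholders).
# $HOME_NET is assumed to be the VPC CIDR and $EXTERNAL_NET everything else.

# 1. Allow TLS to the approved domain and its subdomains, matched on the ClientHello SNI.
#    dotprefix prepends "." to the SNI so that endswith on ".updates.example.net" matches
#    "updates.example.net" and "a.updates.example.net" but NOT "evil-updates.example.net".
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".updates.example.net"; endswith; nocase; flow:to_server; msg:"allow TLS egress to approved domain"; sid:1000001; rev:1;)

# 2. Same allowlist for cleartext HTTP, matched on the Host header.
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".updates.example.net"; endswith; nocase; flow:to_server; msg:"allow HTTP egress to approved domain"; sid:1000002; rev:1;)

# 3. Drop any TLS or HTTP egress that did not match an allow rule above.
drop tls $HOME_NET any -> $EXTERNAL_NET any (flow:to_server; msg:"deny unlisted TLS egress"; sid:1000003; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (flow:to_server; msg:"deny unlisted HTTP egress"; sid:1000004; rev:1;)

# Caveats that the rules themselves cannot fix:
#  - Only flows Suricata parses as TLS or HTTP reach these rules. A non-TLS protocol on tcp/443,
#    SSH, or raw TCP has no hostname to match and needs its own (port/protocol-based) deny rules.
#  - With ECH the ClientHello's visible SNI is the provider's public name, not the real target,
#    so rule 1 filters on the public name only; with the older ESNI draft there is no plaintext
#    SNI at all, and the flow simply never matches the allow rule.
#  - The SNI is client-supplied and unauthenticated; pair hostname rules with certificate or
#    DNS-side controls if the goal is to prevent a host from choosing its own egress destination.
```

With Suricata's default action order, `pass` rules are evaluated before `drop`, so the allow rules win regardless of where they sit in the file; with strict ordering (the mode AWS Network Firewall lets you choose) the listed order is what is evaluated, which is why the allows are written first here.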
I guess one of the reasons they chose to say URL over FQDN or hostname is that the latter two are less likely what typical developers might venture out looking for, but I could be wrong. At least the requirements, when they emerge, would want URLs to be whitelisted, and that is what the intercepting proxy world had been delivering.
Azure internal load balancers have some hang-ups, but load balancing egress or east-west traffic across security appliances in AWS has always been diabolical in comparison.
I've never used the Geneve protocol, so I can't really tell if this is going to affect which vendors can use the GWLB.