AWS Cost Optimisation
CloudFront Flat-Rate Pricing Plans: Which One is Right for Your Startup?
AWS launched new CloudFront flat-rate pricing plans with no overage charges. Compare Free, Pro, Business, and Premium tiers with real examples to find the right plan for your startup.
Cloud Associates
AWS has completely revamped CloudFront pricing with new flat-rate pricing plans. Instead of pay-per-request pricing that can spike unexpectedly, you now get predictable monthly costs with no overage charges—even during traffic spikes or DDoS attacks.
This is a game-changer for startups worried about surprise AWS bills.
This guide breaks down the four pricing tiers, shows you what’s included in each, and helps you choose the right plan based on your actual needs.
What’s New: Flat-Rate Pricing
The new pricing model bundles multiple AWS services into one monthly price:
- CloudFront CDN - Global content delivery
- AWS WAF - Web application firewall
- DDoS Protection - Always-on attack mitigation
- Amazon Route 53 - DNS hosting
- CloudWatch Logs - Log ingestion included
- TLS Certificates - Free via ACM
- CloudFront Functions - Serverless edge compute
- S3 Storage Credits - Bonus storage each month
The key benefit: no overage charges. If you get hit with a traffic spike or DDoS attack, you don’t pay extra. Blocked attacks don’t count against your usage allowance.
Note for Infrastructure as Code users: CloudFront’s flat-rate pricing plans aren’t yet available in Terraform/OpenTofu. See this GitHub issue for updates. You’ll need to configure pricing plans in the AWS Console for now.
The Four Pricing Tiers
Free ($0/month)
For hobbyists, learners, and developers getting started.
Usage Allowance:
- 1 million requests/month
- 100 GB data transfer/month
What’s Included:
- Global CDN (750+ edge locations)
- Basic WAF with 5 rules
- Always-on DDoS protection
- IP-based rate limiting
- Geographic blocking
- Route 53 DNS (50 records, 1M queries)
- 5 GB S3 storage credits
- CloudFront Functions
What’s NOT Included:
- Access logs
- Advanced DDoS protection
- Bot management
- Custom caching rules
- Header-based WAF rules
Best for: Personal projects, development environments, low-traffic marketing sites.
Pro ($15/month)
Launch and grow small websites, blogs, and applications.
Usage Allowance:
- 10 million requests/month
- 50 TB data transfer/month
Everything in Free, plus:
- 25 WAF rules
- Access logs (CloudWatch ingestion included)
- WAF request logs
- Header-based threat filtering
- Custom WAF responses
- Edge key-value store
- WordPress/PHP/SQL protections
- Route 53 DNS (100 records, 5M queries)
- 50 GB S3 storage credits
Best for: Small SaaS apps, blogs with moderate traffic, early-stage startups.
Business ($200/month)
Protect and accelerate business applications.
Usage Allowance:
- 125 million requests/month
- 50 TB data transfer/month
Everything in Pro, plus:
- 50 WAF rules
- Advanced DDoS protection (AntiDDoS AMR)
- Bot management and analytics
- JavaScript challenge
- Regex-based threat filtering
- Custom caching rules
- Custom origin/response header rules
- VPC private origins
- Uptime SLA
- Route 53 DNS (1,000 records, 20M queries)
- 1 TB S3 storage credits
Best for: Growing SaaS platforms, e-commerce sites, applications handling sensitive data.
Premium ($1,000/month)
Scale and protect business and mission-critical applications.
Usage Allowance:
- 500 million requests/month
- 50 TB data transfer/month
Everything in Business, plus:
- 75 WAF rules
- Origin Shield (high-speed origin routing + load reduction)
- Automatic origin failover
- Mutual TLS (mTLS)
- Route 53 DNS (5,000 records, 100M queries)
- 5 TB S3 storage credits
Best for: High-traffic applications, mission-critical systems, enterprise SaaS.
Need more than 500M requests or 50TB/month? Contact AWS for custom pricing.
Quick Comparison Table
| Feature | Free | Pro | Business | Premium |
|---|---|---|---|---|
| Monthly Price | $0 | $15 | $200 | $1,000 |
| Requests | 1M | 10M | 125M | 500M |
| Data Transfer | 100GB | 50TB | 50TB | 50TB |
| WAF Rules | 5 | 25 | 50 | 75 |
| Access Logs | ❌ | ✅ | ✅ | ✅ |
| Bot Management | ❌ | ❌ | ✅ | ✅ |
| Advanced DDoS | ❌ | ❌ | ✅ | ✅ |
| Origin Shield | ❌ | ❌ | ❌ | ✅ |
| Uptime SLA | ❌ | ❌ | ✅ | ✅ |
| S3 Credits | 5GB | 50GB | 1TB | 5TB |
Flat-Rate vs. Pay-As-You-Go: When to Use Each
Choose Flat-Rate Plans If:
- You want predictable monthly costs
- You’re worried about DDoS attacks or traffic spikes
- You need WAF protection bundled in
- You want simplified billing across CloudFront, WAF, and Route 53
- You’re serving under 500M requests/month
Stay on Pay-As-You-Go If:
- You need Lambda@Edge (not supported in flat-rate plans)
- You need real-time access logs
- You use CAPTCHA or targeted bot management
- You need continuous deployment/staging distributions
- Your traffic is highly variable and often below plan allowances
Important Limitations
Before switching to flat-rate plans, know what’s not supported:
Features you can’t use with flat-rate plans:
- Lambda@Edge (use CloudFront Functions instead)
- Real-time access logs (use standard logs)
- Continuous deployment / staging distributions
- CAPTCHA (use JavaScript challenge instead)
- Targeted bot management (use common bots)
- Partner managed WAF rules
- AWS WAF rule groups (create individual rules instead)
- Shield Advanced (built-in DDoS protection replaces this)
One distribution per plan: Each plan covers one CloudFront distribution with one apex domain. If you have multiple distributions, you need multiple plans.
Real-World Cost Comparison
Let’s compare costs for a typical SaaS startup:
Scenario: 5 million requests/month, 500GB data transfer, needs WAF protection
Pay-As-You-Go Pricing:
CloudFront requests: 5M × $0.0075/10K = $3.75
CloudFront data transfer: 500GB × $0.085 = $42.50
WAF Web ACL: $5.00
WAF requests: 5M × $0.60/1M = $3.00
WAF managed rules: ~$5.00
Total: ~$59/monthFlat-Rate Pro Plan:
Pro plan: $15/month
(Includes 10M requests, 50TB transfer, WAF, Route 53)
Total: $15/monthSavings: 75% - and you get DDoS protection, Route 53 DNS, and S3 credits included.
When Pay-As-You-Go Wins
Scenario: 500K requests/month, 50GB data transfer, no WAF needed
Pay-As-You-Go: ~$5/month
Free Plan: $0/month (within allowance)For very low traffic without security needs, pay-as-you-go or the Free plan wins.
Our Recommendation Framework
Based on monthly request volume and security needs:
Under 1M requests/month:
- Start with Free plan
- Upgrade to Pro if you need access logs or more WAF rules
- Expected cost: $0-15/month
1M - 10M requests/month:
- Use Pro plan
- Great value for small-to-medium applications
- Expected cost: $15/month
10M - 125M requests/month:
- Use Business plan
- Essential if you need bot management or advanced DDoS
- Expected cost: $200/month
125M+ requests/month:
- Use Premium plan
- Origin Shield alone can justify the cost at this scale
- Expected cost: $1,000/month
Migration Tips
Moving from Pay-As-You-Go to Flat-Rate
- Check for unsupported features - Remove Lambda@Edge, real-time logs, etc.
- Review your current usage - Ensure you’re within plan allowances
- Update legacy configurations - Replace OAI with OAC, use cache policies instead of ForwardedValues
- Subscribe in the console - Flat-rate plans are managed in the CloudFront console
Downgrading Plans
- Changes take effect at the start of the next billing cycle
- You can’t downgrade if current usage exceeds the lower tier’s allowance
- Cancel before month-end to avoid being charged for the current tier
What About Shield Advanced?
The old Shield Advanced ($3,000/month) is not compatible with flat-rate plans. However, the Business and Premium tiers include “Advanced DDoS Protection” using the AntiDDoS AMR, which provides:
- Automatic attack detection and mitigation
- Learning your application’s traffic patterns
- Distinguishing attacks from legitimate traffic surges
For most startups, this is sufficient. You only need the separate Shield Advanced subscription if you require:
- 24/7 DDoS Response Team (DRT) access
- Cost protection guarantees
- Features not available in flat-rate plans
Conclusion
CloudFront’s new flat-rate pricing is excellent for startups:
- Free tier is genuinely useful (1M requests, 100GB)
- Pro at $15/month is incredible value for small apps
- Business at $200/month makes sense once you need bot management
- No overage charges means no surprise bills
The main trade-off is losing access to Lambda@Edge and some advanced features. For most startups, CloudFront Functions is a sufficient replacement.
Start with the Free plan, upgrade to Pro when you need logs, and move to Business when security becomes critical.
Need help setting up CloudFront with the right pricing plan? Our AWS CDN/WAF Services include complete CloudFront configuration, WAF rules, and cost optimisation delivered in 4 weeks for a fixed price of $3,500.