AWS CloudFront Just Changed How You Pay for CDN - Here's Everything You Need to Know

In November 2025, AWS quietly launched something that a lot of cloud engineers had been asking for: flat-rate pricing for CloudFront. No overages. No bill shock. One monthly price.
But before we get into the pricing, let's make sure the foundation is clear.
Update — March 2026: AWS has expanded flat-rate plans with four new capabilities: Lambda@Edge support, CAPTCHA, mutual TLS (mTLS), and an AI activity dashboard. Key changes are reflected below. Read the full AWS announcement here.
What is AWS CloudFront and What Does It Actually Do?
CloudFront is AWS's Content Delivery Network (CDN). A CDN is a globally distributed network of servers, called edge locations, that sit closer to your users than your origin server does.
Here's the simple version of how it works:
Without CloudFront, every user request travels all the way to your origin server (say, an EC2 instance in us-east-1), gets a response, and travels back. If your user is in Mumbai and your server is in Virginia, that's a lot of miles for every single request.
With CloudFront, the content is cached at an edge location near Mumbai. The user gets the response from there faster, with less load on your origin.
But CloudFront is more than just caching static files. It also:
Terminates TLS connections close to the user (faster HTTPS handshakes)
Maintains persistent connections to your origin (reduces round trips)
Collapses duplicate requests so your origin doesn't get hammered
Routes traffic over AWS's private global network instead of the public internet
That last point matters more than people realize. The public internet is unpredictable. AWS's backbone is not.
Edge Computing: Logic That Runs Close to the User
This is where CloudFront goes beyond a traditional CDN.
With CloudFront Functions, you can run lightweight JavaScript logic at the edge, right at the point where the request hits CloudFront and before it ever reaches your origin. Things like:
Rewriting URLs or redirecting traffic
Adding or modifying HTTP headers
Simple A/B testing logic
Request validation
The benefit? Zero added latency from a round trip to your origin. The logic executes in milliseconds at the edge location nearest to your user.
This is what people mean when they say "edge computing" in the CloudFront context: compute that runs distributed, globally, close to where your users actually are.
Note: CloudFront Functions are included in the flat-rate plans. Lambda@Edge (for heavier workloads) is not; more on that in the scenarios section.
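The four uses listed above (request validation, redirect, header modification, URL rewrite) combined in one viewer-request function. This is an added example, not code from the original post or from AWS; the canonical host, the allowed-method list and the `x-internal-auth` header name are assumptions chosen for illustration.

```javascript
// Added example: a CloudFront Functions viewer-request handler (not from the post).
// Uses `var` and ES5-style code to stay within the restricted edge runtime.
var ALLOWED_METHODS = ['GET', 'HEAD', 'OPTIONS']; // assumption: read-only site
var CANONICAL_HOST = 'www.example.com';           // hypothetical domain
var EDGE_ONLY_HEADER = 'x-internal-auth';         // hypothetical header the origin trusts
var TRAVERSAL = /(\.|%2e)(\.|%2e)/i;              // "..", "%2e%2e" and mixed forms

function reject(code, description) {
    // Returning a response object answers the viewer from the edge,
    // so the request never reaches the origin.
    return { statusCode: code, statusDescription: description };
}

function handler(event) {
    var request = event.request;

    // Request validation: drop methods this site never uses.
    if (ALLOWED_METHODS.indexOf(request.method) === -1) {
        return reject(405, 'Method Not Allowed');
    }
    // Request validation: refuse path traversal, raw or percent-encoded.
    if (TRAVERSAL.test(request.uri)) {
        return reject(400, 'Bad Request');
    }
    // Redirect: any other Host goes to the canonical host.
    // The target host is a constant, so the viewer cannot steer the redirect.
    // (The query string lives in request.querystring and is dropped here.)
    var host = request.headers.host ? request.headers.host.value : '';
    if (host !== CANONICAL_HOST) {
        return {
            statusCode: 301,
            statusDescription: 'Moved Permanently',
            headers: { location: { value: 'https://' + CANONICAL_HOST + request.uri } }
        };
    }
    // Header modification: strip a header that viewers must not be able to set.
    delete request.headers[EDGE_ONLY_HEADER];
    // URL rewrite: map directory-style paths to their index document.
    if (request.uri.charAt(request.uri.length - 1) === '/') {
        request.uri += 'index.html';
    }
    return request; // returning the request forwards it to the cache/origin
}
```

Requests rejected here are answered at the edge and never reach the origin, which is the practical value of doing validation in a CloudFront Function.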
What's Included in a CloudFront Plan?
This is the part that makes the flat-rate announcement interesting. It's not just CloudFront; it's a bundle of services that you'd normally have to configure and pay for separately:
| Service | What it covers |
|---|---|
| CloudFront CDN | Global content delivery, caching, connection optimization |
| AWS WAF + DDoS protection | Web Application Firewall rules, bot management, attack blocking |
| Amazon Route 53 | DNS hosting and query resolution for your domain |
| Amazon CloudWatch Logs | Log ingestion for your distribution |
| TLS Certificate | HTTPS for your domain, managed by AWS |
| CloudFront Functions | Serverless edge compute (lightweight JS) |
| Amazon S3 credits | Monthly storage credits to offset origin storage costs |
| CAPTCHA | WAF CAPTCHA challenge responses, now included in plan price |
| mTLS | Origin mTLS (Business+), Viewer mTLS (Premium) |
One important detail: blocked DDoS traffic and WAF-rejected requests do NOT count against your usage allowance. You're only charged for legitimate traffic that passes through your rules. That's a meaningful protection against bill shock from attacks.
The Four Flat-Rate Plans and the Old Pay-As-You-Go Model
Flat-Rate Plans (Launched November 2025)
| Plan | Price | Data Transfer | Requests/month |
|---|---|---|---|
| Free | $0/month | 100 GB | 1M requests |
| Pro | $15/month | 50 TB | 10M requests |
| Business | $200/month | 50 TB | 125M requests |
| Premium | $1,000/month | 50 TB | 500M requests |
A few things worth noting:
No annual commitment required (month to month)
Up to 3 Free plans per AWS account
Up to 100 total plans per account
Each plan covers one CloudFront distribution with one apex domain
If you exceed your allowance, you won't be charged extra, but performance may be throttled (served from fewer or more distant edge locations). Consider it a soft cap, not a hard wall.
Pay-As-You-Go (Still Available, Still Valid)
The original CloudFront pricing model is still there and still works well for many use cases. With PAYG:
You pay per GB of data transfer (varies by region)
You pay per 10,000 HTTPS requests
WAF, Route 53, CloudWatch Logs, and S3 are all billed separately
Includes a perpetual 1TB free tier for data transfer
Full access to all CloudFront features including Lambda@Edge
The trade-off is clear: more flexibility and feature access, but more billing complexity and exposure to cost spikes.
Two Real Scenarios: Which Model Makes Sense?
Scenario A: Go Flat-Rate ✅
Who: A startup running a SaaS product, marketing site, web app, and API all on AWS. They use S3 for static assets, ALB for the app, and Route 53 for DNS. Traffic is growing but still in the tens of millions of requests per month. They've had a couple of unexpected WAF bill spikes when a scraper hit their site.
Why flat-rate makes sense:
Predictable monthly cost ($200 Business plan) instead of reconciling 5 different AWS service bills
WAF and DDoS protection included by default (no separate setup or billing)
Route 53 and CloudWatch Logs covered in the plan
Data transfer from S3 and ALB to CloudFront is already free on AWS; the plan covers viewer-facing data transfer
No surprise bills when traffic spikes or they get scraped
The Business plan at $200/month replaces what could otherwise be a $300–600/month variable bill across CloudFront + WAF + Route 53 + CloudWatch separately, with the added guarantee of no overages.
Scenario B: Stay on Pay-As-You-Go ✅
Who: A large e-commerce platform running CloudFront with heavy Lambda@Edge usage. They use Lambda@Edge for complex request processing: user authentication at the edge, personalization logic, and dynamic routing based on geo and device type. They handle predictable, high-volume traffic with well-understood patterns and have reserved capacity and savings plans in place.
Why PAYG still makes sense for this team:
Their traffic is massive, predictable, and already optimized with savings plans; PAYG is simply cheaper at their scale
They need granular WAF rule control beyond the bundled defaults
Advanced CloudFront configurations not available in flat-rate plans
Note: Lambda@Edge is no longer a blocker. As of March 2026, it is supported on all flat-rate plan tiers; invocations are billed separately at standard PAYG rates on top of the plan price. Similarly, CAPTCHA and mTLS are now fully supported. Scenario B now applies primarily to teams optimizing for cost at very high traffic volumes, not to Lambda@Edge users.
The flat-rate plans are designed for simplicity. If your use case demands deep customization, PAYG is still the right choice.
Who Does This Actually Matter To?
The flat-rate announcement is most relevant for:
Indie developers and side projects: The Free tier ($0/month, 1M requests, 100GB) means you can run a personal site or portfolio with WAF, DDoS protection, and Route 53 on AWS without any financial risk, even if it suddenly goes viral.
Startups and small engineering teams: Fewer services to configure, one bill to watch, security enabled by default. The Pro plan at $15/month is genuinely competitive with standalone CDN providers.
Agencies managing multiple client sites: Up to 100 plans per account. Each distribution gets its own plan, its own domain, its own budget.
AWS-native teams: If you're already on S3, ALB, or API Gateway, data transfer from those origins to CloudFront is free. The plan then covers the viewer-facing delivery. That's a meaningful compound saving.
Who it doesn't immediately help: Teams relying on Lambda@Edge, organizations needing custom WAF configurations beyond what the bundled WAF supports, or very large, predictable workloads where PAYG + savings plans is already optimized.
The Bottom Line
AWS CloudFront's flat-rate pricing doesn't replace pay-as-you-go; it sits alongside it. The right choice depends on your workload.
If you want predictability, simplicity, and built-in security without managing five separate service bills, flat-rate is the move.
If you need full control, Lambda@Edge, or advanced configurations, stay on PAYG.
The most underrated part of this launch? The fact that attack traffic and blocked requests don't count against your allowance. That alone changes the risk calculus for anyone who's ever watched their WAF bill explode during a DDoS event.
The door is now genuinely open for smaller teams to run production-grade, secure, global infrastructure on AWS without needing a cloud cost specialist to keep the bill predictable.
Thanks for reading!
Follow Bala for more.



