How FortiSASE shrinks your AWS / Azure cloud bill — the VM-sizing and egress math

By Pawan Sharma  ·  Published 26 May 2026  ·  Fortinet  ·  22 min read

Most cloud-security architectures were stitched together one VPC at a time. A FortiGate-VM pair here, a third-party SWG appliance there, a NAT Gateway in front of egress, an AWS Network Firewall endpoint per Availability Zone — each chosen sensibly, each billed by the hour and the gigabyte. By month twelve the bill no longer matches the workload. FortiSASE collapses that stack into a cloud-delivered fabric and bills it per user. The interesting question is not whether the architecture is cleaner — it obviously is — but how the cost math actually breaks down. This post does the math, with line-items, against the published AWS Mumbai and Azure Central India rate cards.

  • 3 line-items: where the savings come from. Over-sized security VMs, NAT-Gateway throughput inflated by hairpin inspection, and cloud-native NVA fees.
  • $0.395/hr: AWS Network Firewall. Per endpoint-hour, plus $0.065 / GB processed; one endpoint per AZ adds up fast.
  • $0.875/hr: Azure Firewall (Standard). Per deployment-hour, plus $0.016 / GB processed; that's $638 / month before any data.
  • Per user: FortiSASE bills the people. A per-user licence replaces a stack that billed per VM, per endpoint, per AZ and per GB.

The three line-items FortiSASE attacks

Open last month's AWS or Azure invoice for a typical mid-market workload and three line-items dominate anything labelled "security" or "network":

Over-sized security VMs

FortiGate-VM, third-party SWG, IDS/IPS appliances. Sized for peak, paid for 24×7, doubled for HA, often duplicated per VPC and per region.

NAT Gateway + cross-AZ + cross-region egress

Per-GB processing on top of per-hour, then per-GB egress on top of that. Hairpinning traffic through in-VPC inspection inflates both meters.

Cloud-native NVA fees

AWS Network Firewall and Azure Firewall — pure cloud-native services — are billed per endpoint-hour and per gigabyte processed. Both meters run forever.

The thesis of this post is simple: when FWaaS, SWG, CASB, ZTNA and DLP move out of the VPC and into FortiSASE PoPs, all three line-items get attacked at once. The in-VPC security stack shrinks (or disappears), inspection is no longer charged by the cloud, and egress stops doing pointless round-trips through it.

Architecture — before vs after

Before — security in every VPC

  • Client → cloud LB → FortiGate-VM HA pair in a security VPC
  • → SWG / IDS-IPS VM → CASB inline proxy VM
  • → ZTNA gateway / VPN concentrator VMs
  • → workload VPC → NAT Gateway → Internet
  • Plus: AWS Network Firewall endpoint per AZ or Azure Firewall deployment
  • Plus: cross-AZ + cross-region traffic for HA failover

After — security in the FortiSASE PoP

  • Client → nearest FortiSASE PoP (FWaaS, SWG, CASB, DLP, ZTNA)
  • → workload VPC over Private Link / private endpoints
  • In-cloud security stack reduced to workload subnets + minimal networking
  • NAT Gateway either gone or carrying a fraction of the volume
  • AWS Network Firewall / Azure Firewall retained only for east-west if at all
  • One per-user FortiSASE licence covers users in any location

This is what the FortiSASE Admin Guide calls a "secure access service edge" — a single cloud-delivered fabric that runs the network-security functions you were paying the hyperscaler to host inside its own VPC.

What FortiSASE delivers natively

For FortiSASE to actually replace the in-VPC stack, it has to carry all of those functions itself. Per the FortiSASE Admin Guide and datasheet, it does:

FWaaS

Cloud-delivered firewall — replaces FortiGate-VM HA pairs deployed in security VPCs.

SWG

Secure Web Gateway with URL filtering, AV, IPS, application control — replaces in-VPC SWG appliances.

CASB

Inline and API-mode CASB for sanctioned SaaS — replaces standalone CASB inline proxies.

ZTNA

Zero Trust Network Access — replaces VPN concentrator VMs and the per-instance HA pair.

DLP

Inline Data Loss Prevention — removes the need for an additional in-VPC DLP appliance.

SD-WAN to cloud

FortiExtender / IPSec / SD-WAN onramps from branch and remote users to FortiSASE PoPs.

India + global PoPs

Backed by FortiGuard Labs threat intelligence; PoPs sized to keep latency low for Indian users.

Endpoint enforcement

FortiClient + EMS push device posture into FortiSASE — so ZTNA decisions know the device, not just the user.

The math — AWS published rates (Mumbai, ap-south-1)

All rates below are taken directly from AWS's public pricing pages for the Mumbai region. Numbers shift over time — verify against aws.amazon.com/vpc/pricing/ and aws.amazon.com/network-firewall/pricing/ when you build your own model.

Component | Hourly rate | Per-GB rate | What it bills for
NAT Gateway | $0.045 / hr | $0.045 / GB | One per AZ for HA; both meters run constantly.
AWS Network Firewall | $0.395 / endpoint-hr | $0.065 / GB | One endpoint per AZ; per-GB meter on top.
Inter-AZ data transfer | n/a | $0.01 / GB | Charged both directions; HA pairs talk constantly.
Internet egress (first 10 TB) | n/a | $0.1093 / GB | Out-bound to Internet from ap-south-1.
EC2 m5.xlarge (HA pair) | ~$0.214 / hr each | n/a | Baseline cost of an in-VPC FortiGate-VM HA pair.

A worked example

Mid-market workload: 5 TB / month, 2-AZ HA, one VPC

NAT Gateway: 2 AZs × $0.045/hr × 730 hr = $65.70 hourly + 5,000 GB × $0.045 = $225 processing → $290.70 / month.

AWS Network Firewall: 2 endpoints × $0.395/hr × 730 hr = $576.70 hourly + 5,000 GB × $0.065 = $325 → $901.70 / month.

In-VPC FortiGate-VM HA pair: 2 × m5.xlarge × $0.214 × 730 = ~$312 / month compute alone (excluding licence, OS, EBS).

Inter-AZ HA chatter (≈ 500 GB / mo): 500 × $0.01 × 2 = $10 / month.

Internet egress (5 TB): 5,000 × $0.1093 = $546.50 / month.

Sub-total — in-cloud security & network: ~ $2,061 / month (~ ₹1.72 L at ₹83.5 / USD), before any FortiGate-VM, SWG or CASB licence cost.

A FortiSASE deployment removes the FortiGate-VM HA pair entirely, removes the Network Firewall endpoints (or shrinks them to east-west only), and drops NAT-Gateway throughput because most user-bound traffic now terminates in the FortiSASE PoP rather than hairpinning through the VPC. The remaining cost is the per-user FortiSASE licence and a modest amount of backhaul.

The math — Azure published rates (Central India)

Same exercise against Azure's public pricing pages for the Central India region. Source: azure.microsoft.com/en-in/pricing/details/azure-firewall/ and …/virtual-network/.

Component | Hourly rate | Per-GB rate | What it bills for
Azure Firewall (Standard) | $0.875 / hr | $0.016 / GB | Per deployment, not per endpoint; but it's still per region.
Azure Firewall (Premium) | $1.25 / hr | $0.016 / GB | Adds TLS inspection, IDPS, URL filtering, web categories.
NAT Gateway | $0.045 / hr | $0.045 / GB | Per resource; egress goes through it.
D-series VM (NVA baseline) | varies; D4s_v5 ~ $0.192 / hr | n/a | Baseline for an in-VPC NVA HA pair.

A worked example

Same workload on Azure: 5 TB / month, Central India

Azure Firewall Standard: $0.875 × 730 hr = $638.75 + 5,000 GB × $0.016 = $80 → $718.75 / month just for the firewall.

NAT Gateway: $0.045 × 730 hr = $32.85 + 5,000 GB × $0.045 = $225 → $257.85 / month.

D4s_v5 HA pair (if running an extra in-VPC NVA): 2 × $0.192 × 730 = ~$280 / month compute alone.

Sub-total — Azure native + NVA: ~ $1,257 / month (~ ₹1.05 L at ₹83.5 / USD), before any licence.

What FortiSASE replaces it with

FortiSASE is licensed per user-per-year across three tiers (FortiSASE Standard, Advanced, Comprehensive), with thin-edge throughput options for branch sites and remote users. Specific INR or USD list pricing is partner-quoted rather than published — but the structural trade is straightforward:

The structural trade

Per-VM-hour + per-GB + per-endpoint  →  per-user-per-year

Instead of paying the cloud provider by the hour for security VMs, by the GB for inspection, and by the endpoint for native firewall services, you pay Fortinet a per-user-per-year licence. The user count scales with headcount, not with cloud growth — which means cost no longer rises automatically with workload size.

The break-even is set by user count vs cloud throughput. For workloads with low user counts but high egress (think public-facing APIs), the FortiSASE per-user model is dramatically cheaper. For workloads with very high user counts and almost no egress (rare), the in-cloud stack can sometimes match it. Most real environments sit firmly on the FortiSASE side of the break-even.

A recent Ogma engagement — anonymised

Real numbers, anonymised

A mid-market Indian SaaS firm, AWS Mumbai, ≈ 180 seats, ≈ 8 TB / month egress

Three regions, one primary VPC in ap-south-1 with HA, two satellite VPCs for compliance isolation. Before the move, the in-cloud security and networking line-items broke down as below. After FortiSASE was rolled out — FWaaS + SWG + CASB + ZTNA at the PoP, FortiClient on every endpoint, FortiExtender at the two India offices — the in-cloud stack shrank to workload + minimal networking.

Line-item (monthly) | Before | After | Delta | %
FortiGate-VM HA pair (compute + licence amortised) | $1,180 | $0 | −$1,180 | −100%
AWS Network Firewall (2 endpoints + 8 TB) | $1,097 | $140 | −$957 | −87%
NAT Gateway (HA + 8 TB processed) | $425 | $135 | −$290 | −68%
SWG appliance VMs (HA pair, m5.large × 2) | $155 | $0 | −$155 | −100%
VPN concentrator VMs (replaced by ZTNA) | $110 | $0 | −$110 | −100%
Inter-AZ HA chatter | $45 | $15 | −$30 | −67%
Internet egress (8 TB) | $874 | $874 | $0 | unchanged
FortiSASE per-user licence (180 seats) | $0 | $1,120 | +$1,120 | new
Monthly total | $3,886 | $2,284 | −$1,602 | −41%

A 41% reduction on the in-cloud security and networking spend, with security posture measurably improved — every user got ZTNA + device posture, CASB now sees the sanctioned SaaS traffic that was previously invisible, and the team stopped hand-rolling NSG / security-group changes per VPC.

Figures are rounded and anonymised. They reflect one engagement's actual rate-card line-items and are not a quote — your numbers will depend on workload pattern, user count, region and tier selection.

What gets cheaper — and what gets slightly more expensive

Cheaper

  • In-VPC security VMs — most eliminated, the rest down-sized
  • AWS Network Firewall / Azure Firewall fees — often near-zero if east-west isn't required
  • NAT-Gateway throughput — fewer hairpins through the cloud's inspection chain
  • Inter-AZ HA chatter — fewer HA pairs to keep in sync
  • VPN concentrator VMs — replaced by ZTNA, which scales without per-instance HA
  • Operational toil — fewer security stacks to keep patched and certified

Slightly more expensive

  • Per-user FortiSASE licence — net-new line-item
  • Modest backhaul from VPC to FortiSASE PoP if both sides aren't already peered
  • FortiClient / FortiExtender if you weren't already running them

The honest break-even. For very high user counts on near-static workloads (tens of thousands of seats, fewer TB / month than seats), the per-user maths starts to bite — that's the case where FortiSASE Comprehensive still wins on capability, but the cost gap closes. For everything else — typical mid-market, SaaS, ITES, e-commerce — the in-cloud stack loses on every dimension.
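An added cost-model script (not code from the post, Fortinet or Ogma) that reproduces the AWS and Azure worked examples above from the page's published rates and, using the per-seat licence rate implied by the engagement table ($1,120 a month for 180 seats), computes the seat count at which the per-user licence costs as much as the in-cloud line items it removed. The rate dictionaries, function names and the "removed cost" aggregation are my own assumptions; the per-seat figure is that engagement's effective rate, not list pricing.

```python
HOURS = 730  # billing hours per month, as in the page's worked examples

# Published rates quoted on this page (USD); re-check the cloud pricing pages before reuse.
AWS_MUMBAI = {
    "nat_hr": 0.045, "nat_gb": 0.045,   # NAT Gateway, one per AZ
    "fw_hr": 0.395, "fw_gb": 0.065,     # AWS Network Firewall, one endpoint per AZ
    "inter_az_gb": 0.01,                # charged in both directions
    "egress_gb": 0.1093,                # Internet egress, first 10 TB
    "nva_vm_hr": 0.214,                 # m5.xlarge for the FortiGate-VM HA pair
}
AZURE_CENTRAL_INDIA = {
    "nat_hr": 0.045, "nat_gb": 0.045,   # NAT Gateway, one resource
    "fw_hr": 0.875, "fw_gb": 0.016,     # Azure Firewall Standard, per deployment
    "inter_az_gb": 0.0,                 # not itemised in the page's Azure example
    "egress_gb": 0.0,                   # the page's Azure example leaves egress out
    "nva_vm_hr": 0.192,                 # D4s_v5 for an optional NVA HA pair
}


def in_cloud_stack(rates, egress_gb, nat_units, fw_units, nva_vms, inter_az_gb=0.0):
    """Monthly 'before' line items (USD) for the in-VPC security and network stack.
    nat_units: NAT Gateway resources; fw_units: Network Firewall endpoints or
    Azure Firewall deployments; nva_vms: VMs in the FortiGate-VM / NVA HA pair."""
    items = {
        "NAT Gateway": nat_units * rates["nat_hr"] * HOURS + egress_gb * rates["nat_gb"],
        "Native firewall": fw_units * rates["fw_hr"] * HOURS + egress_gb * rates["fw_gb"],
        "NVA HA pair compute": nva_vms * rates["nva_vm_hr"] * HOURS,
        "Inter-AZ HA chatter": inter_az_gb * rates["inter_az_gb"] * 2,  # both directions
        "Internet egress": egress_gb * rates["egress_gb"],
    }
    items["Sub-total"] = sum(items.values())
    return items


def break_even_seats(removed_monthly_usd, licence_per_seat_month_usd):
    """Seat count at which the per-user licence costs as much as the in-cloud
    line items it removes; above it the per-user model stops being cheaper."""
    return removed_monthly_usd / licence_per_seat_month_usd


if __name__ == "__main__":
    aws = in_cloud_stack(AWS_MUMBAI, 5000, nat_units=2, fw_units=2, nva_vms=2, inter_az_gb=500)
    azure = in_cloud_stack(AZURE_CENTRAL_INDIA, 5000, nat_units=1, fw_units=1, nva_vms=2)
    for name, items in (("AWS Mumbai", aws), ("Azure Central India", azure)):
        print(name, {k: round(v, 2) for k, v in items.items()})
    # Engagement table on this page: $1,120/month for 180 seats (~$6.22 per seat-month);
    # the removed line items sum to 1180 + 957 + 290 + 155 + 110 + 30 = $2,722/month.
    print("break-even seats:", round(break_even_seats(2722, 1120 / 180)))
```

Swap in your own bill's rates and volumes to get the same line items for a different region or workload; Internet egress is carried through unchanged, as the engagement table shows.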

A 5-step deployment plan

1. Inventory the in-cloud security stack

List every FortiGate-VM, SWG, CASB, DLP and VPN-concentrator VM, every Network Firewall endpoint or Azure Firewall deployment, and the NAT-Gateway resources. Pull the last 3 months of itemised bills.

2. Map the four traffic flows

User → SaaS, user → workload (north-south), workload → Internet (egress), workload → workload (east-west). Each flow tells you which FortiSASE function it'll terminate on, and what survives in-cloud.

3. Provision FortiSASE tenancy + connectivity

Stand up the FortiSASE tenancy. Connect remote users via FortiClient, branches via FortiExtender or IPSec, and the workload VPC via IPSec to the nearest PoP. Validate latency and policy mapping.

4. Cut over one flow at a time

Start with user → SaaS (lowest blast-radius, biggest visibility win) and only then move user → workload, then workload → Internet. East-west stays in-cloud until last and may stay forever if Network Firewall is doing real east-west work.

5. Re-baseline the cloud bill at +30 days

Pull the new itemised bill. Verify NAT-Gateway, Network Firewall and EC2 / VM line-items have dropped as forecast. Document the delta; that's the savings your CFO will want to see.

FAQ

Does FortiSASE replace AWS Network Firewall and Azure Firewall completely?
For north-south traffic (user↔workload, workload↔Internet) — yes, completely. For east-west (workload↔workload across VPCs or subscriptions inside the cloud), most teams keep a thin layer of Network Firewall or Azure Firewall for traffic that never reaches the SASE fabric. The savings come from removing the north-south burden, which is by far the dominant line-item.

What's the latency impact of inspecting traffic at a FortiSASE PoP?
For users in India, Fortinet operates PoPs sized so that the added round-trip is single-digit milliseconds for sanctioned SaaS and most workload traffic. For user→workload paths where the workload is in the same cloud region as the PoP, the delta vs in-VPC inspection is rarely measurable in real-user metrics.

Can FortiSASE coexist with our existing FortiGate-VMs while we migrate?
Yes. The Fortinet Security Fabric is the explicit design point — FortiSASE, FortiGate-VM, FortiClient, FortiManager and FortiAnalyzer share policy and posture. Run them side-by-side, cut flows over progressively (Step 4 above), and decommission the FortiGate-VMs only once each flow is verified at the SASE PoP.

How does this affect data residency for Indian regulated entities?
FortiSASE PoPs in India keep user traffic inspection in-country. Workload data continues to reside in your AWS Mumbai / Hyderabad or Azure Central / South India region — FortiSASE is in the inspection path, not the data store. Confirm specifics with your compliance team against DPDP Act, RBI ITF (if BFSI) and SEBI ARPA (if regulated entity) requirements.

Do we still need NAT Gateway after moving to FortiSASE?
Usually yes, but smaller. NAT Gateway still serves workload-initiated traffic that doesn't pass through the FortiSASE PoP — patch updates from EC2 instances, container image pulls, etc. The per-GB meter shrinks dramatically because user-bound traffic no longer hairpins through it.

Is FortiSASE only for SaaS-heavy workloads, or also for traditional 3-tier apps?
Both. SaaS-heavy workloads see the biggest day-1 savings because user→SaaS flows move out of the VPC first. Traditional 3-tier apps benefit on user→workload (ZTNA replaces VPN), CASB visibility into IT-sanctioned SaaS, and the elimination of the FortiGate-VM HA pair in the security VPC.

How is FortiSASE licensed, and what's the minimum commitment?
Per-user-per-year across three tiers — FortiSASE Standard, Advanced and Comprehensive — with thin-edge throughput options for branches. Minimum user counts and tier inclusions vary; Ogma sizes the right tier against your headcount, branch footprint and the functions you need to consolidate (FWaaS, SWG, CASB, ZTNA, DLP).

How do we prove the savings to the CFO before committing?
Ogma's free FortiSASE cloud-bill audit takes the last three months of your AWS / Azure billing detail, models the in-VPC components that FortiSASE eliminates or shrinks, and returns a line-by-line before/after with the new FortiSASE per-user licence cost included. Five working days. The numbers are docs-backed and ready for finance review.

Free FortiSASE cloud-bill audit

Show the CFO the math before you commit

Ogma reviews your last three months of AWS / Azure bills, models the FortiSASE replacement architecture, and returns a line-by-line before/after with the per-user licence already factored in. Five working days, no obligation.
