AWS just made website delivery and security far more predictable with CloudFront flat-rate pricing. On November 18, 2025, Amazon launched monthly plans that roll CDN delivery, AWS WAF, DDoS protection, Route 53 DNS, CloudWatch Logs ingestion, serverless edge compute, and S3 storage credits into a single price—with no overage fees. For teams that have lived through surprise egress bills after a product launch or DDoS, this is a real shift. But you’re trading per-unit billing for allowances and capacity shaping. Know the tradeoffs before you flip the switch.
What exactly changed—and what you get for each tier
CloudFront’s flat-rate plans come in four tiers: Free ($0/mo), Pro ($15/mo), Business ($200/mo), and Premium ($1,000/mo). Each plan bundles delivery plus security and ops features, and each has published usage allowances.
Key numbers to anchor your planning:
- Free: up to 1 million requests and 100 GB transfer per month; you can run up to three Free plans per account to build, learn, or prototype without overage risk.
- Pro, Business, Premium: each includes up to 50 TB transfer per month; request allowances scale by tier—10M (Pro), 125M (Business), 500M (Premium).
- Accounts can have up to 100 plans total and you can mix flat‑rate and pay‑as‑you‑go per distribution.
- No overages: cross your allowance and you won’t get surprise charges; you may see performance shaping and will get usage notifications at 50%, 80%, and 100%.
- Blocked traffic and DDoS attacks don’t count against your allowance, which means security doesn’t accidentally tax performance or cost.
That “no overages” line is the headline, but the fine print matters. You’re effectively pre‑buying enough capacity to run comfortably inside your allowance. If you’ll consistently exceed it, plan to upgrade or stick with pay‑as‑you‑go for that distribution.
CloudFront flat-rate pricing: the new baseline for predictable delivery
For the last decade, CDN cost control has meant modeling egress by region, counting HTTPS requests, tuning cache hit ratios, and watching WAF rules. The new plans collapse that complexity into a monthly number and include security by default. If your board or CFO wants predictable spend, this is the cleanest story AWS has offered for public web and API delivery.
Here’s the thing: predictability isn’t the same as cheapest. If you run at high, consistent scale with stellar cache efficiency, pay‑as‑you‑go may still be the floor. But for bursty workloads or teams that value budget certainty over chasing pennies, the math starts to favor flat‑rate.
Who wins—and who won’t
Winners:
- Bursty traffic patterns: launches, campaigns, and PR spikes that used to threaten your egress bill; now your plan absorbs it without overages.
- Apps with a meaningful threat profile: WAF + DDoS included, and blocked traffic doesn’t count against your allowance; you’re not punished for being attacked.
- Lean teams: fewer moving parts to price and monitor; simplified forecasting for finance.
Not great fits:
- Steady 24/7 high throughput near or above 50 TB monthly per distribution, where pay‑as‑you‑go and committed‑use contracts may still be cheaper.
- Ultra‑low‑latency, edge‑compute‑heavy workloads that primarily run outside the CloudFront model, or that already rely on a different edge provider and have hard vendor constraints.
One more nuance: if you’ve consolidated around another edge vendor, weigh switching costs. We’ve helped teams save dramatically on compute by adjusting providers before—see our take on the Cloudflare Containers pricing switch—but delivery pipelines, observability, and security rules don’t move themselves. Treat this as an incremental trial, not a weekend migration.
How “no overages” actually behaves in production
Flat‑rate allowances are there to keep performance healthy at your tier. AWS will notify you at 50%, 80%, and 100% of allowance consumption, and you can watch the same numbers in the console. If you blow past your allowance, you’ll see shaping rather than a runaway bill. That makes it safe to experiment, but don’t build a business on sustained over‑allowance usage—upgrade the plan or split traffic.
Security traffic hygiene helps here. Since blocked WAF traffic and DDoS flows don’t count toward your allowance, you can tune rules to “subtract” junk before it hits your pool. That’s a rare case where raising security sensitivity directly protects performance.
Pay‑as‑you‑go vs flat‑rate: a quick comparison that’s actually fair
Comparisons often get silly because they ignore request mix and cache hit rates. A fair test looks like this:
- Pick one candidate distribution with known seasonality.
- Pull 90 days of data: total transfer by region, HTTPS request counts, cache hit ratio, and WAF block rate.
- Simulate plan fit: map your average and p95 monthly usage to Pro, Business, Premium request allowances and the shared 50 TB transfer cap.
- Stress the edge: model a 2–3× spike week to see whether you’d sit inside the allowance or need an upgrade that month.
- Assign value to predictable spend: is avoiding a potential five‑figure overage worth an extra $X in a quiet month? For many leadership teams, yes.
If your candidate easily stays under 50 TB and 125M requests with room for spikes, the Business plan at $200/month is an easy place to start. If you’re routinely around 40–45 TB and 90–110M requests, you’ll likely enjoy lower variance and fewer anxious forecasts without materially overpaying.
Let’s get practical: a migration and measurement checklist
Here’s a battle‑tested framework we use when moving critical public traffic between pricing models or vendors. It keeps surprises rare and reversions painless.
1) Choose the right pilot
Start with a high‑value, bounded surface—one domain or API with clean observability. Avoid your entire monolith on day one. Good candidates include marketing sites with seasonal bursts, content APIs, or a regional storefront.
2) Establish a baseline
Capture the last 90 days of metrics: GB out by region, HTTPS requests, average and p95 cache hit ratio, WAF block counts, 4xx/5xx rates, and median and p95 TTFB. Freeze this in a dashboard so you can run A/B comparisons later.
3) Map to a plan with 30% headroom
Pick a tier where your typical month sits under 70% of the allowance for both transfer and requests. That leaves room for launches and quirky traffic. If you’re on the fence between Pro and Business, choose Business for the request headroom; the dollar gap is small relative to the headache you’re avoiding.
4) Stand up a parallel distribution
Create a new CloudFront distribution using the flat‑rate plan. Mirror your existing origin setup, TLS policies, caching keys, and behaviors. Recreate WAF rules and test in count mode first. Keep logs flowing to CloudWatch and your external SIEM if you use one.
5) Warm and verify
Warm the cache using synthetic traffic and limited real user traffic via DNS weighted routing (start at 5–10%). Compare latency, cache hit ratio, error rates, and WAF efficacy. Iterate on cache policies and origin failover until metrics are at or better than baseline.
6) Shift progressively
Roll to 25%, then 50%, then 100% over a few days. Watch the allowance dials and the usage notifications. If you get within 80% late in a billing cycle and a launch is coming, pre‑emptively upgrade for that month.
7) Post‑move hardening
Once fully cut over, tighten WAF rules, tune bot management, and set budget alarms anyway. Flat‑rate removes overages, not the need to watch performance and abuse.
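The allowance fit check from the fair comparison and step 3 above, as an added example (not AWS tooling or code from this article). It uses the tier allowances quoted on this page; the spike model (one week at the multiplier in a 30-day month) and the treatment of the request total as including WAF-blocked requests are assumptions.

```python
# Added example: plan-fit check using the allowances quoted on this page.
# (name, USD/month, request allowance in millions, transfer allowance in TB)
PLANS = [
    ("Free", 0, 1, 0.1),
    ("Pro", 15, 10, 50),
    ("Business", 200, 125, 50),
    ("Premium", 1000, 500, 50),
]
HEADROOM = 0.70              # step 3: typical month under 70% of allowance
NOTIFY = (0.50, 0.80, 1.00)  # usage notification thresholds

def counted(requests_m, blocked_m):
    """Requests that draw down the allowance (WAF-blocked ones do not).
    Assumption: requests_m is the raw total, including blocked requests."""
    return max(requests_m - blocked_m, 0.0)

def spike_month(value, multiplier, spike_days=7, month_days=30):
    """Monthly total if spike_days run at multiplier x the normal daily rate.
    Assumption: one spike week in a 30-day month, flat traffic otherwise."""
    return value * (1 + (multiplier - 1) * spike_days / month_days)

def utilisation(plan, requests_m, transfer_tb):
    """Fraction of allowance used: the tighter of requests and transfer."""
    _, _, req_allow, tb_allow = plan
    return max(requests_m / req_allow, transfer_tb / tb_allow)

def fit(requests_m, transfer_tb, blocked_m=0.0, spike=3.0):
    """Per-tier utilisation for a typical month and a spike month."""
    req = counted(requests_m, blocked_m)
    rows = []
    for plan in PLANS:
        typical = utilisation(plan, req, transfer_tb)
        peak = utilisation(plan, spike_month(req, spike),
                           spike_month(transfer_tb, spike))
        rows.append({
            "plan": plan[0], "usd": plan[1],
            "typical": round(typical, 2), "spike": round(peak, 2),
            "has_headroom": typical < HEADROOM,
            "alerts_in_spike": [round(t * 100) for t in NOTIFY if peak >= t],
        })
    return rows

def recommend(rows):
    """Cheapest tier meeting the headroom rule, or None if no tier does."""
    return next((r["plan"] for r in rows if r["has_headroom"]), None)
```

For 40 TB and 90M requests a month, `recommend(fit(90, 40))` returns `None`: transfer alone is 80% of the 50 TB cap shared by every paid tier, so a larger tier adds request headroom but not transfer headroom.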
People ask us…
Is CloudFront flat‑rate cheaper than pay‑as‑you‑go?
Sometimes. If you run hot with great cache efficiency and low request overhead, pay‑as‑you‑go could still win. If your traffic is spiky or you want to cap financial risk from viral moments and attacks, flat‑rate is designed for you.
What happens if I exceed my allowance?
You won’t get billed extra. You may see reduced performance. You’ll get automated notifications at 50%, 80%, and 100%. Upgrade tiers if sustained usage will exceed the plan, or split traffic across plans.
Can I mix plans and pay‑as‑you‑go?
Yes. You choose per distribution. Many teams will keep core APIs on pay‑as‑you‑go and move marketing or content properties to flat‑rate to de‑risk spikes.
How many plans can I run?
Up to 100 per account, with up to three Free plans. That makes gradual adoption and ring‑fenced experiments straightforward.
Do attacks or blocked requests drain my allowance?
No. WAF‑blocked and DDoS traffic doesn’t count, which is exactly how it should be.
Gotchas and edge cases to think through
Allowance is per distribution. If you multiplex multiple busy domains into a single distribution, you can burn allowance faster than expected. Consider per‑domain distributions for cleaner isolation and upgrade control.
Cache keys and origin selection still drive cost/perf. Flat‑rate isn’t a magic wand. Bad cache keys turn a CDN into a pass‑through. Revisit cache policies, compression, and image resizing at the edge.
Logs are included but still worth optimizing. Flat‑rate plans include CloudWatch Logs ingestion. Keep retention sensible and filter noise. Your observability bill is better behaved now, but don’t treat it as free.
Plan changes are monthly. Plans auto‑renew each month. If you’re planning a big campaign or a holiday surge, upgrade early for that billing period and set a reminder to reassess afterward.
Egress from other providers. If your origin sits outside AWS, model latency and cost carefully. You’ll likely still come out ahead for predictability, but test it.
A quick scenario to sanity‑check the math
Say you’re a US‑ and EU‑heavy e‑commerce site serving 40 TB and ~90 million HTTPS requests a month with moderate cache efficiency and a healthy WAF block rate. On flat‑rate, the Business plan at $200/month covers 50 TB and 125M requests with security features on by default, plus no overages if a campaign spikes you for a week. On pay‑as‑you‑go, your cost would depend on your exact regional mix, request pricing, and cache hit ratio—cheap in quiet months, potentially volatile in big ones. If predictability is your top requirement this fiscal year, the Business plan is a rational default.
How this plays with your broader edge and cloud strategy
Flat‑rate CloudFront is part of a larger trend toward predictable, bundled compute and delivery. Cloudflare just reworked how it bills container CPU, cutting costs for bursty workloads; we broke down the move and how to capitalize in our containers pricing playbook. Reliability matters just as much as price, so pair any pricing change with your incident posture; our resilience playbook has a checklist you can adapt even if you’re all‑in on AWS.
If you want help evaluating whether flat‑rate is a fit for one of your properties, our team does this work weekly—architecture, cost modeling, and hands‑on migration. See what we do for delivery and edge strategy or reach out and we’ll scope a tight, low‑risk pilot.
Step‑by‑step: enabling a flat‑rate plan without downtime
Here’s a concise runbook you can hand to an engineer:
- Pick the plan based on 90‑day p95 usage with 30% headroom; start with Business if you’re unsure.
- Create a new distribution on the plan; mirror origin settings, TLS policies, and behaviors.
- Bind or recreate WAF rules; run sensitive rules in count mode for a day to avoid false positives.
- Enable logs to CloudWatch and your SIEM; tag everything so you can separate pilot metrics.
- Warm the cache with synthetic traffic and then 5–10% real users via weighted DNS.
- Validate TTFB, cache hit ratio, 4xx/5xx rates, and WAF efficacy against baseline; fix cache keys and compression.
- Roll traffic 25% → 50% → 100% while watching allowance gauges; set alerts at 50/80%.
- After cutover, tighten WAF rules, tune bot management, and document upgrade conditions for your on‑call runbook.
What to do next
- Shortlist one distribution that fits under 50 TB and 125M requests monthly; run the allowance fit check.
- Pilot the Business plan for a month with progressive DNS shifts.
- Instrument your allowance and performance alerts; decide in week two whether to keep or upgrade.
- Document the decision rules: when to upgrade, when to revert to pay‑as‑you‑go, and who signs off.
- If you want outside help, we’ve got a tight engagement designed for this—see our services and contact us.
Zooming out, CloudFront flat‑rate pricing is a pragmatic response to two unsolved pains: unpredictable cost and asymmetric risk from the open internet. If your business cares more about capping exposure than squeezing the last nickel out of egress, start a pilot now. Keep your engineering habits sharp—good cache keys, disciplined WAF rules, and clean runbooks—and you’ll buy yourself budget certainty without sacrificing performance.