On November 18, 2025, AWS rolled out CloudFront flat‑rate pricing with no overages. Four plan tiers—Free ($0), Pro ($15), Business ($200), and Premium ($1,000) per month—bundle CDN delivery with WAF and DDoS protection, Route 53 DNS, CloudWatch Logs ingestion, serverless edge compute, and monthly S3 credits. All paid plans include up to 50 TB of data transfer with fixed request allowances per tier. It’s a big shift from the pay‑as‑you‑go world—and for a lot of teams, it can turn unpredictable bills into a fixed line item.
Here’s the thing: flat‑rate sounds like a slam dunk until you hit the edges. The allowances, the “one domain per plan” constraint, and how performance behaves after you exceed the plan’s limits all matter. If you’re deciding whether to switch, this guide gives you the math, the tradeoffs, and a one‑week migration plan you can actually run.
What changed—and why it matters now
Until now, most CloudFront customers lived on pay‑as‑you‑go: you paid per GB of data transfer to the internet, per 10,000 requests, and for extras like logs and edge compute. With the new plans, you can opt into a fixed monthly price that covers:
• CloudFront CDN delivery
• AWS WAF and DDoS protection (bot management included)
• Route 53 DNS
• CloudWatch Logs ingestion
• Serverless edge compute
• Monthly S3 storage credits
Plan allowances are straightforward: the Free tier supports 1 million requests and 100 GB of transfer (up to three Free plans per account). Paid tiers include 50 TB of transfer, with requests increasing per tier: Pro at 10 million, Business at 125 million, and Premium at 500 million per month. If you exceed the allowance, you won’t pay overages—but AWS may reduce performance for the rest of the cycle. You can mix flat‑rate and pay‑as‑you‑go distributions in the same account, and you can migrate existing distributions into a plan without an annual commitment.
CloudFront flat‑rate pricing: the real math
Let’s get practical. Under pay‑as‑you‑go in North America, CloudFront data transfer commonly starts around $0.085/GB after the first 1 TB, with request pricing layered on top. A single Pro plan includes up to 50 TB of transfer for $15/month. At pay‑as‑you‑go rates, 50 TB of egress alone can run well over four thousand dollars depending on region mix. On its face, that makes Pro look almost too good to be true.
But here are the catches you must model before you flip the switch:
• One domain per plan: each plan covers one distribution with a single domain. Multi‑brand or multi‑market architectures may need multiple plans. Accounts can have up to 100 plans.
• Request ceilings: Pro includes 10 million requests/month. If you regularly push 80–200 million requests, you’ll need Business or Premium—still with 50 TB of transfer included.
• Post‑allowance behavior: there are no overage charges, but performance can be throttled after you hit your allowance. That’s safer for budgets, riskier for launches if you size too small.
• Feature fit: the plan bundles WAF, DDoS protection, DNS, logs, and edge compute. If you already negotiated enterprise WAF pricing or run complex edge logic, confirm that the included allowances meet your needs.
Who should switch immediately?
Use this quick framework to decide in 30 minutes:
1) Map traffic: Pull 90 days of CloudFront or CDN logs. For each domain, compute monthly medians and p95 for requests and egress by region. If you have multiple domains per site, list them separately.
2) Fit to a plan: For each domain, find the smallest plan that covers p95 requests and 50 TB egress. If your egress is well under 50 TB but requests are high, you’ll size based on requests (e.g., Business at 125 million).
3) Stress for spikes: Check p99 for launches or promotions. If a spike would push you past the plan’s request cap, model the cost of creating a second plan for a temporary blue/green distribution during the event.
4) Validate security posture: If you rely on WAF managed rule groups, bot controls, or geo blocks, ensure your current rules translate cleanly and that the included capabilities match your policy. Keep your existing ruleset ready to import.
5) Confirm origin economics: The plan covers viewer egress; origin-to-CloudFront transfer from S3, ALB, or API Gateway is already free. Ensure your origin scaling and cache policies still make sense when egress is “fixed.”
If one or more of your domains maps neatly into Pro or Business without brushing the caps, you’re a candidate to switch now and pocket the savings—we’ve published thresholds and edge cases worth reviewing.
What about high‑traffic and SaaS multi‑tenant setups?
For multi‑tenant SaaS, the “one domain per plan” rule is the gating factor. If your tenants ride a single apex domain (e.g., customers on subpaths), you’re fine. If each tenant needs its own domain, you’ll consume multiple plans quickly. In that world, Business or Premium plans can still be a steal compared to pay‑as‑you‑go—but the operational overhead of plan sprawl becomes a real concern. Consider grouping smaller tenants under a shared domain while keeping enterprise tenants on dedicated pay‑as‑you‑go distributions with custom SLAs.
Media and API workloads deserve special attention. Low‑latency APIs can be sensitive to any post‑allowance performance reduction. If your request counts flirt with the ceiling, either size up a tier or keep the workload on pay‑as‑you‑go with a stop‑loss budget alert. For streaming, where bandwidth dominates, a paid flat‑rate plan will almost certainly beat pay‑as‑you‑go on egress alone, but confirm request volumes during ad beacons and playlist churn.
“No overages” isn’t “no limits”
Flat‑rate removes billing shock, not physics. Push past your allowance and you’ll be protected from runaway invoices, but AWS can reduce performance for the remainder of the month. Build safeguards:
• Set 50/80/100% usage alerts on requests and transfer. Wire alerts to an engineering‑owned Slack channel, not just finance.
• Pre‑provision an upgrade path: keep a Business or Premium plan ready to activate, or stage a secondary distribution you can promote in DNS.
• Treat major events like capacity tests: before a launch, run traffic replays or synthetic load to validate plan fit.
Concrete numbers you can plan around
• Launch date: plans became available on November 18, 2025.
• Tiers: Free ($0), Pro ($15), Business ($200), Premium ($1,000) per month.
• Transfer: all paid tiers include up to 50 TB/month.
• Requests: Pro 10 million; Business 125 million; Premium 500 million per month.
• Alerts: AWS sends emails at 50%, 80%, and 100% of plan usage.
• Accounts: up to three Free plans per account; up to 100 plans total across tiers.
• Migration: you can move existing distributions into a plan; mixing with pay‑as‑you‑go is supported.
Cost modeling that won’t lie to you
Start with your last full month:
1) Break out by domain: requests, egress GB, and regional split (NA/EU/APAC/SA).
2) Compute pay‑as‑you‑go cost: use current CloudFront pricing for your regions—don’t forget the first 1 TB free tier on pay‑as‑you‑go distributions.
3) Compare to flat‑rate: if any distribution’s p95 usage fits Pro or Business with room to spare, assign it a plan and retotal the month.
4) Sensitivity test: add 2× and 3× request spikes and 1.5× egress spikes to see if you’d cross plan limits. Model the impact of a temporary upgrade (e.g., Pro → Business) versus staying put.
For teams new to edge compute or Node.js runtime changes at the edge, align your modernization with the switch. Our AWS Lambda Node.js 24 upgrade guide covers the gotchas that frequently surface when you move more logic to the edge.
Security tradeoffs and opportunities
Bundled WAF and DDoS protection is the sleeper benefit here. If you’ve deferred bot controls or geo policies because of unpredictable WAF costs, a flat‑rate plan makes it easier to enforce them consistently. Use the migration to tighten rules and reduce origin load. And if you’re worried about software supply‑chain abuse driving malicious traffic, keep our npm supply‑chain attack playbook close; it pairs well with edge‑level filters.
How to migrate in one week
Day 1: Choose candidates. Pick one low‑risk domain and one high‑traffic domain. Pull 90 days of metrics (requests, GB, cache hit ratio). Decide initial plans (e.g., Pro for the smaller site, Business for the larger).
Day 2: Replicate config. Create a new CloudFront distribution under the chosen plan. Import TLS certs, headers, cache keys, and origin policies. Clone WAF rules and logging destinations. Keep the old distribution alive for rollbacks.
Day 3: Staging and cache. Point a staging domain (e.g., staging.domain.com) to the new distribution. Warm key paths, verify redirects, images, and API calls. Run lighthouse and synthetic checks from 5+ regions.
Day 4: Traffic trickle. Migrate 10–20% of users via weighted DNS. Watch cache hit ratio, error rates, WAF blocks, and origin CPU.
Day 5: Full cutover. Flip DNS for 100%. Keep the old distribution ready as a read‑only fallback for 24–48 hours.
Day 6: Validate allowances. Review request and transfer counters mid‑cycle. If you’re skating near caps, schedule a plan upgrade before your next campaign.
Day 7: Document and automate. Bake plan checks into CI/CD. Add budget and usage alerts at 50/80/100%. Create a runbook for event upgrades and emergency rollbacks.
People also ask
Does flat‑rate include 50 TB on every paid tier?
Yes. Pro, Business, and Premium each include up to 50 TB of data transfer per month. Tiers differ on request allowances and advanced capabilities.
What happens when I exceed my plan?
You won’t be billed overages, but AWS can reduce performance for the rest of the billing cycle. Plan upgrades apply going forward, so keep alerts and a rollback path ready.
Can I use multiple domains under one plan?
No. Plans are one distribution with one domain. If you host multiple brands or markets on separate domains, you’ll need additional plans—up to 100 per account.
Can I mix flat‑rate and pay‑as‑you‑go?
Yes. You can keep certain workloads on pay‑as‑you‑go (for example, volatile API traffic) and put stable, predictable sites on flat‑rate.
Risks and edge cases
• Event seasonality: a few days of holiday traffic can blow through request caps. Model worst‑case and schedule a temporary plan upgrade.
• Bot and scraper pressure: flat‑rate encourages stricter WAF. Just be careful with false positives; tune rules on staging first.
• Plan sprawl: many small domains can force operational overhead. Standardize distribution templates and IaC modules to keep plans sane.
• Logs and analytics: CloudWatch Logs ingestion is included, but queries still cost money elsewhere. Don’t shift the spend problem from egress to analysis without planning.
What to do next (this week)
• Audit by domain: classify each distribution as switch‑now, test‑first, or stay‑pay‑as‑you‑go.
• Stand up one Pro and one Business pilot and run the week‑long migration playbook above.
• Wire alerts and owner: engineering, not finance, should own 50/80/100% usage alerts.
• Pre‑approve upgrades: document who can bump a plan during a launch, and how.
• Revisit caching: with viewer egress “fixed,” more aggressive TTLs can cut origin bills further.
Zooming out
For years, teams begged for predictable CDN and security costs that didn’t punish them for success or for getting attacked. CloudFront flat‑rate pricing gets you most of the way there. The savings—especially for bandwidth‑heavy sites—are real. The limits are real too. Treat this as a new primitive in your architecture toolbox, not a blanket switch. Pilot, measure, then expand.
If you want a sanity check on your plan fit or a second set of eyes on the migration runbook, our team has shipped dozens of CDN and edge compute rollouts. See what we do for engineering teams and browse a few recent builds in our portfolio. If you’re wrestling with adjacent platform changes—App Store AI disclosures, Copilot billing, or .NET LTS moves—we’ve written practical guides on those too in the blog.
