diff --git a/aws/modules/infrastructure_modules/vpc/firewall.tf b/aws/modules/infrastructure_modules/vpc/firewall.tf
index 818aa67..99ec555 100644
--- a/aws/modules/infrastructure_modules/vpc/firewall.tf
+++ b/aws/modules/infrastructure_modules/vpc/firewall.tf
@@ -8,7 +8,7 @@ resource "aws_networkfirewall_firewall" "firewall" {
   vpc_id = module.vpc.vpc_id
   dynamic "subnet_mapping" {
-    for_each = aws_subnet.network_firewall[*].id
+    for_each = var.firewall_endpoint_per_az ? aws_subnet.network_firewall[*].id : [aws_subnet.network_firewall[0].id]
     content {
       subnet_id = subnet_mapping.value
diff --git a/aws/modules/infrastructure_modules/vpc/variables.tf b/aws/modules/infrastructure_modules/vpc/variables.tf
index c4ef5c7..f32f5a8 100644
--- a/aws/modules/infrastructure_modules/vpc/variables.tf
+++ b/aws/modules/infrastructure_modules/vpc/variables.tf
@@ -146,6 +146,13 @@ variable "domain_allow_capacity" {
   description = "Capacity for Domain allow rule group"
 }
+variable "firewall_endpoint_per_az" {
+  type = bool
+  description = "Whether to create a firewall endpoint per-AZ or just use one. Note: There are running costs associated with Firewall Endpoints. For Production-like environments this should be true"
+
+  default = true
+}
+
 # Subnet ACLs
 variable "create_public_dedicated_network_acl" {
   description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
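Review bot: The single-endpoint branch of the new `for_each` pins every AZ to `aws_subnet.network_firewall[0]`, but nothing in this hunk adjusts whatever consumes the firewall's per-AZ endpoint list (presumably route tables built from `firewall_status[0].sync_states` elsewhere in the module); with the flag set to false those AZs have no local endpoint, so their routes either fail to resolve or must be pointed cross-AZ at the one endpoint, and any AZ left without a route through it carries uninspected traffic. Please confirm the route-table side handles the single-endpoint case and state the intent next to the expression, e.g. `# Single-endpoint mode: all AZs must route to the endpoint in the first firewall subnet; an AZ without that route bypasses inspection.`. If `aws_subnet.network_firewall` can be empty (a `count` not visible here), `[0]` is a plan-time index error rather than an empty mapping, so a `try()`/`one()`-style guard would be needed. The `aws_networkfirewall_firewall` resource starts and ends outside the hunk.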
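Review bot: The description of `firewall_endpoint_per_az` documents only the cost side of the trade-off; the other side — a single endpoint makes inspection depend on one AZ and sends every other AZ's traffic cross-AZ to it — is the actual reason production should keep `true`, and it belongs in the variable's contract. Suggested wording: `description = "Create one firewall endpoint per AZ (true) or a single endpoint in the first firewall subnet (false). A single endpoint saves endpoint running costs but routes all AZs' traffic to one AZ, so inspection has no path if that AZ is impaired; keep true for production-like environments."`. The blank line between `description` and `default` looks like a stray one and does not match the compact layout of the adjacent variable blocks.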