AWS Architecture for discrimiNAT Firewall

The discrimiNAT firewall is a highly-available EC2 Instance placed on the route between application subnets and the internet, filtering HTTPS/TLS traffic transparently for policy adherence and compliance. Chaser also recommends AWS' reference architecture, VPC with Public and Private Subnets (NAT); in it, the discrimiNAT firewall simply takes the place of the NAT Instance.

Here is a representation of a typical network layout in one Availability Zone, with discrimiNAT performing the firewalling and NAT functions in a customer-provided VPC and subnets.

[Figure: AWS Architecture for discrimiNAT firewall]

Key points to note are:

  • Application instances are in a Private/Application Subnet and do not have direct access to the internet. These subnets are configured to have Private IP Addresses only.
  • The discrimiNAT firewall receives internet-bound traffic from the Private Subnet via a route for destination 0.0.0.0/0 (i.e. everything other than the local networks within the VPC) whose target is the Elastic Network Interface attached to the firewall.
  • An AutoScaling Group (for High Availability), the Elastic Network Interface & Elastic IP, and the requisite IAM Permissions for Logging can be provisioned with one click via our Standalone discrimiNAT firewall for existing VPC CloudFormation template.
  • Alternatively, after subscribing to the AMI via the AWS Marketplace, the customer may configure a discrimiNAT instance for their bespoke architecture by supplying only the hostname whitelist through an AWS SSM Parameter. The whitelist can be altered at any time, on the fly, through a RESTful API call to the AmazonSSM.PutParameter endpoint.
  • A separate discrimiNAT (NAT) Instance per Availability Zone is recommended. This is again in line with AWS' reference architecture on VPC with Public and Private Subnets (NAT).
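The following CloudFormation fragment is an added example and is not Chaser's Standalone discrimiNAT template. It wires up one Availability Zone the way the points above describe: a static Elastic Network Interface with an Elastic IP in the public subnet, a private route table that sends 0.0.0.0/0 to that ENI, an SSM Parameter holding the hostname whitelist, an IAM role carrying the logging permissions, and a one-instance AutoScaling Group. Everything not stated on the page is an assumption: the parameter name `/discriminat/whitelist` and its value format, CloudWatch Logs as the log destination, the `t3.small` instance size, the sample CIDR and hostnames, and the mechanism by which the autoscaled instance attaches the static ENI to itself at boot (the usual pattern for a replaceable NAT instance). Substitute the names and formats the product's own documentation specifies.

```yaml
# Added example (not the product's own template). Assumptions are marked inline.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:             { Type: AWS::EC2::VPC::Id }
  PublicSubnetId:    { Type: AWS::EC2::Subnet::Id }   # has a route to an Internet Gateway
  PrivateSubnetId:   { Type: AWS::EC2::Subnet::Id }   # application subnet, private IPs only
  PrivateSubnetCidr: { Type: String, Default: 10.0.1.0/24 }   # constructed sample CIDR
  FirewallAmiId:     { Type: AWS::EC2::Image::Id }    # discrimiNAT AMI from the Marketplace

Resources:
  FirewallSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: Accept only internet-bound TLS from the application subnet
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref PrivateSubnetCidr }

  # Static ENI: the private subnet's default route targets this interface.
  FirewallEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnetId
      GroupSet: [!Ref FirewallSecurityGroup]
      SourceDestCheck: false   # must be off for any instance that forwards or NATs packets

  FirewallEip:
    Type: AWS::EC2::EIP
    Properties: { Domain: vpc }
  FirewallEipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt FirewallEip.AllocationId
      NetworkInterfaceId: !Ref FirewallEni

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref VpcId }
  # 0.0.0.0/0 covers everything the VPC's implicit "local" route does not.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref FirewallEni
  PrivateSubnetRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

  # Hostname whitelist; later changes go through ssm:PutParameter, no redeploy needed.
  HostnameWhitelist:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /discriminat/whitelist                  # assumed parameter name
      Type: StringList
      Value: api.example.com,updates.example.org   # constructed sample value

  FirewallRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
      Policies:
        - PolicyName: discriminat-runtime
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow     # logging; CloudWatch Logs as destination is an assumption
                Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/discriminat/*"
              - Effect: Allow     # read the whitelist, scoped to that single parameter
                Action: ssm:GetParameter
                Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${HostnameWhitelist}"
              - Effect: Allow     # attach the static ENI at boot (assumed HA mechanism)
                Action: [ec2:AttachNetworkInterface, ec2:DescribeNetworkInterfaces]
                Resource: "*"     # Describe* calls cannot be resource-scoped
  FirewallInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [!Ref FirewallRole] }

  FirewallLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref FirewallAmiId
        InstanceType: t3.small            # constructed; size to the expected throughput
        IamInstanceProfile: { Arn: !GetAtt FirewallInstanceProfile.Arn }
        SecurityGroupIds: [!Ref FirewallSecurityGroup]
  # Exactly one instance per AZ; the ASG replaces it when the health check fails.
  FirewallAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: "1"
      MaxSize: "1"
      VPCZoneIdentifier: [!Ref PublicSubnetId]
      LaunchTemplate:
        LaunchTemplateId: !Ref FirewallLaunchTemplate
        Version: !GetAtt FirewallLaunchTemplate.LatestVersionNumber
```

Deploy one copy of this stack per Availability Zone, each with that zone's own public and private subnet IDs, so that a zone failure does not take egress down for the others. To change the whitelist without touching the stack, call the same PutParameter endpoint the page mentions, for example `aws ssm put-parameter --name /discriminat/whitelist --type StringList --value "api.example.com,cdn.example.net" --overwrite`; because the route table and ENI are independent of the instance, a replaced instance comes back behind the same Elastic IP and route, which is what keeps the private subnet's default route stable across instance turnover.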

Further reading: