AWS Architecture for Secure Egress Gateway

The Secure Egress Gateway is a highly available EC2 instance placed on the route between the application subnets and the Internet, transparently filtering outbound HTTPS/TLS traffic for policy adherence and compliance. Chaser recommends AWS' reference architecture for a VPC with Public and Private Subnets (NAT); the Secure Egress Gateway simply takes the place of the NAT instance in that design.

Below is a typical network layout in one Availability Zone, in a customer-provided VPC and subnets, with the Secure Egress Gateway performing both the firewalling and the NAT function.

(Diagram: AWS Architecture for Secure Egress Gateway, one Availability Zone)

Key points to note are:

  • Application instances live in a Private (Application) Subnet and have no direct path to the Internet: they are assigned private IP addresses only, and their route table carries no Internet Gateway entry.
  • The Secure Egress Gateway receives Internet-bound traffic from the Private Subnet via a route for destination 0.0.0.0/0 (i.e. everything other than the VPC's own address range, which the implicit local route covers) whose target is the Elastic Network Interface attached to the gateway instance. As with any NAT instance, source/destination checking must be disabled on that interface, otherwise EC2 drops packets the gateway forwards on behalf of other hosts.
  • An Auto Scaling group (for high availability), the Elastic Network Interface and Elastic IP, and the IAM permissions required for logging can be provisioned with one click using our Standalone Secure Egress Gateway for existing VPC CloudFormation template.
  • Alternatively, after subscribing to the AMI on the AWS Marketplace, the customer may fit the Secure Egress Gateway instance into their own architecture by supplying only the hostname whitelist through an AWS SSM Parameter. The whitelist can be changed on the fly at any time with a call to the SSM PutParameter API (the AmazonSSM.PutParameter target).
  • A separate Secure Egress Gateway per Availability Zone is recommended, with each zone's private route table pointing at the gateway in its own zone, so that the loss of one zone does not take egress away from the others. This again follows AWS' reference architecture on VPC with Public and Private Subnets (NAT).
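The layout the list above describes, written out as an added CloudFormation fragment for one Availability Zone. It is illustrative and is not Chaser's own template (whose contents are not on this page): it assumes the customer supplies the VPC and two subnets, uses an assumed whitelist parameter name of /egress-gateway/whitelist with placeholder hostnames, and leaves out the gateway instance or Auto Scaling group and the user-data that attaches the ENI at boot.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative egress-gateway plumbing (not Chaser's template) for one AZ

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:            # subnet whose route table points at the Internet Gateway
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetId:           # application subnet; instances get private IPs only
    Type: AWS::EC2::Subnet::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16     # assumed VPC range, used to scope the security group
  WhitelistParameterName:    # assumed name; the product's real parameter name is not on this page
    Type: String
    Default: /egress-gateway/whitelist

Resources:
  # Only hosts inside the VPC may send TLS through the gateway, so it can
  # never be reached as an open proxy from the Internet side.
  GatewaySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: Accept HTTPS from application subnets only
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  # The ENI the private route table targets. SourceDestCheck must be false:
  # a NAT/filtering instance forwards packets that are neither sourced from
  # nor addressed to its own IP, and EC2 drops those when the check is on.
  GatewayInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnetId
      SourceDestCheck: false
      GroupSet:
        - !Ref GatewaySecurityGroup

  GatewayEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  GatewayEipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt GatewayEip.AllocationId
      NetworkInterfaceId: !Ref GatewayInterface

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  # 0.0.0.0/0 -> gateway ENI. The VPC-local route is implicit and more
  # specific, so intra-VPC traffic never touches the gateway.
  DefaultRouteViaGateway:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref GatewayInterface

  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

  # Hostname whitelist the gateway reads. Placeholder values; change later
  # with ssm:PutParameter (overwrite) without touching the stack.
  HostnameWhitelist:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Ref WhitelistParameterName
      Type: StringList
      Value: "api.example.com,packages.ubuntu.com"

  # Assumed least-privilege instance role: read that one parameter and write
  # logs to CloudWatch Logs, nothing else.
  GatewayRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: egress-gateway
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${WhitelistParameterName}
              - Effect: Allow
                Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
                Resource: "*"
```

Once the stack is up, the whitelist is edited in place with `aws ssm put-parameter --name /egress-gateway/whitelist --type StringList --value "api.example.com,packages.ubuntu.com,new.example.org" --overwrite`; the stack itself need not change. Two checks worth making after deployment: `aws ec2 describe-network-interface-attribute --attribute sourceDestCheck` on the gateway ENI should report false, and from an application instance a request to a hostname that is not on the list should be refused while a listed one succeeds. For a multi-AZ deployment, repeat the ENI, EIP, route table and association per zone and point each zone's private subnet at its own gateway.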

Further reading: