If you require complex or custom routing, and have Infrastructure-as-Code for your deployments already, this is where you will find the key information. Terraform practitioners pick this option.
For a 5-minute deployment, with secure defaults, from within the marketplace console itself. This will totally lock down the private subnets in your VPC from the get-go: outbound connections succeed only where appropriate FQDN-based egress firewall rules exist.
The various ways AWS-native Security Groups can be annotated with appropriate FQDN allowlists and traffic monitoring rules after deployment of discrimiNAT.
Fields, filters and recipes to find what you need from discrimiNAT’s config and flow logs in AWS.
Pertaining to the Quick Start only. If you go down the DIY route, the architecture will be as per your design.
The discrimiNAT firewall is a highly-available EC2 Instance placed on the route between application subnets and the internet, filtering TLS and SSH traffic transparently for policy adherence and compliance. AWS' reference architecture, VPC with Public and Private Subnets (NAT), is the layout Chaser recommends too, and the discrimiNAT firewall simply takes the place of the NAT Instance in it.
Here is a representation of a typical network layout in one Availability Zone, with discrimiNAT performing the firewalling and NAT functions in a customer-provided VPC and subnets.
Our library of CloudFormation templates caters for a variety of scenarios in which to set up a discrimiNAT firewall. Have a look below to pick one and launch it straight away! If your circumstances do not fit any of these, get in touch, and we’d be happy to add more to our library.
Best suited for cases where VPCs and related networking are managed by the customer to their own design. This stack places a discrimiNAT firewall in the environment, but the customer must then change the route tables of the Private/Application Subnets (the ones holding the EC2 instances that currently reach the internet via a NAT Gateway) so that their default route points at the discrimiNAT firewall instead.
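The re-routing step above is the one that is easy to miss in a DIY setup, and a private subnet left pointing at the NAT Gateway silently bypasses the firewall. The following is an added example (not part of the discrimiNAT docs or templates) that audits route tables shaped like the output of boto3's `ec2.describe_route_tables()` and reports any whose `0.0.0.0/0` route does not target the firewall's ENI; all IDs are constructed sample values, and the firewall ENI set is an assumption you would fill from your own deployment.

```python
# Added example, not from the discrimiNAT project: audit private-subnet route tables
# so that every 0.0.0.0/0 route targets the discrimiNAT firewall's ENI rather than
# a NAT Gateway. Input mimics the shape of boto3 ec2.describe_route_tables().
# Route table IDs, ENI IDs and NAT gateway IDs below are constructed sample values.

FIREWALL_ENIS = {"eni-0aaa111122223333"}  # assumed: the firewall's ENI in this AZ

SAMPLE_ROUTE_TABLES = [
    {   # already routed via the firewall: compliant
        "RouteTableId": "rtb-0private1",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0aaa111122223333", "State": "active"},
        ],
    },
    {   # still sends internet-bound traffic to a NAT Gateway: bypasses the firewall
        "RouteTableId": "rtb-0private2",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb44445555", "State": "active"},
        ],
    },
    {   # no default route at all: isolated subnet, nothing to fix
        "RouteTableId": "rtb-0isolated",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]

def default_route_target(route_table):
    """Return (target_key, target_id) of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # NetworkInterfaceId is checked first: instance-targeted routes carry both
            # InstanceId and NetworkInterfaceId, and the ENI is what we compare against.
            for key in ("NetworkInterfaceId", "NatGatewayId", "GatewayId", "InstanceId", "TransitGatewayId"):
                if key in route:
                    return key, route[key]
    return None

def find_firewall_bypasses(route_tables, firewall_enis):
    """Route tables whose default route does not go through one of the firewall ENIs."""
    bypasses = []
    for rt in route_tables:
        target = default_route_target(rt)
        if target is None:
            continue  # isolated subnet: no internet path to police
        key, value = target
        if not (key == "NetworkInterfaceId" and value in firewall_enis):
            bypasses.append((rt["RouteTableId"], key, value))
    return bypasses

def replace_route_params(route_table_id, firewall_eni):
    """Keyword arguments for ec2.replace_route() to repoint the default route at the firewall."""
    return {"RouteTableId": route_table_id, "DestinationCidrBlock": "0.0.0.0/0",
            "NetworkInterfaceId": firewall_eni}

if __name__ == "__main__":
    for rtb, key, value in find_firewall_bypasses(SAMPLE_ROUTE_TABLES, FIREWALL_ENIS):
        print(f"{rtb}: default route via {key}={value}; fix:", replace_route_params(rtb, next(iter(FIREWALL_ENIS))))
```

Running the audit periodically (or as a pipeline check) catches a subnet that was re-attached to a NAT Gateway route table after the firewall went in.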
This is supplied as a working example with a typical network layout for one Availability Zone. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.
This is supplied as a working example with a typical network layout for three Availability Zones. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.
The discrimiNAT firewall is self-served from the AWS Marketplace. The CloudFormation stacks discussed above are available to launch on subsequent steps from the marketplace subscription.