discrimiNAT on AWS

Table of Contents

DIY ➜

If you require complex or custom routing, and have Infrastructure-as-Code for your deployments already, this is where you will find the key information. Terraform practitioners pick this option.

QUICK START ➜

For a 5-minute deployment, assuming secure defaults, from within the marketplace console itself. This will totally lock down the private subnets in your VPC from the get-go unless appropriate FQDN-based egress firewall rules exist for outbound connections.

CONFIG REFERENCE ➜

The various ways AWS-native Security Groups can be annotated with appropriate FQDN allowlists and traffic monitoring rules after deployment of discrimiNAT.

LOGS REFERENCE ➜

Fields, filters and recipes to find what you need from discrimiNAT’s config and flow logs in AWS.

ARCHITECTURE

Pertaining to the Quick Start only. If you go down the DIY route, the architecture will be as per your design.

The discrimiNAT firewall is a highly-available EC2 Instance placed on the route between application subnets and the internet, filtering TLS and SSH traffic transparently for policy adherence and compliance. Chaser also recommends AWS' reference architecture on VPC with Public and Private Subnets (NAT); the discrimiNAT firewall simply takes the place of the NAT Instance in that design.

Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

Here is the representation of a typical network layout in one Availability Zone with discrimiNAT performing the firewalling and NAT functions, in a customer-provided VPC and subnets.

Figure: AWS architecture for the discrimiNAT firewall

Key points to note

  • Application instances are in a Private/Application Subnet and do not have direct access to the internet. These subnets are configured to have Private IP addresses only.
  • The discrimiNAT firewall receives internet-bound traffic from the Private Subnet via a route for destination 0.0.0.0/0 (i.e. everything other than local networks within the VPC) whose target is the Elastic Network Interface attached to the firewall.
  • An Auto Scaling Group (for High Availability), the Elastic Network Interface & Elastic IP, and the requisite IAM permissions for logging can be provisioned in one click with our Standalone discrimiNAT firewall for existing VPC CloudFormation template.
  • A separate NAT Instance per Availability Zone is recommended. This is again in line with AWS' reference architecture on VPC with Public and Private Subnets (NAT).

Further reading

AWS' NAT Instance documentation

CLOUDFORMATION

Our library of CloudFormation templates covers a variety of scenarios in which to set up a discrimiNAT firewall. Have a look below to pick one and launch it straight away! If your circumstances do not fit any of these, get in touch, and we’d be happy to add more to our library.

Standalone discrimiNAT firewall for existing VPC

Best suited for cases where VPCs and related networking are managed by the customer to their specific design. This stack places a discrimiNAT firewall in the environment; the customer must then change the route tables of the Private/Application Subnets (which hold the EC2 instances reaching the internet via a NAT Gateway) to point at the discrimiNAT firewall instead.

Prerequisites

  • A VPC
  • A Public Subnet in an Availability Zone, with ‘Auto-assign public IPv4’ turned on
  • An Internet Gateway set as the Target for Destination 0.0.0.0/0 in the Route Table of the Public Subnet

Resources Provisioned

  • IAM Role, Policy and Instance Profile for permissions to write logs to CloudWatch and report Instance Health
  • Network Interface as a static Target for Destination 0.0.0.0/0, for Route Tables of the Private/Application Subnets
  • Elastic IP for a static NAT IP on all outbound traffic
  • Auto Scaling Group for the discrimiNAT instance itself
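The routing described in the key points above, together with the Network Interface, Elastic IP and route resources listed for the Standalone template, shown as an added CloudFormation fragment. This is not Chaser's template: the parameter names and logical IDs are assumptions, and the Auto Scaling Group, the IAM resources and the instance that attaches the ENI at launch are left out. The SourceDestCheck setting is an AWS requirement for any instance that forwards traffic it did not originate, which this page does not spell out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative fragment (not Chaser's template): a static ENI in the Public
  Subnet with an Elastic IP, and a Private Subnet route table that sends
  0.0.0.0/0 to that ENI.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:            # assumed: the Public Subnet routing via an Internet Gateway
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetId:           # assumed: the Private/Application Subnet to be firewalled
    Type: AWS::EC2::Subnet::Id
  FirewallSecurityGroupId:   # assumed: the Security Group for the firewall instance
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # Static Network Interface that the firewall instance attaches at launch.
  # Source/destination checking must be off, or EC2 drops forwarded packets.
  FirewallEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnetId
      GroupSet:
        - !Ref FirewallSecurityGroupId
      SourceDestCheck: false

  # Elastic IP bound to the ENI: the static NAT IP seen on all outbound traffic.
  FirewallEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  FirewallEipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt FirewallEip.AllocationId
      NetworkInterfaceId: !Ref FirewallEni

  # Route table for the Private/Application Subnet. The VPC's local route
  # is implicit; everything else goes to the firewall's ENI.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref FirewallEni

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  NatPublicIp:
    Description: Public IP that upstream allowlists will see for egress from the Private Subnet
    Value: !Ref FirewallEip
```

Because the route targets the ENI rather than an instance ID, the Auto Scaling Group can replace the firewall instance without the Private Subnet's route table changing; the replacement instance only has to attach the same ENI. Until the instance is up, traffic to 0.0.0.0/0 from the Private Subnet has nowhere to go, which is the fail-closed behaviour the Quick Start describes.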


Complete VPC example, with networking for 1 AZ

This is supplied as a working example with a typical network layout for one Availability Zone. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.

Prerequisites

  • None

Resources Provisioned

  • IAM Role, Policy and Instance Profile for permissions to write logs to CloudWatch and report Instance Health
  • Network Interface as a static Target for Destination 0.0.0.0/0, for Route Tables of the Private/Application Subnets
  • Elastic IP for a static NAT IP on all outbound traffic
  • Auto Scaling Group for the discrimiNAT instance itself
  • A VPC with a Private/Application Subnet and a Public Subnet in one Availability Zone
  • Public Subnet routing through an Internet Gateway
  • Private/Application Subnet routing to the internet via a discrimiNAT firewall


Complete VPC example, with networking for 3 AZs

This is supplied as a working example with a typical network layout for three Availability Zones. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.

Prerequisites

  • None

Resources Provisioned

  • Same as above but in three Availability Zones

MARKETPLACE

Launch Free Trial on AWS

The discrimiNAT firewall is self-served from the AWS Marketplace. The CloudFormation stacks discussed above are available to launch on subsequent steps from the marketplace subscription.
