discrimiNAT on AWS


ARCHITECTURE

The discrimiNAT firewall is a highly available EC2 instance placed on the route between application subnets and the internet, where it transparently filters TLS and SSH traffic for policy adherence and compliance. Chaser also recommends AWS' reference architecture for a VPC with Public and Private Subnets (NAT); the discrimiNAT firewall simply takes the place of the NAT Instance in it.

Here is a representation of a typical network layout in one Availability Zone, with discrimiNAT performing the firewalling and NAT functions in a customer-provided VPC and subnets.

[Figure: AWS Architecture for discrimiNAT firewall]

Key points to note

  • Application instances are in a Private/Application Subnet and do not have direct access to the internet. These subnets are configured with private IP addresses only.
  • The discrimiNAT firewall receives internet-bound traffic from the Private Subnet via a route for destination 0.0.0.0/0 (i.e. everything other than the local networks within the VPC) whose target is the Elastic Network Interface attached to the firewall.
  • An Auto Scaling Group (for High Availability), the Elastic Network Interface and its Elastic IP, and the requisite IAM permissions for logging can be provisioned in one click with our Standalone discrimiNAT firewall for existing VPC CloudFormation template.
  • A separate NAT Instance per Availability Zone is recommended. This, again, is in line with AWS' reference architecture for a VPC with Public and Private Subnets (NAT).

Further reading

AWS' NAT Instance documentation

CLOUDFORMATION

Our library of CloudFormation templates covers a variety of scenarios in which to set up a discrimiNAT firewall. Have a look below, pick one, and launch it straight away! If your circumstances do not fit any of these, get in touch and we’d be happy to add more to the library.

Standalone discrimiNAT firewall for existing VPC

Best suited to cases where the VPC and related networking are managed by the customer to their own design. This stack places a discrimiNAT firewall in the environment; the customer then has to change the route tables of the Private/Application Subnets, whose EC2 instances currently reach the internet via a NAT Gateway, so that they reach the internet via the discrimiNAT firewall instead.

Prerequisites

  • A VPC
  • A Public Subnet in an Availability Zone, with ‘Auto-assign public IPv4’ turned on
  • An Internet Gateway set as the Target for Destination 0.0.0.0/0 in the Route Table of the Public Subnet

Resources Provisioned

  • IAM Role, Policy and Instance Profile for permissions to write logs to CloudWatch and report Instance Health
  • Network Interface as a static Target for Destination 0.0.0.0/0, for Route Tables of the Private/Application Subnets
  • Elastic IP for a static NAT IP on all outbound traffic
  • Auto Scaling Group for the discrimiNAT instance itself

[Launch stack button: Standalone discrimiNAT firewall for existing VPC]

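The "Key points to note" above and the "Resources Provisioned" list for this template describe the same wiring: a Network Interface in the Public Subnet with an Elastic IP on it, and a Private/Application Subnet route table whose 0.0.0.0/0 route targets that interface. The following CloudFormation fragment is an added example of that wiring written for this page; it is not Chaser's own template. It assumes the VPC, Public Subnet and Private Subnet already exist and are passed in as parameters (the Public Subnet's route table already sending 0.0.0.0/0 to an Internet Gateway, as the prerequisites require), and the `VpcCidr` default and the `FirewallSecurityGroup` are constructed for the example. The IAM Role, Instance Profile and Auto Scaling Group from the resource list are left out; the instance launched by the ASG is what attaches `FirewallInterface`.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only (not Chaser's template): route a Private/Application Subnet's
  internet-bound traffic to a firewall network interface in the Public Subnet
  that carries a static Elastic IP.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16          # assumed VPC CIDR; replace with yours
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id   # its route table already has 0.0.0.0/0 -> IGW
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id   # instances here have private IPs only

Resources:
  # Constructed for the example: allow the VPC to send traffic to the
  # interface; the firewall itself enforces the TLS/SSH policy on it.
  FirewallSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Egress firewall interface
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: !Ref VpcCidr

  # The static route target for the private route tables. SourceDestCheck is
  # off because EC2 otherwise drops packets not addressed to the interface.
  FirewallInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnetId
      SourceDestCheck: false
      GroupSet:
        - !Ref FirewallSecurityGroup
      Description: firewall egress interface (static route target)

  # Static NAT address: all outbound traffic appears from this one IP.
  FirewallEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  FirewallEipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt FirewallEip.AllocationId
      NetworkInterfaceId: !Ref FirewallInterface

  # Route table for the Private/Application Subnet. The VPC "local" route is
  # implicit; everything else goes to the firewall interface, never to an IGW.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref FirewallInterface

  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable
```

Two things are worth checking after the stack is up, because either one silently defeats the design. First, the private route table must have no route with a GatewayId pointing at an Internet Gateway alongside the interface route; `aws ec2 describe-route-tables --route-table-ids <rtb-id>` should show the 0.0.0.0/0 entry with a NetworkInterfaceId target and nothing else non-local. Second, the interface must report `"SourceDestCheck": {"Value": false}` from `aws ec2 describe-network-interface-attribute --network-interface-id <eni-id> --attribute sourceDestCheck`; with the check on, forwarded traffic is dropped and applications see timeouts rather than a policy decision.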
Complete VPC example, with networking for 1 AZ

This is supplied as a working example with a typical network layout for one Availability Zone. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.

Prerequisites

  • None

Resources Provisioned

  • IAM Role, Policy and Instance Profile for permissions to write logs to CloudWatch and report Instance Health
  • Network Interface as a static Target for Destination 0.0.0.0/0, for Route Tables of the Private/Application Subnets
  • Elastic IP for a static NAT IP on all outbound traffic
  • Auto Scaling Group for the discrimiNAT instance itself
  • A VPC with a Private/Application Subnet, a Public Subnet and a Spare Subnet (for Transit routing, etc.) in one Availability Zone
  • Public Subnet routing through an Internet Gateway
  • Private/Application Subnet routing to the internet via a discrimiNAT firewall

[Launch stack button: Complete VPC example, with networking for 1 AZ]

Complete VPC example, with networking for 3 AZs

This is supplied as a working example with a typical network layout for three Availability Zones. It is a good way to bootstrap a VPC with all the right subnets and routing tables if none exists already.

Prerequisites

  • None

Resources Provisioned

  • Same as above but in three Availability Zones

[Launch stack button: Complete VPC example, with networking for 3 AZs]

MARKETPLACE

Launch Free Trial on AWS

The discrimiNAT firewall is listed on the AWS Marketplace. The CloudFormation stacks discussed above are available to launch on subsequent steps from the marketplace subscription.

Creating a Bastion for SSH access

In AWS you may, on occasion, want a bastion host in your VPC, for example to access a discrimiNAT instance over SSH or to reach a host without a public IP.

Quick Start

Deploy discrimiNAT firewall on AWS in 5 minutes — Quick Start Guide