Quick Start

Deploy discrimiNAT firewall on AWS in 5 minutes

Table of Contents

This is a quick visual walkthrough of deploying a brand new VPC in AWS, secured by the discrimiNAT firewall for egress traffic filtering right from the onset.


Proceed to our AWS Marketplace page and click the Continue to Subscribe button.


Choose CloudFormation Template as the delivery method, and the Complete VPC example, with networking for 1 AZ template for this exercise.

Ensure the latest Software Version is selected, and the Region is one intended.


Choose Launch CloudFormation and hit Launch.


Stack name: This is a unique identifier for the deployment. In the case of this example, we have chosen the name plugleak. This name will prefix many resources that this stack will create.

InstanceType: We recommend that you start with something low and small. You will need more CPUs to handle concurrent clients; and larger types of instances for more bandwidth. It is worth mentioning this firewall is not a memory-intensive application.

KeyPairName: Leaving it blank will not setup any SSH keys in the firewall instance, so you won’t be able to log in and have a nose around. If you wish to enable SSH access (not advised for a security appliance), paste in the exact key name from EC2 -> Key Pairs.

VPCCIDR: The VPC level CIDR block to deploy in this region. If going with the example layout, try .

PrivateSubnetAZA: The Private Subnet for Availability Zone A. If going with the example layout, try .

PublicSubnetAZA: The Public Subnet for Availability Zone A. If going with the example layout, try .

TransitSubnetAZA: The Spare/Transit Subnet for Availability Zone A. If going with the example layout, try .


The firewall needs some permissions from AWS IAM to carry out its job. You will find these in IAM prefixed with the stack name chosen earlier.


Shouldn’t be more than a few minutes.

The stack is ready!


We encourage you to create security groups as you would normally. Tight in scope and tagged in a granular fashion dependent on application requirements. Following are the points to take additional care around for effective use of the discrimiNAT firewall:

  • Add destination protocols and FQDNs to the description field of each outbound rule. The format of this text is discrimiNAT:<protocol>:<fqdn>[,<fqdn>] .

    • Valid protocols are ssh and tls only.
    • There can be as many FQDNs as you can fit separated by commas. There cannot be whitespace, though.
    • There can be other text leading and trailing this specification, separated by whitespace.
    • All of it is case insensitive.
  • Some examples of what can go in the description field:

    • discrimiNAT:TLS:api.foo.example.com,downloads.example.net
    • discrimiNAT:SSH:sftp.txs.example.org,ssh.github.com
    • discriminat:tls:api-v2.example.com discriminat:tls:www.example.org
    • lorem ipsum discriminat:ssh:ssh.github.com,gitlab.com dolor sit amet
  • Must be under Outbound rules.

  • Under Type, choose any TCP protocol type and specify exactly one port number in Port range. Multiple ports, ranges, other protocols, and so on are not supported.

  • Destination must be set to the narrowest IP block you can think of. Now if you don’t have anything narrower than that is absolutely fine! The firewall takes care of validating the destination IP address of actual packets in many ways, but the outbound rule at the AWS networking and security level must allow the packet to leave the virtual machine at all. We repeat, is a safe choice with the discrimiNAT firewall in the way.

  • Should you wish to use the same port number again with a different rule, set to the destination to or or and so on.

  • That’s it!


Let’s now look at the configuration logs. Browse to CloudWatch -> Log Groups -> discrimiNAT -> config . You will see each instance of the firewall pick up the changes! Logs are structured (JSON) so filtering them in any way you like should be a walk in the park!


Time to test with a virtual machine. Create one as usual, in the same region as the firewall was deployed in. Pick the Private subnet created by your stack to place this machine in.

Attach the security group we created earlier to this machine.

You can now look at the flow logs to observe traffic from this machine. Browse to CloudWatch -> Log Groups -> discrimiNAT -> flow . You will see each connection that is allowed or disallowed!