NAT Gateway Replacement
Your cloud-managed NAT gateway provides internet access for private subnets but with zero visibility or control over what goes out. DiscrimiNAT is a drop-in replacement that adds egress security without requiring proxy configuration or application changes.
The Risk of Unfiltered Egress
Every AWS NAT Gateway and GCP Cloud NAT allows unrestricted outbound internet access by default. This creates significant security blindspots:
- Log4Shell & RCE exploits: Attackers download malicious payloads from arbitrary destinations
- Supply chain attacks: Compromised npm/PyPI packages establish command-and-control channels
- Data exfiltration: Insider threats or compromised workloads can send data anywhere
- Cryptomining: Infected instances communicate freely with mining pools
What DiscrimiNAT Adds
| Capability | AWS NAT Gateway | GCP Cloud NAT | DiscrimiNAT |
|---|---|---|---|
| High availability across AZs | ✅ | ✅ | ✅ |
| No proxy configuration needed | ✅ | ✅ | ✅ |
| No CA certificates to deploy | ✅ | ✅ | ✅ |
| FQDN-based allowlists | ❌ | ❌ | ✅ |
| Per-application allowlists | ❌ | ❌ | ✅ |
| TLS 1.2+ enforcement | ❌ | ❌ | ✅ |
| SNI spoofing detection | ❌ | ❌ | ✅ |
| Out-of-band DNS verification | ❌ | ❌ | ✅ |
| Monitor-only discovery mode | ❌ | ❌ | ✅ |
| Per-GB data processing charges | ✅ ($$) | ✅ ($$) | ❌ |
Migration Path: Zero-Downtime Rollout
DiscrimiNAT is designed for safe, incremental adoption. You can validate everything before blocking any traffic.
Phase 1: Discovery (Week 1-2)
Deploy DiscrimiNAT in see-thru mode parallel to your existing NAT gateway:
- Selectively route traffic of selected Private subnets via DiscrimiNAT; remainder of traffic goes via cloud-managed NAT
- DiscrimiNAT captures all outbound FQDNs without blocking anything
- Use the logs to build baseline allowlists for each application using our handy CLI one-liners
- Cloud-managed NAT gateway remains on standby should routing needs to be swapped back
Phase 2: Validation (Week 3-4)
Enable per-app dry-run mode to simulate enforcement:
- Logs show what would be blocked without actually blocking
- Security Groups/Firewall Rules define allowlists but don't enforce
- Iterate on allowlists based on dry-run results
- Zero production impact during validation
Phase 3: Gradual Rollout
Start shifting traffic progressively:
- Begin with non-critical workloads (dev/staging environments)
- Update route tables to direct all traffic through DiscrimiNAT
- Enable enforcement for validated applications
- Maintain cloud-managed NAT as fallback during transition
Phase 4: Full Enforcement
Once validated:
- Enable blocking mode for all applications
- Decommission cloud-managed NAT gateway
- Monitor logs for unexpected blocks
- Respond to legitimate new dependencies via allowlist updates
Rollback Procedure
If something goes wrong, rollback is fast and simple:
Revert your route table to the cloud-managed NAT gateway.
This is a single Terraform/CloudFormation change. No application changes required. Rollback achievable in under 1 minute.
# Terraform example: switch back to cloud NAT
resource "aws_route" "private_nat" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.main.id # Switch back
# vpc_endpoint_id = module.discriminat.target_gwlb_endpoint.id # Comment out
}
Cost Comparison
DiscrimiNAT has no per-GB data processing charges, unlike cloud-managed NAT gateways.
| Monthly Egress | Cloud-managed NAT Cost | DiscrimiNAT Cost | Savings |
|---|---|---|---|
| 5 TB | $33 + $225 = $258 | ~$210 | ~18% |
| 10 TB | $33 + $450 = $483 | ~$210 | ~56% |
| 50 TB | $33 + $2,250 = $2,283 | ~$210 | ~90% |
Estimates based on us-east-1 pricing. Actual costs vary by region and instance type. See our pricing page for more info.
For workloads with high outbound data transfer (CI/CD, data pipelines, media processing), DiscrimiNAT can significantly reduce costs while adding security controls.
Why Not AWS Network Firewall or GCP Cloud NGFW?
Cloud-native next-gen firewalls have limitations that make them less effective for egress filtering:
SNI-Only Inspection
AWS Network Firewall and GCP Cloud NGFW rely solely on the SNI (Server Name Indication) field in TLS handshakes. This is trivially bypassed:
# Attacker can spoof SNI to an allowed domain while connecting to malicious IP
curl --resolve "allowed-domain.com:443:MALICIOUS_IP" https://allowed-domain.com/
DiscrimiNAT performs out-of-band DNS verification to ensure the IP being connected to actually belongs to the claimed domain.
See our comparison pages for a detailed breakdown of the bypasses and other features.
False Positive Issues
Palo Alto's Cloud NGFW has documented issues like FWAAS-1501 where low DNS resolution TTLs causes legitimate traffic to be blocked.
DiscrimiNAT's Wormhole DNS technology handles CDN, elastic, and load-balanced IPs correctly with zero false positives.
Getting Started
Schedule a Demo AWS Quick Start GCP Quick StartFAQ
Will this break my production traffic?
Not if you follow the migration path. Start with see-thru mode (monitoring only), then dry-run mode (simulated enforcement), then gradual rollout. You validate everything before blocking anything.
How long does migration take?
Typical timeline is 2-4 weeks:
- Week 1-2: Discovery in see-thru mode
- Week 3-4: Validation with dry-run mode
- Week 4+: Gradual enforcement rollout
What if I need to roll back?
Change your route table to point back to your cloud-managed NAT gateway. This is a single infrastructure-as-code change with no application modifications required. Rollback takes under 1 minute.
Do my applications need any changes?
No. DiscrimiNAT is fully transparent. No proxy configuration, no CA certificates, no code changes. If an application works through your current NAT gateway, it will work through DiscrimiNAT.
What protocols are supported?
TLS 1.2+, TLS 1.3, and SSH v2. HTTP/HTTPS traffic works seamlessly. Other protocols encapsulated in TLS (LDAPS, FTPS, IMAPS, SMTPS) are also supported.
How do I define allowlists?
Allowlists are defined in your existing AWS Security Groups, the Parameter Store or GCP Firewall Rules using tags/descriptions. No new UI to learn. Configuration lives in your infrastructure-as-code.