The Secure Internet Access Gateway is a highly available, egress filtering proxy and NAT gateway. The gateway restricts HTTP and HTTPS egress traffic from VPC resources to a whitelisted set of hostnames (FQDN). This solution is effective where traditional IP-based firewalls fall short. Access to package repositories and AWS APIs can be provided to instances in private subnets without granting them broad internet access. The gateway is ideally suited to protect your EC2 instances, AWS Workspaces and even Lambda functions from harmful internet traffic while still providing access to update servers, specific websites and services.

The gateway can operate in explicit and transparent mode. In explicit mode, the instance needs to be provided with the gateway's proxy address. The explicit mode provides more granular control over what application has access to the internet. In transparent mode the gateway is added to the subnet's route table allowing traffic to be filtered on its way out to the internet. No changes to applications on EC2 instances are necessary. The transparent mode is useful in scenarios where an application does not provide an option to define a proxy.

The Secure Internet Access Gateway is powered by the AWS Network Load Balancer (NLB). The gateway can therefore easily be shared with other VPCs in the same region using the VPC PrivateLink feature. Please note that only explicit mode is available when using PrivateLink.