Overview
The Secure Internet Access Gateway is a highly available, egress filtering proxy and NAT gateway. The gateway restricts HTTP and HTTPS egress traffic from VPC resources to a whitelisted set of hostnames (FQDN). This solution is effective where traditional IP-based firewalls fall short. Access to package repositories and AWS APIs can be provided to instances in private subnets without granting them broad internet access. The gateway is ideally suited to protect your EC2 instances, AWS Workspaces and even Lambda functions from harmful internet traffic while still providing access to update servers, specific websites and services.
The gateway can operate in explicit and transparent mode. In explicit mode, the instance needs to be provided with the gateway's proxy address. The explicit mode provides more granular control over what application has access to the internet. In transparent mode the gateway is added to the subnet's route table allowing traffic to be filtered on its way out to the internet. No changes to applications on EC2 instances are necessary. The transparent mode is useful in scenarios where an application does not provide an option to define a proxy.
The Secure Internet Access Gateway is powered by the AWS Network Load Balancer (NLB). The gateway can therefore easily be shared with other VPCs in the same region using the VPC PrivateLink feature. Please note that only explicit mode is available when using PrivateLink.
Highlights
- HIGH AVAILABILITY | The gateway can easily be deployed in multiple availability zones for redundancy.
- TRANSPARENT PROXY | Optionally filters traffic in transit without explicit proxy configuration.
- FILTER BY HOSTNAME | Control egress traffic by destination hostname instead of IP address.
Details
Pricing
Free trial
Instance type | Product cost/HostHours | EC2 cost/hour |
---|---|---|
t2.small | $0.042 | $0.023 |
t2.medium | $0.053 | $0.046 |
t2.large | $0.76 | $0.093 |
t2.xlarge | $0.123 | $0.186 |
t2.2xlarge | $0.216 | $0.371 |
t3.small | $0.042 | $0.021 |
t3.medium | $0.053 | $0.042 |
t3.large | $0.76 | $0.083 |
t3.xlarge | $0.123 | $0.166 |
t3.2xlarge | $0.216 | $0.333 |
Vendor refund policy
We do not currently support refunds, but you can cancel at any time.
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Existing VPC Deployment
"This template deploys the Secure Internet Access Gateway into an existing VPC in your AWS account. Please ensure that your existing VPC fulfills the following requirements:
- The CloudFormation template requires a VPC that is configured with at least one public and one private subnet in the same availability zone.
- Each private subnet requires a corresponding public subnet in the same availability zone.
- Each private subnet must have a dedicated route table that is not shared with other subnets.
If your VPC does not fullfill these requirements please contact us and we will customize the template to fit your needs."
CloudFormation Template (CFT)
AWS CloudFormation templates are JSON or YAML-formatted text files that simplify provisioning and management on AWS. The templates describe the service or application architecture you want to deploy, and AWS CloudFormation uses those templates to provision and configure the required services (such as Amazon EC2 instances or Amazon RDS DB instances). The deployed application and associated resources are called a "stack."
Version release notes
- Migrated to Amazon Linux 2
- Upgraded Squid to version 4.7
- Implemented improvements to transparent proxy behavior
- Added support for VPC Endpoint Services which allows you to share one Gateway with any number of VPCs
Additional details
Usage instructions
This solution is best deployed through CloudFormation templates. CloudFormation is an Infrastructure as Code (IaC) service provided by AWS which makes it fast and easy to set up complex cloud infrastructures.
The CloudFormation template will output the hostname of the Network Load Balancer (NLB) under Outputs, ProxyAddress. The port for the HTTP proxy is always 3128. On most Linux systems it is sufficient to set the http_proxy and https_proxy environmental variables. The majority of client applications will pick up these variables and configure themselves accordingly.
Please find detailed instructions at http://netcubed-ami.s3-website-us-east-1.amazonaws.com/sinac/v1.0.0/#configuring-applications-to-use-the-proxy
Resources
Vendor resources
Support
Vendor support
For paid support, email sales@netcubed.de for further information. Free support is provided via support@netcubed.de . For free support, we do not provide a guaranteed response time, however we do our best to respond to questions within 24 hours Monday through Friday.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.