
    DiscrimiNAT Firewall - Old Version

    Deployed on AWS
    Free Trial
    The DiscrimiNAT Firewall is a transparent, proxy-less NAT Gateway alternative to discover & filter egress traffic by FQDNs in a VPC.
    4.8

    Overview

    GO TO NEW LISTING FOR LATEST VERSION: This listing is now deprecated in favour of the new listing at https://aws.amazon.com/marketplace/pp/prodview-7ulmdnoq5jnwu 

    CONSOLE INTEGRATION

    There are no new UIs to learn: the config is stored in Security Groups directly, and the flow & audit logs go to CloudWatch. Because only AWS APIs are used for interfacing, you will never have to leave the AWS console or introduce new tooling.

    TRANSPARENT OPERATION

    No need to set http_proxy-like environment variables or change any code. Everything in the VPC, from VMs to EKS, Fargate, Lambda and even zero-trust WorkSpaces, will have its egress traffic routed via DiscrimiNAT. Swapping to (and from) AWS NAT Gateway is just a matter of updating the route tables.

    REFINED OPERABILITY

    We are an AWS Gateway Load Balancing Partner for Security Appliances and the DiscrimiNAT runs with high-availability, load-balancing & auto-scaling within your VPC. It's also completely maintenance-free!

    ENTERPRISE READY

    Whether you seek compliance with PCI DSS v4.0 or NIST SP 800-53 AC-4, SC-7 and SC-8, we've got it covered. DiscrimiNAT is hardened to CIS benchmarks, receives quarterly updates (critical OS updates in 10 days) and rolling updates apply with zero downtime.


    Highlights

    • SPOOFING PREVENTION: Unlike AWS Network Firewall, DiscrimiNAT does conduct out-of-band DNS lookups, so TLS SNI spoofing by supply-chain malware will be logged & stopped. It even supports allowing SSH by FQDNs. The next Log4J won't slip through!
    • FQDN DISCOVERY: Do not know what needs allowing? With the see-thru monitor mode, egress traffic can be logged without blocking; then a CloudWatch query extracts FQDNs accessed. Watch this 3.5 min video on how easy it is: https://youtu.be/63EfQQiirZQ

    Details


    Operating system
    Ubuntu 24.04


    Pricing

    Free trial

    Try this product free for 31 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (10)

    Dimension                 Cost/hour
    t3.small (Recommended)    $0.27
    c6a.xlarge                $0.27
    c6i.large                 $0.27
    c6a.large                 $0.27
    c6i.xlarge                $0.27
    c5.2xlarge                $0.27
    c5.large                  $0.27
    c5.xlarge                 $0.27
    c6i.2xlarge               $0.27
    c6a.2xlarge               $0.27

    Vendor refund policy

    You may terminate the EC2 instance(s) or delete the CloudFormation stack(s) at any time to stop incurring charges. Email devsecops@chasersystems.com for questions on billing.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Support

    Vendor support

    Contact us for expert help at devsecops@chasersystems.com at any stage of your journey; we'll jump on a screen-sharing call right away! Use of your work email is advised so we can provide support in the right context.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Accolades

    Top 50 in Network Infrastructure, Security
    Top 10 in Network Infrastructure


    Overview

    AI generated from product descriptions
    Transparent Network Traffic Routing
    Routes all egress traffic from VPC resources including VMs, EKS, Fargate, Lambda, and WorkSpaces through the firewall without requiring proxy environment variables or code modifications
    FQDN-Based Traffic Filtering
    Filters and controls egress traffic based on Fully Qualified Domain Names with discovery capabilities through monitor mode that logs traffic without blocking for FQDN extraction
    DNS Spoofing Prevention
    Conducts out-of-band DNS lookups to detect and prevent TLS SNI spoofing attacks and supports FQDN-based filtering for SSH connections
    AWS Console Integration
    Stores configuration directly in Security Groups and sends flow and audit logs to CloudWatch using only AWS APIs without requiring additional tooling or external interfaces
    High Availability and Auto-Scaling
    Operates as an AWS Gateway Load Balancing Partner for Security Appliances with built-in high-availability, load-balancing, and auto-scaling capabilities within the VPC with zero-downtime rolling updates

    Contract

    Standard contract: No

    Customer reviews

    Ratings and reviews

    4.8 (2 ratings)
    5 star: 100%
    4 star: 0%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    0 AWS reviews | 2 external reviews
    External reviews are from G2.
    Manufacturing

    Good forward proxy for our egress security on Google Cloud

    Reviewed on Feb 20, 2025
    Review provided by G2
    What do you like best about the product?
    We like the fact that DiscrimiNAT is doing FQDN filtering on SNI while being a transparent proxy, that it integrates with native firewall rules on GCP and that it's really fast and performant. We deploy it with the Terraform module and it's maintenance-free for us. In addition, we always had really fast feedback and help from the Team anytime we reached out for advice / feedback. Price is also good.
    What do you dislike about the product?
    We don't have any issues as of now. In the past, the lack of wildcards was a downside, but it's now fully supported.
    What problems is the product solving and how is that benefiting you?
    We have a security requirement to filter egress traffic from our Cloud infrastructure. DiscrimiNAT makes that easy and integrates well.
    Paul S.

    Secure egress solution with very straightforward rule configuration

    Reviewed on Nov 18, 2021
    Review provided by G2
    What do you like best about the product?
    We really like the speed and simplicity of deployment using Terraform with the vendor-supplied modules, no need for console access, and authorization determined by security group rule descriptions. We initially used the "see-thru" mode to determine existing outbound traffic without enforcement.

    We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).

    It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.

    DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.

    There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.
    What do you dislike about the product?
    One downside of DiscrimiNAT is that it can't filter on URL path - for example, you can't block all of github.com except for github.com/mycompany. However, implementing that level of control would require an SSL interception solution which isn't suitable for us, due to the need to install the proxy certificate chain as trusted in our server operating systems and applications.
    What problems is the product solving and how is that benefiting you?
    DiscrimiNAT provides controlled egress to authorized domains from cloud computing environments in AWS and GCP, using TLS and SSH. It significantly reduces the risk of data exfiltration, malware, and command and control using reverse shell attacks.