DiscrimiNAT Firewall
The DiscrimiNAT Firewall is a transparent, proxy-less Managed NAT alternative to discover & filter egress traffic by FQDNs in a Shared VPC. It's built upon our cutting-edge technology, Wormhole DNS, that handles highly variable, low-TTL and load-balanced domain name resolution results perfectly well to give your applications uninterrupted access to allowed destinations.

CONSOLE INTEGRATION
There are no new UIs to learn – the configuration is stored in cloud resources directly, and the flow & audit logs go to the native logging service. GitOps FTW! Because only the cloud's APIs are used for interfacing, you will never have to leave the cloud console.

SPOOFING PREVENTION
Unlike SNI-only or Suricata-based solutions, DiscrimiNAT conducts out-of-band DNS lookups, so TLS SNI spoofing by supply-chain malware will be logged & stopped. It even supports allowing SSH by FQDNs. The next Log4J won't slip through!

SAFE WILDCARDS
A Public Suffix List safeguard is in place by default to reject wildcard patterns matching all tenants on a CSP or a CDN (aka Effective TLDs); precise patterns can also be configured with the use of glob characters (*, ?).

TRANSPARENT OPERATION
No need to set http_proxy-like environment variables or change any code. Everything in the VPC, from VMs to k8s and Serverless, will have its egress traffic routed through DiscrimiNAT. Swapping to (and from) Managed NAT is just changing a route table entry.

FQDN DISCOVERY
Don't know what needs allowing? With the ‘see-thru’ monitor mode, egress traffic can be logged without blocking; then a CLI command extracts the FQDNs accessed. We have a 3½ min video on how easy it is!

LEAST PRIVILEGE EGRESS
You no longer need to apply the entire allowlist to large CIDR ranges hosting multiple applications. The policies are as granular as native firewall rules/security groups, so each application gets access to only what it needs. This translates to micro-segmentation in Zero Trust architectures.

DEVELOPER GUARD RAILS
With bidirectional enforcement of TLS 1.2+ and SSH v2, automated expiry of exemptions, dropping unencrypted Internet-bound traffic, etc., each feature has been carefully designed to avoid footguns.

REFINED OPERABILITY
DiscrimiNAT integrates with the cloud's native load balancers and runs with high-availability, load-balancing & auto-scaling within your VPC. It's also completely maintenance-free!

ENTERPRISE READY
Whether you seek compliance with PCI DSS v4.0 or NIST SP 800-53 AC-4, SC-7 and SC-8, we've got it covered. Also, DiscrimiNAT is hardened to CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server. Besides the quarterly updates, critical OS updates are released in less than 10 days and rolling updates apply seamlessly.