The Secure Internet Access Gateway is a highly available egress filtering proxy and NAT gateway designed to control outbound HTTP and HTTPS traffic from Virtual Private Cloud (VPC) resources. By restricting egress traffic to a predefined set of fully qualified domain names (FQDNs), it addresses the cases where traditional IP-based firewalls fall short, such as destinations whose IP addresses change frequently or are shared with unrelated services. Instances in private subnets can reach the package repositories and AWS APIs they need without broad internet access, which tightens the security posture of EC2 instances, Amazon WorkSpaces, and AWS Lambda functions.
Key Features and Functionality:
- High Availability: Deployable across multiple availability zones to ensure redundancy and continuous operation.
- Transparent Proxy Mode: Filters traffic in transit without requiring explicit proxy configuration on client applications, facilitating seamless integration.
- Hostname-Based Filtering: Controls egress traffic by destination hostname rather than IP address, allowing for more precise access management.
- Explicit Proxy Mode: Offers granular control by requiring applications to specify the proxy address, enabling selective internet access.
- Integration with AWS Network Load Balancer: Uses a Network Load Balancer to distribute traffic across the gateway instances, and the service can be shared with other VPCs through AWS PrivateLink.
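The two proxy modes differ in where the destination hostname comes from, but the allow-list decision is the same. The following is an added illustration in Python, not code from the gateway project. It assumes that in explicit mode the proxy reads the hostname from the client's CONNECT request line, that in transparent mode it recovers the name from the TLS ClientHello server_name (SNI) extension, and that allow-list entries are either exact names or `*.suffix` wildcards; the allow-list contents and the sample ClientHello are constructed for the example.

```python
"""Allow-list decisions for an egress proxy in explicit and transparent mode.

Added example, not the gateway's own code. Assumptions: the hostname comes
from the CONNECT target (explicit mode) or the TLS SNI extension (transparent
mode); rules are exact names or "*.suffix" wildcards (illustrative format).
"""
import ipaddress
import struct

# Constructed allow-list for the example, not a real policy.
ALLOWLIST = ["*.amazonaws.com", "repo.example-distro.org"]


def normalize(host: str) -> str:
    """Lower-case and drop a trailing root dot so 'Foo.Example.' == 'foo.example'."""
    return host.strip().rstrip(".").lower()


def is_allowed(host: str, allowlist=ALLOWLIST) -> bool:
    """Hostname-based decision. IP literals are always denied: a bare IP would
    bypass the name check, which is exactly what a hostname allow-list must not permit."""
    h = normalize(host)
    if not h or h.startswith("."):
        return False
    try:
        ipaddress.ip_address(h)
        return False
    except ValueError:
        pass
    for rule in allowlist:
        r = normalize(rule)
        if r.startswith("*."):
            # Keep the leading dot in the suffix so the match stops at a label
            # boundary: 'evil-amazonaws.com' must not match '*.amazonaws.com'.
            # The apex 'amazonaws.com' itself is NOT covered by the wildcard.
            if h.endswith(r[1:]):
                return True
        elif h == r:
            return True
    return False


def parse_connect(request_line: str):
    """Explicit mode: 'CONNECT host:port HTTP/1.1' -> (host, port), else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
        return None
    host, port = parts[1].rsplit(":", 1)
    if not port.isdigit():
        return None
    return host.strip("[]"), int(port)  # strip brackets from IPv6 literals


def sni_from_client_hello(data: bytes):
    """Transparent mode: pull host_name out of a TLS ClientHello record.
    Returns None for anything that is not a well-formed ClientHello carrying
    SNI, so a client that omits SNI (or sends garbage) yields no name to allow."""
    try:
        if data[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                    # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                           # client_version + random
        p += 1 + body[p]                                     # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher_suites
        p += 1 + body[p]                                     # compression_methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]  # extensions length
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if etype == 0:                                   # server_name extension
                q = p + 2                                    # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = body[q]
                    nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                    if q + 3 + nlen > p + elen:
                        return None                          # truncated name
                    if ntype == 0:                           # host_name
                        return body[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello with only an SNI extension; sample input."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)      # version, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decide_explicit(request_line: str) -> str:
    parsed = parse_connect(request_line)
    return "ALLOW" if parsed and is_allowed(parsed[0]) else "DENY"


def decide_transparent(first_packet: bytes) -> str:
    name = sni_from_client_hello(first_packet)
    return "ALLOW" if name and is_allowed(name) else "DENY"


if __name__ == "__main__":
    for line in ["CONNECT s3.us-east-1.amazonaws.com:443 HTTP/1.1",
                 "CONNECT 203.0.113.7:443 HTTP/1.1",
                 "CONNECT evil-amazonaws.com:443 HTTP/1.1"]:
        print(decide_explicit(line), line)
    print(decide_transparent(build_client_hello("repo.example-distro.org")))
    print(decide_transparent(b"\x16\x03\x01\x00\x03\x01\x00\x00"))  # malformed: DENY
```

Two points a practitioner should take from this: a wildcard rule must match on a label boundary (the leading dot in the suffix does that work), and anything that does not resolve to a hostname, including IP literals and ClientHellos without SNI, has to fall through to deny, otherwise the hostname policy is trivially bypassed.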
Primary Value and User Solutions:
The Secure Internet Access Gateway gives organizations a way to control outbound internet access from their AWS environments. By permitting only allow-listed domains, it reduces the risk of data exfiltration and of connections to malicious sites, and it helps demonstrate compliance with internal security policies and regulatory requirements. The choice of transparent or explicit proxy mode lets the same gateway fit applications that cannot be reconfigured as well as those that can point at a proxy address, which simplifies rolling out egress controls across an estate.