
Network Security

Controlling outbound Internet access

Goals

  • Review and analyse available alternatives for controlling outbound traffic in VPCs.
  • All possible candidates need to offer a reasonable balance between features and pricing.

Solutions

Leverage currently supports:

  • Network ACL (Subnet firewall)
  • Security Groups (Instance firewall)
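As an added illustration of the two controls listed above (not code from the Leverage reference architecture), the following Terraform restricts a private subnet's workloads to outbound HTTPS only, once at the instance level and once at the subnet level. The `vpc_id` and `private_subnet_ids` variables are assumed inputs; the NACL half shows the stateless caveat that the security group hides.

```hcl
# Assumed inputs: the VPC and the private subnets being restricted.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }

# Instance-level control. Security groups are stateful and allow-only:
# declaring any egress block replaces the provider's default "allow all
# outbound" rule, and return packets for permitted flows are tracked.
resource "aws_security_group" "egress_https_only" {
  name        = "egress-https-only"
  description = "Outbound HTTPS only; return traffic tracked by the SG"
  vpc_id      = var.vpc_id

  egress {
    description = "HTTPS to the internet (through the NAT path)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Subnet-level control. Network ACLs are stateless and evaluated in
# rule_no order with first match, so the return half of every permitted
# outbound flow must be allowed explicitly on ingress.
resource "aws_network_acl" "private_egress_https" {
  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  egress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Responses to the outbound HTTPS sessions arrive on ephemeral ports.
  ingress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
  # Anything not matched above falls through to the implicit deny-all.
}
```

Because the NACL above only allows port 443 outbound, intra-VPC traffic on other ports from these subnets is blocked too; add explicit rules for it before attaching the ACL.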

What alternatives do we have?

Pre-considerations

First of all, keep in mind the following points before and while you go through the data in the table:

  1. EBS pricing at the moment of this writing:
     • GP2: $0.10 per GB-month
     • GP3: $0.08 per GB-month
  2. Data transfer costs will be incurred in all options.

Dedicated Network NAT-GW + Network Firewall Account

Centralized Network Firewall deployment model (North-South): centralized internet egress, where VPC traffic reaches the internet through the Transit Gateway, the Network Firewall and a NAT gateway in the dedicated network account.


Figure: Multi-account dedicated network transit gateway + network firewall architecture diagram. (Source: Binbash Leverage, "Leverage Reference Architecture dedicated network account TGW + NFW implementation", Binbash Leverage Doc, accessed August 4th 2021).

Comparison of the alternatives analysed

Leverage Confluence Documentation

The linked Confluence page contains a detailed comparison table covering the alternative products and solution types, their pricing models, features, and pros and cons.