NATe: A Tax-Free Alternative to Cloud NAT Gateways

NATe: A Tax-Free Alternative to Cloud NAT Gateways

Whether you need to connect multiple cloud instances, communicate with the public internet from private resources, or directly connect to instances in local data centers, chances are you will be using Network Address Translation (NAT) to make that connection. All major cloud providers provide some product or service to provide NAT functionality, and some platforms even provide separate public and private variants. Because cloud instances running in private subnets are unable to access resources like time servers, webpages, or OS repositories without NAT functionality, most users find themselves relying on their cloud platform’s NAT offerings. By simply following their cloud providers’ recommended best practices, users are overpaying for an overcomplicated and inflexible service that a home cable modem does for free.  So why pay so much for such a simple network function?

If You’re Using Cloud Platform NAT Gateway(s), You’re Overspending on Cloud Deployments.

Overspending of any kind in the wake of the economic disruption caused by the COVID-19 pandemic can be deadly for any business. Yes, some have fared better than others during this challenging time but all organizations have revisited projections and budgets in the face of uncertainty. According to Gartner, the pressure is on for budget holders to optimize costs.

Pre COVID-19
of enterprises planned IT budget increases
Post COVID-19
of enterprises expect IT budget decreases

Where to Start?

Look to the sky! Your cloud bill is likely full of opportunities for savings, especially if your application relies on NAT functionality. Using AWS NAT Gateway pricing as an example, let’s start with the comparative base subscription costs:

  AWS NAT Gateway VNS3 NATe
Subscription $0.045 / hour $0.01 / hour*
Data Processing (TAX) $0.045 / GB $0.00 / GB
* Price includes runtime fees (on-demand t3.nano $.0052 / hr) + NATe subscription ($0.005 / hr)

As you can see from this example, the standalone subscription cost of an AWS NAT gateway is more than the cost of a single t3.medium instance. The already low VNS3 NATe subscription cost will provide you even more savings when you consider the fact that you don’t have to create as many individual NAT gateways, each of which would be  accompanied by an additional AWS NAT Gateway subscription. The cost differential here makes NATe an obvious choice at any deployment scale and we even offer a free NATe license for smaller deployments.

VNS3 NATe is also incredibly scalable because we don’t increase our data processing rates as your bandwidth needs scale.  Below is a pricing table that shows the total cost of running a single NAT Gateway vs a VNS3 NATe instance as the traffic throughput increases in a given month:

GB / Month AWS NAT Gateway VNS3 NATe
1 $32.45 $7.20
10 $32.85 $7.20
100 $36.90 $7.20
1,000 $77.40 $7.20
5,000 $257.40 $7.20
10,000 $482.40 $7.20
50,000 $2,282.40 $7.20
100,000 $4,532.40 $7.20

We also have customers who maintain 100s or 1000s of VPCs with NAT requirements of 1-100 GB per month.  Those enterprise cloud customer at scale have typically seen costs drop to 1/5 of what they would pay for AWS NAT Gateways.  To illustrate this savings, take the example from one of our customers has 1800 VPCs each with a NAT Gateway.  The total data processed through these NAT Gateways is low and averages 10GB / month with much more potential savings for deployments that pass more traffic out the NAT device.

Monthly Runtime $58,320 Monthly Runtime $12,960
Data Processing (TAX) $810 Data Processing (TAX) $0
* Price includes runtime fees (on-demand t3.nano $0.0052 / hr) + NATe subscription ($0.005 / hr)

Total NATe saving per month in this case is $46K and $554K per annum.

Of course, costs savings are not limited to just NAT Gateway spend.  Other opportunities for savings include right sizing instances (latest generation instance families are always less expensive), decommissioning unused services/resources (I’m looking at you load balancers), and reviewing storage strategies (such as EBS).

What is a NAT Gateway?

A NAT Gateway is a network service that performs a simple network function: Network Address Translation for cloud-based servers running in a private network (private VPC subnet). Here is the AWS documentation detailing the NAT Gateway functionality. NAT Gateways perform a specific type of NAT called IP Masquerading, where devices in a private IP network use a single public IP associated with the gateway for communication with the public Internet.

This is the same function that your home modem performs for free. You’re likely leveraging this NAT functionality as you read this post. Basically the NAT functionality on a NAT Gateway or your home modem allow devices on a private network (computers, phones, TVs, refrigerators, toothbrushes, etc. in the case of your home network) to access the Internet and receive responses but not allow devices on the public Internet to initiate connection into your private network. All traffic sent from the private network to the public Internet uses the modem’s public IP address.

NATe to the Rescue!

In response to direct requests by our customers, we created a low-cost, instance-based alternative to NAT Gateways – VNS3 NATe.

Available on AWS PM and Azure MP today:

* No subscription premium but total throughput limited to 50mbps

What is a NATe?

NATe instances are drop-in replacements from Cohesive Networks for NAT Gateways. Simply launch in a VPC/VNET subnet with an Internet Gateway associated, Stop Src/Dst checking (enable IP forwarding), and update the Route Tables associated with the private Subnets to point destinations at the NATe instance-id.


NATe provides all the functionality of a NAT Gateway plus enterprise grade security and controls at a fraction of the cost. Some of the functional highlights of NATe include:

  • High Performance – run on the smallest instance sizes to maximize value or larger instance for greater total throughput
  • Secure – access to a firewall to allow additional and orthogonal policy enforcement for traffic flows
  • Control – access logs, network tools like tcpdump, status information
  • Customize – leverage the Cohesive Networks Plugin system to add L4-L7 network services to the NATe instance like NIDs, WAF, Proxy, LB, etc.
  • Automate – fully automate the deployment of VNS3 NATe instances as part of your existing deployment framework leveraging the RESTful API to reduce implementation costs.
  • Failover – NATe can be configured in a number of HA architectures to provide the same level of insurance needed for critical infrastructure via instance auto recovery, auto scale groups, and Cohesive Networks’ own Peering and HA Container functionality
  • Upgrade – NATe is fully upgradeable to fully licensed VNS3 controllers deployed as a single application security controller or part of secure network edge mesh

Still Not Convinced?

Cohesive’s NATe offers a dramatically more cost-efficient solution to often critical NAT requirements in cloud deployments of all shapes and sizes. NATe is more flexible, more scalable, and easier to manage than first-party cloud NAT gateways that are charging you a premium for the functionality of a standard consumer modem. If you don’t believe us, we launched a free version of our NATe offering in both the AWS and Azure marketplaces so you can launch and configure them and see for yourself!

Have questions about set-up or pricing? Please to contact us.

Managing DNS for Remote VPN Users in AWS Route53 with VNS3

Managing DNS for Remote VPN Users in AWS Route53 with VNS3

Managing DNS can be a fairly complex and daunting task. Installing and configuring Bind takes time and knowledge and requires maintenance. Infoblox is expensive and likely overkill for smaller projects. Cloud vendors like AWS have simplified offerings that allow ease of use and scale with your needs. They offer public and private zone management with features like split horizon. Split horizon allows Domain Name Systems to provide different information based on the source address of the requestor. For example, if you are coming from the internet at large you would receive the public IP address of the named system you are looking up, but if you were in the same private subnet as that system you would receive it’s private IP address. This allows you to define the how users get to systems depending on where they are.

Let’s take the example of a remote VPN connection. With VNS3 People VPN you can easily connect your workforce to your cloud assets, be they across regions and or vendors. Giving you a secure entry point to your companies computational resources. VNS3 makes it easy to push DNS settings to connected clients so that they are told that their DNS server is the address of the VNS3 security controller. So now we have connected clients making DNS calls to VNS3. But hold on VNS3 isn’t a DNS server. Well it can be through it’s plugin system, but thats a different topic for another blog post. In this scenario we can divert all incoming DNS traffic through use of the VNS3 firewall.

Cohesive Networks VNS3 Controller Connectivity
Lets say that our VNS3 overlay address space is, this is what we are using for our remoteVPN users, and our VPC is In this case there are two addresses that we care about. is the Virtual IP of the VNS3 security controller and which is the AWS VPC Route53 Resolver or DNS endpoint. In AWS the DNS endpoint will always be the .2 for your VPC address space. So our firewall rules will look like this:

PREROUTING_CUST -i tun0 -p tcp -s –dport 53 -j DNAT –to
PREROUTING_CUST -i tun0 -p udp -s –dport 53 -j DNAT –to

Here we are saying that traffic coming in on the tun0 interface (overlay network) from (overlay address space) bound for UDP and TCP port 53 (DNS) should be forwarded to on UDP and TCP port 53 (AWS VPC DNS endpoint).

Ok so now that we have our remote VPN DNS requests being diverted to the VPC DNS endpoint we need to configure our responses. In Route53 you can configure any zone name you want so long as it isprivate. For public zones you will need to own the domain name. But for private zones you can do whatyou want. This can be very useful where you might have a secure IPSec connection to a partner network and want to use DNS names that reflect your partners name and configure addresses across your tunnels. You can set up as many private zones as you want. Once they have been setup it is now just a mater of associating them with the VPC that your VNS3 security controller resides in. you will now have custom DNS naming for your remote workforce.

Managing AWS Workspaces with VNS3

Cloud and network virtualization have created the opportunity to have virtual networks that transit your applications and staff to, through and across the clouds. These networks can stretch across the globe in multiple, to 10s of locations (points of presence) or more. In the case of Cohesive Networks our virtual networks are used to create cryptographically secure overlay networks in full mesh architectures. When implementing the cryptographic mesh (at scale machine-to-machine VPN) it is critical that the cryptographic credentials can be easily managed across the controller mesh. Our goal at Cohesive is to make managing the credentials straightforward and clear; associating credentials with users via tagging, enabling/disabling so that credentials can only be used when desired, checked out/in state to help manage via automation, check log information for specific credentials, and manage certificate revocation. Below is a short video showing the key elements of straightforward key state management in an N-way VNS3 controller mesh.

Hopefully the video highlights the essential key state management capabilities we have strived for. They are part of the foundation of the VNS3 Controllers which are used to build a wide array of service edge use cases. VNS3 encrypted topologies combined with our plug and play security system, you or your management service provider can achieve both Workload and Workforce mobility using secure network virtualization.

AWS re:Invent 2019 Recap

AWS re:Invent 2019 Recap

AWS Reinvent photo

Last week was AWS’s annual reinvent conference in the putatively beautiful and blissful Las Vegas. Andy Jassy, Amazon’s CEO, announced plenty of new products and features to excite and alarm the computing and soft-warring world. The conference also highlighted AWS’s leadership in highly resilient software architecture and design with their launch of the AWS Builders’ Library. Let’s run over some of the highlights.

Cloud Descending Back to Earth via New Edge Environments: AWS Local Zones, Outposts, and Wavelength

AWS launched two new environment types this year with AWS Local Zones and Wavelength. Local Zones was spurred by AWS customers requiring ultra-low latency for their compute, notably gaming companies based in L.A., where the first Local ZOne is now generally available. New zones will come online as customer demand in a city necessitates. Wavelength is an AWS environment colocated with telecom infrastructure, providing access to 5G endpoints. The general availability of AWS Outposts, a rack of AWS servers providing AWS on-premise, was also announced, enabling the rollout of Local Zones and Wavelength in fairly short order. AWS Outposts enable companies to test deployments in cloud-like environments without fully committing to the cloud, and give customers like Morningstar and Philips Healthcare ultra-low latency, hyper-local availability zones.

These environments showcase a new battle for the edge. AWS basically won the general compute cloud race, but we now find different telecommunication and networking competitors offering edge environments, with startups the likes of Packet and Vaper IO joining the race. As developers gain access to these new endpoints, along with increased networking capabilities and incredibly low hyper-local latencies, we are sure to see a revolutionary new age of applications and services.

We Have a Size for That: New Compute Instance Types

Amazon launched multiple new instance types including Graviton2 instances and EC2 Inf1 instances. The new Graviton2 boast a whopping 40% price performance improvement. They are based on the ARM architecture, effectively challenging Intel and AMD’s dominance in the chip space, and combined with the Nitro System security chip to support encrypted EBS storage volumes by default. The EC2 Inf1 instances are dedicated Machine Learning training instance types, effectively challenging Nvidia’s domination of the market with their GPUs. AWS promises that these chips provide a significant increase in throughput and price performance relative to Nvidia-powered instance types.

AWS Continues to March into SaaS Markets With New Machine Learning Services

Also announced were multiple ML based services including Code Guru for automated code reviews, Fraud Detector for automated fraud detection, Kendra for search indexing, Transcribe Medical for call transcription in the medical industry and Augmented AI for AI workflows requiring human intervention. You would be hard pressed to find a SaaS market Amazon isn’t capable of stepping into with their army of engineers and data scientists.

The release of the SageMaker IDE and SageMaker Debugger seems to be an attempt by AWS to capture the hearts and minds of data scientists with the promise of streamlining the building, training, debugging, deployment, and monitoring of Machine Learning models. This new IDE bypasses the need for users to understand and deploy a Python or R environment, enables progress reporting for long jobs, promises a simplified and automated debugging process, automates alerts about input data drift, and auto-trains your ML model from CSV data files. In early use, the IDE has proven to come with a steep learning curve and a high deal of complexity of use. The SSO feature, notably, only seems to work with newer AWS accounts. According to VentureBeat , the IDE provides “some features that appear to be just rebrandings of older products and some that solve new, legitimate customer pain points. Even the best new features are incremental improvements on existing products.”

Reducing Cloud Anxiety With New Security-Focused Services

It seems Amazon has heard the cries of its customers as they struggle to manage the complexity of their cloud environment’s security. They announced Amazon detective, Macie , and IAM Access Analyzer to review organizational security lattices and catch any potential privilege or access issues. IAM Access Analyzer helps to solve misconfiguration problems, one of the most common problems with AWS deployments, and can purportedly monitor and evaluate thousands of security policies across a deployment environment in seconds.

Thought Leadership in Designing Resilient Software Systems

Amazon showed some responsibility for their dominance of the cloud with their release of the AWS Builders’ Library. A number of sessions at re:Invent included references to their cell-based architecture approach and explained how AWS achieves high uptime numbers for their most important services.

Announcing AWS Quick Start Reference Deployment for VNS3

Announcing AWS Quick Start Reference Deployment for VNS3

Want a HIPAA/HITECH compliant application deployed to AWS in minutes? Read on!

We’re proud to announce the release of our first AWS Quick Start reference deployment for configuring and launching our VNS3 overlay network for your cloud application. Working closely with Amazon we’ve leveraged the proven power of AWS CloudFormation to take our secure and scalable solution and make it even more accessible. With our Quick Start deployment, VNS3 can easily secure your cloud application to HIPAA and HITECH standards in as few as fifteen minutes, supported by best practice tools and strategies for automating your infrastructure deployments.

Check out our Quick Start Guide here! Keep reading for more information about this release.

VNS3 AWS Quickstart Architecture

Save Time

Our Quick Start was built by AWS and Cohesive Networks solutions architects to help you automatically deploy a VNS3 topology quickly and easily. Don’t worry about high availability and security, we’ve included it for no extra charge! Build your production deployment fast and start using it now.

Reduce Complexity

Simple (not to be confused with simplistic) is secure. VNS3 provides a generalized approach to encryption across your cloud deployment. This enables you to field a clean VPC Route Table and Security Group configuration to reduce attack surface and minimize misconfigurations.

Control Encryption

AWS provided and controlled, symmetric encryption with common shared keys isn’t enough for regulated industries. Customer controlled encryption with VNS3 is essential to securing PII/PHI in order to pass HIPAA audits. VNS3 as demonstrated in this Quick Start Guide provides a simple and programmatic way for achieving HIPAA compliance.

Added Bonus

Do you use blocked protocols like UDP multicast? The VNS3 encrypted overlay network deployed by this guide allows you to redistribute UDP multicast within your AWS VPC deployment. Now you can apply the same design principles to your cloud applications, whether designing cloud native or lifting and shifting.

Moving Forward

Following the successful launch of our first AWS Quick Start Guide, we’re excited to move forward and create new reference deployments for all the various use cases VNS3 supports. We’re cooking up AWS Quick Start Guides that deal with more complex peered VNS3 topologies, demonstrating different High Availability and Network Federation capabilities. We are also working on an Azure QuickStart template for deploying the encrypted Overlay Network for Microsoft Windows VMs later this summer.

AWS re:Invent Recap

AWS re:Invent Recap

AWS REinvent 2018

We’ve been heads down working on the 3 P’s for a number of months (products, presence, and people). As a result we’ve all but stopped our social media and dynamic content. We’ll look to emerge from our cocoon in early 2019 but we had to pop out and do yet another re:Invent recap (YArIR!).

Cohesive Networks (and our parent company CohesiveFT) have attended/sponsored all AWS re:Invents. Each year the conference gets denser yet more spread out… think about that one. This year was no exception. Now that our “away team” is fully recovered from the ill effects of desert entertainment, had some time to reflect, and get our hand dirty trying out a few new services, we’re ready to state our opinion. That’s what the following is, the opinion of the smartest, coolest, and most experienced cloud networking experts in the game (see opinion).

Micro Blink Reaction – Crowd Sourcing the Self-driving Algos

AWS DeepRacer is awesome and the DeepRacer League is hilariously brilliant. I ordered my discounted DeepRacer a few seconds after it was announced during Andy Jassy’s keynote. The bummer is I won’t take delivery until March. Hopefully the simulation environment holds me over (request preview access).

Macro Blink Reaction – AWS appetite for its ecosystem grows

AWS continues to eat the ecosystem and this year they stepped up their game. Previous years had AWS entering markets and wiping out millions of $s in ecosystem players. This year we think the number is in the capital B BILLIONS.

As a member of the AWS Partner Network (Advanced Technology Partner), we, like all AWS partners, look to re:Invent every year with mixed feelings of excitement and dread. If you aren’t on the Customer Advisory Council, you never really know if this is the year AWS will announce a direct competitor to your business. We all know the risks, and the AWS “not built here” corp dev mentality that drives their roadmap, but there is too much opportunity not to participate. Multi-cloud helps, but AWS is still the King of Cloud both in usage and features/services. I won’t go into detail about what competes with whom, take a look at these other recap posts:

Specific Announcement Reactions

We also won’t cover all the announcements because of the number of announcements per service category.

  • App Integration – 2
  • Analytics – 4
  • Compute – 11
  • Databases – 6
  • Developer Tools – 2
  • IoT – 7
  • ML – 14
  • Management – 6
  • Marketplace – 3
  • Media – 1
  • Migration – 2
  • Mobile – 1
  • Networking – 6
  • Robotics – 1
  • Satellite – 1
  • Security/Identity – 2
  • Storage – 10

Below we’ll review the features and service announcements that piqued our interest from a security and networking perspective.

Transit Gateway (GA)

What is it?
An AWS managed gateway service that allows a hub-and-spoke network topology connecting VPCs in the same region (expect multi-region support in the future) owned by a single or multiple AWS accounts as well as remote networks. This offering replaces the multi-party solution that was previously being offered called the AWS Global Transit Network. Check out the Transit Gateway announcement blog or product home for more information.

Why it matters?
Transit gateway solves a significant number of issues around the need to be able to route between VPCs “in cloud” at AWS. The manner in which it has been solved creates an economic opportunity for AWS as well – charging $.05 per hour for each connection to the gateway.

For Cohesive Networks, we spend our days (and nights) helping customers Connect, Federate, and Secure. Just like the introduction of the VPC itself, Direct Connect, AZs, Regions, GovCloud, China, and all the related facets of AWS – this creates more demand for connecting, federating, and securing. “Transit” is a subset of the overall federation architecture, so definitely a feature – not a business, meaning this release is good news for Cohesive, and gives us parity with capability Azure and Google networking has had for some time (although they do it a bit differently).

The release of Transit Gateway lets us create some federation structures for customers that were previously too complex, and requiring, dare I say it, too many VNS3 controllers needed to complete the task, as a result of AWS networking limitations. Now our customers can spend a bit more money, reduce a little bit of complexity, and still get the attestable control they need as regulated or self-regulated businesses operating in 3rd party data centers over which they have no direct insight, visibility, or control (AKA “the cloud”).

AWS Security Hub (Preview)

What is it?
A monitoring platform service focused on security that aggregates security alerts and compliance status from native AWS services as well as from 3rd party services. Many security vendors announced initial support for Security Hub. Security Hub aims to create a single pane of glass for an organization’s security and compliance posture across all its AWS accounts. Check out the Security Hub announcement blo g or product home for more information.

Why it matters?
AWS Security Hub begins to solve the “feature glut” problem of the ever-growing Amazon services collection. One reason organizations suffer from data exploits is NOT because they lack monitoring information with events and alerts – it is because they have TOO many events and alerts. Security Hub appears that it will provide an encompassing overview of outputs coming from AWS GuardDuty, Inspector and Macie. Each of these has a rich set of features for your cloud deployments – running all three of them independently could be a bit overwhelming.

At Cohesive we have previously highlighted the world we are entering where the critical IT executive decision is “all-in vs. over-the-top”, meaning where on the spectrum of using cloud, AWS for example, do you position your organization? Do you go “all-in” on embedded AWS services which provide abstracted visibility and limited control – or do you go “over-the-top” and run many of your own layers of infrastructure and instrumentation, strung across AWS, Azure, Google, For the “all-in” crowd we think Security Hub may make consuming some of these services easier.

Global Accelerator (GA)

What is it?
A service to help customers easily route traffic across multiple regions to improve availability and performance of cloud-based applications/deployments. Global Accelerator provides an entry point to allow TCP or UDP traffic to use the AWS Global Network to reach AWS deployed application topologies instead of the Public Internet. Global Accelerator provides static Anycast IPs that serve as a fixed entry point for an AWS deployed application available in any number of the currently support regions (us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, and ap-southeast-1). The Anycast IPs are advertised from the supported AWS regions so traffic enters the global network as cloud to the uses as possible. Global Accelerator can then be associated with cloud-based applications via application load balancers, network load balancers, or Elastic IPs. In addition to data transfer fees Global Accelerator costs $0.025 per hour.

Why it matters?
Other than the obvious HA and performance benefits, the big theme from this and Transit Gateway is coalescence. Clouds and cloud regions were built to be isolated by design. Increasingly as companies a have grown in the cloud organically or via acquisition, organization cloud estates have experienced sprawl. Providing avenues to bring the regions “closer together” while maintaining the logical separation is a key value for many of AWS’ largest customers.

We continue to experiment how our customers might benefit from using the Anycast IPs as static global cloud endpoint IPs for VPN connections and well as distributed and encrypted overlay networks.

EC2 C5n (GA)

What is it?
A new generation instance family focused on super fast networks speeds up to 100 Gbps. These new instances use the latest nitro hardware and allow for some serious packets per second performance. The instances sizes are available now in us-east-1, us-east-2, us-east-2, eu-west-1, and govcloud. Prices start Read more about the C5n instance family.

Why it matters?
We are getting a glimpse of the future of cloud network performance and throughput. Eliminating the current VPC gateway throughput restrictions will open up more use-cases for the cloud. Total throughput for VNS3 controller just increased dramatically. Of course there are some restrictions (see placement groups) but it’s always exciting when you get a bandwidth upgrade. Maybe AWS will soon host the first cloud-based high speed low latency trading app?