Control what leaves your network — without the per-GB tax.
A secure NAT gateway for AWS, Azure and Google Cloud: identity- and
FQDN-based egress filtering with secure source-NAT on one appliance, at a
flat per-firewall price and $0/GB. Replace the cloud-native
NAT-plus-firewall stack — and the data-processing charges that come with
it.
Azure has retired default outbound internet access
Since March 31, 2026, new Azure virtual networks default to private subnets — no implicit outbound internet access. Workloads created on the new default need an explicit egress method. Make it a secure one.
Microsoft has closed the implicit-egress door. For platform API
versions released after March 31, 2026, a new
virtual network's subnets are private by default: a VM
with no explicit outbound configuration cannot reach the internet on its
own, and the Azure portal already defaults new subnets to private. You
add the path deliberately — a NAT gateway, load-balancer outbound rules,
a public IP, or a network virtual appliance reached via a user-defined
route.
That makes it the moment to add control, not just connectivity. Route
the subnet through the Enforza NVA and a single step gives you secure
source-NAT and identity-aware L7 egress filtering — so the new
explicit path is also a governed one. Existing networks and VMs are
unaffected; this applies to new virtual networks created with the newer
API versions.
Microsoft's own list of explicit outbound methods includes the NVA path
Microsoft documents four sanctioned ways to give a private subnet explicit
outbound access. The fourth is exactly how Enforza runs — and it is the
only one that filters egress in the same hop.
1. NAT gateway on the subnet: Microsoft's recommended default for most workloads — connectivity only.
2. Standard load balancer with outbound rules: outbound translation tied to a load-balancer front end.
3. A Standard public IP on the NIC: direct outbound for an individual VM.
4. A firewall or network virtual appliance via a user-defined route (that's Enforza): routing through an NVA is on Microsoft's own list. With Enforza it is one hop, not two: secure source-NAT and filtered, identity-aware L7 egress together, at a flat per-firewall price, instead of stacking a NAT gateway and a separate firewall.
Source: Microsoft Learn — Default outbound access in Azure,
retirement dated March 31, 2026. Existing networks are unaffected;
this applies to new virtual networks created with API versions released
after that date.
Connect the workload, and decide what it can reach
A plain NAT gateway only translates and forwards. A secure NAT gateway decides — by destination domain and identity — what outbound connections are allowed, before it translates them. Enforza does both on one appliance.
Identity- and FQDN-based allow-lists
Write egress rules against the destination domain — read from the TLS SNI extension, the HTTP Host header or the DNS question — not a brittle wall of IPs. Allow tcp/443 to your package mirror and your APIs; deny everything else. No TLS decryption, no key custody.
Named objects, kept current for you
Import AWS IP Ranges (S3 · eu-west-2) and Azure Service Tags (Storage.NorthEurope) as named, reusable network objects that refresh on their own when the provider catalogue moves. You write "egress to AWS S3" and mean it.
Secure NAT + filtering, one appliance
Source-NAT (masquerade) is configured per rule, beside the policy it belongs to — or globally in one toggle for the classic NAT-gateway role. One firewall instance does outbound translation and identity-aware L7 egress control together, in-kernel at line rate.
Every outbound flow, logged to your SIEM
Each egress decision is logged with the matched rule, host and verdict, and streamed live to your browser or shipped straight to Azure Monitor / Sentinel, AWS S3 or Splunk — with your identity and your bill. The data plane never traverses Enforza's cloud.
Securing egress on the cloud bills you per gigabyte. Enforza doesn't.
To filter outbound traffic on a hyperscaler you stack a managed NAT gateway for connectivity and a firewall for inspection — each billing a per-hour fee AND a per-GB data-processing charge on every byte, forever. Enforza is one appliance at a flat per-firewall price, $0/GB.
Cloud-native: secure egress, stacked
  Managed NAT gateway: egress connectivity, no filtering.
  Two products, each metered per hour AND per GB. The per-GB data-processing tax is the universal wedge — it never stops, and it grows with every byte you send.
With Enforza: Enforza NVA, secure NAT + identity-aware L7, in one
  Per hour: $0
  Per GB: $0 / GB
Flat, per-firewall licence — £179/mo (£149 from your sixth), plus the
Linux VM you already run.
AWS NAT Gateway ($0.045/GB) and Network Firewall ($0.065/GB) are separate
products with separate rates — never merged. Azure Firewall
performs its own source-NAT, so on Azure the wedge is the per-GB
data-processing charge, not a separate NAT line; the same holds for Google
Cloud's Cloud NAT plus Cloud NGFW. Rates verified for us-east-1, dated
2026-06-14; they are directional and subject to change. Savings of 60–80% are
typical at modest egress; run your own numbers.
The same firewall instance enforces the same identity-aware egress policy on AWS, Azure, Google Cloud and on-prem — managed from one control plane. Migration is a route change, not a re-architecture.
AWS
Replace the NAT-Gateway-plus-Network-Firewall egress stack with one flat-priced appliance. Migration is a route-table change — point the route that currently exits via your NAT Gateway at the Enforza NVA instead.
Drops two metered products ($0.045/GB NAT + $0.065/GB firewall) for $0/GB.
Azure
Now that default outbound access is retired, every new private subnet needs an explicit egress path: route through the Enforza NVA with a user-defined route — one of Microsoft's own four sanctioned outbound methods. Identity-aware L7 egress filtering and source-NAT on the same box.
Azure Firewall does its own SNAT — here the wedge is the per-GB data-processing tax, not a separate NAT line.
Google Cloud
Run filtered egress in place of Cloud NAT plus Cloud NGFW. Route your VPC's outbound through the Enforza NVA for FQDN allow-listing and secure source-NAT, under the same flat per-firewall licence.
Replaces a per-GB Cloud NAT line and per-GiB NGFW evaluation with $0/GB.
A NAT gateway gives private workloads a path to the internet by translating their source address. A secure NAT gateway adds policy to that path: it decides which outbound connections are allowed, by destination domain and identity, before translating and forwarding them. Enforza does both on one appliance — identity-aware L7 egress filtering and source-NAT together — so you control what leaves your network, not just connect it.
Why does the Azure default-outbound-access retirement matter?
Since March 31, 2026 (for API versions released after that date), new Azure virtual networks default to private subnets with no implicit outbound internet access. Workloads that rely on that default need an explicit egress method — a NAT Gateway, load-balancer outbound rules, a public IP, or a network virtual appliance reached via a user-defined route. It is a good moment to add a secure, filtered egress path rather than just restoring connectivity: route the subnet through the Enforza NVA and you get both outbound translation and identity-aware L7 control in one step.
Does the change break UDR routes to Azure Service Tags?
It can. A common pattern routes traffic to Azure Service Tags with a next hop of Internet to let workloads reach Azure services directly. Microsoft documents that, in a private subnet, those Service-Tag routes no longer provide outbound access on their own unless an explicit outbound method is also configured. Routing the subnet through the Enforza NVA restores that path and governs it: import Azure Service Tags (and AWS IP Ranges) as named objects in the object manager and write "egress to Azure Storage" as a rule that stays current on its own when the provider catalogue moves.
Does Enforza decrypt TLS to filter egress by domain?
No. Destination domain is read from data already in clear text on the wire — the TLS SNI extension, the HTTP Host header and the DNS question name. There is no man-in-the-middle, no private CA to push to every endpoint, and no custody of your production TLS keys.
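How the SNI-based match described above and under "Identity- and FQDN-based allow-lists" works, as an added example that is not Enforza's code: a small Python parser pulls the server_name out of a constructed TLS ClientHello and applies a default-deny allow-list of the kind the page describes (a package mirror and an API on tcp/443). The host names and the allow-list are assumptions; nothing is decrypted, only the clear-text extension is read.

```python
import struct
from typing import Optional, Tuple

# Hypothetical allow-list in the spirit of the page's rule: tcp/443 to a
# package mirror and an API, everything else denied. Names are constructed.
ALLOW = {"mirror.example.com", "api.example.com"}


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record carrying
    a server_name extension (RFC 6066). Not a captured packet."""
    host = sni.encode()
    entry = b"\x00" + struct.pack(">H", len(host)) + host            # host_name entry
    ext = struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0 = server_name
    body = (b"\x03\x03" + bytes(32)          # client_version + random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # one compression method
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # record header


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello without decrypting anything and return the
    server_name, or None if this is not a ClientHello or it carries none."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 44 + record[43]                                # past headers, version, random, session_id
        p += 2 + struct.unpack_from(">H", record, p)[0]    # cipher suites
        p += 1 + record[p]                                 # compression methods
        end = p + 2 + struct.unpack_from(">H", record, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", record, p)
            if ext_type == 0:                              # server_name extension
                name_len = struct.unpack_from(">H", record, p + 7)[0]
                return record[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def verdict(record: bytes, dport: int = 443) -> Tuple[str, Optional[str]]:
    """Return (verdict, host) for one outbound flow, matched on the SNI.
    Flows with no readable SNI fall through to the default deny."""
    host = extract_sni(record)
    if dport == 443 and host in ALLOW:
        return "allow", host
    return "deny", host
```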
Do I still need a separate NAT gateway?
On AWS and Google Cloud, securing egress usually means stacking a managed NAT gateway for connectivity and a firewall for inspection — two metered products. Enforza does secure source-NAT and identity-aware L7 filtering in a single appliance, so you replace both. On Azure, the managed firewall already performs its own source translation; there the win is removing the per-GB data-processing charge, not a separate NAT line.
How much does it cost compared with cloud-native NAT plus firewall?
Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — with $0/GB, plus the Linux VM you already run. The cloud-native stack bills a per-hour fee plus a per-GB data-processing charge on every byte, forever: AWS NAT Gateway at $0.045/GB and Network Firewall at $0.065/GB are two separate products with two separate rates. The flat line typically lands 60–80% below the cloud-native firewall plus data-processing charges at modest egress. Rates are directional and dated — run your own numbers in the savings calculator.
Which clouds does it run on?
AWS, Azure, Google Cloud and on-prem VMs, under one control plane. The same firewall instance enforces the same identity-aware egress policy wherever it runs, so a multi-cloud estate is one fleet rather than three separate NAT-and-firewall products.
Does the firewall expose a management port?
No. The firewall instance has no inbound management port and no admin UI to expose. Its control plane is outbound-only to the Enforza cloud — the instance manages up, never in — so there is no reachable management interface on the security device to find or harden.
Secure egress. Without the per-GB tax.
Give your workloads a secure way out.
Identity-aware L7 egress filtering and secure source-NAT in one appliance, on any cloud — at a flat per-firewall price with no per-GB data-processing charges. Start free, no card.