
    Enforza - Cloud-Managed Firewall & Secure NAT Gateway

    Sold by: enforza 
    Deployed on AWS
    AWS Free Tier
    Cloud-managed egress firewall, secure NAT gateway and GWLB inspection appliance. FQDN/URL filtering at a flat per-firewall price - no per-GB data tax. Console or GitOps (GitHub).

    Overview

    Enforza is a cloud-managed network firewall and secure NAT gateway for AWS. It runs as a lightweight appliance on an instance in your own account, and registers to the Enforza control plane on first boot - giving you centrally managed outbound security without a management plane to babysit.

    Why teams switch to Enforza:

    • Flat per-firewall pricing - no per-GB data-processing tax. Cloud-native firewalls and managed NAT gateways charge per gigabyte processed; Enforza doesn't. Most teams cut egress-security and NAT cost by 60-80%.
    • FQDN / URL egress filtering. Allow-list outbound traffic by domain, not just IP - the control a plain NAT gateway or NAT instance can't give you.
    • Secure NAT gateway. Replace your NAT gateway and your egress firewall with one appliance, instead of paying for and operating both.
    • Transparent GWLB inspection. Deploy Enforza behind an AWS Gateway Load Balancer (GWLB) for centralised, scalable, transparent traffic inspection across your VPCs - the architecture teams usually reach a mega-NGFW for, at flat per-firewall pricing.
    • Managed, with no exposed management plane. No SSH into boxes, no internet-facing admin interface. One console for your whole fleet, with managed high availability across AZs.
    • Two ways to run it. Drive it from the Cloud Controller console, or as GitOps policy-as-code via GitHub (pull-request review, guardrail checks, full audit trail) in your existing pipeline - your choice, same engine.
    • Compliance built in. Every firewall rule is checked against named frameworks (PCI DSS, CIS, NIST, ISO 27001 and more), advise-or-enforce, with audit-ready egress logs.

    How it works: launch the appliance with the 1-click CloudFormation template (or the AMI directly). It self-registers to Enforza on first boot - there is no key to manage. In the Enforza console, open "Claim a firewall", enter your AWS account ID + EC2 instance ID, and it binds to your tenant. Apply a policy from the console or your GitOps (GitHub) pipeline; outbound traffic is filtered on standard Linux network primitives, with always-on hardening guardrails active from first boot. (Marketplace AMIs use signed-instance-identity self-registration - no registration key.)

    Licensing (BYOL): the AMI is free to launch. Entitlement is granted by your Enforza plan (a free tier is available); paid licences are handled directly with Enforza, not through AWS billing.

    Highlights

    • Up to 80% cheaper than cloud-native firewalls and managed NAT gateways - flat per-firewall pricing, no per-GB data tax.
    • FQDN/URL egress filtering + secure NAT in one appliance, managed centrally with no exposed management plane or SSH.
    • Transparent GWLB inspection: run behind an AWS Gateway Load Balancer for centralised, scalable traffic inspection - without a mega-NGFW price tag.

    Details

    Sold by

    Delivery method

    Delivery option
    Enforza Firewall — CloudFormation (recommended)
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Debian 12

    Deployed on AWS

    Pricing

    Enforza - Cloud-Managed Firewall & Secure NAT Gateway

    Pricing and entitlements for this product are managed through an external billing relationship between you and the vendor. You activate the product by supplying a license purchased outside of AWS Marketplace, while AWS provides the infrastructure required to launch the product. AWS Subscriptions have no end date and may be canceled any time. However, the cancellation won't affect the status of the external license.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Vendor refund policy

    Free through AWS Marketplace under a Bring Your Own License (BYOL) model: AWS does not charge for the software, so there are no AWS Marketplace charges to refund. You still pay AWS for the underlying resources (EC2, EBS, data transfer) at standard rates. Any paid Enforza licence is purchased directly from Synvu Limited, not via AWS, under your Enforza agreement. A free tier is available; for licence or billing questions email support@enforza.io.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    Enforza - a cloud-managed egress firewall and secure NAT gateway for AWS.

    Included in this version:

    • FQDN / URL egress filtering: allow-list outbound traffic by domain, not just IP.
    • Secure NAT gateway: replace your egress firewall and NAT gateway with one appliance.
    • Flat per-firewall pricing with no per-GB data-processing charges.
    • Two ways to manage: the Cloud Controller console, or GitOps policy-as-code in your pipeline.
    • Rule-level compliance checks against named frameworks (PCI DSS, CIS, NIST, ISO 27001), advise-or-enforce, with audit-ready egress logs.
    • Zero-touch onboarding: the appliance self-registers on first boot (no key), then you claim it in the console with your AWS account ID and EC2 instance ID.
    • Self-maintaining: automatic OS security patching, a self-upgrading engine, and always-on hardening guardrails from first boot.
    • Hardened image: SSH disabled by default, IMDSv2 required, no baked credentials.

    Deployment: launch with the included one-click CloudFormation template (recommended - it disables EC2 source/destination checking, which a forwarding firewall requires, and assigns a stable Elastic IP), or launch the AMI directly.

    Base: Debian 12, x86-64 (amd64).

    Additional details

    Usage instructions

    Enforza is a cloud-managed firewall and secure NAT gateway. You manage it from the Enforza console (or via GitOps) - there is nothing to configure on the instance itself.

    1. Launch: If you launch the AMI directly, you must then disable source/destination check on the instance yourself. Use a non-burstable instance type (e.g. c6i.large) for production - burstable (t-family) CPU credits throttle a firewall under sustained load.

    2. First boot - automatic registration: On first boot the appliance self-registers to the Enforza control plane using its AWS-signed instance identity document. There is no registration key to manage.

    3. Claim it to your account: Sign in to the Enforza console at https://console.enforza.io, open "Onboard Firewall", and enter your AWS Account ID and the launched EC2 Instance ID to bind the firewall to your Enforza tenant.

    4. Apply a policy: In the Enforza console, create or bind a policy - FQDN/URL egress rules, secure NAT, and compliance checks - or manage it as GitOps policy-as-code in your pipeline. Policy applies within seconds. Route your private subnets through the firewall's ENI.

    Maintenance: the OS auto-applies security patches and the engine self-upgrades; the console shows a badge if a reboot is required. SSH is disabled by default.

    Support: support@enforza.io - https://enforza.io

    Support

    Vendor support

    Support email: support@enforza.io 

    Support URL: https://docs.enforza.io 

    Support description:

    Enforza is supported by Synvu Limited. Email support is available during UK business hours (Monday to Friday, excluding UK public holidays) with a next-business-day response target. For setup, configuration, and operational questions, email support@enforza.io or see the documentation at https://docs.enforza.io.

    Account, licensing, and billing queries are handled directly by the Enforza team (billing is managed through your Enforza account, not AWS, under the BYOL model). A free tier is available for evaluation; paid plans include the same support channel.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
