AWS Marketplace
Listings
- Commercial ARM64: Pelotech Secure AL2023 NAT Instance - ARM64 - CIS L2 & FIPS 140-3
- Commercial x86_64: Pelotech Secure AL2023 NAT Instance - x86_64 - CIS L2 & FIPS 140-3
- GovCloud ARM64: Pelotech Secure AL2023 NAT Instance - ARM64 - GovCloud CIS L2 & FIPS 140-3
- GovCloud x86_64: Pelotech Secure AL2023 NAT Instance - x86_64 - GovCloud CIS L2 & FIPS 140-3
Each listing includes a CloudFormation template that supports both ARM64 (Graviton) and x86_64 instance types. The correct AMI is selected automatically based on the chosen instance type using CloudFormation mappings. AMI IDs are populated by CI at release time and cloned to all regions by AWS Marketplace during publishing.
Short Description
- The short description can have up to 1,000 characters. Descriptions exceeding 188 characters require a ‘show more’ link to be viewed in full.
Drop-in NAT Gateway replacement built on Amazon Linux 2023. CIS Level 2 hardened, FIPS 140-3 compliant, Trivy & OpenSCAP scanned. Compatible with fck-nat Terraform module. Kernel live patching, nftables, CloudWatch, IMDSv2. Security reports (CIS 100/100, 0 CVEs at publish, SBOM) published with every release. Save up to 99% vs NAT Gateway. Separate listings available for ARM64 (Graviton) and x86_64 architectures, and for Commercial and GovCloud partitions. Currently available in US regions, with additional regions coming soon.
Long Description
- The long description can have up to 5,000 characters.
Pelotech Secure NAT Instance is a production-ready, drop-in replacement for AWS NAT Gateway built on Amazon Linux 2023. It eliminates NAT Gateway's per-GB data processing charges, reducing NAT costs by up to 99% — a t4g.nano instance costs ~$3/month regardless of data volume, compared to thousands of dollars at scale with NAT Gateway. Separate listings are available for ARM64 (Graviton) and x86_64 architectures, as well as for Commercial and GovCloud partitions — select the listing that matches your target architecture and partition. AMIs are currently available in US regions, with additional regions being added soon.
Every AMI is hardened to the CIS Benchmark Level 2 server profile and ships with FIPS 140-3 cryptographic compliance enabled, meeting the security requirements for FedRAMP, PCI DSS, HIPAA, and DoD workloads. GovCloud AMIs use the FIPS-validated kernel (6.1) and automatically route API calls through AWS FIPS endpoints. Security artifacts — including OpenSCAP CIS L2 reports (100/100 pass rate), Trivy vulnerability scans (0 CVEs at publish), CycloneDX SBOMs, and Cosign image signatures — are published with every release for full audit traceability.
The AMI is fully compatible with the popular fck-nat Terraform module, so existing deployments can switch with no configuration changes. Operational features include kernel live patching (kpatch) for zero-downtime security updates, nftables masquerade rules for modern packet filtering, optional CloudWatch agent integration via SSM, IMDSv2 enforcement, dual-stack IPv4/IPv6 forwarding, and Elastic IP association. The minimal 6 GB root volume and single systemd oneshot service ensure fast boot times and a small attack surface.
Product Highlights
- CIS Level 2 hardened and FIPS 140-3 compliant -- meets FedRAMP, PCI DSS, and DoD compliance requirements
- Kernel live patching, nftables masquerade, CloudWatch integration, and IMDSv2 enforcement for production-grade operations
- Drop-in replacement for AWS NAT Gateway -- works with existing fck-nat Terraform module, saves up to 99% on NAT costs
Support
- Email: support@pelo.tech
- Docs: https://pelotech-nat.pelo.tech/
This software is provided as-is. Vendor support is available on a best-effort basis via email. For guaranteed response times, SLAs, or dedicated support plans, please contact support@pelo.tech to discuss available options.
Categories
- Primary: Network infrastructure
- Secondary: Security
- Tertiary: Resource cost optimization
Keywords
Enter up to 15 keywords (single words or phrases) that customers might use when searching for your product on the AWS Marketplace website. Each keyword can have up to 50 characters.
- NAT instance, NAT gateway replacement, CIS hardened, FIPS 140-3, AL2023, Amazon Linux 2023, nftables, cost optimization, network address translation, Graviton, hardened AMI, GovCloud, FedRAMP, security compliance, VPC networking
Delivery Option: Amazon Machine Image
Usage Instructions
- Usage instructions can have up to 2,000 characters.
Terraform: Use the `terraform-aws-fck-nat` module with the Marketplace AMI ID. Set the `ami_id` parameter to the Marketplace AMI and configure `vpc_id`, `subnet_id`, and `instance_type` as needed.
Manual launch: Launch the AMI directly from EC2. Assign an IAM role with `ec2:ModifyNetworkInterfaceAttribute`, `ec2:AssociateAddress`, `ec2:AttachNetworkInterface`, and SSM permissions (`ssm:*`, `ssmmessages:*`). Disable source/destination checks on the instance. Update private subnet route tables to point `0.0.0.0/0` at the instance.
Configuration: Pass settings via user data by writing to `/etc/pelotech-nat.conf`. Key variables: `eip_id` (Elastic IP allocation), `eni_id` (secondary ENI), `cwagent_enabled`/`cwagent_cfg_param_name` (CloudWatch agent), `nf_conntrack_max`, and `ip_local_port_range`.
Verification: SSH or SSM into the instance and run `systemctl status pelotech-nat` to confirm the service is active, and `journalctl -u pelotech-nat` to review boot logs.
Security Group Recommendations
Ingress: Allow all traffic from VPC CIDR (private subnet traffic needing NAT).
Egress: Allow all outbound traffic (0.0.0.0/0).
Optional: Restrict SSH/SSM access to trusted IP ranges as needed.
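The manual-launch steps and the security group recommendations above, put together as a Terraform configuration. This is an added example, not Pelotech's or the fck-nat module's own code: the IAM actions, the `/etc/pelotech-nat.conf` path and its key names, and the security group rules come from the listing; the `key=value` layout of the config file, the `nf_conntrack_max` and `ip_local_port_range` values, and all IDs and CIDRs are assumptions or placeholders.

```hcl
# Added example (not Pelotech's or fck-nat's code): manual launch of the
# Marketplace AMI with Terraform, following the listing's usage instructions
# and security group recommendations. IDs and CIDRs are placeholders.

variable "marketplace_ami_id" { description = "AMI ID from the Marketplace listing" }
variable "vpc_id" {}
variable "vpc_cidr" {}
variable "public_subnet_id" {}
variable "private_route_table_ids" { type = list(string) }
variable "eip_allocation_id" { default = "" } # leave empty to skip EIP association

resource "aws_iam_role" "nat" {
  name = "pelotech-nat-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Exactly the permissions the listing names. Narrow the Resource element
# (instance/ENI ARNs, condition keys) where your environment allows it.
resource "aws_iam_role_policy" "nat" {
  name = "pelotech-nat-instance"
  role = aws_iam_role.nat.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ec2:ModifyNetworkInterfaceAttribute",
          "ec2:AssociateAddress",
          "ec2:AttachNetworkInterface",
        ]
        Resource = "*"
      },
      {
        Effect   = "Allow"
        Action   = ["ssm:*", "ssmmessages:*"]
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_instance_profile" "nat" {
  name = "pelotech-nat-instance"
  role = aws_iam_role.nat.name
}

# Ingress only from the VPC CIDR (private subnet traffic needing NAT),
# unrestricted egress, as recommended in the listing.
resource "aws_security_group" "nat" {
  name   = "pelotech-nat-instance"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "nat" {
  ami                    = var.marketplace_ami_id
  instance_type          = "t4g.nano" # ARM64 listing; pick an x86_64 type for the x86_64 listing
  subnet_id              = var.public_subnet_id
  vpc_security_group_ids = [aws_security_group.nat.id]
  iam_instance_profile   = aws_iam_instance_profile.nat.name
  source_dest_check      = false # NAT forwards packets it does not own
  metadata_options { http_tokens = "required" } # IMDSv2 only

  # Settings are passed by writing /etc/pelotech-nat.conf from user data.
  # key=value layout is an assumption; the key names are from the listing.
  user_data = <<-EOT
    #!/bin/bash
    cat > /etc/pelotech-nat.conf <<'CONF'
    eip_id=${var.eip_allocation_id}
    nf_conntrack_max=262144
    ip_local_port_range="1024 65535"
    CONF
  EOT
}

# Point each private subnet's default route at the NAT instance's ENI.
resource "aws_route" "private_default" {
  for_each               = toset(var.private_route_table_ids)
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_instance.nat.primary_network_interface_id
}
```

Restricting SSH/SSM to trusted ranges, the listing's optional recommendation, would be an additional ingress rule on the security group (for SSH) or an SSM session policy; this example relies on SSM through the `ssm:*`/`ssmmessages:*` permissions and opens no SSH port.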
Delivery Option: Amazon Machine Image with CloudFormation
Delivery Option Title
Pelotech Secure AL2023 NAT Instance - CloudFormation (Per-Subnet)
Short Description
One-click per-subnet NAT deployment via CloudFormation. Deploy one stack per public subnet — each provisions an IAM role, security group, Auto Scaling group, and routing automatically. Route up to 6 private subnet route tables through a single NAT instance.
Long Description
Each CloudFormation stack deploys a single NAT instance into one public subnet and can manage routing for up to 6 private subnet route tables. Deploy one stack per public subnet: use a single NAT instance to serve multiple private subnets (1:many), or deploy a dedicated NAT instance per private subnet for higher availability (1:1). The template handles all infrastructure setup: IAM role and instance profile, security group, launch template, Auto Scaling group (single instance), optional Elastic IP association, route table entries, and optional CloudWatch agent integration via SSM. The template auto-selects the correct ARM64 or x86_64 AMI based on the chosen instance type architecture using CloudFormation mappings — no AMI ID input is needed.
Usage Instructions
- Usage instructions can have up to 4,000 characters.
Launch: Select the CloudFormation delivery option in AWS Marketplace and click "Continue to Launch". Fill in the required parameters: `VpcId`, `SubnetId` (the public subnet for this NAT instance), `VpcCidr`, and `InstanceType` (default `t4g.micro`).
Routing: Specify which private subnet route tables this NAT instance should serve using `RouteTableId1` through `RouteTableId6`. For a 1:many setup, add multiple route table IDs to a single stack. For a 1:1 setup, deploy a separate stack per public subnet with one route table each.
Optional parameters: `AssociateElasticIP` (default true), `EnableCloudWatch` (default false), `CloudWatchConfigParam` (SSM parameter name for CloudWatch config), `KeyPairName` (for SSH access), `ENIId` (pre-existing ENI), `ConntrackMax` (connection tracking table size), and `LocalPortRange` (ephemeral port range).
Launch the stack. CloudFormation creates all resources. The NAT instance boots, configures nftables masquerade rules, disables source/destination checks, updates the specified route tables, and optionally associates an Elastic IP — all automatically.
AMI Parameter Name
The template does not expose an explicit AMI parameter. AMI IDs are embedded in `Mappings.RegionAMI` and auto-selected based on the instance type architecture (ARM64 vs x86_64) and the deployment region. Marketplace populates these mappings at publish time.
Security Documentation to Include
- OpenSCAP CIS L2 report (from build artifacts)
- Trivy vulnerability report (from build artifacts)
- CycloneDX SBOM (from build artifacts)
- 5 CIS exceptions (documented in SECURITY.md)
- FIPS 140-3 posture (kernel 6.1 CMVP validated for all builds)