AWS Marketplace · BYOL

Deploy Enforza from the AWS Marketplace.

A cloud-managed firewall and secure NAT gateway, delivered as an AMI you launch in your own AWS network. Bring-your-own-licence — $0 through AWS. One-click CloudFormation, self-registration, and a quick claim in the console. You can be filtering in minutes.

  • Server / AMI product
  • BYOL — $0 through AWS
  • Any x86_64 instance

Questions? support@enforza.io.

What you get

A firewall you own, managed like a service.

The Marketplace AMI is the same Enforza firewall NVA used everywhere else — egress, ingress and east-west control with FQDN/SNI-based L7 and secure NAT — running on a VM in your account, managed from the Enforza console.

  • Firewall and secure NAT in one VM

    Egress, ingress and east-west control with FQDN/SNI-based L7 filtering and source NAT — a single lightweight Linux VM in your own AWS network, not a metered managed endpoint.

  • Bring-your-own-licence — $0 through AWS

    The Marketplace listing is BYOL: AWS charges you nothing for the software. You pay only for the EC2 instance you run it on, and your Enforza plan is handled in the Enforza console — including a genuine free tier.

  • Self-registering, no key to paste

    The image self-registers to your Enforza account using its AWS-signed Instance Identity Document. There is no registration key to copy — you simply claim the firewall in the console.

  • Managed from the console — nothing inbound

    The firewall connects outbound-only to the Enforza cloud. There is no inbound management port and no admin UI to expose, so the security device adds no attack surface of its own.

Before you start

Prerequisites

A short checklist. If you can launch an EC2 instance and create a CloudFormation stack, you have everything you need.

  • An AWS account with permission to launch EC2 and create a CloudFormation stack (the template uses a least-privilege role with SSM core only).
  • A target VPC (network) and subnet — typically a public subnet for the firewall's internet-facing interface, with the workloads you want to inspect routed through it.
  • An Enforza account to claim the firewall in. You can create one free at the console — no card required for the free tier.
  • A few minutes. The CloudFormation path sets everything up correctly for a forwarding firewall; the whole flow is launch → claim → push policy.

Step by step

Subscribe, launch, claim — in five steps.

The one-click CloudFormation path is the recommended route: it launches the appliance correctly so a forwarding firewall actually forwards. The bare-AMI alternative is supported, with two manual steps called out.

  1. Subscribe to the Enforza listing on AWS Marketplace

    Find "Enforza - Cloud-Managed Firewall & Secure NAT Gateway" on the AWS Marketplace and subscribe. It is a Server/AMI product on a bring-your-own-licence model, so AWS charges $0 for the software — you pay only for the EC2 instance you run it on.

  2. Launch the firewall

    Recommended: Use the one-click CloudFormation template. You pick the VPC (network), subnet and instance type — and optionally paste an Enforza claim code — and the template stands the appliance up correctly. It:

    • Disables the EC2 source/destination check — mandatory for a forwarding firewall, or every forwarded packet is silently dropped.
    • Attaches a stable Elastic IP so the firewall keeps one address.
    • Enables IMDSv2 and instance metadata tags, so the box can self-claim.
    • Uses a least-privilege IAM role (SSM core only) — no broad permissions.

    Alternative: Prefer to launch the bare AMI? Supported — but you must then do two things yourself that the template handles automatically: disable the EC2 source/destination check on the firewall's interface (without it, EC2 silently drops every forwarded packet) and enable instance metadata tags so the box can self-claim.

  3. It self-registers — no key needed

    On first boot the firewall registers itself to the Enforza control plane using its AWS-signed Instance Identity Document. There is no registration key to copy or paste. The connection is outbound-only — there is no inbound management port to open.

  4. Claim the firewall in the console

    In the Enforza console at console.enforza.io, open "Claim a firewall" and enter your AWS Account ID + EC2 Instance ID. The firewall binds to your account and appears in your fleet. To skip this step entirely, pre-set the enforza:claim tag at launch and it binds automatically.

  5. Build & push policy — done

    Author egress / NAT / L7 policy in the console (or through a GitHub pipeline) and push it to the firewall. Route the traffic you want inspected through the appliance and you're filtering. Rollback is a route change away.
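
A preflight check for the bare-AMI path, added here as an example (not Enforza's own tooling): it reads the JSON that `aws ec2 describe-instances` returns and flags the launch settings from step 2, plus the instance-type guidance this page gives. The sample record is constructed, and treating "IMDSv2 enabled" as `HttpTokens: required` is an assumption.

```python
import json
import re

# Constructed sample of `aws ec2 describe-instances` output (not real data):
# a bare-AMI launch with EC2 defaults left in place on a Graviton burstable type.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [{
  "InstanceId": "i-0123456789abcdef0",
  "InstanceType": "t4g.small",
  "Architecture": "arm64",
  "SourceDestCheck": true,
  "MetadataOptions": {"HttpTokens": "optional", "InstanceMetadataTags": "disabled"},
  "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaaabbbbccccdddd0",
                         "SourceDestCheck": true}]
}]}]}
""")

def audit_instance(inst, production=True):
    """Return a list of findings for one instance record; empty means ready."""
    findings = []
    if inst.get("Architecture") != "x86_64":
        findings.append("architecture is not x86_64 (the AMI is amd64)")
    # The check is enforced per network interface, so inspect every ENI.
    enis = inst.get("NetworkInterfaces", [])
    for eni in enis:
        if eni.get("SourceDestCheck", True):
            findings.append(f"source/dest check enabled on {eni['NetworkInterfaceId']}")
    if not enis and inst.get("SourceDestCheck", True):
        findings.append("source/dest check enabled on instance")
    md = inst.get("MetadataOptions", {})
    if md.get("InstanceMetadataTags") != "enabled":
        findings.append("instance metadata tags disabled (needed for self-claim)")
    if md.get("HttpTokens") != "required":  # assumption: IMDSv2 means tokens required
        findings.append("IMDSv2 not enforced (HttpTokens is not 'required')")
    if production and re.match(r"t\d", inst.get("InstanceType", "")):
        findings.append("burstable T-family type in production")
    return findings

def audit(describe_output, production=True):
    """Map instance ID -> findings for every instance in the output."""
    return {i["InstanceId"]: audit_instance(i, production)
            for r in describe_output.get("Reservations", [])
            for i in r.get("Instances", [])}

if __name__ == "__main__":
    for iid, findings in audit(SAMPLE).items():
        print(iid, "OK" if not findings else findings)
```

To run it against a real instance, replace `SAMPLE` with the parsed output of `aws ec2 describe-instances --instance-ids <your-instance-id>`.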

Instance sizing

Which EC2 instance type?

The Enforza licence is flat per firewall — never per vCPU or instance size — so size the VM for your throughput, not your bill.

  • Architecture

    Any x86_64 (amd64) instance. The AMI is amd64, so ARM / Graviton and Mac instance families are excluded by architecture — pick an Intel or AMD instance type.

  • Production

    Use a non-burstable family — c6i, m6i and similar. A firewall carries sustained load, and the price does not change with instance size, so size for your throughput, not your licence.

  • Evaluation

    Burstable T-family (t3 / t4g-equivalent x86) is fine for a quick eval, but avoid it in production: CPU credits throttle the box under sustained traffic. (t4g is ARM — choose t3 for x86.)

  • Not size-metered

    Enforza is licensed flat, per firewall — never by vCPU, instance size or throughput. Running a bigger instance costs you only the EC2 difference, never more Enforza.

Maintenance

Self-patching, on your schedule.

The image keeps its own OS security updates current — you don't patch it by hand. When an update needs a reboot to take effect, Enforza surfaces a "reboot pending" badge passively in the console.

Enforza never reboots your instance for you. You choose the change window.

FAQ & troubleshooting

Common questions

What does Enforza cost on the AWS Marketplace?

The Marketplace listing is bring-your-own-licence (BYOL), so AWS charges $0 for the Enforza software. You pay AWS only for the EC2 instance the firewall runs on. Your Enforza plan — including a genuine free tier — is handled in the Enforza console, separate from AWS billing.

Do I need a registration key or licence key to activate it?

No. The firewall self-registers to the Enforza control plane using its AWS-signed EC2 Instance Identity Document, so there is no key to copy or paste. After it registers, you claim it in the Enforza console by entering your AWS Account ID and the EC2 Instance ID — or pre-set the enforza:claim tag at launch so it binds automatically.

I launched the bare AMI and no traffic is being forwarded. What's wrong?

Almost always the EC2 source/destination check is still enabled. A forwarding firewall must have source/dest check DISABLED on its network interface, otherwise EC2 silently drops every packet that isn't addressed to the instance itself. The one-click CloudFormation template disables it for you; if you launch the bare AMI you must disable source/dest check yourself (and enable instance metadata tags so the box can self-claim).

The firewall registered, but I can't see it in the console.

A registered firewall still has to be CLAIMED into your account before it appears under your fleet. In the Enforza console open 'Claim a firewall' and enter the AWS Account ID plus the EC2 Instance ID of the firewall. If you set the enforza:claim tag at launch it binds automatically; otherwise the manual claim takes a few seconds.

Which EC2 instance types are supported?

Any x86_64 (amd64) instance — the AMI is amd64, so ARM/Graviton and Mac families are excluded by architecture. For production use a non-burstable family such as c6i or m6i; burstable T-family instances (t3) are fine for evaluation but their CPU credits will throttle a firewall under sustained load. The Enforza licence is flat per firewall, so a larger instance only costs you the EC2 difference.

Will Enforza reboot my instance to patch it?

No. The image self-patches its OS security updates. When an update needs a reboot to take effect, that is surfaced passively in the console as a 'reboot pending' badge — Enforza never reboots your instance for you. You choose when to reboot, on your own change window.

Where does the firewall send its management traffic and logs?

The control plane is outbound-only to the Enforza cloud — there is no inbound management port and no admin UI to expose. Log export streams to your own SIEM; logs never pass through Enforza's cloud.

BYOL · $0 through AWS

Launch the firewall. Claim it. Push policy.

Bring-your-own-licence on the AWS Marketplace, self-registering, managed from the console. Start free — no card — and be filtering in minutes.