The fck-nat alternative for egress you have to secure.
fck-nat is excellent at one thing — cheap NAT — and like Enforza it kills the AWS NAT Gateway per-GB data-processing tax. On cost, we are on the same side. The difference is the job: fck-nat is pure source NAT, so it gives connectivity back and nothing more. Enforza is a managed egress firewall on the same escape from the meter — with FQDN egress control, managed multi-AZ HA, audit logs and a fleet console. The buyer test: do you need egress connectivity, or egress security and compliance?
Both kill the NAT Gateway tax — fck-nat is genuinely good
Before the differences, the honest part. fck-nat does exactly what it sets out to do, and it removes the per-GB data-processing fee that makes Managed NAT Gateway so expensive — and so does Enforza. The line everyone searches for is one we are on the same side of. What differs is the remit around the NAT.
- Both kill the NAT Gateway tax: AWS Managed NAT Gateway charges a per-GB data-processing fee on every byte that crosses it — roughly $0.045/GB, on top of an hourly fee per Availability Zone. fck-nat removes that processing fee, and so does Enforza. On the line item everyone searches for, we are on the same side.
- fck-nat is genuinely good: a well-maintained open-source NAT instance — a current Graviton/ARM image, a clean Terraform module and CDK construct, and a responsive maintainer. If all you need is cheap source NAT for dev or low-throughput workloads, fck-nat earns its reputation and we would tell you so.
- Where we differ is the job: fck-nat gives you back exactly one thing, NAT. Enforza saves you the same tax and gives you a managed egress firewall around it — multi-AZ high availability, FQDN egress control, audit-ready logs and a fleet console. Same escape from the meter; a different remit.
Egress connectivity, or egress security?
The honest way to choose between fck-nat and Enforza is to ask what you actually need from egress. fck-nat forwards traffic; it does not police it. Enforza polices it — and proves it to an auditor.
- Need egress CONNECTIVITY — get private subnets to the internet, cheaply, for dev or low-throughput prod that tolerates a brief reconverge? fck-nat is a great answer, and we would point you to it.
- Need egress SECURITY or COMPLIANCE — control which destinations are allowed, prove it to an auditor, and not lose connections when a zone fails? That is a different product, and it is the one Enforza is built to be.
- fck-nat is pure source NAT: it forwards traffic, it does not police it. There is no allow-list, no per-flow egress log, no compliance evidence — by design. Managed NAT Gateway is the same; it is the premium NVAs that add those, at premium prices.
- Enforza adds exactly those controls — FQDN/SNI egress allow-listing, audit logs, managed HA and a fleet console — at a fraction of the Aviatrix / Palo Alto Cloud NGFW / AWS Network Firewall price.
What pure NAT can't do for you
fck-nat already removed the tax — so the difference isn't cost, it's capability. These are the things a NAT-only instance structurally cannot offer, because policing egress, surviving a zone failure cleanly and proving it to an auditor are a different product.
- Managed multi-AZ high availability: fck-nat's high availability is active-passive, a single instance with route-table failover, so a failure means roughly two minutes of downtime and existing connections are severed. True active/active is on its roadmap, not shipped — its own docs say to use Managed NAT Gateway if you need five-nines. Enforza runs managed multi-AZ HA with no bespoke failover for you to own.
- FQDN / SNI egress filtering: fck-nat cannot allow-list destinations — it is pure source NAT, so anything in a private subnet can reach anywhere on the internet. Enforza filters egress by SNI and FQDN, allow or deny, built into one policy, with no TLS decryption and no key custody. This is the one control fck-nat structurally cannot offer.
- Audit-ready egress logs: fck-nat keeps no per-flow egress record you can hand an auditor. Enforza streams domain-level allow/deny logs to your own SIEM — the egress evidence SOC 2 CC6.6, ISO 27001 and PCI ask for — with no log pipeline for you to build, and never through Enforza's cloud.
- One fleet console, not N images to babysit: fck-nat is one instance per network, per Availability Zone, per account — each its own image to deploy and watch. Enforza gives you one console across every network and account, with push-to-many policy and multi-firewall live log streaming, on AWS, Azure, Google Cloud and on-prem.
- No exposed management-plane OS: a fck-nat instance lives in a public subnet with a public IP, and carries the agent and optional remote-shell access you administer it through — attack surface on the box itself. Enforza's control plane is outbound-only to the Enforza cloud: no inbound management port, no admin OS to expose. The firewall manages up, never in.
- No per-VM patching or image treadmill: fck-nat is a VM you own and patch; its base images deprecate on a rolling cycle, forcing periodic image rebuilds and per-zone instance refreshes. Enforza self-upgrades with rollback and fails closed — the underlying image and CVE maintenance is ours, not a recurring task on your plate.
- Built for throughput and connection scale: on the small instances fck-nat is usually run on, the connection-tracking table is finite — when it fills, new flows are silently dropped and look like client timeouts, and tuning it is the operator's job. Enforza is sized and tuned for cloud egress as a managed appliance, so connection scale is not a setting you discover the hard way.
- A single-pass classification and verdict engine, purpose-built for cloud: on the same standard Linux network primitives every NAT box uses, Enforza runs its own single-pass packet classification and verdict engine. Each flow is classified once, in microseconds (p99 ~49.5 µs, measured), then enforced in-kernel at line rate, 98.5% on the kernel fast path. Microsecond-class and built for cloud egress and east-west — not a box you tune to get there.
Enforza vs fck-nat — including where fck-nat wins
Row by row, including where fck-nat wins: 3 rows where we share the win or sit at parity, 9 where Enforza leads on egress security, HA and compliance, and 3 where fck-nat is genuinely the stronger choice.
- Shared / parity: shared win or parity
- Enforza advantage: Enforza is the stronger choice
- fck-nat advantage: fck-nat is the stronger choice
| Capability | Enforza | fck-nat | Verdict |
|---|---|---|---|
| NAT Gateway data-processing tax | Removed — flat per-firewall price, no per-GB processing fee | Removed — its whole reason to exist; no per-GB processing fee | Same |
| Source NAT for private subnets | Secure source NAT on the appliance, alongside egress filtering | Clean, reliable source NAT — exactly what it is built for | Same |
| Runs on a standard VM you provision | One Linux VM per firewall, any size, on any cloud | One EC2 instance per zone, typically a small ARM instance | Same |
| Egress filtering (FQDN / SNI allow-list) | SNI and FQDN allow- and deny-lists, no TLS decryption | None — pure source NAT, every destination is reachable | Enforza |
| Multi-AZ high availability | Managed multi-AZ HA — no bespoke route-table failover to own | Active-passive — ~2 min reconverge, connections severed | Enforza |
| Egress audit logs | Domain-level allow/deny logs streamed to your own SIEM | No per-flow egress record for audit | Enforza |
| Compliance frameworks | 25 framework packs / 210 controls — advise or enforce on publish | Not a compliance product — no controls catalogue | Enforza |
| Fleet management across accounts | One console across every network, account and cloud; push-to-many | One image per zone/account to deploy and watch individually | Enforza |
| Management-plane attack surface | Outbound-only control plane — no inbound port, no admin OS to expose | Public-subnet instance with a public IP and admin access | Enforza |
| Patching / image maintenance | Self-upgrade with rollback; image and CVE maintenance is ours | You own it — periodic image rebuilds and per-zone refresh | Enforza |
| Policy-as-code / GitOps | GitHub pipeline — every change a reviewed, version-controlled PR | Infra-as-code to deploy the box; no egress-policy surface | Enforza |
| Connection-scale and throughput headroom | Sized and tuned for cloud egress as a managed appliance | Finite conntrack on small instances; 5 Gbps egress ceiling | Enforza |
| Lowest possible cost floor | A free tier, then a flat per-firewall subscription | A few dollars a month per zone on a tiny instance — hard to beat | fck-nat |
| Open-source / fully self-hosted | Managed control plane; you own the data path, we run the plane | Open-source, entirely self-hosted — no SaaS in the loop | fck-nat |
| Simplicity for pure connectivity | An egress firewall — more capability than a NAT-only job needs | Does one thing — cheap NAT — with very little to operate | fck-nat |
Where each one fits
Where Enforza wins
- Egress security, not just connectivity — FQDN/SNI allow-listing decides which destinations are reachable; fck-nat lets everything out by design.
- Managed multi-AZ HA — no two-minute reconverge and no severed connections when a zone fails, and no failover plumbing for you to own.
- Audit-ready egress logs — domain-level allow/deny evidence to your own SIEM for SOC 2, ISO 27001 and PCI, with no log pipeline to build.
- One fleet console — every network, account and cloud in one pane with push-to-many policy and live logs, not N images to babysit.
- No exposed management plane — outbound-only control, no public admin OS to harden, a smaller attack surface than a public-subnet box.
- Managed for you — self-upgrade with rollback and no image-rebuild treadmill, plus compliance baked into every publish.
When fck-nat is the right call
- You need cheap egress connectivity for dev, test or low-throughput workloads, and the lowest possible cost floor is the goal.
- Your workloads tolerate a brief reconverge on failure, and you do not need connections to survive a zone failure.
- You do not need to control or audit which destinations are reachable — egress security and compliance evidence are not part of your remit.
- You want a simple, open-source, fully self-hosted box with no SaaS in the loop, and you are happy to own its patching and scaling.
fck-nat alternative — common questions
Is Enforza a drop-in replacement for fck-nat?
It can be, but they are built for different jobs. Both remove the AWS NAT Gateway per-GB data-processing tax and both provide source NAT for private subnets, so on cost and basic connectivity they line up. The difference is that fck-nat is pure NAT, while Enforza is a managed egress firewall: it adds FQDN/SNI egress allow-listing, managed multi-AZ HA, audit-ready egress logs and a fleet console on top of the same escape from the meter. If you only need cheap NAT, fck-nat is excellent; if egress is part of your security or compliance posture, Enforza is the fit.
Is fck-nat cheaper than Enforza?
On the raw instance cost, yes — fck-nat can run for a few dollars a month per Availability Zone on a tiny instance, and we will not pretend to beat that floor. Both products remove the NAT Gateway data-processing fee, which is the cost everyone is actually trying to escape. The question is what you get for the difference: with fck-nat you get NAT; with Enforza's flat per-firewall price you also get egress filtering, managed HA, audit logs, compliance packs and a fleet console — at a fraction of what the premium NVAs that offer those controls charge.
Can fck-nat filter or block egress traffic by domain?
No — and this is the core difference. fck-nat is pure source NAT: it forwards traffic from private subnets to the internet but does not police where that traffic goes, so anything in the subnet can reach any destination. There is no FQDN or SNI allow-list and no deny capability. Enforza filters egress by SNI and FQDN, allow or deny, built into one policy and with no TLS decryption, so you control which destinations your workloads can reach.
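What "filtering by SNI with no TLS decryption" means in practice, as an added example (not Enforza's or fck-nat's code): the TLS ClientHello carries the destination host name in clear text, so an egress firewall can read it and apply an allow-list without ever holding a key. The ClientHello here is constructed for the example, and the `*.` suffix-rule syntax and function names are my own.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = host.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni      # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                  # client_version, random
            + b"\x00"                                   # empty session id
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
            return None                                 # not a TLS handshake ClientHello
        p = 43                                          # past record/handshake hdrs, version, random
        p += 1 + data[p]                                # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher suites
        p += 1 + data[p]                                # compression methods
        if p + 2 > len(data):
            return None                                 # no extensions block at all
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if ext_type == 0 and ext_len >= 5 and data[p + 2] == 0:
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        pass                                            # truncated or garbage: treat as no SNI
    return None

def egress_verdict(sni, allow_list):
    """Allow only when the SNI equals an allowed FQDN or matches a '*.' suffix rule."""
    if sni is None:
        return "deny"                                   # no SNI (or not TLS): fail closed
    for rule in allow_list:
        if sni == rule or (rule.startswith("*.") and sni.endswith(rule[1:])):
            return "allow"
    return "deny"
```

The decision is made on the first packet of the flow, before any encrypted data exists, which is why no certificate or private key ever needs to be on the firewall.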
How does fck-nat handle high availability?
fck-nat's high availability is active-passive: a single instance with route-table failover. On a failure that means roughly two minutes of downtime, and existing connections are severed. True active/active is on its roadmap rather than shipped, and its own documentation suggests Managed NAT Gateway if you need five-nines. Enforza runs managed multi-AZ high availability, so there is no bespoke failover for you to build and operate.
Does fck-nat give me egress logs for compliance?
No. fck-nat keeps no per-flow egress record you can hand an auditor — it is a NAT instance, not a compliance product. Enforza streams domain-level allow/deny logs to your own SIEM, which is the egress evidence SOC 2 CC6.6, ISO 27001 and PCI ask for, and ships 25 compliance framework packs covering 210 controls that advise or enforce on every policy publish.
Is running fck-nat a security risk?
It is not inherently risky — it does its job well — but it does carry attack surface that a managed service does not. A fck-nat instance sits in a public subnet with a public IP and the administration access you manage it through, so the box itself is reachable and is yours to harden and patch. Enforza's control plane is outbound-only to the Enforza cloud: there is no inbound management port and no admin operating system to expose, so there is nothing on the device for an attacker to reach.
Do I have to patch and maintain fck-nat myself?
Yes. fck-nat is a VM you own, and its base images deprecate on a rolling cycle, which means periodic image rebuilds and per-zone instance refreshes are your responsibility, alongside tuning things like the connection-tracking table on small instances. Enforza self-upgrades with rollback and fails closed, and the underlying image and CVE maintenance is ours — it is not a recurring task on your plate.
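A check for the connection-tracking failure mode described above and in the throughput item earlier (new flows silently dropped once the table fills), as an added example that is not fck-nat's or Enforza's code. On a real Linux NAT host the two counters come from `/proc/sys/net/netfilter/nf_conntrack_count` and `nf_conntrack_max` and the drop messages from `dmesg`; the figures and log lines below are constructed, and the thresholds are my own.

```python
import re

# Kernel message emitted when the table is full (newer kernels double the prefix via pr_fmt).
TABLE_FULL = re.compile(r"nf_conntrack: (?:nf_conntrack: )?table full, dropping packet")

# Constructed dmesg excerpt standing in for real output on a saturated NAT instance.
SAMPLE_DMESG = [
    "[ 8812.104521] nf_conntrack: nf_conntrack: table full, dropping packet",
    "[ 8812.104609] nf_conntrack: nf_conntrack: table full, dropping packet",
    "[ 8815.000001] eth0: Link is Up",                  # unrelated line, also constructed
]

def conntrack_headroom(count: int, maximum: int, warn_pct: float = 80.0) -> dict:
    """Classify utilisation of the conntrack table: ok / warn (>= warn_pct) / critical (>= 95%)."""
    pct = 100.0 * count / maximum
    state = "critical" if pct >= 95 else "warn" if pct >= warn_pct else "ok"
    return {"count": count, "max": maximum, "used_pct": round(pct, 1), "state": state}

def count_table_full_events(log_lines) -> int:
    """Each match is a kernel-side drop: a new flow the client only saw as a timeout."""
    return sum(1 for line in log_lines if TABLE_FULL.search(line))

def assess(count: int, maximum: int, log_lines) -> dict:
    """Combine live utilisation with the drop log; drops mean degraded even below the threshold,
    because the count fluctuates and an instantaneous reading can miss the peak."""
    result = conntrack_headroom(count, maximum)
    result["drops_logged"] = count_table_full_events(log_lines)
    result["degraded"] = result["state"] == "critical" or result["drops_logged"] > 0
    return result

def read_live():
    """On a real Linux NAT host, read the two sysctl values this check is normally fed with."""
    base = "/proc/sys/net/netfilter/"
    with open(base + "nf_conntrack_count") as f, open(base + "nf_conntrack_max") as g:
        return int(f.read()), int(g.read())

if __name__ == "__main__":
    # Constructed figures, not measured on any real instance.
    print(assess(62000, 65536, SAMPLE_DMESG))
```

Raising `net.netfilter.nf_conntrack_max` (and the hash table size alongside it) is the tuning the text calls the operator's job; this check is how you find out it is due before users do.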
When is fck-nat the better choice?
When you need cheap egress connectivity and nothing more. If you are running dev, test or low-throughput workloads, want the lowest possible cost floor, can tolerate a brief reconverge on failure, and do not need to control or audit which destinations are reachable, fck-nat is an excellent, well-maintained choice and we would happily point you to it. Enforza is the better fit the moment egress becomes part of your security or compliance posture.
Is there a free way to try Enforza?
Yes. Enforza has a genuine free tier — one firewall with L3/L4 policy and network objects, no card required. A 14-day trial unlocks the full feature set, including FQDN/SNI egress filtering, compliance packs, log export and live logs. The paid plan is £179/month per firewall, dropping to £149 from your sixth, plus the Linux VM you provision. fck-nat's instance cost is lower; the difference is the managed egress firewall, HA, audit logs and fleet console you get with Enforza, not just NAT.
Lose the NAT tax — without losing egress control.
fck-nat removes the NAT Gateway tax and gives you NAT. Enforza removes the same tax and gives you a managed egress firewall — FQDN filtering, multi-AZ HA, audit logs and a fleet console — at a fraction of the premium-NVA price. Start free, no card.