AI Gateway

One Gateway.
100+ Accounts.
Zero Per-GB Fees.

Replace $14,000/month in AWS managed networking with a single Cloud Spectra AI Gateway. Cross-account VPC mesh, multi-account Kubernetes, hub-spoke ECMP, and Suricata IDS/IPS -- all at flat EC2 cost.

Full-mesh VPC peering across all accounts
Suricata IDS/IPS for all traffic -- $0/month
AI semantic caching -- up to 50-70% cache hit rate
Sub-10s HA recovery per availability zone
$0/GB data processing fees
100+ accounts supported
<10s HA recovery time
80% cost savings vs AWS
Built on deep networking credibility

20+ USPTO patents | IETF RFC 6608 & 7606 author | Open-source core on GitHub | AWS Certified Cloud Practitioner | AWS Certified Security & Trust Center

Early access -- design partners welcome. Talk to the founder →

The Enterprise Networking Bill at Scale

Figures are for 100 TB/month across a multi-account AWS organization, at AWS list prices with no discounts applied.

AWS managed services at 100 TB/mo

  NAT Gateway (data + hours)                    $4,533/mo
  AWS Network Firewall (data + endpoints)       $6,788/mo
  Network Load Balancer                           $616/mo
  Transit Gateway (attachments + data)          $2,000/mo
  Monthly total                                $13,937/mo
  x 12 months                                $167,244/year

Cloud Spectra AI Gateway, flat rate at any traffic volume

  EC2 instance (c6in.xlarge)                      $397/mo
  Cloud Spectra AI Gateway subscription           $100/mo
  Data processing (NAT, peering, tunnels)           $0/GB
  Suricata IDS/IPS, VPC mesh, K8s                included
  Monthly total                                   $497/mo
  x 12 months                                 $5,964/year
$161,280 saved per year at 100 TB/mo
80%+ total cost reduction (96% at 100 TB/mo from the figures above: $5,964 vs $167,244)
~$70,000 AWS cost at 500 TB/mo
$497 Cloud Spectra cost at 500 TB/mo
Cloud Spectra charges nothing per GB, so its cost stays flat as traffic grows, while the AWS managed-service meter grows linearly; the gap widens every month. Standard AWS data transfer charges (internet egress, cross-AZ and cross-region traffic) still apply on either side; what the gateway removes is the per-GB processing meter of NAT Gateway, Network Firewall and Transit Gateway. The gateway fleet's own cost is set by the throughput you provision, not by bytes moved, and elastic right-sizing plus spot is what makes it cheaper than both an always-on fixed appliance and the managed cloud meter -- scale the fleet down off-peak, resize to the instance you actually need, and pay for the capacity you use.

Everything Enterprise Teams Need

A single CloudFormation deploy unlocks the full feature set. Manage everything via Terraform provider or REST API.

Cross-Account Transit Manager (AI Gateway tier)

Auto-discovers VPCs across all your AWS accounts and regions and maintains a live inventory with real-time state. Creates and manages VPC peering connections automatically -- no manual click-ops or scripting.

Full-Mesh VPC Peering (AI Gateway tier)

Auto-creates a full-mesh peering topology with route propagation across all enrolled VPCs. VPC peering carries no data-processing fee, so it replaces Transit Gateway at $0/GB vs $0.02/GB. Supports 100+ VPCs across 3+ regions with zero manual route management. Two things to plan for: peering is non-transitive, so a mesh of N VPCs needs N(N-1)/2 connections and N-1 routes in every route table, which for 100 VPCs exceeds the default quotas of 50 active peerings per VPC and 50 routes per route table and needs a Service Quotas increase before enrolment; and cross-AZ and cross-region peering traffic still pays standard AWS data transfer rates.
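
The planning the transit manager has to do before it can create a full mesh, as an added example that is not Cloud Spectra's code: given an inventory of VPCs, enumerate every pair, skip pairs whose CIDRs overlap (AWS refuses to peer them), derive the direct routes each VPC needs because peering is non-transitive, and compare the per-VPC counts with the default quotas. The VPC IDs, account numbers and CIDRs are constructed; the quota constants are the AWS defaults.

```python
"""Plan a full-mesh VPC peering topology and check it against default quotas."""
import ipaddress
from itertools import combinations
from typing import NamedTuple

# AWS default service quotas; both are adjustable (peerings to 125, routes to 1000).
DEFAULT_PEERINGS_PER_VPC = 50
DEFAULT_ROUTES_PER_TABLE = 50


class Vpc(NamedTuple):
    vpc_id: str
    account: str
    region: str
    cidr: str


def plan_full_mesh(vpcs):
    """Return (peerings, routes, overlaps) for a full mesh of the given VPCs.

    peerings: (requester_id, accepter_id, cross_region) for every usable pair
    routes:   vpc_id -> [(destination_cidr, via_peer_vpc_id), ...]
    overlaps: pairs skipped because their CIDRs overlap (AWS rejects the peering)
    """
    nets = {v.vpc_id: ipaddress.ip_network(v.cidr, strict=True) for v in vpcs}
    peerings, overlaps = [], []
    routes = {v.vpc_id: [] for v in vpcs}
    for a, b in combinations(sorted(vpcs), 2):
        if nets[a.vpc_id].overlaps(nets[b.vpc_id]):
            overlaps.append((a.vpc_id, b.vpc_id))
            continue
        peerings.append((a.vpc_id, b.vpc_id, a.region != b.region))
        # Peering is non-transitive, so each pair needs its own direct route
        # in both directions; nothing can be reached through a third VPC.
        routes[a.vpc_id].append((b.cidr, b.vpc_id))
        routes[b.vpc_id].append((a.cidr, a.vpc_id))
    return peerings, routes, overlaps


def quota_report(vpcs, peerings, routes):
    """Per-VPC counts against the default quotas; flags VPCs needing an increase."""
    per_vpc = {v.vpc_id: 0 for v in vpcs}
    for requester, accepter, _ in peerings:
        per_vpc[requester] += 1
        per_vpc[accepter] += 1
    return {
        vpc_id: {
            "peerings": count,
            "routes": len(routes[vpc_id]),
            "needs_quota_increase": count > DEFAULT_PEERINGS_PER_VPC
            or len(routes[vpc_id]) > DEFAULT_ROUTES_PER_TABLE,
        }
        for vpc_id, count in per_vpc.items()
    }


def scale_check(n):
    """Quota picture for one VPC in an n-VPC mesh with disjoint /16s."""
    fleet = [Vpc(f"vpc-{i:03d}", "111111111111", "us-east-1", f"10.{i}.0.0/16") for i in range(n)]
    peerings, routes, _ = plan_full_mesh(fleet)
    return quota_report(fleet, peerings, routes)["vpc-000"]


# Constructed inventory (made-up IDs and account numbers), including one
# overlapping pair to show why CIDR planning comes before mesh enrolment.
SAMPLE_VPCS = [
    Vpc("vpc-a", "111111111111", "us-east-1", "10.0.0.0/16"),
    Vpc("vpc-b", "222222222222", "us-east-1", "10.1.0.0/16"),
    Vpc("vpc-c", "333333333333", "us-west-2", "10.2.0.0/16"),
    Vpc("vpc-d", "333333333333", "us-west-2", "10.0.128.0/17"),  # overlaps vpc-a
]

if __name__ == "__main__":
    peerings, routes, overlaps = plan_full_mesh(SAMPLE_VPCS)
    print(f"{len(peerings)} peerings, {len(overlaps)} overlapping pair(s) skipped: {overlaps}")
    for vpc_id, report in quota_report(SAMPLE_VPCS, peerings, routes).items():
        print(vpc_id, report)
    print("100-VPC mesh, first VPC:", scale_check(100))
```

The overlap check matters because an overlapping pair cannot be peered at all, so that spoke silently loses reachability to part of the mesh; the 100-VPC check shows every VPC sitting at 99 peerings and 99 routes, nearly double the default quotas.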

Hub-Spoke Agent, ECMP overlay (AI Gateway tier)

A lightweight agent in each spoke VPC establishes GRE tunnels to the hub gateways, with ECMP load balancing across multiple gateways for active-active throughput. GRE itself provides neither encryption nor authentication: allow IP protocol 47 in the security groups and NACLs at both ends, and wrap any tunnel that leaves the AWS network in IPsec or WireGuard rather than running bare GRE. (Remote-client WireGuard VPN is a Security-tier feature -- coming soon.)

Multi-Account Kubernetes (AI Gateway tier)

K8s control plane in the hub VPC. Worker nodes in spoke VPCs across 3 accounts, 3 regions and 8 VPCs, joined via a Calico IPIP overlay over VPC peering. The overlay is needed because peering forwards only traffic addressed within the peer VPC's CIDR blocks, so pod-to-pod packets must be encapsulated node-to-node; allow IP protocol 4 between worker security groups and subtract the 20-byte IPIP header from the pod MTU. The Cloud Spectra Karpenter provider handles cross-account node provisioning automatically.

Suricata IDS/IPS (AI Gateway tier)

30,000+ ET Open threat intelligence rules pre-cached in the AMI -- no download delay on boot (the cached set is only as current as the AMI build, so keep a rule update scheduled after boot). Syncs rules from your AWS Network Firewall policy, whose stateful rule groups are already Suricata-compatible, with no $700/mo endpoint fees. Domain filtering, 5-tuple rules, and an nftables stateless chain for high-throughput inspection.
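
What the two Network Firewall rule types look like once expressed as Suricata rules, as an added example that is not Cloud Spectra's sync code (the gateway's own format is not on this page): a domain allow-list becomes pass rules on the TLS SNI and HTTP Host buffers followed by catch-all drops, and a 5-tuple rule becomes a validated stateful rule. The domains, networks and SID range are constructed; the `dotprefix` transform and `bsize` keyword need Suricata 6 or later.

```python
"""Emit Suricata rules from a domain allow-list and validated 5-tuple rules."""
import ipaddress
import re

SID_BASE = 1_000_000  # constructed choice: keep local SIDs clear of the ET Open range
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")
_ACTIONS = ("pass", "drop", "reject", "alert")
_PROTOS = ("tcp", "udp", "icmp", "ip")


def _parse_domain(entry):
    """'.example.com' means the apex plus subdomains; 'example.com' is exact."""
    d = entry.strip().lower().rstrip(".")
    include_subdomains = d.startswith(".")
    base = d[1:] if include_subdomains else d
    if not _DOMAIN_RE.match(base):
        raise ValueError(f"invalid domain entry: {entry!r}")
    return base, include_subdomains


def _msg(text):
    """Refuse characters that would let a label break out of the msg option."""
    if re.search(r'[";\\]', text):
        raise ValueError("msg must not contain quotes, semicolons or backslashes")
    return text


def domain_allowlist_rules(domains, first_sid=SID_BASE):
    """pass rules per allowed domain on TLS SNI and HTTP Host, then catch-all drops.

    Suricata's default action order is pass, drop, reject, alert, so the pass
    rules win over the catch-all drops no matter where they sit in the file.
    """
    rules, sid = [], first_sid
    for entry in domains:
        base, subs = _parse_domain(entry)
        if subs:
            # dotprefix rewrites the buffer 'www.example.com' as '.www.example.com',
            # so endswith on '.example.com' matches the apex and every subdomain.
            match = f'dotprefix; content:".{base}"; endswith;'
        else:
            match = f'content:"{base}"; bsize:{len(base)};'  # exact host only
        for proto, buf in (("tls", "tls.sni"), ("http", "http.host")):
            rules.append(
                f'pass {proto} $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"{_msg("allow " + base)}"; flow:to_server; {buf}; {match} '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
    # Catch-all: any other SNI / Host is dropped. ClientHellos that carry no
    # SNI are not matched here and need a separate policy decision.
    for proto, buf, what in (("tls", "tls.sni", "SNI"), ("http", "http.host", "Host")):
        rules.append(
            f'drop {proto} $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"deny {what} not on allowlist"; flow:to_server; {buf}; content:"."; '
            f'sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def five_tuple_rule(action, proto, src, sport, dst, dport, msg, sid):
    """One stateful 5-tuple rule, with every field validated before it is emitted."""
    if action not in _ACTIONS or proto not in _PROTOS:
        raise ValueError("unsupported action or protocol")
    for net in (src, dst):
        if net not in ("any", "$HOME_NET", "$EXTERNAL_NET"):
            ipaddress.ip_network(net, strict=False)  # raises on malformed input
    for port in (sport, dport):
        if port != "any":
            lo, _, hi = str(port).partition(":")
            if not all(1 <= int(p) <= 65535 for p in (lo, hi or lo)):
                raise ValueError(f"port out of range: {port}")
    return f'{action} {proto} {src} {sport} -> {dst} {dport} (msg:"{_msg(msg)}"; sid:{sid}; rev:1;)'


if __name__ == "__main__":
    for rule in domain_allowlist_rules([".example.com", "api.example.net"]):
        print(rule)
    print(five_tuple_rule("drop", "tcp", "10.0.0.0/8", "any", "203.0.113.0/24", 22, "block ssh", SID_BASE + 100))
```

Validating every field before emitting the rule is the point of the helper: a domain or message containing `;` or `"` would otherwise rewrite the rule, and an unparseable CIDR would fail at Suricata load time rather than at sync time.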

AI Semantic Cache (AI Gateway tier)

The AI Gateway tier adds embedding-similarity caching on top of exact-match, so similar-but-not-identical prompts hit the cache, achieving 50-70% hit rates across teams. Cost attribution per team for chargeback. Prompt content is never stored. Two checks worth making on any semantic cache: entries must be partitioned per team, otherwise a near-match can serve one team a response generated for another team's prompt; and stored embeddings are derived from the prompt and can be partially inverted back to text, so protect the cache store as you would the prompts themselves.
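
A minimal team-scoped semantic cache with the exact-match and similarity lookups the card describes, as an added example that is not Cloud Spectra's implementation. It stores only a SHA-256 digest of the normalised prompt plus its embedding, never the text; refuses to match across teams; and accumulates tokens saved per team for chargeback. The embedding function is a deterministic hashed bag-of-words stand-in for a real model so the example runs offline, and the prompts, team names and 0.8 threshold are constructed.

```python
"""Team-scoped semantic cache: exact match first, then embedding similarity."""
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

DIM = 256


def embed(text):
    """Hashed bag-of-words vector, L2-normalised. A stand-in for a real
    embedding model so the example runs offline; swap in your model here."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        slot = int.from_bytes(hashlib.sha256(tok.encode()).digest()[:4], "big") % DIM
        vec[slot] += 1.0
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))  # inputs are unit vectors


def normalise(prompt):
    """Whitespace and case normalisation so trivially different prompts hit exactly."""
    return " ".join(prompt.split()).lower()


@dataclass
class Entry:
    digest: str        # SHA-256 of the normalised prompt; the text itself is not kept
    embedding: list
    response: str
    tokens: int        # tokens the original completion cost, credited on each hit


@dataclass
class SemanticCache:
    threshold: float = 0.8
    _store: dict = field(default_factory=dict)  # (team, digest) -> Entry
    tokens_saved: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, team, prompt):
        return team, hashlib.sha256(normalise(prompt).encode()).hexdigest()

    def _hit(self, team, entry, kind):
        self.tokens_saved[team] += entry.tokens
        return entry.response, kind

    def lookup(self, team, prompt):
        """Return (response, kind) with kind in {'exact', 'semantic', None}."""
        key = self._key(team, prompt)
        if key in self._store:
            return self._hit(team, self._store[key], "exact")
        query = embed(normalise(prompt))
        best, best_sim = None, 0.0
        for (entry_team, _), entry in self._store.items():
            if entry_team != team:
                continue  # hard tenant boundary: never match across teams
            sim = cosine(query, entry.embedding)
            if sim > best_sim:
                best, best_sim = entry, sim
        if best is not None and best_sim >= self.threshold:
            return self._hit(team, best, "semantic")
        return None, None

    def store(self, team, prompt, response, tokens):
        key = self._key(team, prompt)
        self._store[key] = Entry(key[1], embed(normalise(prompt)), response, tokens)


if __name__ == "__main__":
    cache = SemanticCache()
    cache.store("payments", "How do I rotate an IAM access key?", "R1", tokens=120)
    print(cache.lookup("payments", "How do I rotate an IAM access key safely?"))  # semantic hit
    print(cache.lookup("fraud", "How do I rotate an IAM access key?"))            # other team: miss
    print(dict(cache.tokens_saved))
```

The team key sits inside the store key rather than being checked after retrieval, so there is no code path that can return another team's entry; with a real embedding model the threshold has to be tuned per model, since 0.8 means something different in every embedding space.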

Terraform Provider (AI Gateway tier)

Complete IaC coverage via a custom Terraform provider. Every feature -- peering groups, firewall rules, Kubernetes config, AI proxy routes, ACL policies -- is managed declaratively. The same REST API powers both the dashboard and the provider.

Compliance & Audit (AI Gateway tier)

All configuration lives in your SSM Parameter Store and all logs in your CloudWatch -- never ours. IAM is least-privilege, scoped by tag and ARN. Full prompt audit log with metadata (model, tokens, source IP, latency); prompt content is never stored. See the Trust Center.

Centralized Control, Distributed Data Plane

The hub gateway owns the control plane -- transit manager, K8s control plane, Suricata, AI proxy. Spoke VPCs handle local traffic and join via peering or GRE tunnel. No cross-AZ tromboning, no managed service endpoints.

The gateway is a fleet, not a box. Per-AZ Auto Scaling Groups scale it horizontally -- out and in across availability zones -- and vertically -- up and down to larger instance types -- with warm pools keeping scale-out fast. Planned scaling is seamless: GWLB connection draining lets active flows finish before an instance is removed. A single native appliance -- one OPNsense/pfSense/NAT VM, or a fixed HA pair -- cannot do this: it caps at one box's NIC and cores, horizontal scale-out is the only way past that ceiling, it cannot resize without downtime, and it is a single point of failure. Unplanned instance loss is different from planned removal: the flows pinned to the lost instance break, because their connection state lived only there, while new and reconnecting traffic is rehashed to the surviving instances within a few seconds.

                +-----------------------------------------+
                |  Hub VPC (Cloud Spectra Gateway)        |
                |                                         |
                |  +-----------------------------------+  |
                |  | Cloud Spectra EC2 (c6in.xlarge)   |  |
                |  |                                   |  |
                |  |  Transit Manager                  |  |
                |  |  K8s Control Plane                |  |
                |  |  Suricata IDS/IPS                 |  |
                |  |  AI Proxy + Semantic Cache        |  |
                |  |  sNAT / dNAT (nftables)           |  |
                |  +-----------------------------------+  |
                |           |            |                |
                +-----------|------------|----------------+
                            |            |
           +----------------+            +----------------+
           |   VPC peering / GRE tunnel to each spoke     |
           |                      |                       |
+----------+----------------+     |            +----------+----------------+
|  Spoke VPC A (Account 1)  |     |            |  Spoke VPC B (Account 2)  |
|                           |     |            |                           |
|  K8s workers (Karpenter)  |     |            |  K8s workers (Karpenter)  |
|  App pods (Calico IPIP)   |     |            |  App pods (Calico IPIP)   |
|                           |     |            |                           |
+---------------------------+     |            +---------------------------+
                                  |
               +------------------+-------------------+
               |  Spoke VPC C (Account 3, us-west-2)  |
               |                                      |
               |  Hub-Spoke Agent (ECMP/GRE)          |
               |  No VPC peering required             |
               +--------------------------------------+

Legend: hub control plane | spoke VPCs | K8s overlay | Suricata IDS/IPS | data plane (no per-GB fee)
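
The ECMP overlay card and the HA paragraph above together say that spoke flows are hashed across several hub gateways and that losing one gateway breaks only the flows pinned to it. Whether that second claim holds depends on how the hash maps flows to next hops, which the following added example (not Cloud Spectra code) makes concrete: it hashes constructed 5-tuples across a four-gateway fleet, removes one gateway, and counts how many flows on healthy gateways get reshuffled. Plain modulo hashing stands in for any non-consistent scheme; the Linux kernel's default multipath selection (hash-threshold, RFC 2992) also moves some flows off healthy next hops on removal, while rendezvous hashing moves none. Gateway names and flow tuples are constructed.

```python
"""Flow disruption on gateway loss: modulo hashing versus rendezvous hashing."""
import hashlib
import random


def flow_key(src, dst, proto, sport, dport):
    """Canonical 5-tuple string; this is what the ECMP hash is computed over."""
    return f"{src}|{dst}|{proto}|{sport}|{dport}"


def _hash(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def pick_modulo(flow, gateways):
    """Stand-in for non-consistent hashing: hash(flow) mod number of next hops."""
    return gateways[_hash(flow) % len(gateways)]


def pick_rendezvous(flow, gateways):
    """Rendezvous (highest-random-weight) hashing: each flow picks the gateway
    with the highest hash(flow, gateway). Removing a gateway only moves the
    flows that were on it, because every other flow's maximum is unchanged."""
    return max(gateways, key=lambda gw: _hash(flow, gw))


def disruption(flows, gateways, lost, picker):
    """Fractions of flows (on_lost, moved_from_healthy) after `lost` disappears."""
    survivors = [gw for gw in gateways if gw != lost]
    on_lost = moved = 0
    for flow in flows:
        before = picker(flow, gateways)
        after = picker(flow, survivors)
        if before == lost:
            on_lost += 1   # unavoidable: its connection state died with the instance
        elif before != after:
            moved += 1     # avoidable: a healthy gateway stops seeing this flow
    return on_lost / len(flows), moved / len(flows)


def constructed_flows(n, seed=7):
    """Constructed sample of n TCP flows from spoke hosts to a few destinations."""
    rng = random.Random(seed)
    return [
        flow_key(
            f"10.{rng.randrange(1, 255)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
            f"203.0.113.{rng.randrange(1, 255)}",
            6,
            rng.randrange(1024, 65536),
            rng.choice([443, 22, 8443]),
        )
        for _ in range(n)
    ]


GATEWAYS = ["gw-1a", "gw-1b", "gw-1c", "gw-1d"]  # constructed fleet: one per AZ


def compare(n=10000, lost="gw-1b"):
    """(on_lost, moved) fractions for both hashing schemes when `lost` dies."""
    flows = constructed_flows(n)
    return {
        "modulo": disruption(flows, GATEWAYS, lost, pick_modulo),
        "rendezvous": disruption(flows, GATEWAYS, lost, pick_rendezvous),
    }


if __name__ == "__main__":
    for name, (on_lost, moved) in compare().items():
        print(f"{name:10s} on lost gateway: {on_lost:.1%}  moved off healthy gateways: {moved:.1%}")
```

With four gateways, modulo hashing moves roughly half of all flows even though only a quarter were on the lost instance; rendezvous hashing moves exactly the quarter that had no choice. Any stateful inspection on the gateways (Suricata flow tracking, NAT state) turns each moved flow into a reset, so the hashing scheme decides how much collateral damage an unplanned loss causes.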
Built for Enterprise Security
Least-Privilege IAM
Every action scoped to your stack by tag and ARN. No wildcard permissions. Full policy published.
Zero Telemetry
No data ever sent to Cloud Spectra. Your traffic, prompts, and logs stay entirely in your AWS account.
Audit Logs in Your CloudWatch
All operational and compliance logs write to your CloudWatch Logs -- fully under your control.
Open-Source Data Plane
nftables, Suricata, IPVS, HAProxy, WireGuard. Auditable, battle-tested open-source components throughout.
Read the full Trust Center →
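
Both the Compliance & Audit card and the Least-Privilege IAM card claim tag- and ARN-scoped IAM with no wildcard permissions. The check a reviewer would run against the published policy, as an added example that is not Cloud Spectra's policy or tooling: a small linter that flags wildcard actions, and state-changing actions on Resource "*" that carry no stack-tag condition (read-only Describe/List/Get calls legitimately need "*"). The sample policy document and the `cloudspectra:stack` tag key are constructed for the example.

```python
"""Lint an IAM policy document for wildcard actions and unscoped mutating statements."""
import json

READ_ONLY_PREFIXES = ("Describe", "List", "Get")
# Assumed tag key; substitute whatever key the published policy actually scopes on.
STACK_TAG_KEYS = {
    "aws:resourcetag/cloudspectra:stack",
    "ec2:resourcetag/cloudspectra:stack",
}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def _condition_keys(statement):
    """All condition keys, lower-cased, across every operator in the statement."""
    return {key.lower() for operator in statement.get("Condition", {}).values() for key in operator}


def lint_policy(policy):
    """Return (statement_index, finding) tuples; an empty list means the policy passes."""
    findings = []
    for idx, st in enumerate(_aslist(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _aslist(st.get("Action", []))
        resources = _aslist(st.get("Resource", []))
        tag_scoped = bool(_condition_keys(st) & STACK_TAG_KEYS)
        arn_scoped = bool(resources) and all(r != "*" for r in resources)
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action}"))
        # Read-only Describe/List/Get calls legitimately need Resource "*";
        # anything that changes state must be pinned to an ARN or a stack tag.
        mutating = [a for a in actions if not _is_read_only(a)]
        if mutating and not arn_scoped and not tag_scoped:
            findings.append((idx, f"mutating actions {mutating} on Resource * with no stack-tag condition"))
    return findings


def is_least_privilege(policy):
    return not lint_policy(policy)


# Constructed policy: two statements in the shape the page describes, one that is not.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadInventory", "Effect": "Allow",
     "Action": ["ec2:DescribeVpcs", "ec2:DescribeRouteTables", "ec2:DescribeVpcPeeringConnections"],
     "Resource": "*"},
    {"Sid": "ManageMeshRoutes", "Effect": "Allow",
     "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"],
     "Resource": "arn:aws:ec2:*:111111111111:route-table/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/cloudspectra:stack": "${aws:PrincipalTag/cloudspectra:stack}"}}},
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": "ec2:*",
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for idx, finding in lint_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {finding}")
```

Running it on the real published policy is the verification the Trust Center invites: an empty result means every Allow statement is either read-only, pinned to an ARN, or conditioned on the stack tag.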
We replace the data plane -- not your FinOps scheduler

Cloud Spectra eliminates metered charges on the traffic that flows through it -- the per-GB tax on network bytes and the per-token tax on AI calls. It does not, and an inline appliance cannot, rightsize your instances, bid on spot for your fleet, or manage Savings Plans and Reserved Instances. We replace the data plane; we are not your compute cost optimizer. That focus is deliberate: it is why the networking savings are verifiable on your own AWS bill in minutes, not modeled in a slide.

Enterprise networking, simplified

Replace Your Managed Networking. Today.

One gateway fleet handles networking for all your accounts. Flat cost regardless of traffic volume. No per-GB surprises, ever. Deploy in 10 minutes from AWS Marketplace.

Billed through AWS Marketplace | No long-term contracts | Cancel anytime