Cloud Spectra Gateway -- Quick Start Guide

Deploy in under 15 minutes. Replace AWS NAT Gateway, NLB, Firewall, and Transit Gateway.

1. Overview

Cloud Spectra Gateway is a single EC2 appliance that replaces multiple AWS managed networking services:

graph LR
    subgraph BEFORE["Before: AWS Managed Services"]
        NAT["NAT Gateway
$0.045/GB"]
        FW["Network Firewall
$0.065/GB + $0.395/hr"]
        NLB["NLB
$0.006/NLCU-hr"]
        TGW["Transit Gateway
$0.05/hr + $0.02/GB"]
    end
    subgraph AFTER["After: Cloud Spectra Gateway"]
        CG["Single EC2 Appliance
sNAT | Firewall | NLB | Transit
ZERO per-GB fees"]
    end
    BEFORE -->|"Replace with"| AFTER
    style NAT fill:#fecaca,stroke:#ef4444,color:#991b1b
    style FW fill:#fecaca,stroke:#ef4444,color:#991b1b
    style NLB fill:#fecaca,stroke:#ef4444,color:#991b1b
    style TGW fill:#fecaca,stroke:#ef4444,color:#991b1b
    style CG fill:#d1fae5,stroke:#10b981,color:#065f46
AWS ServiceCloud Spectra ReplacementSavings
NAT Gateway ($0.045/GB)sNAT (zero per-GB fees)Up to 95%
Network Firewall ($0.065/GB + $0.395/hr)Suricata IDS/IPS ($0 -- no endpoints)Up to 95%
Network Load Balancer ($0.006/NLCU-hr)IPVS L4 + HAProxy TLSUp to 90%
Transit Gateway ($0.05/hr + $0.02/GB)VPC Peering Mesh (free)Up to 99%

Deployed via a single CloudFormation stack. All configuration is managed through a web dashboard, REST API, or Terraform provider.

Choose Your Tier

Cloud Spectra ships as three tiers. Each is a complete Cloud Spectra Gateway, and each higher tier is a strict superset of the one below it -- so you only choose which feature set (and which Marketplace AMI) to launch. Pick the tier that matches what you need today; you can move up later by launching the higher tier's AMI.

Network

Network

1x software fee (base)

Min instance: 2 vCPU (t3.medium / t4g.medium)

For teams replacing NAT Gateway, NLB/ALB and Elastic IPs at a flat fee.

Includes:

  • Outbound NAT + inbound port forwarding
  • NLB (L4) + ALB (L7) load balancing
  • Elastic IP sub-second failover
  • TLS termination (ACM)
  • Forward web proxy: caching, ACLs, bandwidth, metrics
  • Cloud Spectra AI Gateway (Amazon Bedrock)
  • Per-AZ auto-scaling + built-in dashboard
  • Standalone -- no SSM required

Launch: Cloud Spectra Gateway -- Network (amd64 or arm64 AMI)

Security

Security

2x software fee

Min instance: 4+ vCPU (xlarge or larger)

For teams that also need inline IDS/IPS and content filtering.

Everything in Network, plus:

  • Inline Suricata IDS/IPS
  • Emerging Threats (ET Open) rule set
  • Firewall policy sync
  • Web proxy ACLs + content filtering
  • Threat dashboard
  • Site-to-site / hub-and-spoke VPN (WireGuard / GRE) (coming soon)

Launch: Cloud Spectra Gateway -- Security (amd64 or arm64 AMI)

Enterprise

Enterprise

4x software fee

Min instance: 4+ vCPU (xlarge or larger)

For multi-VPC, multi-account and multi-cloud connectivity at scale.

Everything in Security, plus:

  • Multi-VPC / cross-account connectivity
  • Centralized inspection for spoke VPCs (Hub-Spoke Agent ECMP overlay)
  • Kubernetes node provisioning across accounts and VPCs
  • Multi-cloud reach

Launch: Cloud Spectra Gateway -- Enterprise (amd64 or arm64 AMI)

Architecture (amd64 vs arm64): Every tier is published as both an amd64 (x86_64) AMI and an arm64 (Graviton) AMI. Choose the AMI that matches your instance family -- for example a t4g / c7g / m7g instance uses the arm64 AMI, while a t3 / c6in / m6i instance uses the amd64 AMI. Graviton (arm64) typically delivers the best price/performance.
Instance sizing: The Network tier runs from a 2 vCPU instance (t3.medium / t4g.medium). The Security and Enterprise tiers run inline inspection and require an instance with 4 or more vCPUs (xlarge or larger); their advanced services will not start on smaller instances.
Pricing model: The software fee is hourly, per running instance, in addition to the EC2 instance cost. The multipliers above (1x / 2x / 4x) are relative to the Network base fee. See the interactive pricing calculator for exact per-instance-type figures. A per-feature comparison matrix is in section 11, Product Tiers.

2. Prerequisites

  • An AWS account with permissions to create CloudFormation stacks, EC2 instances, IAM roles, VPCs
  • A region with network-optimized instances (all commercial regions)
  • A decision on which tier to launch -- see Choose Your Tier (Network, Security, or Enterprise)
  • A Cloud Spectra Gateway AMI for that tier and your CPU architecture (amd64 or arm64), provided via AWS Marketplace subscription
  • An EC2 key pair in the launch region -- used to SSH in (user admin) and retrieve the one-time dashboard init password
First boot at a glance: Launch the chosen tier's AMI into a VPC subnet, SSH in with your EC2 key pair (user admin; password authentication and root login are disabled), retrieve the one-time dashboard init password, open the dashboard on HTTPS port 9443, and set a permanent password. The steps below walk through this in detail.

3. Deploy via CloudFormation

Estimated time: 8-10 minutes

1Subscribe to your Cloud Spectra Gateway tier on AWS Marketplace

Visit the AWS Marketplace and subscribe to the listing for your chosen tier -- Network, Security, or Enterprise (see Choose Your Tier). Each listing offers both an amd64 (x86_64) and an arm64 (Graviton) AMI; pick the one matching your instance family. The AMI ID will be auto-injected into the CloudFormation template.

2Launch the CloudFormation Stack

Click Continue to Launch from the Marketplace listing, or deploy directly:

  1. Open the CloudFormation console
  2. Choose Create stack -- With new resources
  3. Enter the template URL provided by Cloud Spectra
  4. Fill in the parameters (see below)

3Configure Parameters

Most defaults are fine. Key parameters to review:

ParameterDefaultNotes
newOrExistingVpccreateNewUse selectExisting for production VPCs
availabilityZone1aRequired. Add AZ 2-6 for multi-AZ HA
instance0000typec6in.largeSee pricing page for all options
clientCidrBlock0.0.0.0/0Restrict to your office/VPN CIDR for security
adminPassword(auto-generated)Leave empty to auto-generate; retrieve via SSM after deploy
Tier sizing: The Network tier runs from a 2 vCPU instance (t3.medium / t4g.medium). The Security and Enterprise tiers run inline inspection and require 4+ vCPUs -- set instance0000type to an xlarge (or larger), e.g. c6in.xlarge (amd64) or c7g.xlarge (arm64). Match the instance architecture to the AMI architecture you subscribed to.

4Wait for Stack Creation

The stack takes 8-10 minutes. Watch for CREATE_COMPLETE status.

Note: The stack creates per-AZ resources: dedicated subnet, ENI, Auto Scaling Group, and route table for each enabled availability zone. Only AZ 1 is required; AZs 2-6 are optional for high availability.

4. Access the Dashboard

5Open the Dashboard

From the CloudFormation Outputs tab, click AccessElasticIp. This opens https://<EIP>:9443.

Login with:

  • Username: admin
  • Password: The password you set in the adminPassword parameter, or retrieve the auto-generated one:
# Option 1: Retrieve via SSH (from CloudFormation Outputs,
# copy the AccessInstancePrivateKeyCommand to download the SSH key).
# Log in as user "admin" with your EC2 key pair -- password
# authentication and root login are disabled on the appliance.
ssh -i ~/.ssh/cloudspectra-key admin@<EIP>
cat /opt/cloudspectra/conf/dashboard_init_pw

# Option 2: View directly in SSM Parameter Store
# Go to CloudFormation Outputs -- click SsmParameters to see all config

This one-time init password is only for first login. You will be prompted to set a permanent password immediately, after which the init password no longer works.

Note: The dashboard uses a self-signed TLS certificate by default. Your browser will display a certificate warning on first access. This is expected behavior.

5. Route Traffic Through Cloud Spectra

6Point Your Subnets to Cloud Spectra

For each private subnet that should use Cloud Spectra for NAT:

  1. Open the VPC Route Tables console
  2. Edit the route table for your private subnet
  3. Add route: 0.0.0.0/0 -- Cloud Spectra ENI (from Outputs: AccessPrivateId1)

Or set UpdateMainRoutingTable=true in the CF parameters to auto-route the VPC main table.

Tip: For multi-AZ deployments, point each AZ's subnets to that AZ's Cloud Spectra ENI to avoid cross-AZ data charges. ENI IDs are in the stack outputs (AccessPrivateId1 through AccessPrivateId6).

6. Verify NAT is Working

7Test from a Private Instance

SSH into any EC2 instance in a private subnet routed through Cloud Spectra:

# Verify internet access through Cloud Spectra NAT:
curl -s https://checkip.amazonaws.com

# Should return the Cloud Spectra Gateway's EIP address

The returned IP should match the AccessElasticIp from the stack outputs.

7. Enable HTTP Proxy Security Tier

Cloud Spectra includes a distributed L7 HTTP proxy (Squid) with authentication and per-AZ DNS routing.

8Enable the HTTP Proxy

Enable via the dashboard (Settings -- L7 HTTP Proxy) or the REST API:

# Authenticate and get a token
TOKEN=$(curl -sk https://<EIP>:9443/api/cloudspectra/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"YOUR_PASSWORD"}' \
  | jq -r '.token')

# Enable the HTTP proxy
curl -sk -X PUT https://<EIP>:9443/api/cloudspectra/web-proxy-gateway \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enable": true,
    "port": 1080,
    "username": "proxyuser",
    "password": "securepassword123"
  }'

9Configure Clients

On any EC2 instance in the VPC, set the proxy environment variables:

# Use per-AZ DNS names (recommended -- avoids cross-AZ charges)
export http_proxy=http://proxyuser:securepassword123@us-east-1a.gw.example.com:1080
export https_proxy=http://proxyuser:securepassword123@us-east-1a.gw.example.com:1080
export no_proxy=169.254.169.254,10.0.0.0/8

# Test
curl -s https://checkip.amazonaws.com

DNS names are shown in the dashboard after enabling the proxy. Replace us-east-1a.gw.example.com with your actual per-AZ DNS name.

8. Enable Firewall Security Tier

Cloud Spectra syncs rules from AWS Network Firewall policies and enforces them with Suricata IDS/IPS. No firewall endpoints are needed -- you only create policies and rule groups in the AWS console (which are free), saving over $850/month per 3 AZs compared to deploying actual firewall endpoints.

10Create a Firewall Policy in AWS

In the AWS Network Firewall console, create a firewall policy and attach rule groups. For example, create a stateful rule group that blocks a domain:

  1. Go to Network Firewall -- Rule groups -- Create rule group
  2. Choose Stateful, rule type Domain list
  3. Add domains to block (e.g., .example.com) and set action to Deny
  4. Create a firewall policy and attach this rule group

You do not need to create an actual AWS Network Firewall resource -- just the policy and rule groups.

11Point Cloud Spectra to the Policy

# Enable firewall and sync from your policy
curl -sk -X PUT https://<EIP>:9443/api/cloudspectra/firewall-gateway \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enable": true,
    "firewallPolicies": ["my-fw-policy"]
  }'

Cloud Spectra will sync the rules within 60 seconds. Changes to the policy in the AWS console are automatically picked up -- no restart needed.

Cost breakdown: AWS Network Firewall policies and rule groups are free to create. You only pay when you deploy firewall endpoints ($0.395/hr per AZ). Cloud Spectra eliminates that cost entirely -- you get the same rule management experience at $0/month for the firewall component.

9. Enable Cloud Spectra AI Gateway Security Tier

The Cloud Spectra AI Gateway is a reverse proxy for LLM API calls. It provides centralized access control, response caching, token counting, and audit logging across OpenAI, Anthropic, and AWS Bedrock.

12Enable the AI Gateway

# Enable the AI Gateway (requires 4+ vCPUs -- c6in.xlarge or larger)
curl -sk -X PUT https://<EIP>:9443/api/cloudspectra/ai-gateway \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enable": true,
    "port": 8080,
    "defaultProvider": "openai",
    "cacheEnabled": true,
    "auditLogEnabled": true
  }'

13Test with curl

Point your OpenAI SDK or any HTTP client at the gateway's per-AZ DNS name (shown in the dashboard) or the EIP:

# Send a chat completion request through the AI Gateway
curl -s http://<CLOUDSPECTRA_IP>:8080/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Hello, world"}]
  }'

# For Anthropic models, just change the model name -- routing is automatic
curl -s http://<CLOUDSPECTRA_IP>:8080/v1/chat/completions \
  -H "Authorization: Bearer $ANTHROPIC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "messages": [{"role": "user", "content": "Hello, world"}]
  }'

# In your application code, set the base URL:
# export OPENAI_BASE_URL=http://us-east-1a.gw.example.com:8080/v1
Note: The AI Gateway requires an instance with 4+ vCPUs (c6in.xlarge or larger). The service will not start on smaller instance types. You can change instance type in the dashboard under Settings -- Scaling.

10. Terraform Quick Start

Deploy and configure Cloud Spectra Gateway entirely with Terraform using the Cloud Spectra Terraform provider.

14Deploy with Terraform

terraform {
  required_providers {
    aws     = { source = "hashicorp/aws", version = ">= 5.0" }
    cloudspectra = { source = "cloudspectra/cloudspectra" }
  }
}

provider "aws" { region = "us-east-1" }

# Deploy the CloudFormation stack
resource "aws_cloudformation_stack" "cloudspectra" {
  name         = "cloudspectra-gateway"
  template_url = "TEMPLATE_URL_FROM_MARKETPLACE"
  capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]

  parameters = {
    newOrExistingVpc   = "selectExisting"
    existingVpcId      = "vpc-0123456789abcdef0"
    availabilityZone1  = "a"
    instance0000type   = "c6in.large"
    clientCidrBlock    = "10.0.0.0/8"
  }
}

# Configure the gateway via the Cloud Spectra provider
provider "cloudspectra" {
  gateway_url    = aws_cloudformation_stack.cloudspectra.outputs["AccessElasticIp"]
  admin_password = var.cloudspectra_admin_password
}

# Enable NAT with port forwarding
resource "cloudspectra_nat_gateway" "main" {
  enable = true
}

# Enable firewall (Security tier)
resource "cloudspectra_firewall_gateway" "main" {
  enable            = true
  firewall_policies = ["my-fw-policy"]
}
Tip: The Cloud Spectra provider supports all configuration sections: cloudspectra_nat_gateway, cloudspectra_firewall_gateway, cloudspectra_web_proxy_gateway, cloudspectra_ai_gateway, cloudspectra_nlb_gateway, cloudspectra_dns, cloudspectra_transit_gateway, and more. See the provider documentation for the full resource reference.

11. Product Tiers

FeatureNetworkSecurityEnterprise
sNAT + dNAT
NLB (IPVS L4) + TLS termination
EIP failover + Per-AZ DNS
Vertical + Horizontal scaling
Suricata IDS/IPS + nftables
Domain filtering
L7 HTTP Proxy (Squid)
ET Open Threat Detection
Cloud Spectra AI Gateway (LLM proxy)
AI Assistant (Beta)
Cross-account Transit Manager
VPC Peering Mesh
Premium multiplier1x2x4x
Min instance sizeAny4 vCPU (xlarge+)4 vCPU (xlarge+)

See the interactive pricing calculator for per-instance-type pricing and savings estimates.

12. Estimated Costs

Monthly cost estimates for typical deployments. All figures assume us-east-1 on-demand pricing. Cloud Spectra software fees are in addition to EC2 instance costs.

Single-AZ (Development / Small Production)

ComponentCloud SpectraAWS NativeSavings
NAT (500 GB/month egress)$0$22.50$22.50
Network Firewall (1 AZ)$0$288.00$288.00
EC2 instance (c6in.large)$97.00----
Cloud Spectra software (Gateway tier)~$50.00----
Total~$147.00$310.50~$163/mo

Multi-AZ (Production -- 3 AZs)

ComponentCloud SpectraAWS NativeSavings
NAT (5 TB/month egress)$0$225.00$225.00
Network Firewall (3 AZs)$0$864.00$864.00
NLB (2 NLCU avg)$0$48.00$48.00
EC2 instances (3x c6in.xlarge)$582.00----
Cloud Spectra software (Security tier)~$300.00----
Total~$882.00$1,137.00~$255/mo

High-Traffic (Production -- 3 AZs, heavy egress)

ComponentCloud SpectraAWS NativeSavings
NAT (50 TB/month egress)$0$2,250.00$2,250.00
Network Firewall (3 AZs + 50 TB)$0$4,114.00$4,114.00
Transit Gateway (3 attachments + 10 TB)$0$308.00$308.00
EC2 instances (3x c6in.2xlarge)$1,164.00----
Cloud Spectra software (Security tier)~$600.00----
Total~$1,764.00$6,672.00~$4,908/mo
Tip: Savings increase with traffic volume because Cloud Spectra has zero per-GB fees. At 50 TB/month egress, Cloud Spectra costs roughly 75% less than the equivalent AWS managed services. Use the interactive pricing calculator for exact figures with your workload.

13. Try the AI Assistant Beta

Cloud Spectra Gateway includes a built-in AI Assistant powered by Amazon Bedrock (Claude). Look for the floating chat button in the bottom-right corner of the dashboard. It can answer questions about your gateway status, help diagnose issues, and provide step-by-step configuration guidance. The assistant costs approximately $0.01 per question, billed to your AWS account via Bedrock -- there is no additional Cloud Spectra fee.

Beta: The AI Assistant is in beta. Responses are AI-generated and should be verified before applying critical changes.

14. What's Next

This quick start covers the basics. The Cloud Spectra Gateway User Guide has detailed documentation for each feature:

TopicUser Guide Section
NAT, dNAT, port forwardingNAT Gateway
NLB replacement (IPVS + TLS)NLB Replacement
Firewall, domain filtering, IDS/IPSFirewall
L7 HTTP Proxy (Squid)HTTP Proxy
AI LLM Gateway (caching, audit)Cloud Spectra AI Gateway
AI Assistant (Beta)AI Assistant
VPC Transit ManagerTransit Manager
Multi-AZ, scaling, EIP failoverScaling
REST API referenceAPI Reference
Terraform provider resourcesTerraform Registry

15. Cleanup

To remove Cloud Spectra Gateway, delete the CloudFormation stack. All resources (VPC if created, ENIs, ASGs, IAM roles) are cleaned up automatically.

Note: If you pointed existing route tables to Cloud Spectra ENIs, revert those routes before deleting the stack to avoid connectivity loss.