Cloud Spectra Gateway -- Quick Start v1.0.0

Deploy Cloud Spectra Gateway into your own AWS account in under 15 minutes.

1. Overview

Cloud Spectra Gateway is an AWS networking appliance that deploys entirely into your own AWS account. It replaces metered AWS networking and LLM-API spend with a fixed EC2 cost -- your cloud, off the meter. All traffic and configuration stay inside your account: there is no vendor control plane and no data leaves your boundary.

You subscribe on the AWS Marketplace, launch a CloudFormation stack, and within minutes you have a running gateway with a management dashboard. Outbound NAT works immediately; you turn on additional features from the dashboard as you need them.

Cloud Spectra Gateway replaces the AWS services you are currently metered on with in-appliance equivalents:

What AWS meters               | Cloud Spectra Gateway equivalent                   | Tier
------------------------------+----------------------------------------------------+-----------
NAT Gateway (hourly + per-GB) | Source NAT (sNAT) on the appliance                 | Network
Inbound forwarding            | Destination NAT / port forwarding (dNAT)           | Network
Network Load Balancer (L4)    | In-appliance Linux IPVS L4 load balancing          | Network
TLS termination               | HAProxy + ACM certificate on port 443              | Network
Inline inspection / IDS-IPS   | Suricata IDS/IPS + nftables firewall               | Security
Forward web proxy             | Squid proxy with caching and filtering             | Network
LLM API spend                 | OpenAI-compatible AI Gateway with response caching | AI Gateway

Cloud Spectra ships as three stacking tiers -- Network, Security, and AI Gateway -- where each higher tier includes everything in the one below it. For the full breakdown of every feature and how it works, see the User Guide; for how the appliance is assembled internally, see the Architecture guide.

Deployment flow at a glance

  AWS Marketplace (subscribe to a tier)
    -> CloudFormation stack (new-VPC or existing/BYO-VPC)
    -> Per-AZ Auto Scaling Group (one ASG per Availability Zone)
    -> Gateway Load Balancer (GENEVE, horizontal scale)
    -> Elastic IP (stable endpoint)
    -> HTTPS dashboard on port 443 (HAProxy + ACM)
    -> Login & configure

2. Prerequisites

To complete this quick start you need:

  • An AWS account where you can subscribe on the Marketplace and create resources.
  • A chosen AWS Region to deploy into (any commercial region works).
  • Permissions to create CloudFormation stacks and the resources they create: EC2 instances, VPC networking, IAM roles, Auto Scaling groups, and an Elastic IP.
  • An EC2 key pair in the launch Region (used for SSH access and to retrieve the one-time dashboard password).
  • Optional: an AWS Certificate Manager (ACM) certificate if you want the dashboard and TLS termination to serve a trusted certificate instead of the default self-signed one.

Enable most features -- deploy the operational IAM role: The base CloudFormation template is intentionally minimal: the gateway boots and outbound NAT works from it, but most other features -- the full per-AZ NAT data plane for your private subnets, Gateway Load Balancer, EIP-pool DNS, flow logs, EventBridge, vertical/horizontal scaling, the AI Gateway, teardown, and cross-account management -- require a separately deployed operational IAM role (the cross-account / home-account role). You deploy it once in this account, and once per additional account you manage, from a CloudFormation stack the dashboard hands you with every permission pre-filled. Without it, most features will not work. See Cross-account / home-account IAM role in the User Guide for the full setup.

Where configuration lives: All gateway configuration is stored in AWS SSM Parameter Store inside your account. There is no external database and no vendor-hosted state.

3. Choose a deployment

Cloud Spectra Gateway supports three deployment methods. This quick start focuses on the Marketplace 1-click CloudFormation path; the other two are covered in detail in the User Guide.

Method                        | Best for                                          | How
------------------------------+---------------------------------------------------+------------------------------------------------------
Marketplace + CloudFormation  | The fastest, recommended path for most customers  | 1-click from the listing into a CloudFormation stack
Terraform                     | Teams managing infrastructure as code             | The cloudspectra/cloudspectra provider + AWS modules
Standalone AMI                | Quick trials or non-CloudFormation environments   | Launch the AMI directly; boots with NAT + dashboard

CloudFormation: new VPC vs existing/BYO VPC

The Marketplace listing offers two CloudFormation templates. Pick the one that matches your environment:

  • New-VPC template -- Cloud Spectra creates a fresh VPC, subnets, route tables, and an internet gateway for you. This is the simplest starting point and is the default.
  • Existing / BYO-VPC template -- Cloud Spectra deploys into a VPC and subnets you already operate. Use this for production accounts where the network is already established.

Terraform path: If you prefer infrastructure as code, install the Terraform provider cloudspectra/cloudspectra via a one-time network mirror block in ~/.terraformrc, then drive both deployment and feature configuration with the provider's resources. Full instructions are in the User Guide.

Standalone AMI path: You can also launch the Cloud Spectra AMI directly from the EC2 console with no CloudFormation at all. It boots with sNAT and the dashboard already running. See the standalone walkthrough in the User Guide.

4. Deploy via CloudFormation

Estimated time: 8-10 minutes

Step 1: Subscribe on AWS Marketplace

Visit the AWS Marketplace and subscribe to the Cloud Spectra Gateway listing for the tier you want -- Network, Security, or AI Gateway. Each higher tier includes everything in the tiers below it, so choose the feature set you need today. Subscribing entitles your account to launch the gateway's AMI.

Step 2: Launch the CloudFormation stack

From the listing, choose Continue to Launch. This opens the CloudFormation console with the Cloud Spectra template pre-loaded. Confirm your launch Region in the top-right of the console before continuing.

Step 3: Pick a template: new-VPC or existing/BYO-VPC

Select the new-VPC template to have Cloud Spectra build the network for you, or the existing/BYO-VPC template to deploy into a VPC and subnets you already run (see section 3). When in doubt, start with the new-VPC template.

Step 4: Set parameters

Most defaults are sensible. The key parameters to review:

Parameter                  | What it controls
---------------------------+------------------------------------------------------------------------------------------------
VPC selection              | New VPC (created for you) vs an existing VPC ID + subnets you provide.
Availability Zones         | The list of AZs to deploy into. One ASG is created per AZ; AZ 1 is required, additional AZs add high availability.
Instance type              | The EC2 instance type for gateway nodes. Can be changed live later.
Admin access CIDR          | The source CIDR allowed to reach the dashboard. Restrict to your office or VPN range.
ACM certificate (optional) | An ACM certificate ARN to serve trusted TLS on port 443.

Security and AI features need more vCPUs: The Network tier runs on small instances. The Security and AI Gateway tiers run inline inspection and AI services and need a larger instance type. Match the instance architecture to the AMI you subscribed to.

Step 5: Wait for CREATE_COMPLETE

Acknowledge the IAM capability prompt and create the stack. Provisioning takes roughly 8-10 minutes. Watch the stack Events until the status reads CREATE_COMPLETE.

What the stack builds: a per-AZ Auto Scaling Group (one ASG per Availability Zone, each egressing through its own ENI to avoid cross-AZ data charges), a Gateway Load Balancer (GWLB, GENEVE) for horizontal scale, and an Elastic IP for a stable endpoint. The internals are described in the Architecture guide.

5. First login

Step 6: Find the dashboard URL in stack Outputs

Open the stack's Outputs tab in the CloudFormation console. The output for the gateway's Elastic IP is your stable dashboard endpoint. Open it over HTTPS on port 443 (TLS is terminated by HAProxy using your ACM certificate, or a self-signed certificate if you did not supply one).

Step 7: Retrieve the initial admin password

Log in as user admin. Retrieve the one-time initial password using your EC2 key pair (the stack Outputs include the command to fetch the SSH key). Password authentication and root login are disabled on the appliance, so you authenticate with the key pair:

# SSH in as user "admin" with your EC2 key pair
ssh -i ~/.ssh/your-key.pem admin@<ELASTIC_IP>

# Read the one-time dashboard init password
cat /opt/cloudspectra/conf/dashboard_init_pw

The initial password is also written to SSM Parameter Store in your account.

Step 8: Set a permanent password

The dashboard forces a password change on first login. After you set your own password, the one-time init password stops working. Keep your new password somewhere safe -- the gateway has no vendor-side recovery path because there is no vendor control plane.

Certificate warning: If you did not supply an ACM certificate, the dashboard serves a self-signed certificate and your browser will show a warning on first access. This is expected. Supply an ACM certificate parameter to serve trusted TLS.

6. NAT works out of the box

As soon as the stack reaches CREATE_COMPLETE, source NAT is already running on the appliance -- no configuration step is required. Private instances whose route tables point default traffic at the Cloud Spectra ENI immediately reach the internet through the gateway's Elastic IP.

  Private subnet instances (no public IP)          [inside your VPC]
    --0.0.0.0/0 route--> Cloud Spectra Gateway (sNAT on per-AZ ENI)
    -> Elastic IP (stable egress)
    -> Internet

Step 9: Verify outbound from a private instance

SSH into any EC2 instance in a private subnet that routes through the gateway, and confirm it can reach the internet:

# From a private instance routed through Cloud Spectra:
curl -s https://checkip.amazonaws.com

# The returned IP should match the gateway's Elastic IP
# (the AccessElasticIp value from the stack Outputs).

Multi-AZ tip: Point each AZ's private subnets at that same AZ's Cloud Spectra ENI. Because each AZ egresses through its own ENI, keeping traffic within the AZ avoids cross-AZ data transfer charges. The route-table details are in the User Guide.
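The per-AZ routing described in the tip above, as an added example script for this quick start (not part of the Cloud Spectra product or its documentation). It assumes the aws CLI is configured; the AZ, route table and ENI ids in AZ_MAP are constructed placeholders you replace with the values from your stack, and it refuses to point a route table at an ENI that AWS reports in a different AZ.

```shell
#!/bin/sh
# Point each AZ's private route table at the Cloud Spectra ENI in the same AZ.
# Added example for this quick start; ids below are constructed placeholders.
set -eu

# Constructed mapping, one line per AZ: "<az> <private route table id> <gateway ENI id>"
AZ_MAP="us-east-1a rtb-0aaa111 eni-0aaa111
us-east-1b rtb-0bbb222 eni-0bbb222"

# The AZ that AWS reports for an ENI (empty when the lookup fails).
eni_az() { # $1 = ENI id
  aws ec2 describe-network-interfaces --network-interface-ids "$1" \
    --query 'NetworkInterfaces[0].AvailabilityZone' --output text 2>/dev/null || true
}

# Only allow a route table to use an ENI from its own AZ; anything else brings
# back the cross-AZ data transfer charges the per-AZ design is meant to avoid.
check_same_az() { # $1 = expected AZ, $2 = AZ reported for the ENI
  [ "$1" = "$2" ]
}

# The aws command that swaps the table's default route to the gateway ENI.
# replace-route assumes a 0.0.0.0/0 route already exists (for example one that
# pointed at a NAT Gateway); use create-route for a table that has none.
route_cmd() { # $1 = route table id, $2 = ENI id
  printf 'aws ec2 replace-route --route-table-id %s --destination-cidr-block 0.0.0.0/0 --network-interface-id %s' "$1" "$2"
}

apply_routes() { # $1 = 1 to print the commands, 0 to run them
  dry=${1:-1}
  echo "$AZ_MAP" | while read -r az rtb eni; do
    actual=$(eni_az "$eni")
    if ! check_same_az "$az" "$actual"; then
      echo "skip $rtb: $eni is in '$actual', not $az" >&2
      continue
    fi
    cmd=$(route_cmd "$rtb" "$eni")
    if [ "$dry" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

case ${1:-} in
  plan)  apply_routes 1 ;;
  apply) apply_routes 0 ;;
  *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

Run it with `plan` first to review the exact commands, then `apply`; after the change, repeat the checkip test from the private instance in each AZ.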

7. Enable a feature

Every additional capability is turned on the same way: from the dashboard (or the config API on port 8080, or the Terraform provider). Per-feature configuration reference -- including firewall rules, the Squid proxy, TLS termination, the AI Gateway, and local vLLM inference -- lives in the User Guide. Here is the pattern using one Network-tier feature, the forward HTTP proxy.

  Dashboard (HTTPS 443)
    -> Toggle a feature on
    -> Config saved to SSM Parameter Store
    -> Gateway nodes reconcile and apply the change
    -> Feature live on all AZs

Step 10: Enable the forward HTTP proxy (Squid)

  1. Open the dashboard over HTTPS and sign in.
  2. Go to the Forward Proxy settings.
  3. Enable the proxy, set the listening port, and optionally set a username/password, response caching, domain filtering, and bandwidth limits.
  4. Save. The change is written to SSM Parameter Store and the gateway nodes apply it automatically.

Then point a client at the proxy:

# Send outbound traffic through the Cloud Spectra forward proxy
export http_proxy=http://proxyuser:secret@<GATEWAY>:<PROXY_PORT>
export https_proxy=$http_proxy
curl -s https://checkip.amazonaws.com

The same pattern applies to every feature. TLS termination (ACM), the IPVS L4 load balancer, the Suricata IDS/IPS, nftables firewall rules, domain/URL filtering, and the AI Gateway are each enabled from the dashboard with their own settings. See the User Guide for the full per-feature reference.

Key ports

Port         | Service
-------------+---------------------------------------------------------
443          | HTTPS management dashboard (HAProxy + ACM TLS)
8080         | Configuration API
8090         | AI Gateway, OpenAI-compatible endpoint (AI Gateway tier)
configurable | Squid forward proxy port
80           | HTTP redirect to HTTPS

8. Verify

A quick end-to-end check confirms the gateway is healthy and routing correctly.

Check                      | How                                                       | Expected result
---------------------------+-----------------------------------------------------------+--------------------------------------------------------
Outbound NAT               | curl -s https://checkip.amazonaws.com from a private instance | Returns the gateway's Elastic IP
Dashboard reachable        | Open the Elastic IP over HTTPS (port 443)                 | Login page loads
Status panels              | Sign in and open the dashboard overview                   | Per-AZ instances healthy; enabled features show active
Forward proxy (if enabled) | curl through the proxy port                               | Request succeeds via the proxy

If outbound traffic does not return the gateway's Elastic IP, confirm the private subnet's route table sends 0.0.0.0/0 to the Cloud Spectra ENI for that AZ. Common questions and troubleshooting are collected in the FAQ.
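The first two checks in the table above, scripted: an added example for this quick start, not a script shipped with Cloud Spectra. It assumes it runs on a private instance routed through the gateway with AWS credentials that can read the stack, and that the stack output key for the gateway's address is AccessElasticIp (the name this guide uses); the stack name is an assumed argument.

```shell
#!/bin/sh
# Post-deploy verification for a Cloud Spectra Gateway stack (added example).
# Usage: sh verify.sh <stack-name>   (run from a private instance behind the gateway)
set -eu

# The gateway's Elastic IP from the CloudFormation stack outputs.
stack_eip() { # $1 = stack name
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='AccessElasticIp'].OutputValue" \
    --output text
}

# True when the argument is a dotted-quad IPv4 address.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when the egress address printed by checkip.amazonaws.com (trailing
# newline and all) equals the expected Elastic IP.
egress_matches() { # $1 = expected EIP, $2 = observed checkip output
  expected=$(printf '%s' "$1" | tr -d '[:space:]')
  observed=$(printf '%s' "$2" | tr -d '[:space:]')
  is_ipv4 "$expected" && [ "$expected" = "$observed" ]
}

# HTTP status of the dashboard on 443; "000" means no connection at all.
# -k accepts the default self-signed certificate; remove it once an ACM
# certificate is configured so a wrong certificate is no longer accepted.
dashboard_status() { # $1 = Elastic IP
  curl -sk -o /dev/null -m 10 -w '%{http_code}' "https://$1/" || echo 000
}

main() { # $1 = stack name
  eip=$(stack_eip "$1")
  observed=$(curl -s -m 10 https://checkip.amazonaws.com)
  if egress_matches "$eip" "$observed"; then
    echo "outbound NAT OK: egress via $eip"
  else
    echo "outbound NAT FAIL: expected $eip, got '$observed'; check this AZ's 0.0.0.0/0 route" >&2
  fi
  status=$(dashboard_status "$eip")
  case $status in
    200|30[0-9]|401|403) echo "dashboard OK: HTTPS $status on $eip" ;;
    *) echo "dashboard FAIL: HTTPS status $status; check the admin access CIDR" >&2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$1"; fi
```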

Before tearing down: If you pointed existing route tables at Cloud Spectra ENIs, revert those routes before deleting the CloudFormation stack to avoid losing connectivity for instances that depend on the gateway.

9. Next steps

You now have a running Cloud Spectra Gateway with NAT live and a feature enabled. Where to go from here:

Document     | What it covers
-------------+--------------------------------------------------------------------------------------------------------------
User Guide   | Per-feature configuration for all three tiers: sNAT/dNAT, IPVS L4 load balancing, TLS termination (ACM), per-AZ Auto Scaling, GWLB scaling, the Squid forward proxy, Suricata IDS/IPS and nftables firewall, domain/URL filtering, and the AI Gateway with response caching, local vLLM inference, and the semantic cache. Also the full Terraform and standalone-AMI walkthroughs.
Architecture | How the appliance is assembled: the per-AZ ASG model, GWLB/GENEVE data path, Elastic IP endpoint, SSM-backed configuration, the in-account data-plane design, and why there is no vendor control plane.
FAQ          | Common questions on cost, data residency, security, deployment options, scaling, and troubleshooting.

Recommended reading order: Start with the User Guide to configure the features you need, skim the Architecture guide to understand how it all fits together, and keep the FAQ handy for quick answers.