The built-for-cloud firewall that costs 60-80% less than the cloud-native one.
Same egress filtering, same identity-aware L7 inspection, better fleet visibility than AWS Network Firewall, Azure Firewall or Google Cloud NGFW — on a VM you already operate. No per-hour endpoint charges. No per-GB data-processing tax.
Deploy in minutes on any cloud.
- L7 firewall and secure NAT gateway in one — on AWS and GCP that's two separate products.
- One firewall for egress, ingress and east-west — control VPC-to-VPC traffic, not just outbound.
- Identity-aware L7 — SNI and FQDN egress filtering, no TLS decryption.
- A lightweight appliance in your own cloud network — flat per-firewall price.
- 25 compliance frameworks — advise or enforce on every policy push.
The same firewall capability — and more — without the cost model.
Lead with the bill, prove with the capability. Every pillar is one outcome, scannable in seconds.
- Cut the cloud-firewall bill 60–80%
  Flat, per-firewall licensing — no per-hour endpoint fee and no per-GB data-processing tax. The cloud-native stack meters egress twice and forever; Enforza is one line item that does not move with traffic.
- Firewall and secure NAT in one appliance
  On AWS and GCP, filtered egress means stacking two metered products — a managed firewall plus a NAT gateway. Enforza is a single NVA in your own network: identity-aware L7 filtering and source NAT together, on a VM you already operate.
- North-south and east-west, in one firewall
  SNI and FQDN filtering, network and VM objects, AWS IP-range and Azure Service-Tag imports — applied to egress, ingress and east-west VPC-to-VPC traffic. The same control as the cloud-native firewall on AWS, Azure or GCP, with no TLS decryption and no key custody, ever.
- Compliance baked in
  25 framework packs and 210 firewall-applicable controls — PCI DSS, ISO 27001, FedRAMP, DORA, CMMC, HIPAA and more. Advise or enforce on every policy push, so non-compliant rules are caught before they ship.
- One pane of glass for the fleet
  Manage every firewall from a single console, push policy to many at once, and stream live logs from multiple firewalls in real time. Log export goes to your own SIEM — never through Enforza's cloud.
- Your team's workflow — GitOps or console
  Run policy-as-code through a GitHub pipeline, or drive the Cloud Controller console by hand. Same firewall NVA underneath; the choice is your team's. Drop-in deploy in minutes, self-upgrade with rollback, on any cloud.
Two ways to run it. One firewall underneath.
Pick the workflow your team already lives in. The same firewall NVA runs the policy either way — there is no second-class mode.
A single console for the whole fleet — author policy, push to many firewalls at once, and watch live logs stream from multiple firewalls in real time, with the same advise-or-enforce guardrails.
Policy-as-code in your repo, reviewed and merged like any other change. Compliance runs in the pipeline, so non-compliant rules are caught on the pull request — before they ever reach a firewall.
Preview coming
Available now as a workflow · a self-serve portal walk-through is on the way.
Up and filtering in three steps
Launch one VM, bind a policy, point traffic at it. No appliances to rack, no agents on every host — and because the last step is just a route change, rollback is instant.
- Launch
  Spin up one Linux VM in your own network — on any cloud — and enrol it with one command using a deployment key.
      curl -fsSL https://dl.enforza.io/install.sh | sudo bash -s -- --regkey=EFZ-XXXXXXXX
  A single-use key binds one firewall; a fleet (provisioning) key is reusable across Terraform, Ansible or CI.
- Bind a policy
  Attach a policy from your GitHub pipeline or the console.
- Point traffic at it
  One route-table / UDR change sends egress, ingress or east-west through the VM. Filtered in minutes — and because it is only a route change, rollback is instant: revert the route and you are back exactly as before.
Replace the cloud-native firewall. Drop the per-GB tax.
Every cloud-native firewall — AWS Network Firewall, Azure Firewall, Google Cloud NGFW — meters you per GB of data processed, a tax that grows with every byte, on top of a per-hour fee. On AWS and GCP, filtered egress also means running a separate NAT gateway with its own per-GB charge — a second meter. Take AWS as the worked example. Enforza is a drop-in replacement: one appliance, flat per-firewall, $0/GB.
- AWS NAT Gateway
  - Per hour: $0.045 / gateway-hr
  - Per GB: $0.045 / GB
- AWS Network Firewall
  - Per hour: $0.395 / endpoint-hr (~$288/mo/AZ)
  - Per GB: $0.065 / GB
Two products · two per-hour fees · two per-GB meters — forever, growing with traffic.
- Enforza
  - Per hour: $0
  - Per GB: $0 / GB
Flat, per-firewall licence — plus the Linux VM you already run.
AWS rates verified for us-east-1, dated 2026-06-14 — directional and subject to change.
NAT Gateway and Network Firewall are separate products with separate rates.
Savings of 60–80% are typical at modest egress; run your own numbers.
- Not CPU or instance-size limited
- Not IP or object limited
- Not protected-device limited
- Not complicated metered pricing
Enterprise control, without the enterprise sprawl — or the invoice.
This is the other axis — and a different story to the cloud-native cost wedge above. The mega-NGFW vendors — Palo Alto, Fortinet, Check Point — ship hundreds of features at a six-figure price, most never switched on. Enforza covers the ~98% of use cases most teams actually need, and does it well: the right tool for the job, not a platform you grow into and never fill. We are honest about scope — we do not match their breadth, and most teams never need it.
- Cloud-native firewall — managed, but limited and metered by the per-GB tax.
- Enterprise NGFW — deep control, but costly and over-built for cloud.
- Enforza — the overlap: real control at a flat, fair price.
“Half used, fully paid for.”
Single-pass. Microsecond. Built for the cloud.
The single-pass packet classification and verdict engine inspects each flow once, reaches a verdict in microseconds — not milliseconds — then enforces every following packet in-kernel at line rate. It is a purpose-built cloud NVA: engineered for the cloud, not an on-prem box bolted onto it.
- ~49.5 µs: p99 first-packet classification (measured, c6i.xlarge — CPU 99% idle)
- 98.5 %: of packets decided in-kernel at line rate — only the first hits userspace
- 0: dropped packets across the throughput run — queue depth peaked at zero
Measured on standard VM sizes (t3.micro / c6i.xlarge) — conservative floors, not ceilings. A single-stream 4.35 Gbps sustained on a t3.micro at 97.4% idle, with zero dropped packets.
Compliance, checked on every policy push.
25 framework packs and 210 firewall-applicable controls. On every policy push, Enforza can advise or enforce — so a rule that would break a control is flagged or blocked before it reaches a firewall.
- PCI DSS
- ISO 27001
- FedRAMP
- DORA
- CMMC
- HIPAA
- + 19 more
Frequently asked questions
How does Enforza cost 60–80% less than a cloud-native firewall?
Enforza is a flat, per-firewall subscription with no per-hour endpoint fee and no per-GB data-processing tax. Cloud-native firewalls charge both — and securing egress also means running a separate NAT gateway with its own per-GB rate. Because Enforza's price does not move with traffic, the gap widens as your egress grows. The 60–80% figure is directional and dated 2026-06-14; use the savings calculator for your own numbers.
Why is securing egress on AWS or GCP two products?
On AWS and GCP, the managed NAT gives outbound connectivity but does no filtering, and the managed firewall provides the inspection — so to get filtered egress you stack both, each with its own per-hour fee and its own per-GB charge. As a worked example on AWS: $0.045/GB for the NAT Gateway and $0.065/GB for Network Firewall (us-east-1, 2026-06-14). Either way, every cloud-native firewall — Azure Firewall included — charges a per-GB data-processing fee on top of its per-hour rate. Enforza does secure NAT and identity-aware L7 filtering in one appliance at $0/GB.
Does Enforza only filter outbound (egress) traffic?
No. Enforza is one firewall for north-south and east-west traffic. It controls egress to the internet, ingress into your network, and east-west VPC-to-VPC (lateral) traffic between your own networks. You route the traffic you want inspected through the appliance and apply the same identity-aware L7 and L3/L4 policy to all of it — so lateral movement between workloads is governed, not just the outbound path.
Does Enforza decrypt TLS to filter by hostname?
No. Enforza filters egress by SNI and FQDN without decrypting TLS and without holding your keys. You get identity-aware L7 control over where workloads can talk, with no man-in-the-middle and no key custody.
Where does Enforza run, and where do logs go?
Enforza runs as a single lightweight Linux VM in your own cloud network — AWS, Azure, Google Cloud or on-prem. Log export streams to your own SIEM; logs never pass through Enforza's cloud.
What are the two ways to run it?
Policy-as-code through a GitHub pipeline (GitOps, for platform-engineering teams) or the Cloud Controller console (GUI-driven, for network-operations teams). The same firewall NVA runs underneath either workflow — the choice is your team's.
Is the free tier real, or a teaser?
Free is a genuine self-serve tier: one firewall with L3/L4 policy and network objects, no card required. A 14-day trial unlocks the full feature set — L7/FQDN filtering, compliance packs, log export and live logs — and the paid plan is £179/month per firewall, dropping to £149 from your sixth, plus the Linux VM you already run.
How is compliance handled?
Enforza ships 25 framework packs covering 210 firewall-applicable controls — including PCI DSS, ISO 27001, FedRAMP, DORA, CMMC and HIPAA. On every policy push it can advise or enforce, so rules that would break a control are flagged or blocked before they reach a firewall.
Ditch the data-processing charges.
Flat, per-firewall pricing — and no per-GB data-processing charges, ever. The same egress filtering, identity-aware L7 and NAT, in any cloud or on-prem. Start free, no card.