🗺️ Network Topology
An interactive map of your entire AWS network, updated daily.
| Feature | Description |
|---|---|
| Interactive graph | Force-directed D3.js graph. VPCs, TGWs, Internet Gateways, NAT Gateways shown as AWS icons. Click any node to inspect it. |
| Environment groups | VPCs automatically grouped by environment tag (production, staging, development, cde). Colour-coded rings show compliance status. |
| Reachability query | The graph shows which VPCs can reach each other. Click any VPC node to see its reachable peers highlighted. |
| Reachability matrix | Full N×N matrix of all VPC pairs. Download as CSV. |
| CIDR map | All CIDR blocks across all VPCs, with overlap detection highlighted. |
| Topology diff | Banner shows what changed since the last scan — new peerings, new VPCs, changed tags. |
| Snapshot history | Browse past topology snapshots. Compare any two snapshots. |
| Compute instances | Click a VPC to see EC2 instances within each subnet — instance type, state, private IP. |
🛡️ Compliance
Daily isolation monitoring with 365-day audit history and a one-click compliance report.
| Feature | Description |
|---|---|
| Isolation rules | Select two environment groups (e.g. production and staging) — Netway evaluates whether any network path exists between them on every scan. |
| Rule history | 365 days of pass/fail results per rule. Immutable audit log. |
| Topology detectors | CIDR conflict, orphaned VPC, CDE internet exposure, missing TGW propagation, and more. |
| Compliance report | Signed HTML or PDF evidence report. Sections covering PCI-DSS 1.2.3, 1.2.4, 1.3.x, 1.4.1, 11.4.5 and SOC2 CC6.x, CC7.2, CC8.1. |
| Network diagram | Auto-generated network diagram (PNG + SVG) using AWS Architecture Icons. Embedded in the compliance report. |
| Report signing | HMAC-SHA256 signature on every report. A verifier holding the signing key can confirm the report's integrity and origin. |
| Slack alerts | Immediate alert when an isolation rule violation is detected. |
| Environment group inference | Automatically infers environment groups from VPC tags. Manual override available. |

| Requirement | Coverage |
|---|---|
| PCI-DSS 1.2.3 | Auto-generated network diagram |
| PCI-DSS 1.2.4 | Flow log traffic overlay on topology |
| PCI-DSS 1.3.1 / 1.3.2 | Routing + traffic plane isolation evidence |
| PCI-DSS 1.4.1 | CDE exposure detector |
| PCI-DSS 11.4.5 | 365-day daily scan log |
| SOC2 CC6.1 | Environment group isolation rules |
| SOC2 CC6.6 | Internet exposure detection |
| SOC2 CC7.2 | Topology change detection |
| SOC2 CC8.1 | Change log in compliance report |
💰 Cost Optimisation
Detects avoidable AWS network spend from VPC flow logs.
Note: Netway detects multiple categories of avoidable network spend. Each finding includes the source resource, the estimated monthly savings, and the exact CLI command to fix it.
| Pattern | Typical Saving |
|---|---|
| S3 via NAT Gateway | $200–500/mo |
| Avoidable Internet Egress | $500–8,000/mo |
| Cross-Region S3 Access | $200–1,000/mo |
| Cross-AZ Database Traffic | $50–200/mo |
| AWS APIs via NAT | $30–150/mo |
| NAT Gateway in Wrong AZ | $20–100/mo |
| ML Checkpoint via NAT | $300–2,000/mo |
| GPU Cross-AZ Gradient Sync | $100–800/mo |
| Inference Cold Start S3 | $50–400/mo |
| + more patterns | — |
🌍 Multi-Region Deployment
Deploy and manage Netway stacks across multiple AWS regions with a single script. All regions report into one dashboard.
| Feature | Description |
|---|---|
| One-command deploy | `netway-deploy.sh deploy` deploys the CloudFormation stack in parallel across all specified regions. Progress is shown per region. |
| Lifecycle management | Single script for the full stack lifecycle: `deploy`, `status`, `update`, `delete`. All commands operate across all deployed regions at once. |
| Cross-region scan | `netway-deploy.sh scan` triggers a Lambda scan in every deployed region in parallel. Use `--wait` to block until all scans complete. |
| State file | Deployed regions, stack name, and VPC config saved to `~/.netway/regions` — no need to re-specify on each command. |
| Auto template update | `netway-deploy.sh update` downloads the latest CloudFormation template from the Netway releases bucket and applies it to all regions. |
| Unified dashboard | Topology, findings, and compliance results from all regions appear in one dashboard. The topology graph labels each VPC by region. |
🏢 Multi-Account Support
Monitor VPCs across multiple AWS accounts under one Netway subscription. One API key, one dashboard, unified topology and compliance.
| Feature | Description |
|---|---|
| Account allow-list | Link additional AWS accounts from the dashboard. Only explicitly approved accounts can post findings — a stolen API key from an unknown account is rejected. |
| Same API key | Deploy the Netway Lambda into each account using the same API key. No cross-account IAM trust or management account access required. |
| Unified topology graph | VPCs from all accounts appear in one topology graph, labelled by account ID. Filter the graph by account using the account dropdown. |
| Cross-account compliance | Isolation rules and compliance reports span all linked accounts. A rule can reference environment groups from different AWS accounts. |
| Multi-account scan | `netway-deploy.sh scan --profile prod-account --profile staging-account` triggers scans across multiple accounts in parallel using AWS CLI profiles. |
| Per-account scan tracking | Dashboard shows each linked account's label and last scan time. Know at a glance which accounts are reporting fresh data. |
📦 Tiers
All plans start with a 14-day Enterprise trial. No credit card required.
| Feature | Starter | Standard | Enterprise |
|---|---|---|---|
| VPCs monitored | Up to 3 | Up to 15 | No enforced limit |
| AWS accounts | 1 | Up to 3 | No enforced limit |
| Regions | 1 | No enforced limit | No enforced limit |
| Multi-region deploy script | ✅ | ✅ | ✅ |
| Scan frequency | Weekly | Daily | Every 6 hours |
| Topology graph | ✅ basic isolation monitoring | ✅ Full | ✅ Full |
| Reachability query | ✅ | ✅ | ✅ |
| Reachability matrix | — | ✅ | ✅ |
| CIDR map | ✅ | ✅ | ✅ |
| Topology diff | Last 2 snapshots | Last 30 | All |
| Compliance report (HTML) | — | ✅ | ✅ |
| Compliance report (PDF, HMAC-signed, QSA-ready) | — | — | ✅ |
| Network diagram (PNG) | — | ✅ | ✅ |
| Network diagram (SVG) | — | — | ✅ |
| Audit history | 30 days | 180 days | 365 days |
| Isolation rules | 2 max | 5 max | No enforced limit |
| Cost anomaly detection | 2 (top patterns) | Full | Full |
| Topology detectors | 2 (CIDR, orphan) | All 9 | All 9 |
| Slack alerts | ✅ | ✅ | ✅ |
| Email digest | ✅ | ✅ | ✅ |
| Trial | 14-day Enterprise trial on signup | 14-day Enterprise trial on signup | 14-day Enterprise trial on signup |