DOCUMENTATION

Netway - AWS Network Cost Analyzer

Netway scans your VPC Flow Logs, identifies traffic patterns that generate unnecessary AWS data transfer costs, and tells you exactly how to fix them.

What is Netway?

Netway is a lightweight AWS Lambda function that runs inside your own AWS account. It reads your VPC Flow Logs from S3 using Athena, maps traffic to your actual AWS resources, and ships aggregated flow summaries to the Netway service. Detection runs server-side — 14 pattern detectors analyse your traffic and generate findings.

Findings appear in your Netway dashboard with a prioritised list of issues, estimated monthly savings, and one-command fixes. Your raw VPC Flow Log data never leaves your AWS account — only aggregated traffic summaries are transmitted.

Key facts

• Deploys in 3–5 minutes via a single CloudFormation command — works in any AWS region
• You choose which VPCs to monitor — no surprises, no implicit permissions creep
• Runs on a schedule (weekly by default) and on new resource creation
• Costs ~$0.02 per scan in Athena + Lambda fees
• Read-only access to EC2, RDS, and S3 — no write permissions to your infrastructure
• Raw network data never leaves your AWS account
• 14-day free trial, no credit card required

How it works

Each scan follows these steps inside your account:

  1. At deploy time, enable VPC Flow Logs on your specified VPCs → S3 bucket in your region
  2. On each scan, query flow logs from S3 using Athena (data never leaves your account)
  3. Map IP addresses to your AWS resources (EC2, RDS, SageMaker, NAT Gateways)
  4. Classify each flow by traffic type (S3, internet, cross-AZ, ML, etc.)
  5. Aggregate flows into compact summaries and ship them to the Netway service (raw logs stay in your account)
  6. 14 pattern detectors run server-side to identify wasteful patterns and estimate monthly cost
  7. Findings appear in your Netway dashboard with one-command remediation steps
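Steps 3 to 5 above, sketched as an added example (not Netway's code): it parses default-format (version 2) flow log records, maps addresses through an inventory, classifies each flow and sums bytes per resource pair, so the resulting summary holds no raw IPs or ports. The VPC range, inventory, sample records and the names classify, label and summarise are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed for this example: VPC range, IP -> (resource, AZ) map, sample records.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
INVENTORY = {
    "10.0.1.10": ("ec2:app-server", "us-east-1a"),
    "10.0.1.30": ("ec2:worker", "us-east-1a"),
    "10.0.2.20": ("rds:orders-db", "us-east-1b"),
}
SAMPLE = """\
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 44321 5432 6 120 900000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 44322 5432 6 80 600000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.1.30 50000 8080 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a3 10.0.1.30 203.0.113.9 40000 443 6 50 250000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 44323 5432 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a9 - - - - - - - 1700000000 1700000060 - NODATA
"""

def classify(src, dst):
    """Traffic type for one flow, from what the inventory knows about each end."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s and d:
        return "cross-az" if s[1] != d[1] else "same-az"
    peer = dst if s else src  # the end that is not in the inventory
    return "vpc-unmapped" if ipaddress.ip_address(peer) in VPC_CIDR else "internet"

def label(ip):
    return INVENTORY.get(ip, ("external", None))[0]  # unknown peers share one bucket

def summarise(text):
    """Aggregate accepted flows into (source, destination, type) totals."""
    totals = defaultdict(lambda: {"bytes": 0, "records": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue  # NODATA/SKIPDATA windows and rejected flows are not counted
        src, dst = rec["srcaddr"], rec["dstaddr"]
        key = (label(src), label(dst), classify(src, dst))
        totals[key]["bytes"] += int(rec["bytes"])
        totals[key]["records"] += 1
    return dict(totals)
```
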

What it detects

Netway currently detects 14 egress cost patterns across general infrastructure and ML workloads:

• 📡 Internet Egress [MED]: Large outbound flows to the internet. Identifies top spenders.
• 🤖 ML Checkpoint via NAT [HIGH]: GPU jobs writing checkpoints to S3 through NAT. Free endpoint fixes this.
• 🌍 Cross-Region S3 [MED]: Reading S3 data from a different region. Replication saves $0.09/GB.
• ⚡ ML Gradient Sync Cross-AZ [HIGH]: Distributed training nodes in different AZs syncing gradients.
• 🪣 S3 via NAT Gateway [HIGH]: S3 traffic routed through NAT. A free S3 Gateway Endpoint eliminates this.
• 🗄️ Cross-AZ RDS [MED]: App servers querying RDS in a different AZ. $0.01/GB each way.
• 🌐 AWS API via NAT [HIGH]: Calls to AWS APIs (STS, CloudWatch) through NAT. Interface endpoints fix this.
• 🔄 NAT in Wrong AZ [HIGH]: Instances using a NAT Gateway in a different AZ, doubling transfer costs.

Step 1 — Register

Register to get your API key. You can do this from the homepage or via curl.

1. Get your AWS account ID

You'll need this so Netway can grant your account access to pull the Lambda package during deployment.

aws sts get-caller-identity --query Account --output text

2. Register via the homepage or curl

Submit your email and AWS account ID. Your API key is returned immediately.

curl -X POST https://netway.basavytix.com/api/v1/register \
  -H 'Content-Type: application/json' \
  -d '{"email": "you@company.com", "aws_account_id": "123456789012"}'

Save the api_key from the response — you'll need it for the deploy command and dashboard.

Step 2 — Install

Netway deploys into your AWS account via a single CloudFormation command. Deploy it in the same region as the VPCs you want to scan — Netway creates its own S3 bucket and Athena workgroup there, and enables VPC Flow Logs on exactly the VPCs you specify.

Region note: Deploy the stack in the same AWS region as your VPCs. Netway scans the region it is deployed in. For multiple regions, deploy one stack per region; each posts findings to the same dashboard.

1. Find the VPC IDs you want to monitor

aws ec2 describe-vpcs \
  --query 'Vpcs[*].{Id:VpcId,Name:Tags[?Key==`Name`].Value|[0],CIDR:CidrBlock}' \
  --output table \
  --region YOUR_REGION

Note the VPC IDs you want Netway to monitor (e.g. vpc-0abc1234,vpc-0def5678). Use ALL to monitor every VPC in the region.

2. Get your personalised deploy command

curl https://netway.basavytix.com/api/v1/install \
  -H 'x-api-key: YOUR_API_KEY'

This returns a deploy_command pre-filled with your API key and tier settings.

3. Run the deploy command

CloudFormation creates the Lambda, IAM role, S3 bucket, Athena workgroup, and EventBridge schedule — and enables VPC Flow Logs on the VPCs you specify. The Lambda zip is automatically copied to your deployment region at stack-create time.

aws cloudformation create-stack \
  --stack-name netway-v1 \
  --template-url https://netway-public-releases.s3.amazonaws.com/cloudformation/netway-deploy.yml \
  --parameters \
    ParameterKey=NetwayApiKey,ParameterValue=YOUR_API_KEY \
    ParameterKey=NetwayApiUrl,ParameterValue=https://netway.basavytix.com \
    ParameterKey=VpcIds,ParameterValue=ALL \
  --capabilities CAPABILITY_NAMED_IAM \
  --region YOUR_REGION

Replace YOUR_REGION with your AWS region (e.g. us-east-1, eu-west-1). Replace ALL with a comma-separated list of VPC IDs to monitor specific VPCs only.

4. Wait for the stack to complete (~3–5 min)

aws cloudformation wait stack-create-complete --stack-name netway-v1 --region YOUR_REGION

Stack creation takes slightly longer than before because the bootstrap step copies the Lambda zip to your region. This is a one-time cost.

5. Wait 10–15 minutes for first flow logs

VPC Flow Logs are delivered to S3 in 60-second batches, then S3 delivery adds ~10 minutes. After the stack is created, wait 10–15 minutes before triggering your first scan so there is data to analyse.

Flow log behaviour: Netway only enables flow logs on VPCs that don't already have S3 flow logs. Existing flow logs are never modified or deleted. On stack deletion, only the flow logs created by Netway are removed — any you had before are left untouched. Set VpcIds to an empty string to skip automatic flow log setup entirely and configure them yourself.
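To check the read-only claim against what the stack actually created, this added example (not part of Netway) lists every Allow on EC2, RDS or S3 that is not a Get/List/Describe action, together with its resources, in a policy document such as the PolicyDocument returned by aws iam get-role-policy. The sample policy is constructed and is not Netway's; the function and constant names are this example's own.

```python
import json

READ_VERBS = ("get", "list", "describe")   # verb prefixes treated as read-only
CLAIMED_READ_ONLY = {"ec2", "rds", "s3"}   # services the page describes as read-only

# Constructed policy document, NOT Netway's real policy. Replace it with the
# PolicyDocument of the role that the deployed stack created.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:DescribeDBInstances"],
   "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::example-flowlog-bucket",
                "arn:aws:s3:::example-flowlog-bucket/*"]},
  {"Effect": "Allow", "Action": "ec2:CreateFlowLogs", "Resource": "*"},
  {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
]}
""")

def as_list(value):
    """IAM allows a single string or object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def non_read_actions(policy):
    """Return (action, resources) pairs that Allow more than read access."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        resources = as_list(stmt.get("Resource", "*"))
        if "NotAction" in stmt:
            findings.append(("NotAction", resources))  # allows everything not listed
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.lower().partition(":")  # names are case-insensitive
            if action != "*" and service not in CLAIMED_READ_ONLY:
                continue  # outside the services covered by the claim
            if not verb.startswith(READ_VERBS):
                findings.append((action, resources))
    return findings
```

Compare each reported resource with the bucket the stack created; a write action on Resource "*" deserves a closer look.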

Step 3 — Run a scan

Netway scans automatically every 7 days and whenever a new EC2 instance, VPC, or NAT Gateway is created. To trigger a scan manually:

1. Invoke the Lambda

aws lambda invoke \
  --function-name netway-analyzer \
  --region YOUR_REGION \
  /tmp/out.json && cat /tmp/out.json

A successful scan returns {"statusCode": 200, "message": "Scan complete. Findings will appear in your dashboard shortly."}. Findings are processed server-side — check your dashboard or wait for an email notification.

2. Check the logs if something looks wrong

aws logs tail /aws/lambda/netway-analyzer --region YOUR_REGION --since 1h

First scan tip: Flow logs take 10–15 minutes to land in S3 after traffic occurs. If you just enabled flow logs, wait a few minutes before triggering a scan.

Step 4 — View findings

Once a scan completes, findings appear in your dashboard and can also be fetched via the API.

1. Open the dashboard

Go to netway.basavytix.com/dashboard and enter your API key to view findings, estimated savings, and recommended fixes.

2. Or fetch via the API

curl https://netway.basavytix.com/api/v1/dashboard \
  -H 'x-api-key: YOUR_API_KEY'

Uninstall

To remove Netway from your AWS account completely, delete the CloudFormation stack. This removes the Lambda, S3 buckets, VPC Flow Logs created by Netway, IAM role, Athena workgroup, and EventBridge rules.

1. Delete the stack

aws cloudformation delete-stack --stack-name netway-v1 --region YOUR_REGION

2. Wait for deletion to complete (~3 min)

aws cloudformation wait stack-delete-complete --stack-name netway-v1 --region YOUR_REGION

Note: The S3 buckets and their contents (flow logs, Lambda zip, Athena results) are deleted automatically as part of the stack deletion. Only VPC Flow Logs created by Netway are removed; any flow logs you had before installing Netway are left untouched. If you deployed stacks in multiple regions, delete each one separately.