🗺️ Network Topology
An interactive map of your entire AWS network, updated daily.
| Feature | Description |
|---|---|
| Interactive graph | Force-directed D3.js graph. VPCs, TGWs, Internet Gateways, NAT Gateways shown as AWS icons. Click any node to inspect it. |
| Environment groups | VPCs automatically grouped by environment tag (production, staging, development, cde). Colour-coded rings show compliance status. |
| Reachability query | The graph shows which VPCs can reach each other. Click any VPC node to see its reachable peers highlighted. |
| Reachability matrix | Full N×N matrix of all VPC pairs. Download as CSV. |
| CIDR map | All CIDR blocks across all VPCs, with overlap detection highlighted. |
| Topology diff | Banner shows what changed since the last scan: new peerings, new VPCs, changed tags. |
| Snapshot history | Browse past topology snapshots. Compare any two snapshots. |
| Compute instances | Click a VPC to see EC2 instances within each subnet: instance type, state, private IP. |
🛡️ Compliance
Daily isolation monitoring with 365-day audit history and one-click compliance report.
| Feature | Description |
|---|---|
| Isolation rules | Select two environment groups (e.g. production and staging); Netway evaluates whether any network path exists between them on every scan. |
| Rule history | 365 days of pass/fail results per rule. Immutable audit log. |
| Topology detectors | CIDR conflict, orphaned VPC, CDE internet exposure, missing TGW propagation, and more. |
| Compliance report | Signed HTML or PDF evidence report. Sections covering PCI-DSS 1.2.3, 1.2.4, 1.3.x, 1.4.1, 11.4.5 and SOC2 CC6.x, CC7.2, CC8.1. |
| Network diagram | Auto-generated network diagram (PNG + SVG) using AWS Architecture Icons. Embedded in the compliance report. |
| Report signing | HMAC-SHA256 signature on every report; proves integrity and origin. |
| Slack alerts | Immediate alert when an isolation rule violation is detected. |
| Environment group inference | Automatically infers environment groups from VPC tags. Manual override available. |

| Requirement | Coverage |
|---|---|
| PCI-DSS 1.2.3 | Auto-generated network diagram |
| PCI-DSS 1.2.4 | Flow log traffic overlay on topology |
| PCI-DSS 1.3.1 / 1.3.2 | Routing + traffic plane isolation evidence |
| PCI-DSS 1.4.1 | CDE exposure detector |
| PCI-DSS 11.4.5 | 365-day daily scan log |
| SOC2 CC6.1 | Environment group isolation rules |
| SOC2 CC6.6 | Internet exposure detection |
| SOC2 CC7.2 | Topology change detection |
| SOC2 CC8.1 | Change log in compliance report |
💰 Cost Optimisation
Detects avoidable AWS network spend from VPC flow logs.
Note: Netway detects multiple categories of avoidable network spend. Each finding includes the source resource, estimated monthly savings, and exact CLI fix command.
| Pattern | Typical Saving |
|---|---|
| S3 via NAT Gateway | $200–500/mo |
| Avoidable Internet Egress | $500–8,000/mo |
| Cross-Region S3 Access | $200–1,000/mo |
| Cross-AZ Database Traffic | $50–200/mo |
| AWS APIs via NAT | $30–150/mo |
| NAT Gateway in Wrong AZ | $20–100/mo |
| ML Checkpoint via NAT | $300–2,000/mo |
| GPU Cross-AZ Gradient Sync | $100–800/mo |
| Inference Cold Start S3 | $50–400/mo |
| + more patterns | – |
📦 Tiers
All plans start with a 14-day Enterprise trial. No credit card required.
| Feature | Starter | Standard | Enterprise |
|---|---|---|---|
| Topology graph | Read-only, 10 VPC max | Full | Full |
| Reachability query | β | β | β |
| Reachability matrix | β | β | β |
| CIDR map | β | β | β |
| Topology diff | Last 2 snapshots | Last 30 | All |
| Compliance report (HTML) | β | β | β |
| Compliance report (PDF) | β | β | β |
| Network diagram (PNG) | β | β | β |
| Network diagram (SVG) | β | β | β |
| Snapshot history | 2 days | 180 days | 365 days |
| Isolation rules | 2 max | 5 max | No enforced limit |
| Cost detectors | 2 (top patterns) | All | All |
| Topology detectors | 2 (CIDR, orphan) | All 9 | All 9 |
| Slack alerts | β | β | β |
| Email digest | β | β | β |
| Trial | 14-day Enterprise trial on signup | | |