Dung Do asked:
Securing Gateway Server

To allow internet access, I configured a gateway server on my small network of around 30 VMs. The gateway works well, but I just want to make sure that this gateway server is as secure as possible, since this gateway server is the only server in my network that has direct access to the internet. What security measures should I configure on this gateway server? Should I install a firewall? If so, how do I configure this firewall?
ASKER CERTIFIED SOLUTION by noci
btan:
As the gateway, there are a couple of scenarios to consider, since it is tasked to be the security egress and ingress point to the internet:

- Web exchanges: allow only HTTPS or TLS traffic; this requires you to filter based on port and service.

- Domain name services: allow secure DNS discovery, not an open relay exposed for others to query.

- Reverse proxy: normally to block malicious web attacks as well as check against remote services like RDP, so there is a need for content inspection. For HTTPS, there is a need for SSL decryption before inspection. It would be using a WAF and doing ICAP for AV scanning.

- Forward proxy: mainly more for data leakage checks and detecting unknown callbacks from internal hosts. Malicious or suspicious URLs should trigger blocks, so likely a content filter is required. There can be strict policy rules against visiting certain sites too.

- Remote access: more for remote connections, which is mainly IPSEC VPN or remote users having SSL VPN to access intranet services.

A quick sum-up seems to suggest the perimeter with a gateway covering those above is sufficient, since the internet use cases are a lot. You may want to create a DMZ and consider exposing only necessary services for public access, with the remaining ones like databases behind in the intranet.

Cloud DDoS and WAF are worth considering, like Cloudflare or Akamai. There are managed services too using cloud-native services like AWS WAF etc.

Ultimately, even layered defence will still require hardening to be done and all unnecessary ports and services closed. And consider doing vulnerability scanning from external and internal to surface any inadvertent settings done wrong...
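As an added example (not from any participant in this thread), here is an nftables ruleset for a Linux gateway that implements the HTTPS-only egress, restricted DNS and default-deny ingress points above. It assumes the WAN interface is eth0, the LAN interface is eth1 with the network 10.0.0.0/24, and the resolver addresses are placeholders you replace with your own upstream DNS servers.

```nftables
#!/usr/sbin/nft -f
# Added example for the thread above, not from the original poster or answerers.
# Assumed interface names and addresses; adjust to your environment.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 10.0.0.0/24
define RESOLVERS = { 192.0.2.53, 192.0.2.54 }   # placeholders: your chosen upstream DNS

table inet gateway {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Management (SSH) only from the LAN side, never from the internet
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        # LAN clients may query a resolver running on the gateway itself (if any)
        iifname $LAN ip saddr $LAN_NET udp dport 53 accept
        iifname $LAN ip saddr $LAN_NET tcp dport 53 accept
        # Keep path-MTU and basic diagnostics working, but rate-limited
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        # Everything else (including unsolicited traffic from the WAN) is logged and dropped
        log prefix "gw-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> internet: HTTPS only; plain HTTP and all other ports are refused
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport 443 accept
        # DNS only to the chosen resolvers, so LAN hosts cannot reach arbitrary DNS servers
        iifname $LAN oifname $WAN ip saddr $LAN_NET ip daddr $RESOLVERS udp dport 53 accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET ip daddr $RESOLVERS tcp dport 53 accept
        # No inbound forwarding from the internet unless it belongs to an existing flow
        log prefix "gw-forward-drop " drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide LAN addresses behind the gateway's WAN address
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Forwarding also requires net.ipv4.ip_forward=1 in sysctl; IPv6 is not covered here and should either get the same policy or be disabled on the WAN side so it does not bypass these rules.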

If you are looking only for a safer internet gateway, better to use AWS NAT Gateway. It is an AWS managed service and you need not worry about the scalability of the internet pipe.

I would probably use one of the Linux gateway/router distros out there... Easy to configure, and usually pretty safe...