Getting started with Gateway Load Balancers using the AWS CLI - Elastic Load Balancing

Gateway Load Balancers make it easy to deploy, scale, and manage third-party virtual appliances, such as security appliances.

In this tutorial, we'll implement an inspection system using a Gateway Load Balancer and a Gateway Load Balancer endpoint.

Overview

A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC. The Gateway Load Balancer is deployed in the same VPC as the virtual appliances. These appliances are registered as a target group of the Gateway Load Balancer.

The application servers run in one subnet (destination subnet) in the service consumer VPC, while the Gateway Load Balancer endpoint is in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet.

Similarly, all traffic leaving the application servers (destination subnet) is routed to the Gateway Load Balancer endpoint for inspection before it is routed back to the internet. The following network diagram is a visual representation of how a Gateway Load Balancer endpoint is used to access an endpoint service.


[Figure: Using a Gateway Load Balancer endpoint to access an endpoint service]

The numbered items that follow highlight and explain the elements shown in the preceding image.

Traffic from the internet to the application (blue arrows):

  1. Traffic enters the service consumer VPC through the internet gateway.

  2. Traffic is sent to the Gateway Load Balancer endpoint as a result of ingress routing.

  3. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

  4. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

  5. Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

  1. Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.

  2. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

  3. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

  4. Traffic is sent to the internet gateway based on the route table configuration.

  5. Traffic is routed back to the internet.

Routing

The route table for the internet gateway must have an entry that routes traffic destined for the application servers to the Gateway Load Balancer endpoint. To specify the Gateway Load Balancer endpoint, use the ID of the VPC endpoint.

Destination    Target
10.0.0.0/16    Local
10.0.1.0/24    vpc-endpoint-id

The route table for the subnet with the application servers must have an entry that routes all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      vpc-endpoint-id

The route table for the subnet with the Gateway Load Balancer endpoint must route traffic that returns from inspection to its final destination. For traffic that originated from the internet, the local route ensures that it reaches the application servers. For traffic that originated from the application servers, add an entry that routes all traffic (0.0.0.0/0) to the internet gateway.

Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      internet-gateway-id

Prerequisites

  • Install the AWS CLI or update to the current version of the AWS CLI if you are using a version that does not support Gateway Load Balancers. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

  • Ensure that the service consumer VPC has at least two subnets for each Availability Zone that contains application servers. One subnet is for the Gateway Load Balancer endpoint, and the other is for the application servers.

  • Ensure that the service provider VPC has at least two subnets for each Availability Zone that contains security appliance instances. One subnet is for the Gateway Load Balancer, and the other is for the instances.

  • Launch at least one security appliance instance in each security appliance subnet in the service provider VPC. The security groups for these instances must allow UDP traffic on port 6081.

Step 1: Create a Gateway Load Balancer and register targets

Use the following procedure to create your load balancer, listener, and target groups, and to register your security appliance instances as targets.

To create a Gateway Load Balancer and register targets

  1. Use the create-load-balancer command to create a load balancer of type gateway. You can specify one subnet for each Availability Zone in which you launched security appliance instances.

    aws elbv2 create-load-balancer --name my-load-balancer --type gateway --subnets provider-subnet-id

    The output includes the Amazon Resource Name (ARN) of the load balancer, with the format shown in the following example.

    arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/gwy/my-load-balancer/1234567890123456

  2. Use the create-target-group command to create a target group, specifying the service provider VPC in which you launched your instances.

    aws elbv2 create-target-group --name my-targets --protocol GENEVE --port 6081 --vpc-id provider-vpc-id

    The output includes the ARN of the target group, with the following format.

    arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/0123456789012345

  3. Use the register-targets command to register your instances with your target group.

    aws elbv2 register-targets --target-group-arn targetgroup-arn --targets Id=i-1234567890abcdef0 Id=i-0abcdef1234567890

  4. Use the create-listener command to create a listener for your load balancer with a default rule that forwards requests to your target group.

    aws elbv2 create-listener --load-balancer-arn loadbalancer-arn --default-actions Type=forward,TargetGroupArn=targetgroup-arn

    The output contains the ARN of the listener, with the following format.

    arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/gwy/my-load-balancer/1234567890123456/abc1234567890123

  5. (Optional) You can verify the health of the registered targets for your target group using the following describe-target-health command.

    aws elbv2 describe-target-health --target-group-arn targetgroup-arn

Step 2: Create a Gateway Load Balancer endpoint

Use the following procedure to create a Gateway Load Balancer endpoint. Gateway Load Balancer endpoints are zonal. We recommend that you create one Gateway Load Balancer endpoint per zone. For more information, see Gateway Load Balancer endpoints (AWS PrivateLink).

To create a Gateway Load Balancer endpoint

  1. Use the create-vpc-endpoint-service-configuration command to create an endpoint service configuration using your Gateway Load Balancer.

    aws ec2 create-vpc-endpoint-service-configuration --gateway-load-balancer-arns loadbalancer-arn --no-acceptance-required

    The output contains the service ID (for example, vpce-svc-12345678901234567) and the service name (for example, com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567).

  2. Use the modify-vpc-endpoint-service-permissions command to allow service consumers to create an endpoint to your service. A service consumer can be an IAM user, IAM role, or AWS account. The following example adds permission for the specified AWS account.

    aws ec2 modify-vpc-endpoint-service-permissions --service-id vpce-svc-12345678901234567 --add-allowed-principals arn:aws:iam::123456789012:root

  3. Use the create-vpc-endpoint command to create the Gateway Load Balancer endpoint for your service.

    aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --service-name com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567 --vpc-id consumer-vpc-id --subnet-ids consumer-subnet-id

    The output contains the ID of the Gateway Load Balancer endpoint (for example, vpce-01234567890abcdef).
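
Step 2 creates the service with --no-acceptance-required, so the allowed-principals list is the only control on who can attach an endpoint. The following check is an added example, not part of the AWS tutorial; the sample JSON is constructed, and the function names and the `expected_accounts` parameter are hypothetical.

```python
import json

# Constructed samples, shaped like the JSON printed by
# `aws ec2 describe-vpc-endpoint-service-configurations` and
# `aws ec2 describe-vpc-endpoint-service-permissions --service-id ...`.
CONFIG = json.loads("""{"ServiceConfigurations": [
  {"ServiceId": "vpce-svc-12345678901234567", "AcceptanceRequired": false}]}""")
PERMS = json.loads("""{"AllowedPrincipals": [
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::123456789012:root"}]}""")

def principal_account(principal):
    """Account ID from an IAM ARN; None for '*' or anything that is not an ARN."""
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    return None

def audit(config, perms, expected_accounts):
    """Return (severity, message) findings for one endpoint service."""
    cfg = config["ServiceConfigurations"][0]
    service_id = cfg["ServiceId"]
    auto_accept = not cfg.get("AcceptanceRequired", True)
    findings = []
    for entry in perms.get("AllowedPrincipals", []):
        principal = entry["Principal"]
        if principal_account(principal) in expected_accounts:
            continue
        # With auto-accept, the allow list is the only gate on new endpoints.
        severity = "high" if auto_accept else "medium"
        reason = "any principal" if principal == "*" else "unexpected principal"
        findings.append((severity, f"{service_id}: {reason} {principal} allowed"))
    if auto_accept:
        findings.append(("info", f"{service_id}: connections are accepted without review"))
    return findings

if __name__ == "__main__":
    # Hypothetical allowlist: the consumer account used in the tutorial.
    for severity, message in audit(CONFIG, PERMS, {"123456789012"}):
        print(severity, message)
```
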

Step 3: Configure routing

Configure the route tables for the service consumer VPC as follows. This allows the security appliances to perform security inspection on inbound traffic that's destined for the application servers.

To configure routing

  1. Use the create-route command to add an entry to the route table for the internet gateway that routes traffic that's destined for the application servers to the Gateway Load Balancer endpoint.

    aws ec2 create-route --route-table-id gateway-rtb --destination-cidr-block 10.0.1.0/24 --vpc-endpoint-id vpce-01234567890abcdef

  2. Use the create-route command to add an entry to the route table for the subnet with the application servers that routes all traffic from the application servers to the Gateway Load Balancer endpoint.

    aws ec2 create-route --route-table-id application-rtb --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id vpce-01234567890abcdef

  3. Use the create-route command to add an entry to the route table for the subnet with the Gateway Load Balancer endpoint that routes all traffic that originated from the application servers to the internet gateway.

    aws ec2 create-route --route-table-id endpoint-rtb --destination-cidr-block 0.0.0.0/0 --gateway-id igw-01234567890abcdef

  4. Repeat for each application subnet route table in each zone.
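
The three route tables from the Routing section, as created in Step 3, can be modelled offline to confirm that both traffic directions cross the Gateway Load Balancer endpoint. This is an added example, not part of the AWS tutorial; the table names, the labels vpce/igw/local and the sample host addresses are assumptions, and route selection is modelled as most-specific-prefix match.

```python
import ipaddress

# Constructed model of the tutorial's three route tables. The labels "vpce",
# "igw" and "local" are illustrative stand-ins for real target IDs.
TUTORIAL = {
    "igw_edge": [("10.0.0.0/16", "local"), ("10.0.1.0/24", "vpce")],
    "app":      [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vpce")],
    "endpoint": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
}

def next_hop(routes, dst):
    """Pick the target of the most specific route that matches dst."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(cidr), target) for cidr, target in routes
               if ip in ipaddress.ip_network(cidr)]
    if not matches:
        return None  # no route: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def inbound_path(tables, app_ip):
    """Hops for a packet that arrives at the internet gateway for app_ip."""
    path = ["igw", next_hop(tables["igw_edge"], app_ip)]
    if path[-1] == "vpce":
        # After inspection the endpoint subnet's table delivers the packet.
        path.append(next_hop(tables["endpoint"], app_ip))
    return path

def outbound_path(tables, internet_ip):
    """Hops for a packet that an application server sends to internet_ip."""
    path = ["app", next_hop(tables["app"], internet_ip)]
    if path[-1] == "vpce":
        path.append(next_hop(tables["endpoint"], internet_ip))
    return path

def inspection_gaps(tables, app_ip, internet_ip):
    """List the directions in which traffic would skip the endpoint."""
    gaps = []
    if "vpce" not in inbound_path(tables, app_ip):
        gaps.append(f"inbound to {app_ip} is not inspected")
    if "vpce" not in outbound_path(tables, internet_ip):
        gaps.append(f"outbound to {internet_ip} is not inspected")
    return gaps

if __name__ == "__main__":
    print(inbound_path(TUTORIAL, "10.0.1.10"))     # application subnet host
    print(outbound_path(TUTORIAL, "203.0.113.7"))  # documentation-range address
    # A second application subnet with no route in the edge table (Step 3, item 4).
    print(inspection_gaps(TUTORIAL, "10.0.2.10", "203.0.113.7"))
```

The last call shows why item 4 matters: a host in an application subnet that the edge route table does not list falls through to the local route and is reached without inspection.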