Getting started with Gateway Load Balancers - Elastic Load Balancing

Getting started with Gateway Load Balancers

Gateway Load Balancers make it easy to deploy, scale, and manage third-party virtual appliances, such as security appliances.

In this tutorial, we'll implement an inspection system using a Gateway Load Balancer and a Gateway Load Balancer endpoint.

Overview

A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC, and application servers in the service consumer VPC. The Gateway Load Balancer is deployed in the same VPC as that of the virtual appliances. These appliances are registered as a target group of the Gateway Load Balancer.

The application servers run in one subnet (the destination subnet) of the service consumer VPC, while the Gateway Load Balancer endpoint is in another subnet of the same VPC. Traffic that enters the service consumer VPC through the internet gateway and is destined for the application servers is first routed to the Gateway Load Balancer endpoint for inspection, and only then routed to the destination subnet.

Similarly, all traffic leaving the application servers (destination subnet) is routed to the Gateway Load Balancer endpoint for inspection before it is routed back to the internet. The following network diagram is a visual representation of how a Gateway Load Balancer endpoint is used to access an endpoint service.


    Using a Gateway Load Balancer endpoint to access an endpoint service

The numbered items that follow highlight and explain the elements shown in the preceding diagram.

Traffic from the internet to the application (blue arrows):

  1. Traffic enters the service consumer VPC through the internet gateway.

  2. Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.

  3. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

  4. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

  5. Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

  1. Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.

  2. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

  3. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

  4. Traffic is sent to the internet gateway based on the route table configuration.

  5. Traffic is routed back to the internet.

Routing

The route table for the internet gateway must have an entry that routes traffic destined for the application servers to the Gateway Load Balancer endpoint. To specify the Gateway Load Balancer endpoint, use the ID of the VPC endpoint.

Destination     Target
10.0.0.0/16     Local
10.0.1.0/24     vpc-endpoint-id

The route table for the subnet with the application servers must have an entry that routes all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       vpc-endpoint-id

The route table for the subnet with the Gateway Load Balancer endpoint must route traffic that returns from inspection to its final destination. For traffic that originated from the internet, the local route ensures that it reaches the application servers. For traffic that originated from the application servers, add an entry that routes all traffic (0.0.0.0/0) to the internet gateway.

Destination     Target
10.0.0.0/16     Local
0.0.0.0/0       internet-gateway-id

Prerequisites

  • Ensure that the service consumer VPC has at least two subnets for each Availability Zone that contains application servers. One subnet is for the Gateway Load Balancer endpoint, and the other is for the application servers.

  • The Gateway Load Balancer and the targets can be in the same subnet.

  • You cannot use a subnet that is shared from another account to deploy the Gateway Load Balancer.

  • Launch at least one security appliance instance in each security appliance subnet in the service provider VPC. The security groups for these instances must allow inbound UDP traffic on port 6081 (GENEVE) from the Gateway Load Balancer, and must also allow the protocol and port that the target group's health checks use; health checks are plain TCP, HTTP, or HTTPS probes, not GENEVE traffic, so a rule for port 6081 alone leaves every target unhealthy.

Step 1: Register targets and create a Gateway Load Balancer

Use the following procedure to create your target group, register your security appliance instances as targets, and then create your load balancer and listener.

To create a target group and register targets

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the navigation pane, under Load Balancing, choose Target Groups.

  3. For Choose a target type, select Instances to specify targets by instance ID, or IP addresses to specify targets by IP address.

  4. For Target group name, enter a name for your target group. For example, my-targets.

  5. Protocol must be GENEVE, and Port must be 6081. No other values for Protocol and port are supported.

  6. For VPC, select a virtual private cloud (VPC) with the instances that you want to include in the target group.

  7. For Health checks (optional), modify the health check settings as needed.

  8. Expand Tags and add tags (optional).

  9. Choose Next.

  10. Add one or more targets as follows:

    • If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.

    • If the target type is IP addresses, select the network, enter the IP address and ports, and then choose Include as pending below.

  11. Choose Create target group.
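The prerequisite that the appliance security groups allow UDP 6081 and the target group's fixed GENEVE/6081 setting both come from the way the Gateway Load Balancer hands traffic to an appliance: each packet arrives encapsulated in GENEVE (RFC 8926) with AWS-specific options (option class 0x0108: type 1 the endpoint ID, type 2 the attachment ID, type 3 the flow cookie), and the appliance must send allowed packets back under that same header so the load balancer can map them to the flow. The following script is an added example, not code from this page or from AWS: it parses such a datagram, extracts the inner IPv4 5-tuple, applies an assumed policy (allow only TCP to ports 80 and 443) and rebuilds the egress datagram. The sample datagram, its option values and the addresses are constructed for the example.

```python
"""Parse and re-emit GENEVE (RFC 8926) datagrams as a Gateway Load Balancer appliance sees them."""
import struct
from typing import Dict, List, Tuple

GENEVE_PORT = 6081                 # UDP port the appliance security group must allow
ETHERTYPE_IPV4 = 0x0800
AWS_OPTION_CLASS = 0x0108          # GENEVE option class AWS uses on Gateway Load Balancer traffic
AWS_OPT_ENDPOINT_ID = 1            # 8 bytes: Gateway Load Balancer endpoint (ENI) ID
AWS_OPT_ATTACHMENT_ID = 2          # 8 bytes: attachment ID
AWS_OPT_FLOW_COOKIE = 3            # 4 bytes: flow cookie
ALLOWED_TCP_PORTS = {80, 443}      # assumed inspection policy for this example

Option = Tuple[int, int, bytes]    # (class, type, data)


def parse_geneve(datagram: bytes) -> Tuple[bytes, List[Option], bytes]:
    """Split a UDP/6081 payload into (raw GENEVE header, parsed options, inner IPv4 packet)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte GENEVE base header")
    ver_optlen, _flags, proto = struct.unpack("!BBH", datagram[:4])
    if ver_optlen >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {ver_optlen >> 6}")
    if proto != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected inner protocol type 0x{proto:04x}")
    hdr_end = 8 + (ver_optlen & 0x3F) * 4          # option length is counted in 4-byte words
    if len(datagram) < hdr_end:
        raise ValueError("option area runs past the end of the datagram")
    options: List[Option] = []
    pos = 8
    while pos < hdr_end:
        if pos + 4 > hdr_end:
            raise ValueError("truncated GENEVE option header")
        opt_class, opt_type, rsvd_len = struct.unpack("!HBB", datagram[pos:pos + 4])
        data_len = (rsvd_len & 0x1F) * 4
        if pos + 4 + data_len > hdr_end:
            raise ValueError("GENEVE option data runs into the inner packet")
        options.append((opt_class, opt_type & 0x7F, datagram[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return datagram[:hdr_end], options, datagram[hdr_end:]


def five_tuple(packet: bytes) -> Tuple[str, str, int, int, int]:
    """Return (src, dst, protocol, sport, dport) from an inner IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport = dport = 0
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP/UDP ports directly follow the IP header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def inspect(datagram: bytes) -> Dict:
    """Apply the policy and, when allowed, return the packet under its original GENEVE header."""
    header, options, inner = parse_geneve(datagram)
    aws = {t: d for c, t, d in options if c == AWS_OPTION_CLASS}
    if AWS_OPT_FLOW_COOKIE not in aws:
        raise ValueError("no AWS flow cookie option; expected on Gateway Load Balancer traffic")
    src, dst, proto, sport, dport = five_tuple(inner)
    allowed = proto == 6 and dport in ALLOWED_TCP_PORTS
    return {
        "verdict": "allow" if allowed else "drop",
        "flow": (src, dst, proto, sport, dport),
        "flow_cookie": aws[AWS_OPT_FLOW_COOKIE].hex(),
        # The load balancer correlates the returned packet with its flow by the GENEVE options,
        # so the header goes back byte-for-byte; only the inner packet may be altered or dropped.
        "egress": header + inner if allowed else None,
    }


def _option(opt_class: int, opt_type: int, data: bytes) -> bytes:
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def _ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Bare IPv4 + TCP SYN headers (checksums left zero; constructed test input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def build_sample(dst_port: int) -> bytes:
    """Constructed GWLB-style datagram: AWS options plus a SYN from the internet to 10.0.1.25."""
    opts = (_option(AWS_OPTION_CLASS, AWS_OPT_ENDPOINT_ID, bytes.fromhex("0a1b2c3d4e5f6071"))
            + _option(AWS_OPTION_CLASS, AWS_OPT_ATTACHMENT_ID, bytes(8))
            + _option(AWS_OPTION_CLASS, AWS_OPT_FLOW_COOKIE, bytes.fromhex("deadbeef")))
    base = struct.pack("!BBH", len(opts) // 4, 0, ETHERTYPE_IPV4) + bytes(4)   # version 0, VNI 0
    return base + opts + _ipv4_tcp("198.51.100.7", "10.0.1.25", 40000, dst_port)


if __name__ == "__main__":
    for port in (443, 22):
        result = inspect(build_sample(port))
        print(port, result["verdict"], result["flow"], result["flow_cookie"])
```

A real appliance would receive these datagrams on UDP 6081 from the load balancer's ENIs and send the egress bytes back to the source address and port they arrived from; the policy here is deliberately simple so the GENEVE handling is the visible part.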

To create a Gateway Load Balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under Load Balancing, choose Load Balancers.

  3. Choose Create Load Balancer.

  4. Under Gateway Load Balancer, choose Create.

  5. For Load balancer name, enter a name for your load balancer. For example, my-glb.

  6. For IP address type, you must choose IPv4, because your clients can only use IPv4 addresses to communicate with the load balancer.

  7. For VPC, select the service provider VPC. Only VPCs with an internet gateway are available for selection.

  8. For Mappings, select all of the Availability Zones in which you launched security appliance instances, and the corresponding public subnets.

  9. For Default action, select a target group to forward traffic to. If you don't have a default target group, create a target group first. Only target groups with GENEVE protocol are available for use with the Gateway Load Balancer.

  10. Expand Tags and add tags (optional).

  11. Review your configuration, and choose Create load balancer.

Step 2: Create a Gateway Load Balancer endpoint

Use the following procedure to create a Gateway Load Balancer endpoint. Gateway Load Balancer endpoints are zonal. We recommend that you create one Gateway Load Balancer endpoint per zone. For more information, see Gateway Load Balancer endpoints (AWS PrivateLink).

To create a Gateway Load Balancer endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint Services.

  3. Choose Create Endpoint Service and do the following:

    1. For Associate Load Balancers, select your Gateway Load Balancer.

    2. For Require acceptance for endpoint, select Acceptance required to accept connection requests to your service manually. Otherwise, endpoint connections are automatically accepted.

    3. To add a tag (optional), choose Add tag and then specify the key and value for the tag.

    4. Choose Create service. Choose the service ID. Save the service name from the Details tab; you'll need it when you create the endpoint.

    5. Choose Actions, Add principals to whitelist. Enter the ARNs of the service consumers that are allowed to create an endpoint to your service. A service consumer can be an IAM user, IAM role, or AWS account.

  4. In the navigation pane, choose Endpoints.

  5. Choose Create Endpoint and do the following:

    1. For Service category, choose Find service by name.

    2. For Service name, enter the service name that you saved earlier, and then choose Verify. If the name is found, proceed to the next step. Otherwise, be sure that you used the correct service name.

    3. For VPC, select the service consumer VPC.

    4. For Subnets, select a subnet for the Gateway Load Balancer endpoint.

    5. (Optional) To add a tag, choose Add tag and specify the key and value for the tag.

    6. Choose Create endpoint. The initial status is pending acceptance. If you selected Acceptance required for the endpoint service, the endpoint stays in this state until you accept the connection request on the Endpoint Services page (select the service, choose Endpoint connections, select the request, and then choose Actions, Accept endpoint connection request). Traffic is routed through the endpoint only once its status is available.

Step 3: Configure routing

Configure the route tables for the service consumer VPC as follows. This sends inbound traffic that's destined for the application servers, and outbound traffic that leaves them, through the Gateway Load Balancer endpoint so that the security appliances inspect both directions.

To configure routing

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables.

  3. Select the route table that is associated with the internet gateway (an edge association; if none exists, create a route table in the service consumer VPC and associate it with the internet gateway under Edge associations) and do the following:

    1. Choose Actions, Edit routes.

    2. Choose Add route. For Destination, enter the CIDR block of the subnet for the application servers (for example, 10.0.1.0/24). For Target, select the VPC endpoint.

    3. Choose Save routes.

  4. Select the route table for the subnet with the application servers and do the following:

    1. Choose Actions, Edit routes.

    2. Choose Add route. For Destination, enter 0.0.0.0/0. For Target, select the VPC endpoint.

    3. Choose Save routes.

  5. Select the route table for the subnet with the Gateway Load Balancer endpoint, and do the following:

    1. Choose Actions, Edit routes.

    2. Choose Add route. For Destination, enter 0.0.0.0/0. For Target, select the internet gateway.

    3. Choose Save routes.
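The three route tables in the Routing section and the procedure in Step 3 are what make inspection mandatory rather than optional: a later edit that points the application subnet's default route at the internet gateway, or that removes the edge route table, silently bypasses the appliances. The following audit script is an added example, not code from this page or from AWS. It works on a constructed list in the shape of `aws ec2 describe-route-tables` output (the assumption being that a route whose target is a Gateway Load Balancer endpoint carries the vpce- ID in GatewayId), checks all three tables against the configuration above and reports any route that lets traffic skip the endpoint. The resource IDs are constructed.

```python
"""Audit the route tables that form a Gateway Load Balancer inspection path."""
import copy
from typing import Dict, List, Optional

IGW_ID = "igw-0123456789abcdef0"          # constructed IDs
GWLBE_ID = "vpce-0a1b2c3d4e5f60718"
APP_CIDR = "10.0.1.0/24"

# Constructed sample mirroring the three tables from the Routing section,
# in the RouteTables[] shape of `aws ec2 describe-route-tables`.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-igw",            # edge route table (ingress routing)
     "Associations": [{"GatewayId": IGW_ID}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": APP_CIDR, "GatewayId": GWLBE_ID}]},
    {"RouteTableId": "rtb-app",            # application server subnet
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": GWLBE_ID}]},
    {"RouteTableId": "rtb-gwlbe",          # Gateway Load Balancer endpoint subnet
     "Associations": [{"SubnetId": "subnet-gwlbe"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID}]},
]

TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId",
               "TransitGatewayId", "VpcPeeringConnectionId", "EgressOnlyInternetGatewayId")


def route_target(route: Dict) -> Optional[str]:
    """Return a route's target ID, whichever describe-route-tables field carries it."""
    return next((route[k] for k in TARGET_KEYS if route.get(k)), None)


def find_route(table: Dict, cidr: str) -> Optional[Dict]:
    return next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == cidr), None)


def table_for_subnet(tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """An explicit association wins; otherwise the VPC's main route table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next((t for t in tables if any(a.get("Main") for a in t["Associations"])), None)


def table_for_gateway(tables: List[Dict], igw_id: str) -> Optional[Dict]:
    """The edge-associated route table that performs ingress routing for the internet gateway."""
    return next((t for t in tables
                 if any(a.get("GatewayId") == igw_id for a in t["Associations"])), None)


def audit_inspection_path(tables: List[Dict], igw_id: str, app_subnet_id: str, app_cidr: str,
                          gwlbe_subnet_id: str, gwlbe_id: str) -> List[str]:
    findings: List[str] = []

    # 1. Ingress: the edge table must hand traffic for the application subnet to the endpoint.
    igw_rt = table_for_gateway(tables, igw_id)
    if igw_rt is None:
        findings.append(f"{igw_id}: no edge route table; inbound traffic reaches {app_cidr} uninspected")
    elif route_target(find_route(igw_rt, app_cidr) or {}) != gwlbe_id:
        findings.append(f"{igw_rt['RouteTableId']}: route for {app_cidr} must target {gwlbe_id}")

    # 2. Egress: every non-local route out of the application subnet must go via the endpoint.
    app_rt = table_for_subnet(tables, app_subnet_id)
    if app_rt is None:
        findings.append(f"{app_subnet_id}: no route table applies to the application subnet")
    else:
        if find_route(app_rt, "0.0.0.0/0") is None:
            findings.append(f"{app_rt['RouteTableId']}: no default route; add 0.0.0.0/0 -> {gwlbe_id}")
        for r in app_rt["Routes"]:
            tgt = route_target(r)
            if tgt not in ("local", gwlbe_id):
                findings.append(f"{app_rt['RouteTableId']}: {r.get('DestinationCidrBlock')} -> {tgt} "
                                "bypasses inspection")

    # 3. Return path: the endpoint subnet sends inspected egress to the internet gateway.
    gwlbe_rt = table_for_subnet(tables, gwlbe_subnet_id)
    if gwlbe_rt is None:
        findings.append(f"{gwlbe_subnet_id}: no route table applies to the endpoint subnet")
    else:
        tgt = route_target(find_route(gwlbe_rt, "0.0.0.0/0") or {})
        if tgt != igw_id:
            findings.append(f"{gwlbe_rt['RouteTableId']}: default route targets {tgt}, expected {igw_id}")
    return findings


def with_route(tables: List[Dict], rtb_id: str, cidr: str, target: str) -> List[Dict]:
    """Copy of the tables with one route's GatewayId changed (used to simulate a bad edit)."""
    changed = copy.deepcopy(tables)
    for t in changed:
        if t["RouteTableId"] == rtb_id:
            t["Routes"] = [r for r in t["Routes"] if r.get("DestinationCidrBlock") != cidr]
            t["Routes"].append({"DestinationCidrBlock": cidr, "GatewayId": target})
    return changed


def audit_sample() -> List[str]:
    return audit_inspection_path(SAMPLE_ROUTE_TABLES, IGW_ID, "subnet-app", APP_CIDR,
                                 "subnet-gwlbe", GWLBE_ID)


if __name__ == "__main__":
    print("clean:", audit_sample())
    print("bypass:", audit_inspection_path(with_route(SAMPLE_ROUTE_TABLES, "rtb-app", "0.0.0.0/0", IGW_ID),
                                           IGW_ID, "subnet-app", APP_CIDR, "subnet-gwlbe", GWLBE_ID))
```

To run it against a live account, replace SAMPLE_ROUTE_TABLES with the RouteTables list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<consumer-vpc-id>` and pass your own IDs; scheduling it alongside change detection on the route tables catches the bypass edits before they are exploited.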