Access virtual appliances through AWS PrivateLink

You can use a Gateway Load Balancer to distribute traffic to a fleet of network virtual appliances. The appliances can be used for security inspection, compliance, policy controls, and other networking services. You specify the Gateway Load Balancer when you create a VPC endpoint service. Other AWS principals access the endpoint service by creating a Gateway Load Balancer endpoint.

For more information, see Gateway Load Balancers.

Contents

Overview

The following diagram shows how application servers access security appliances through AWS PrivateLink. The application servers run in a subnet of the service consumer VPC. You create a Gateway Load Balancer endpoint in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet. Similarly, all traffic leaving the application servers is routed to the Gateway Load Balancer endpoint for inspection before it is routed back through the internet gateway.

Using a Gateway Load Balancer endpoint to access security appliances.

Traffic from the internet to the application servers (blue arrows):

Traffic enters the service consumer VPC through the internet gateway.
Traffic is sent to the Gateway Load Balancer endpoint, based on route table configuration.
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.
Traffic is sent to the application servers, based on route table configuration.

Traffic from the application servers to the internet (orange arrows):

Traffic is sent to the Gateway Load Balancer endpoint, based on route table configuration.
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.
Traffic is sent to the internet gateway based on the route table configuration.
Traffic is routed back to the internet.

Routing

To route traffic to the endpoint service, specify the Gateway Load Balancer endpoint as a target in your route tables, using its ID. For the diagram above, add routes to the route tables as follows.

Route table for the internet gateway

This route table must have a route that sends traffic destined for the application servers to the Gateway Load Balancer endpoint.

Destination	Target
`vpc-cidr`	Local
`application-subnet-cidr`	`vpc-endpoint-id`

Route table for the subnet with the application servers

This route table must have a route that sends all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination	Target
`vpc-cidr`	Local
0.0.0.0/0	`vpc-endpoint-id`

Route table for the subnet with the Gateway Load Balancer endpoint

This route table must send traffic that is returned from inspection to its final destination. For traffic that originated from the internet, the local route sends the traffic to the application servers. For traffic that originated from the application servers, add a route that sends all traffic (0.0.0.0/0) to the internet gateway.

Destination	Target
`vpc-cidr`	Local
0.0.0.0/0	`internet-gateway-id`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Access SaaS products

Create a Gateway Load Balancer endpoint service