Everything About AWS Gateway Load Balancer

AWS Load Balancer family has a member called Gateway Load Balancer. The following section will look at the functionalities, benefits, limitations, use cases of Gateway Load Balancer, and much more.

1. Highlights

• AWS Gateway Load Balancer is a managed service from AWS
• It enables clients to create and maintain multiple inline virtual network appliances scalably.
• It operates at the third layer of the OSI model, the network layer.
• It listens for all IP packets on all ports and sends traffic to the listener rule’s defined target group.
• It has a unique component called Gateway Load Balancer Endpoint (GWLBE). It is a data plane component of GWLB and provides a way for customers to flexibly place interface VPC endpoints in both centralized and distributed deployments.
• A GWLBE is like AWS PrivateLink, which allows you to place your service across many accounts and VPCs without losing centralized control and administration.
• GWLBE is a VPC endpoint that allows virtual appliances in the service provider VPC to communicate with application servers in the service consumer VPC.

2. Before and After Gateway Load Balancer

Let us consider a scenario where users are used to accessing your applications. We know that users can access your applications directly utilizing a load balancer, such as the Application load balancer. The traffic goes directly from the users to the ALB and ALB to the application (fig.1). But what if you wanted all that network traffic to be inspected first before being sent to your application. You must deploy many third-party virtual appliances, for example, EC2 instances that you want all traffic to go through before the traffic reaches your application. As a result, it used to be quite challenging to do so. But now, with a gateway load balancer (fig.2).

Fig 1: Application Load Balancer

The gateway load balancer can be used to implement intrusion detection and prevention systems and deep packet inspection. To get started, one must create a gateway load balancer; what is going to happen is that behind the scenes, route tables have to be updated in the VPC. As a result, the route tables have been altered, and now what happens is that users’ traffic first goes through a gateway load balancer. The gateway load balancer will then spread that traffic across a target group of your virtual appliances. So, all the traffic will reach these appliances, where the traffic will be analyzed. Then, based on decisions made by appliances, traffic will be dropped or forwarded to the VPC endpoint.

Fig 2: Gateway Load Balancer

3. Benefits

• The GENEVE protocol is used by the Gateway load balancer and its registered virtual appliance instances to exchange application traffic on port 6081.
• It provides horizontal scaling and fault tolerance to the appliances.
• It is transparent to network traffic as there is no change to source traffic.
• separate security and user admin domains shared across different VPCs, and AWS accounts
• provide the appliance-as-a-service facility (e.g., firewall-as-a-service)

4. Limitation

• Endpoints can be created between VPCs and services in the same region but not between VPCs and services in separate regions
• Endpoint support IPV4 traffic only
• Security groups are not supported
• The gateway load balancer endpoint supports a maximum bandwidth of 40 Gbps.

5. Use Cases

Use cases in security

• N-S inspection (VPC to/from Internet) using Internet Gateway
• N-S inspection (VPC to/from Internet) using Transit Gateway
• Inter-VPC traffic inspection using Transit Gateway

Other use cases

• Deploying third-party appliances became faster
• Scale virtual appliances while managing costs
• Improve virtual appliance availability

6. Table Of Comparision

Common Configurations and Characteristics

Logging and Monitoring

Security

7. Pricing

The AWS Gateway Load Balancer is billed hourly in addition to the number of Gateway Load Balancer Capacity Units consumed, a metric determined by new and active connections or flows per second and the processed bytes.

Region: Asia Pacific (Mumbai)

$0.0133 per Gateway Load Balancer-hour (or partial hour)

$0.004 per GLCU (Gateway Load Balancer Capacity Units)-hour (or partial hour)

8. Conclusion

The AWS Gateway Load Balancer is massive, bringing to the cloud a capability that has never existed in traditional/legacy data center networks. However, as we have seen, Gateway Load Balancer is not the only load balancer; there are many other load balancers offered by AWS, such as Classic Load Balancer, Application Load Balancer, and Network Load Balancer.

About CloudThat