Bron: AWS News Blog –
Last year, we launched Virtual Private Cloud (VPC) Ingress Routing to allow routing of all incoming and outgoing traffic to/from an Internet Gateway (IGW) or Virtual Private Gateway (VGW) to the Elastic Network Interface of a specific Amazon Elastic Compute Cloud (EC2) instance. With VPC Ingress Routing, you can now configure your VPC to send all traffic to an EC2 instance that typically runs network security tools to inspect or to block suspicious network traffic or to perform any other network traffic inspection before relaying the traffic to other EC2 instances.
While that makes it easy to add an appliance into the network, ensuring high availability and scalability remains a challenge. Customers have to either over-provision appliances to handle peak load and high availability, or they have to manually scale up and down the appliances based on traffic, or use other ancillary tools – all of which increases operational overhead and costs.
Today, we are announcing the general availability of AWS Gateway Load Balancer (GWLB), a service that makes it easy and cost-effective to deploy, scale and manage the availability of third-party virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems in the cloud. In addition to security appliances, GWLB also provides the same benefits to data analytics, telecom, Internet of Things (IoT), and custom appliances. AWS Partner Network and AWS Marketplace partners can also offer their virtual appliances as-a-service to AWS customers without having to solve the complex problems of scale, availability and service delivery.
Gateway Load Balancer – How It Works
Gateway Load Balancer combines a transparent network gateway (that is, a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales your virtual appliances with the demand.
You can send traffic to GWLB by making simple configuration updates in your VPCs’ route tables. With GWLB, customers can scale their virtual appliances elastically by load balancing traffic across a fleet of virtual appliances. GWLB improves availability by routing traffic flows through healthy virtual appliances, and reroutes flows when an appliance becomes unhealthy.
With GWLB, you can use your own appliances of choice in AWS and rely on GWLB to manage their scale and availability needs, while retaining skillsets and existing processes. You can also scale your virtual appliances elastically by load balancing traffic across a fleet of virtual appliances. The scaling up and down of appliances reduces costs. GWLB sends both directions of the traffic flow to the same appliance, thereby allowing the appliance to perform stateful traffic processing.
GWLB and the virtual appliances exchange application traffic with each other using GENEVE encapsulation, which allows GWLB to preserve the content of the original traffic. GWLB uses Gateway Load Balancer Endpoint (GWLBe), a new type of VPC Endpoint powered by AWS PrivateLink, can be a next-hop in the route table. This simplifies insertion of appliance services across VPC boundaries.
For example, you can make a Customer VPC where the customer workloads will sit, which will be the VPC where the GWLB Endpoint is deployed. AWS Partner’s appliances will be deployed in the Partner VPC.
The appliance providers and consumers can reside in different AWS accounts and VPCs. GWLBe enables consolidation of appliances, consistency of security policies, reduction in operator errors, and seamless inspection of traffic without having to change the traffic source or destination and requiring NAT translations.
To ensure high availability, you can use the advanced routing capabilities of GWLB to direct traffic to only healthy appliances, and reroute traffic when an appliance becomes unhealthy due to faults. GWLB works across VPCs and user accounts, giving you the option to centralize virtual appliance fleets. The ability to use GWLB across user accounts enables partners to offer their virtual appliances as an AWS-hosted service that customers access from their VPCs. This reduces complexity and improves security.
Gateway Load Balancer – Getting Started
To create GWLB, choose Create button of a Gateway Load Balancer in Load Balancer Wizard of Load Balancing menu in EC2 console.
To configure your GWLB, provide a name and confirm your VPC and subnet selections, and specify the Availability Zones to enable for your load balancer. Choose Next: Configure Routing.
Your GWLB routes requests to the targets in this target group using the GENEVE protocol and 6081 port in default. Choose Next: Register Targets.
Register your EC2 instance(s) located in Partner VPC and choose Next: Review and Create in the next step.
When you configure the security group of your EC2 instances with virtual appliance software, you can add GENEVE port – 6081 to get traffic from GWLB, and HTTP port – 80 for health checks.
In order to direct traffic to and from the client to your appliances behind GWLB, you can set up the GWLB Endpoint (GWLBe). You will require a minimum of two subnets per Availability Zone – one each for the GWLBe and Application subnets, two routing tables per AZ – one each for the GWLBe and Application subnets, and one Ingress route table associated to the IGW in the VPC.
To create a Gateway Load Balancer Endpoint via AWS Command Line Interface (CLI), use the
create-vpc-endpoint-service-configuration command to create an endpoint service configuration using your Gateway Load Balancer.
$ aws ec2 create-vpc-endpoint-service-configuration --gateway-load-balancer-arns
create-vpc-endpoint command to create the Gateway Load Balancer endpoint for your service.
$ aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --vpc-id
Next, edit the route tables to add GWLBe as next hops in
customer-gwlbe-rtb-id in Application/Instance and Internet Gateway. Repeat for each application subnet route table in each zone.
$ aws ec2 create-route --route-table-id
--destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id $ aws ec2 create-route --route-table-id --destination-cidr-block 10.0.0.32/28 --vpc-endpoint-id $ aws ec2 create-route --route-table-id --destination-cidr-block 10.0.0.64/28 --vpc-endpoint-id
For more information in setting up, please watch a demo video as following full steps:
- Locate the partner’s virtual appliance software in AWS Marketplace
- Launch the appliance instances in your VPC
- Create GWLB and target group with appliance instances
- Create GWLB endpoints where the traffic needs to be inspected
- Update route table to make GWLB endpoint as next-hop
At this launch, AWS GWLB integrates with a number of industry-leading partners, including Aviatrix, Check Point, Cisco Systems, cPacket, Glasnostic, Fortinet, HashiCorp, NETSCOUT, Palo Alto Networks, Radware, Trend Micro, and Valtix. They provided us with tons of helpful feedback. Here are some of the blog posts that they wrote in order to share their experiences (I am updating this article with links as they are published).
Using GWLB, AWS partners can offer a number of managed services using virtual appliances as a Software as a Service (SaaS) to AWS customers without having to separately solve for the availability, load balancing and cloud scaling of their solution. You can integrate to GWLB by supporting GENEVE protocol in your appliance, implementing software to decode/encode GWLB metadata, and performing interoperability testing of your appliances in the AWS environment. For more information, please get in touch with your AWS partner team.
AWS Gateway Load Balancer is available in US East (N. Virginia), US West (Oregon), Europe (Ireland), South America (São Paulo), and Asia Pacific (Sydney) regions and you can locate the AWS partners’ virtual appliances in AWS Marketplace. Please send feedback to the AWS forum for Amazon EC2 or through your usual AWS support contacts. To learn more, visit the documentation.
Get started with AWS Gateway Load Balancer today.