
Create a Gateway Load Balancer and register targets

In the document Elastic Load Balancing (pages 11-18)

• Step 2: Create a Gateway Load Balancer endpoint (p. 10)

• Step 3: Configure routing (p. 11)

Overview

A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC, and application servers in the service consumer VPC. The Gateway Load Balancer is deployed in the same VPC as that of the virtual appliances. These appliances are registered as a target group of the Gateway Load Balancer.

The application servers run in one subnet (destination subnet) in the service consumer VPC, while the Gateway Load Balancer endpoint is in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet.

Similarly, all traffic leaving the application servers (destination subnet) is routed to the Gateway Load Balancer endpoint for inspection before it is routed back to the internet. The following network diagram is a visual representation of how a Gateway Load Balancer endpoint is used to access an endpoint service.


The numbered items that follow highlight and explain elements shown in the preceding image.

Traffic from the internet to the application (blue arrows):

1. Traffic enters the service consumer VPC through the internet gateway.

2. Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.

3. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

4. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

5. Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

1. Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.

2. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

3. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

4. Traffic is sent to the internet gateway based on the route table configuration.

5. Traffic is routed back to the internet.

Routing

The route table for the internet gateway must have an entry that routes traffic destined for the application servers to the Gateway Load Balancer endpoint. To specify the Gateway Load Balancer endpoint, use the ID of the VPC endpoint.

Destination     Target

10.0.0.0/16     Local

10.0.1.0/24     vpc-endpoint-id

The route table for the subnet with the application servers must have an entry that routes all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination     Target

10.0.0.0/16     Local

0.0.0.0/0       vpc-endpoint-id

The route table for the subnet with the Gateway Load Balancer endpoint must route traffic that returns from inspection to its final destination. For traffic that originated from the internet, the local route ensures that it reaches the application servers. For traffic that originated from the application servers, add an entry that routes all traffic (0.0.0.0/0) to the internet gateway.

Destination     Target

10.0.0.0/16     Local

0.0.0.0/0       internet-gateway-id
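The three route tables above are what make inspection mandatory rather than optional: if any one of them points elsewhere, traffic silently skips the appliances. The following is an added example, not code from the AWS guide, that audits route tables in the shape returned by aws ec2 describe-route-tables (DestinationCidrBlock plus a target key). The CIDRs, endpoint ID and internet gateway ID are the guide's own placeholders; the route table names gateway-rtb, application-rtb and endpoint-rtb are the names the guide uses in its create-route commands; the "bypassed" table set is constructed to show what a finding looks like.

```python
"""Audit the three route tables that force traffic through the Gateway Load
Balancer endpoint. Added example, not from the AWS guide; the route tables are
constructed to mirror the entries in the guide, in the shape of
`aws ec2 describe-route-tables` output."""

VPC_CIDR = "10.0.0.0/16"              # service consumer VPC (from the guide)
APP_CIDR = "10.0.1.0/24"              # application server subnet (from the guide)
GWLBE_ID = "vpce-01234567890abcdef"   # Gateway Load Balancer endpoint (guide placeholder)
IGW_ID = "igw-01234567890abcdef"      # internet gateway (guide placeholder)

# Constructed sample: the three route tables exactly as the guide prescribes them.
ROUTE_TABLES = {
    "gateway-rtb": [                  # edge route table associated with the IGW
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": APP_CIDR, "VpcEndpointId": GWLBE_ID},
    ],
    "application-rtb": [              # application server subnet
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": GWLBE_ID},
    ],
    "endpoint-rtb": [                 # Gateway Load Balancer endpoint subnet
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID},
    ],
}

# Constructed misconfiguration: the application subnet's default route points
# straight at the internet gateway, so outbound traffic never reaches the appliances.
BYPASSED_TABLES = {
    **ROUTE_TABLES,
    "application-rtb": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID},
    ],
}


def route_target(routes, destination):
    """Return the target of the route whose destination is exactly `destination`,
    or None when no such route exists."""
    for route in routes:
        if route.get("DestinationCidrBlock") == destination:
            return (route.get("VpcEndpointId") or route.get("GatewayId")
                    or route.get("NatGatewayId"))
    return None


def audit_inspection_routes(tables, app_cidr, gwlbe_id, igw_id):
    """Return a list of findings. An empty list means every hop of the inbound
    and outbound paths described in the guide is in place."""
    findings = []
    checks = [
        # (route table, destination, expected target, consequence if wrong)
        ("gateway-rtb", app_cidr, gwlbe_id,
         "inbound traffic reaches the application servers uninspected"),
        ("application-rtb", "0.0.0.0/0", gwlbe_id,
         "outbound traffic leaves without inspection"),
        ("endpoint-rtb", "0.0.0.0/0", igw_id,
         "inspected outbound traffic has no path back to the internet"),
    ]
    for name, destination, expected, consequence in checks:
        actual = route_target(tables.get(name, []), destination)
        if actual != expected:
            findings.append(
                f"{name}: {destination} -> {actual}, expected {expected}; {consequence}")
    return findings


if __name__ == "__main__":
    for label, tables in (("as documented", ROUTE_TABLES), ("bypassed", BYPASSED_TABLES)):
        result = audit_inspection_routes(tables, APP_CIDR, GWLBE_ID, IGW_ID)
        print(f"{label}: {'OK' if not result else result}")
```

Running it against the documented tables yields no findings; the bypassed set produces one finding for application-rtb. In a real account, feed the audit the Routes list of each table from describe-route-tables and run it after every route change, since the guide's step 4 (repeat per zone) is where a subnet is easily missed.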

Prerequisites

• Install the AWS CLI or update to the current version of the AWS CLI if you are using a version that does not support Gateway Load Balancers. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

• Ensure that the service consumer VPC has at least two subnets for each Availability Zone that contains application servers. One subnet is for the Gateway Load Balancer endpoint, and the other is for the application servers.

• Ensure that the service provider VPC has at least two subnets for each Availability Zone that contains security appliance instances. One subnet is for the Gateway Load Balancer, and the other is for the instances.

• Launch at least one security appliance instance in each security appliance subnet in the service provider VPC. The security groups for these instances must allow UDP traffic on port 6081.

Step 1: Create a Gateway Load Balancer and register targets

Use the following procedure to create your load balancer, listener, and target groups, and to register your security appliance instances as targets.

To create a Gateway Load Balancer and register targets

1. Use the create-load-balancer command to create a load balancer of type gateway. You can specify one subnet for each Availability Zone in which you launched security appliance instances.


aws elbv2 create-load-balancer --name my-load-balancer --type gateway --subnets provider-subnet-id

The output includes the Amazon Resource Name (ARN) of the load balancer, with the format shown in the following example.

arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/gwy/my-load-balancer/1234567890123456

2. Use the create-target-group command to create a target group, specifying the service provider VPC in which you launched your instances.

aws elbv2 create-target-group --name my-targets --protocol GENEVE --port 6081 --vpc-id provider-vpc-id

The output includes the ARN of the target group, with the following format.

arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/0123456789012345

3. Use the register-targets command to register your instances with your target group.

aws elbv2 register-targets --target-group-arn targetgroup-arn --targets Id=i-1234567890abcdef0 Id=i-0abcdef1234567890

4. Use the create-listener command to create a listener for your load balancer with a default rule that forwards requests to your target group.

aws elbv2 create-listener --load-balancer-arn loadbalancer-arn --default-actions Type=forward,TargetGroupArn=targetgroup-arn

The output contains the ARN of the listener, with the following format.

arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/gwy/my-load-balancer/1234567890123456/abc1234567890123

5. (Optional) You can verify the health of the registered targets for your target group using the following describe-target-health command.

aws elbv2 describe-target-health --target-group-arn targetgroup-arn
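The describe-target-health output in step 5 tells you which appliances are healthy, but not whether every zone the load balancer is enabled in still has one. Because cross-zone load balancing is off by default, a zone whose only appliance is unhealthy has nowhere to send traffic. The following added example, not code from the AWS guide, joins three CLI outputs to find such zones; all three JSON documents are constructed in the shape returned by aws elbv2 describe-load-balancers, aws elbv2 describe-target-health and aws ec2 describe-instances, the instance IDs and ARN are the guide's placeholders, and the zone names and subnet IDs are assumptions.

```python
"""Check that every Availability Zone enabled on the Gateway Load Balancer has at
least one healthy appliance. Added example, not from the AWS guide; the JSON
documents are constructed in the shape of the corresponding AWS CLI output."""
import json

# Constructed output of: aws elbv2 describe-load-balancers --names my-load-balancer
LOAD_BALANCERS_JSON = json.dumps({"LoadBalancers": [{
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:"
                       "loadbalancer/gwy/my-load-balancer/1234567890123456",
    "Type": "gateway",
    "AvailabilityZones": [
        {"ZoneName": "us-east-2a", "SubnetId": "subnet-0aaa0000aaaa0000a"},  # constructed
        {"ZoneName": "us-east-2b", "SubnetId": "subnet-0bbb0000bbbb0000b"},  # constructed
    ],
}]})

# Constructed output of: aws elbv2 describe-target-health --target-group-arn targetgroup-arn
TARGET_HEALTH_JSON = json.dumps({"TargetHealthDescriptions": [
    {"Target": {"Id": "i-1234567890abcdef0", "Port": 6081},
     "HealthCheckPort": "80",
     "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0abcdef1234567890", "Port": 6081},
     "HealthCheckPort": "80",
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks",
                      "Description": "Health checks failed"}},
]})

# Constructed output of: aws ec2 describe-instances --instance-ids i-... i-...
INSTANCES_JSON = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-1234567890abcdef0", "Placement": {"AvailabilityZone": "us-east-2a"}},
    {"InstanceId": "i-0abcdef1234567890", "Placement": {"AvailabilityZone": "us-east-2b"}},
]}]})


def healthy_target_ids(target_health_json):
    """Instance IDs whose TargetHealth.State is 'healthy'."""
    doc = json.loads(target_health_json)
    return {d["Target"]["Id"] for d in doc["TargetHealthDescriptions"]
            if d["TargetHealth"]["State"] == "healthy"}


def unhealthy_targets(target_health_json):
    """Map of instance ID -> (state, reason) for every target that is not healthy."""
    doc = json.loads(target_health_json)
    return {d["Target"]["Id"]: (d["TargetHealth"]["State"],
                                d["TargetHealth"].get("Reason", ""))
            for d in doc["TargetHealthDescriptions"]
            if d["TargetHealth"]["State"] != "healthy"}


def instance_zones(instances_json):
    """Map of instance ID -> Availability Zone from describe-instances output."""
    doc = json.loads(instances_json)
    return {i["InstanceId"]: i["Placement"]["AvailabilityZone"]
            for r in doc["Reservations"] for i in r["Instances"]}


def zones_without_healthy_target(lb_json, target_health_json, instances_json):
    """Sorted list of enabled zones in which no registered target is healthy."""
    lb = json.loads(lb_json)["LoadBalancers"][0]
    enabled = {az["ZoneName"] for az in lb["AvailabilityZones"]}
    zones = instance_zones(instances_json)
    covered = {zones[i] for i in healthy_target_ids(target_health_json) if i in zones}
    return sorted(enabled - covered)


if __name__ == "__main__":
    print("unhealthy:", unhealthy_targets(TARGET_HEALTH_JSON))
    print("zones without a healthy appliance:",
          zones_without_healthy_target(LOAD_BALANCERS_JSON, TARGET_HEALTH_JSON, INSTANCES_JSON))
```

With the constructed data the second appliance fails its health checks, so us-east-2b is reported as uncovered. Treat a non-empty result as an availability incident for that zone's application subnet, or as the signal to enable cross-zone load balancing.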

Step 2: Create a Gateway Load Balancer endpoint

Use the following procedure to create a Gateway Load Balancer endpoint. Gateway Load Balancer endpoints are zonal. We recommend that you create one Gateway Load Balancer endpoint per zone. For more information, see Gateway Load Balancer endpoints (AWS PrivateLink).

To create a Gateway Load Balancer endpoint

1. Use the create-vpc-endpoint-service-configuration command to create an endpoint service configuration using your Gateway Load Balancer.


aws ec2 create-vpc-endpoint-service-configuration --gateway-load-balancer-arns loadbalancer-arn --no-acceptance-required

The output contains the service ID (for example, vpce-svc-12345678901234567) and the service name (for example, com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567).

2. Use the modify-vpc-endpoint-service-permissions command to allow service consumers to create an endpoint to your service. A service consumer can be an IAM user, IAM role, or AWS account. The following example adds permission for the specified AWS account.

aws ec2 modify-vpc-endpoint-service-permissions --service-id vpce-svc-12345678901234567 --add-allowed-principals arn:aws:iam::123456789012:root

3. Use the create-vpc-endpoint command to create the Gateway Load Balancer endpoint for your service.

aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --service-name com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567 --vpc-id consumer-vpc-id --subnet-ids consumer-subnet-id

The output contains the ID of the Gateway Load Balancer endpoint (for example, vpce-01234567890abcdef).
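Steps 1 and 2 above decide who can plug into the endpoint service: the service was created with --no-acceptance-required, so any principal on the allowed list connects without approval. The following added example, not code from the AWS guide, audits that list. The JSON is constructed in the shape returned by aws ec2 describe-vpc-endpoint-service-configurations and aws ec2 describe-vpc-endpoint-service-permissions; the service ID and the account principal are the guide's placeholders, while the wildcard entry and the second account's role are constructed to show what gets flagged.

```python
"""Audit which principals may create endpoints to the Gateway Load Balancer
endpoint service. Added example, not from the AWS guide; the JSON documents are
constructed in the shape of the corresponding AWS CLI output."""
import json

SERVICE_ID = "vpce-svc-12345678901234567"   # from the guide

# Constructed: aws ec2 describe-vpc-endpoint-service-configurations --service-ids <id>
SERVICE_CONFIG_JSON = json.dumps({"ServiceConfigurations": [{
    "ServiceId": SERVICE_ID,
    "ServiceName": f"com.amazonaws.vpce.us-east-2.{SERVICE_ID}",
    "AcceptanceRequired": False,       # result of --no-acceptance-required
    "GatewayLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-east-2:123456789012:"
        "loadbalancer/gwy/my-load-balancer/1234567890123456"],
}]})

# Constructed: aws ec2 describe-vpc-endpoint-service-permissions --service-id <id>
PERMISSIONS_JSON = json.dumps({"AllowedPrincipals": [
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::123456789012:root"},  # from the guide
    {"PrincipalType": "All", "Principal": "*"},                                   # constructed
    {"PrincipalType": "Role", "Principal": "arn:aws:iam::210987654321:role/Example"},  # constructed
]})


def principal_account(principal):
    """Account ID embedded in an IAM principal ARN, or None for non-ARN principals."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) >= 6 else None


def audit_service_exposure(config_json, permissions_json, expected_accounts):
    """Return findings for principals outside `expected_accounts`, for wildcard
    grants, and for auto-acceptance combined with either of those."""
    findings = []
    cfg = json.loads(config_json)["ServiceConfigurations"][0]
    for p in json.loads(permissions_json)["AllowedPrincipals"]:
        if p["Principal"] == "*" or p.get("PrincipalType") == "All":
            findings.append("wildcard principal: any AWS account can attach an endpoint")
            continue
        if principal_account(p["Principal"]) not in expected_accounts:
            findings.append(f"unexpected principal {p['Principal']}")
    if findings and not cfg["AcceptanceRequired"]:
        findings.append("AcceptanceRequired is false: the principals above connect "
                        "without manual approval")
    return findings


if __name__ == "__main__":
    for f in audit_service_exposure(SERVICE_CONFIG_JSON, PERMISSIONS_JSON, {"123456789012"}):
        print(f)
```

The expected_accounts set is the list of consumer accounts you intend to serve; anything else, and in particular a "*" grant, means inspection capacity and the appliances' view of traffic are reachable from accounts you do not control.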

Step 3: Configure routing

Configure the route tables for the service consumer VPC as follows. This allows the security appliances to perform security inspection on inbound traffic that's destined for the application servers.

To configure routing

1. Use the create-route command to add an entry to the route table for the internet gateway that routes traffic that's destined for the application servers to the Gateway Load Balancer endpoint.

aws ec2 create-route --route-table-id gateway-rtb --destination-cidr-block 10.0.1.0/24 --vpc-endpoint-id vpce-01234567890abcdef

2. Use the create-route command to add an entry to the route table for the subnet with the application servers that routes all traffic from the application servers to the Gateway Load Balancer endpoint.

aws ec2 create-route --route-table-id application-rtb --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id vpce-01234567890abcdef

3. Use the create-route command to add an entry to the route table for the subnet with the Gateway Load Balancer endpoint that routes all traffic that originated from the application servers to the internet gateway.

aws ec2 create-route --route-table-id endpoint-rtb --destination-cidr-block 0.0.0.0/0 --gateway-id igw-01234567890abcdef

4. Repeat for each application subnet route table in each zone.


Gateway Load Balancers

Use a Gateway Load Balancer to deploy and manage a fleet of virtual appliances that support the GENEVE protocol.

A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model.

It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule, using the GENEVE protocol on port 6081.

You can add or remove targets from your load balancer as your needs change, without disrupting the overall flow of requests. Elastic Load Balancing scales your load balancer as traffic to your application changes over time. Elastic Load Balancing can scale to the vast majority of workloads automatically.

Contents

• Load balancer state (p. 12)

• Load balancer attributes (p. 12)

• Availability Zones (p. 13)

• Deletion protection (p. 13)

• Cross-zone load balancing (p. 13)

• Create a Gateway Load Balancer (p. 14)

• Tags for your Gateway Load Balancer (p. 16)

• Delete a Gateway Load Balancer (p. 17)

Load balancer state

A Gateway Load Balancer can be in one of the following states:

provisioning

The Gateway Load Balancer is being set up.

active

The Gateway Load Balancer is fully set up and ready to route traffic.

failed

The Gateway Load Balancer could not be set up.

Load balancer attributes

The following are the load balancer attributes for Gateway Load Balancers:

deletion_protection.enabled

Indicates whether deletion protection (p. 13) is enabled. The default is false.

load_balancing.cross_zone.enabled

Indicates whether cross-zone load balancing (p. 13) is enabled. The default is false.

Availability Zones


When you create a Gateway Load Balancer, you enable one or more Availability Zones, and specify the subnet that corresponds to each zone. When you enable multiple Availability Zones, it ensures that the load balancer can continue to route traffic even if an Availability Zone becomes unavailable. The subnets that you specify must each have at least 8 available IP addresses. Subnets cannot be added or removed after the load balancer is created. To add or remove a subnet, you must create a new load balancer.

Deletion protection

To prevent your Gateway Load Balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled.

If you enable deletion protection for your Gateway Load Balancer, you must disable it before you can delete the Gateway Load Balancer.

To enable deletion protection using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.

To disable deletion protection using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, clear Enable for Delete Protection, and then choose Save.

To enable or disable deletion protection using the AWS CLI

Use the modify-load-balancer-attributes command with the deletion_protection.enabled attribute.

Cross-zone load balancing

By default, each load balancer node distributes traffic across the registered targets in its Availability Zone only. If you enable cross-zone load balancing, each Gateway Load Balancer node distributes traffic across the registered targets in all enabled Availability Zones. For more information, see Cross-zone load balancing in the Elastic Load Balancing User Guide.

To enable cross-zone load balancing using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.


3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, select Enable for Cross-Zone Load Balancing, and then choose Save.

To enable cross-zone load balancing using the AWS CLI

Use the modify-load-balancer-attributes command with the load_balancing.cross_zone.enabled attribute.

Create a Gateway Load Balancer

A Gateway Load Balancer takes requests from clients and distributes them across targets in a target group, such as EC2 instances.

Before you begin, ensure that the virtual private cloud (VPC) for your Gateway Load Balancer has at least one subnet in each Availability Zone where you have targets.

To create a Gateway Load Balancer using the AWS CLI, see Getting started using the CLI (p. 7).

To create a Gateway Load Balancer using the AWS Management Console, complete the following tasks.

Tasks
