Elastic Load Balancing

Gateway Load Balancers

Elastic Load Balancing: Gateway Load Balancers

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is a Gateway Load Balancer? ... 1

Appliance vendors ... 1

Getting started ... 1

Pricing ... 1

Getting started ... 2

Overview ... 2

Routing ... 3

Prerequisites ... 4

Step 1: Register targets and create a Gateway Load Balancer ... 4

Step 2: Create a Gateway Load Balancer endpoint ... 5

Step 3: Configure routing ... 6

Getting started using the CLI ... 7

Overview ... 7

Routing ... 3

Prerequisites ... 9

Step 1: Create a Gateway Load Balancer and register targets ... 9

Step 2: Create a Gateway Load Balancer endpoint ... 10

Step 3: Configure routing ... 11

Load balancers ... 12

Load balancer state ... 12

Load balancer attributes ... 12

Availability Zones ... 13

Deletion protection ... 13

Cross-zone load balancing ... 13

Create a load balancer ... 14

Step 1: Configure your target group and register targets ... 14

Step 2: Configure the load balancer and listener ... 15

Important next steps ... 16

Update tags ... 16

Delete a load balancer ... 17

Listeners ... 18

Target groups ... 19

Routing configuration ... 19

Target type ... 19

Registered targets ... 20

Target group attributes ... 20

Deregistration delay ... 20

Create a target group ... 21

Configure health checks ... 23

Health check settings ... 23

Target health status ... 24

Health check reason codes ... 25

Target failure scenarios ... 25

Check the health of your targets ... 26

Modify health check settings ... 26

Register targets ... 27

Target security groups ... 27

Network ACLs ... 27

Register or deregister targets ... 28

Update tags ... 29

Delete a target group ... 30

Monitor your load balancers ... 32

CloudWatch metrics ... 32

Gateway Load Balancer metrics ... 33

Metric dimensions for Gateway Load Balancers ... 34

View CloudWatch metrics for your Gateway Load Balancer ... 35

CloudTrail logs ... 36

Elastic Load Balancing information in CloudTrail ... 36

Understanding Elastic Load Balancing log file entries ... 37

Quotas ... 39

Document history ... 40

What is a Gateway Load Balancer?

Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. A Gateway Load Balancer combines a transparent network gateway (that is, a single entry and exit point for all traffic) with a load balancer that distributes traffic across your virtual appliances and scales them with demand.

A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule. It maintains stickiness of flows to a specific target appliance using 5-tuple (for TCP/UDP flows) or 3-tuple (for non-TCP/UDP flows). The Gateway Load Balancer and its registered virtual appliance instances exchange application traffic using the GENEVE protocol on port 6081. It supports a maximum transmission unit (MTU) size of 8500 bytes.
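The following added example (not code from AWS or from this guide) shows what a registered appliance actually receives on UDP port 6081 and how the flow stickiness described above can be derived: it decapsulates a GENEVE frame using the RFC 8926 header layout, builds the 5-tuple key for TCP/UDP or the 3-tuple key for other IP protocols, and maps that key to one appliance consistently. The sample frame, the option class/type values, and the appliance IDs are constructed placeholders, and the hash used for the sticky choice is an illustrative stand-in; the load balancer's own hashing algorithm is not described on this page.

```python
"""Decapsulate a GENEVE frame as an appliance behind a Gateway Load Balancer
sees it on UDP/6081, derive the 5-tuple / 3-tuple flow key, and map the key
to one appliance consistently (illustrative hashing, not the ELB algorithm)."""
import hashlib
import ipaddress
import struct
from typing import List, NamedTuple, Sequence, Tuple

GENEVE_PORT = 6081          # UDP port used between the load balancer and appliances
ETHERTYPE_IPV4 = 0x0800     # GENEVE "Protocol Type" value for an IPv4 payload


class GeneveOption(NamedTuple):
    opt_class: int
    opt_type: int
    data: bytes


class GenevePacket(NamedTuple):
    vni: int
    protocol_type: int
    options: List[GeneveOption]
    payload: bytes          # the inner (original) IP packet


def parse_geneve(frame: bytes) -> GenevePacket:
    """Parse the 8-byte GENEVE base header (RFC 8926) plus its TLV options."""
    if len(frame) < 8:
        raise ValueError("GENEVE header truncated")
    b0, _flags, proto = struct.unpack("!BBH", frame[:4])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (b0 & 0x3F) * 4          # Opt Len is counted in 4-byte words
    if len(frame) < opt_end:
        raise ValueError("GENEVE options truncated")
    vni = int.from_bytes(frame[4:7], "big")
    options: List[GeneveOption] = []
    off = 8
    while off < opt_end:
        opt_class, opt_type, rlen = struct.unpack("!HBB", frame[off:off + 4])
        data_len = (rlen & 0x1F) * 4       # low 5 bits, also in 4-byte words
        off += 4
        if off + data_len > opt_end:
            raise ValueError("GENEVE option overruns the option area")
        options.append(GeneveOption(opt_class, opt_type, frame[off:off + data_len]))
        off += data_len
    return GenevePacket(vni, proto, options, frame[opt_end:])


def flow_key(ip_packet: bytes) -> Tuple:
    """5-tuple for TCP/UDP, 3-tuple for any other IPv4 protocol."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = ip_packet[9]
    src = str(ipaddress.IPv4Address(ip_packet[12:16]))
    dst = str(ipaddress.IPv4Address(ip_packet[16:20]))
    if proto in (6, 17) and len(ip_packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
        return (src, dst, proto, sport, dport)
    return (src, dst, proto)


def pick_target(key: Tuple, targets: Sequence[str]) -> str:
    """Sticky choice: the same flow key always lands on the same appliance."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return targets[int.from_bytes(digest[:8], "big") % len(targets)]


# --- constructed sample input (not captured traffic) -------------------------
def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4   # header checksum left at zero; not needed for parsing


def build_geneve(vni: int, options: Sequence[GeneveOption], payload: bytes) -> bytes:
    opts = b"".join(struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
                    for o in options)
    base = struct.pack("!BBH", len(opts) // 4, 0, ETHERTYPE_IPV4) + vni.to_bytes(3, "big") + b"\x00"
    return base + opts + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER_TCP = build_ipv4("10.0.1.10", "203.0.113.5", 6, TCP_SYN)
INNER_ICMP = build_ipv4("10.0.1.10", "203.0.113.5", 1, bytes(8))
# Placeholder option (class/type/data are constructed, not the real metadata the
# load balancer attaches); the assumption here is that an appliance returns the
# GENEVE header and options unchanged so the packet can be mapped back.
PLACEHOLDER_OPT = GeneveOption(0x0108, 1, bytes(8))
SAMPLE_FRAME = build_geneve(0, [PLACEHOLDER_OPT], INNER_TCP)
APPLIANCES = ["i-appliance-a", "i-appliance-b", "i-appliance-c"]  # constructed IDs


def inspect(frame: bytes) -> Tuple[Tuple, str]:
    """Decapsulate one frame and return (flow key, chosen appliance)."""
    pkt = parse_geneve(frame)
    key = flow_key(pkt.payload)
    return key, pick_target(key, APPLIANCES)


if __name__ == "__main__":
    print(inspect(SAMPLE_FRAME))
    print(flow_key(INNER_ICMP))
```

Feeding the same TCP flow through `inspect` repeatedly yields the same appliance, which is the property the appliance fleet relies on for stateful inspection; an ICMP packet from the same hosts produces a 3-tuple key, so stickiness for non-TCP/UDP traffic is decided per host pair and protocol only.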

Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across VPC boundaries. A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC. You deploy the Gateway Load Balancer in the same VPC as the virtual appliances. You register the virtual appliances with a target group for the Gateway Load Balancer.

Traffic to and from a Gateway Load Balancer endpoint is configured using route tables. Traffic flows from the service consumer VPC over the Gateway Load Balancer endpoint to the Gateway Load Balancer in the service provider VPC, and then returns to the service consumer VPC. You must create the Gateway Load Balancer endpoint and the application servers in different subnets. This enables you to configure the Gateway Load Balancer endpoint as the next hop in the route table for the application subnet.

For more information, see Gateway Load Balancer endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Appliance vendors

You are responsible for choosing and qualifying software from appliance vendors. You must trust the appliance software to inspect or modify traffic from the load balancer. The appliance vendors listed as Elastic Load Balancing Partners have integrated and qualified their appliance software with AWS. You can place a higher degree of trust in the appliance software from vendors in this list. However, AWS does not guarantee the security or reliability of software from these vendors.

Getting started

To create a Gateway Load Balancer using the AWS Management Console, see Getting started (p. 2).

To create a Gateway Load Balancer using the AWS Command Line Interface, see Getting started using the CLI (p. 7).

Pricing

With your load balancer, you pay only for what you use. For more information, see Elastic Load Balancing pricing.

Getting started with Gateway Load Balancers

Gateway Load Balancers make it easy to deploy, scale, and manage third-party virtual appliances, such as security appliances.

In this tutorial, we'll implement an inspection system using a Gateway Load Balancer and a Gateway Load Balancer endpoint.

Contents

• Overview (p. 2)

• Prerequisites (p. 4)

• Step 1: Register targets and create a Gateway Load Balancer (p. 4)

• Step 2: Create a Gateway Load Balancer endpoint (p. 5)

• Step 3: Configure routing (p. 6)

Overview

A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC, and application servers in the service consumer VPC. The Gateway Load Balancer is deployed in the same VPC as that of the virtual appliances. These appliances are registered as a target group of the Gateway Load Balancer.

The application servers run in one subnet (destination subnet) in the service consumer VPC, while the Gateway Load Balancer endpoint is in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet.

Similarly, all traffic leaving the application servers (destination subnet) is routed to the Gateway Load Balancer endpoint for inspection before it is routed back to the internet. The following network diagram is a visual representation of how a Gateway Load Balancer endpoint is used to access an endpoint service.

The numbered items that follow highlight and explain the elements shown in the preceding image.

Traffic from the internet to the application (blue arrows):

1. Traffic enters the service consumer VPC through the internet gateway.

2. Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.

3. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

4. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

5. Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

1. Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.

2. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

3. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

4. Traffic is sent to the internet gateway based on the route table configuration.

5. Traffic is routed back to the internet.

Routing

The route table for the internet gateway must have an entry that routes traffic destined for the application servers to the Gateway Load Balancer endpoint. To specify the Gateway Load Balancer endpoint, use the ID of the VPC endpoint.

Destination    Target
10.0.0.0/16    Local
10.0.1.0/24    vpc-endpoint-id

The route table for the subnet with the application servers must have an entry that routes all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 vpc-endpoint-id

The route table for the subnet with the Gateway Load Balancer endpoint must route traffic that returns from inspection to its final destination. For traffic that originated from the internet, the local route ensures that it reaches the application servers. For traffic that originated from the application servers, add an entry that routes all traffic (0.0.0.0/0) to the internet gateway.

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 internet-gateway-id

Prerequisites

• Ensure that the service consumer VPC has at least two subnets for each Availability Zone that contains application servers. One subnet is for the Gateway Load Balancer endpoint, and the other is for the application servers.

• The Gateway Load Balancer and the targets can be in the same subnet.

• You cannot use a subnet that is shared from another account to deploy the Gateway Load Balancer.

• Launch at least one security appliance instance in each security appliance subnet in the service provider VPC. The security groups for these instances must allow UDP traffic on port 6081.

Step 1: Register targets and create a Gateway Load Balancer

Use the following procedure to create your target group, register your security appliance instances as targets, and then create your load balancer and listener.

To create a target group and register targets

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under Load Balancing, choose Target Groups.

3. For Choose a target type, select Instances to specify targets by instance ID, or IP addresses to specify targets by IP address.

4. For Target group name, enter a name for your target group. For example, my-targets.

5. Protocol must be GENEVE, and Port must be 6081. No other values for Protocol and port are supported.

6. For VPC, select a virtual private cloud (VPC) with the instances that you want to include in the target group.

7. For Health checks (optional), modify the health check settings as needed.

8. Expand Tags and add tags (optional).

9. Choose Next.

10. Add one or more targets as follows:

• If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.

• If the target type is IP addresses, select the network, enter the IP address and ports, and then choose Include as pending below.

11. Choose Create target group.

To create a Gateway Load Balancer

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under Load Balancing, choose Load Balancers.

3. Choose Create Load Balancer.

4. Under Gateway Load Balancer, choose Create.

5. For Load balancer name, enter a name for your load balancer. For example, my-glb.

6. For IP address type, you must choose IPv4, because your clients can only use IPv4 addresses to communicate with the load balancer.

7. For VPC, select the service provider VPC. Only VPCs with an internet gateway are available for selection.

8. For Mappings, select all of the Availability Zones in which you launched security appliance instances, and the corresponding public subnets.

9. For Default action, select a target group to forward traffic to. If you don't have a default target group, create a target group first. Only target groups with GENEVE protocol are available for use with the Gateway Load Balancer.

10. Expand Tags and add tags (optional).

11. Review your configuration, and choose Create load balancer.

Step 2: Create a Gateway Load Balancer endpoint

Use the following procedure to create a Gateway Load Balancer endpoint. Gateway Load Balancer endpoints are zonal. We recommend that you create one Gateway Load Balancer endpoint per zone. For more information, see Gateway Load Balancer endpoints (AWS PrivateLink).

To create a Gateway Load Balancer endpoint

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoint Services.

3. Choose Create Endpoint Service and do the following:

a. For Associate Load Balancers, select your Gateway Load Balancer.

b. For Require acceptance for endpoint, select Acceptance required to accept connection requests to your service manually. Otherwise, endpoint connections are automatically accepted.

c. To add a tag (optional), choose Add tag and then specify the key and value for the tag.

d. Choose Create service. Choose the service ID. Save the service name from the Details tab; you'll need it when you create the endpoint.

e. Choose Actions, Add principals to whitelist. Enter the ARNs of the service consumers that are allowed to create an endpoint to your service. A service consumer can be an IAM user, IAM role, or AWS account.

4. In the navigation pane, choose Endpoints.

5. Choose Create Endpoint and do the following:

a. For Service category, choose Find service by name.

b. For Service name, enter the service name that you saved earlier, and then choose Verify. If the name is found, proceed to the next step. Otherwise, be sure that you used the correct service name.

c. For VPC, select the service consumer VPC.

d. For Subnets, select a subnet for the Gateway Load Balancer endpoint.

e. (Optional) To add a tag, choose Add tag and specify the key and value for the tag.

f. Choose Create endpoint. The initial status is pending acceptance.

Step 3: Configure routing

Configure the route tables for the service consumer VPC as follows. This allows the security appliances to perform security inspection on inbound traffic that's destined for the application servers.

To configure routing

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Route Tables.

3. Select the route table for the internet gateway and do the following:

a. Choose Actions, Edit routes.

b. Choose Add route. For Destination, enter the CIDR block of the subnet for the application servers (for example, 10.0.1.0/24). For Target, select the VPC endpoint.

c. Choose Save routes.

4. Select the route table for the subnet with the application servers and do the following:

a. Choose Actions, Edit routes.

b. Choose Add route. For Destination, enter 0.0.0.0/0. For Target, select the VPC endpoint.

c. Choose Save routes.

5. Select the route table for the subnet with the Gateway Load Balancer endpoint, and do the following:

a. Choose Actions, Edit routes.

b. Choose Add route. For Destination, enter 0.0.0.0/0. For Target, select the internet gateway.

c. Choose Save routes.

Getting started with Gateway Load Balancers using the AWS CLI

Gateway Load Balancers make it easy to deploy, scale, and manage third-party virtual appliances, such as security appliances.

In this tutorial, we'll implement an inspection system using a Gateway Load Balancer and a Gateway Load Balancer endpoint.

Contents

• Overview (p. 7)

• Prerequisites (p. 9)

• Step 1: Create a Gateway Load Balancer and register targets (p. 9)

• Step 2: Create a Gateway Load Balancer endpoint (p. 10)

• Step 3: Configure routing (p. 11)

Overview

A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC, and application servers in the service consumer VPC. The Gateway Load Balancer is deployed in the same VPC as that of the virtual appliances. These appliances are registered as a target group of the Gateway Load Balancer.

The application servers run in one subnet (destination subnet) in the service consumer VPC, while the Gateway Load Balancer endpoint is in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet.

Similarly, all traffic leaving the application servers (destination subnet) is routed to the Gateway Load Balancer endpoint for inspection before it is routed back to the internet. The following network diagram is a visual representation of how a Gateway Load Balancer endpoint is used to access an endpoint service.

The numbered items that follow highlight and explain the elements shown in the preceding image.

Traffic from the internet to the application (blue arrows):

1. Traffic enters the service consumer VPC through the internet gateway.

2. Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.

3. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

4. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

5. Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

1. Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.

2. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

3. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

4. Traffic is sent to the internet gateway based on the route table configuration.

5. Traffic is routed back to the internet.

Routing

The route table for the internet gateway must have an entry that routes traffic destined for the application servers to the Gateway Load Balancer endpoint. To specify the Gateway Load Balancer endpoint, use the ID of the VPC endpoint.

Destination    Target
10.0.0.0/16    Local
10.0.1.0/24    vpc-endpoint-id

The route table for the subnet with the application servers must have an entry that routes all traffic (0.0.0.0/0) from the application servers to the Gateway Load Balancer endpoint.

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 vpc-endpoint-id

The route table for the subnet with the Gateway Load Balancer endpoint must route traffic that returns from inspection to its final destination. For traffic that originated from the internet, the local route ensures that it reaches the application servers. For traffic that originated from the application servers, add an entry that routes all traffic (0.0.0.0/0) to the internet gateway.

Destination Target

10.0.0.0/16 Local

0.0.0.0/0 internet-gateway-id

Prerequisites

• Install the AWS CLI or update to the current version of the AWS CLI if you are using a version that does not support Gateway Load Balancers. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

• Ensure that the service consumer VPC has at least two subnets for each Availability Zone that contains application servers. One subnet is for the Gateway Load Balancer endpoint, and the other is for the application servers.

• Ensure that the service provider VPC has at least two subnets for each Availability Zone that contains security appliance instances. One subnet is for the Gateway Load Balancer, and the other is for the instances.

• Launch at least one security appliance instance in each security appliance subnet in the service provider VPC. The security groups for these instances must allow UDP traffic on port 6081.
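Both prerequisite lists (the console tutorial and this CLI tutorial) require the appliance instances' security groups to admit UDP traffic on port 6081. The following added example (not AWS code) checks that from security group data in the shape of `aws ec2 describe-security-groups --output json`, and additionally reports any rule whose source CIDR is wider than the provider VPC; that second report is an added hardening check, since the page itself only requires the port to be open. The groups and IDs below are constructed samples.

```python
"""Confirm that an appliance's security groups admit UDP/6081 (GENEVE from the
Gateway Load Balancer) and flag sources wider than the VPC it lives in."""
import ipaddress
from typing import Dict, List, NamedTuple

GENEVE_PORT = 6081


class GeneveAccess(NamedTuple):
    allowed: bool              # some inbound rule admits UDP/6081
    sources: List[str]         # CIDRs or group IDs that may reach the port
    wider_than_vpc: List[str]  # CIDRs not contained in the VPC (e.g. 0.0.0.0/0)


def rule_covers_udp_port(perm: Dict, port: int) -> bool:
    """True if this IpPermissions entry admits UDP on `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "udp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def geneve_access(groups: List[Dict], vpc_cidr: str) -> GeneveAccess:
    """Evaluate every inbound rule across the groups attached to one instance."""
    vpc = ipaddress.ip_network(vpc_cidr)
    sources: List[str] = []
    wide: List[str] = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_udp_port(perm, GENEVE_PORT):
                continue
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                sources.append(cidr)
                if not ipaddress.ip_network(cidr).subnet_of(vpc):
                    wide.append(cidr)
            for pair in perm.get("UserIdGroupPairs", []):
                sources.append(pair["GroupId"])   # a referenced group is VPC-scoped
    return GeneveAccess(bool(sources), sources, wide)


# --- constructed samples (placeholder group IDs, not from a real account) ----
def _group(group_id: str, *perms: Dict) -> Dict:
    return {"GroupId": group_id, "IpPermissions": list(perms)}


def _udp_rule(port: int, cidr: str) -> Dict:
    return {"IpProtocol": "udp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}


PROVIDER_VPC = "10.0.0.0/16"   # same VPC CIDR the tutorial's route tables use
SCOPED_GROUPS = [_group("sg-scoped-PLACEHOLDER", _udp_rule(GENEVE_PORT, PROVIDER_VPC))]
OPEN_GROUPS = [_group("sg-open-PLACEHOLDER", _udp_rule(GENEVE_PORT, "0.0.0.0/0"))]
MISSING_GROUPS = [_group("sg-missing-PLACEHOLDER",
                         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                          "IpRanges": [{"CidrIp": PROVIDER_VPC}], "UserIdGroupPairs": []})]

if __name__ == "__main__":
    for name, groups in [("scoped", SCOPED_GROUPS), ("open", OPEN_GROUPS), ("missing", MISSING_GROUPS)]:
        print(name, geneve_access(groups, PROVIDER_VPC))
```

A result with `allowed` false means the load balancer can neither deliver traffic nor complete health checks against that appliance, so it will never become healthy; a non-empty `wider_than_vpc` list means the GENEVE port is reachable from beyond the load balancer's own subnets, which is more exposure than the design needs.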

Step 1: Create a Gateway Load Balancer and register targets

Use the following procedure to create your load balancer, listener, and target groups, and to register your security appliance instances as targets.

To create a Gateway Load Balancer and register targets

1. Use the create-load-balancer command to create a load balancer of type gateway. You can specify one subnet for each Availability Zone in which you launched security appliance instances.

aws elbv2 create-load-balancer --name my-load-balancer --type gateway --subnets provider-subnet-id

The output includes the Amazon Resource Name (ARN) of the load balancer, with the format shown in the following example.

arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/gwy/my-load-balancer/1234567890123456

2. Use the create-target-group command to create a target group, specifying the service provider VPC in which you launched your instances.

aws elbv2 create-target-group --name my-targets --protocol GENEVE --port 6081 --vpc-id provider-vpc-id

The output includes the ARN of the target group, with the following format.

arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/0123456789012345

3. Use the register-targets command to register your instances with your target group.

aws elbv2 register-targets --target-group-arn targetgroup-arn --targets Id=i-1234567890abcdef0 Id=i-0abcdef1234567890

4. Use the create-listener command to create a listener for your load balancer with a default rule that forwards requests to your target group.

aws elbv2 create-listener --load-balancer-arn loadbalancer-arn --default-actions Type=forward,TargetGroupArn=targetgroup-arn

The output contains the ARN of the listener, with the following format.

arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/gwy/my-load-balancer/1234567890123456/abc1234567890123

5. (Optional) You can verify the health of the registered targets for your target group using the following describe-target-health command.

aws elbv2 describe-target-health --target-group-arn targetgroup-arn

Step 2: Create a Gateway Load Balancer endpoint

Use the following procedure to create a Gateway Load Balancer endpoint. Gateway Load Balancer endpoints are zonal. We recommend that you create one Gateway Load Balancer endpoint per zone. For more information, see Gateway Load Balancer endpoints (AWS PrivateLink).

To create a Gateway Load Balancer endpoint

1. Use the create-vpc-endpoint-service-configuration command to create an endpoint service configuration using your Gateway Load Balancer.

aws ec2 create-vpc-endpoint-service-configuration --gateway-load-balancer-arns loadbalancer-arn --no-acceptance-required

The output contains the service ID (for example, vpce-svc-12345678901234567) and the service name (for example, com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567).

2. Use the modify-vpc-endpoint-service-permissions command to allow service consumers to create an endpoint to your service. A service consumer can be an IAM user, IAM role, or AWS account. The following example adds permission for the specified AWS account.

aws ec2 modify-vpc-endpoint-service-permissions --service-id vpce-svc-12345678901234567 --add-allowed-principals arn:aws:iam::123456789012:root

3. Use the create-vpc-endpoint command to create the Gateway Load Balancer endpoint for your service.

aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --service-name com.amazonaws.vpce.us-east-2.vpce-svc-12345678901234567 --vpc-id consumer-vpc-id --subnet-ids consumer-subnet-id

The output contains the ID of the Gateway Load Balancer endpoint (for example, vpce-01234567890abcdef).

Step 3: Configure routing

Configure the route tables for the service consumer VPC as follows. This allows the security appliances to perform security inspection on inbound traffic that's destined for the application servers.

To configure routing

1. Use the create-route command to add an entry to the route table for the internet gateway that routes traffic that's destined for the application servers to the Gateway Load Balancer endpoint.

aws ec2 create-route --route-table-id gateway-rtb --destination-cidr-block 10.0.1.0/24 --vpc-endpoint-id vpce-01234567890abcdef

2. Use the create-route command to add an entry to the route table for the subnet with the application servers that routes all traffic from the application servers to the Gateway Load Balancer endpoint.

aws ec2 create-route --route-table-id application-rtb --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id vpce-01234567890abcdef

3. Use the create-route command to add an entry to the route table for the subnet with the Gateway Load Balancer endpoint that routes all traffic that originated from the application servers to the internet gateway.

aws ec2 create-route --route-table-id endpoint-rtb --destination-cidr-block 0.0.0.0/0 --gateway-id igw-01234567890abcdef

4. Repeat for each application subnet route table in each zone.
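The three route tables configured in Step 3 (in both the console and the CLI tutorial) are what force traffic through the inspection path; a wrong default route in the application subnet lets traffic reach the internet without ever touching the appliances. The following added example (not AWS code) audits those tables from data in the shape of `aws ec2 describe-route-tables --output json`. The tables below are constructed samples that reuse the placeholder IDs from the CLI steps; the route target field names (`GatewayId`, `VpcEndpointId`, and so on) are assumed from that API's output format.

```python
"""Audit the route tables of a service consumer VPC against the Gateway Load
Balancer inspection design: internet gateway table -> endpoint for the app
CIDR, app subnet default route -> endpoint, endpoint subnet default route ->
internet gateway. Returns findings; an empty list means the design holds."""
import copy
import json
import sys
from typing import Dict, List, Optional

TARGET_FIELDS = ("GatewayId", "VpcEndpointId", "NatGatewayId",
                 "NetworkInterfaceId", "TransitGatewayId", "InstanceId")


def next_hop(route: Dict) -> Optional[str]:
    """Return whichever target field the API populated for this route."""
    for field in TARGET_FIELDS:
        if route.get(field):
            return route[field]
    return None


def route_target(table: Dict, cidr: str) -> Optional[str]:
    """Target of the active route whose destination is exactly `cidr`."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == cidr and route.get("State", "active") == "active":
            return next_hop(route)
    return None


def table_for_subnet(tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None


def table_for_gateway(tables: List[Dict], igw_id: str) -> Optional[Dict]:
    """The edge association that enables ingress routing for the internet gateway."""
    for table in tables:
        if any(a.get("GatewayId") == igw_id for a in table.get("Associations", [])):
            return table
    return None


def _expect_route(findings: List[str], table: Optional[Dict], label: str,
                  cidr: str, want: str, consequence: str) -> None:
    if table is None:
        findings.append(f"{label}: no route table found")
        return
    hop = route_target(table, cidr)
    if hop != want:
        findings.append(f"{label}: {cidr} goes to {hop}, not {want}; {consequence}")


def check_inspection_routing(tables: List[Dict], *, igw_id: str, vpce_id: str,
                             app_subnet_id: str, app_cidr: str,
                             endpoint_subnet_id: str) -> List[str]:
    findings: List[str] = []
    _expect_route(findings, table_for_gateway(tables, igw_id), "internet gateway table",
                  app_cidr, vpce_id, "inbound traffic bypasses inspection")
    _expect_route(findings, table_for_subnet(tables, app_subnet_id), "application subnet table",
                  "0.0.0.0/0", vpce_id, "outbound traffic bypasses inspection")
    _expect_route(findings, table_for_subnet(tables, endpoint_subnet_id), "endpoint subnet table",
                  "0.0.0.0/0", igw_id, "inspected outbound traffic has no path to the internet")
    return findings


# --- constructed samples (placeholder IDs from the tutorial, not a real account) ---
IGW = "igw-01234567890abcdef"
VPCE = "vpce-01234567890abcdef"
APP_SUBNET, ENDPOINT_SUBNET = "subnet-app-PLACEHOLDER", "subnet-endpoint-PLACEHOLDER"
_LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}


def _table(rtb_id: str, extra_route: Dict, association: Dict) -> Dict:
    return {"RouteTableId": rtb_id, "Routes": [_LOCAL, dict(extra_route, State="active")],
            "Associations": [association]}


GOOD_TABLES = [
    _table("gateway-rtb", {"DestinationCidrBlock": "10.0.1.0/24", "GatewayId": VPCE}, {"GatewayId": IGW}),
    _table("application-rtb", {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": VPCE}, {"SubnetId": APP_SUBNET}),
    _table("endpoint-rtb", {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}, {"SubnetId": ENDPOINT_SUBNET}),
]
# Misconfiguration: the application subnet's default route points straight at the internet gateway.
BYPASS_TABLES = copy.deepcopy(GOOD_TABLES)
BYPASS_TABLES[1]["Routes"][1]["GatewayId"] = IGW


def audit(tables: List[Dict]) -> List[str]:
    return check_inspection_routing(tables, igw_id=IGW, vpce_id=VPCE, app_subnet_id=APP_SUBNET,
                                    app_cidr="10.0.1.0/24", endpoint_subnet_id=ENDPOINT_SUBNET)


if __name__ == "__main__":
    # With "-" as the only argument, read real describe-route-tables JSON from stdin.
    tables = json.load(sys.stdin)["RouteTables"] if sys.argv[1:] == ["-"] else BYPASS_TABLES
    for line in audit(tables) or ["OK: all traffic passes through the Gateway Load Balancer endpoint"]:
        print(line)
```

Run `audit` once per Availability Zone with that zone's subnet and endpoint IDs, matching the "repeat for each zone" step above; the check deliberately compares exact destination CIDRs, so a more specific route added later (for example a /32 to the internet gateway in the application table) would need an extra longest-prefix check that this example does not attempt.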

Gateway Load Balancers

Use a Gateway Load Balancer to deploy and manage a fleet of virtual appliances that support the GENEVE protocol.

A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model.

It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule, using the GENEVE protocol on port 6081.

You can add or remove targets from your load balancer as your needs change, without disrupting the overall flow of requests. Elastic Load Balancing scales your load balancer as traffic to your application changes over time. Elastic Load Balancing can scale to the vast majority of workloads automatically.

Contents

• Load balancer state (p. 12)

• Load balancer attributes (p. 12)

• Availability Zones (p. 13)

• Deletion protection (p. 13)

• Cross-zone load balancing (p. 13)

• Create a Gateway Load Balancer (p. 14)

• Tags for your Gateway Load Balancer (p. 16)

• Delete a Gateway Load Balancer (p. 17)

Load balancer state

A Gateway Load Balancer can be in one of the following states:

provisioning

The Gateway Load Balancer is being set up.

active

The Gateway Load Balancer is fully set up and ready to route traffic.

failed

The Gateway Load Balancer could not be set up.

Load balancer attributes

The following are the load balancer attributes for Gateway Load Balancers:

deletion_protection.enabled

Indicates whether deletion protection (p. 13) is enabled. The default is false.

load_balancing.cross_zone.enabled

Indicates whether cross-zone load balancing (p. 13) is enabled. The default is false.

Availability Zones

When you create a Gateway Load Balancer, you enable one or more Availability Zones, and specify the subnet that corresponds to each zone. When you enable multiple Availability Zones, it ensures that the load balancer can continue to route traffic even if an Availability Zone becomes unavailable. The subnets that you specify must each have at least 8 available IP addresses. Subnets cannot be added or removed after the load balancer is created. To add or remove a subnet, you must create a new load balancer.

Deletion protection

To prevent your Gateway Load Balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled.

If you enable deletion protection for your Gateway Load Balancer, you must disable it before you can delete the Gateway Load Balancer.

To enable deletion protection using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, select Enable for Delete Protection, and then choose Save.

To disable deletion protection using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, clear Enable for Delete Protection, and then choose Save.

To enable or disable deletion protection using the AWS CLI

Use the modify-load-balancer-attributes command with the deletion_protection.enabled attribute.

Cross-zone load balancing

By default, each load balancer node distributes traffic across the registered targets in its Availability Zone only. If you enable cross-zone load balancing, each Gateway Load Balancer node distributes traffic across the registered targets in all enabled Availability Zones. For more information, see Cross-zone load balancing in the Elastic Load Balancing User Guide.

To enable cross-zone load balancing using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Edit attributes.

5. On the Edit load balancer attributes page, select Enable for Cross-Zone Load Balancing, and then choose Save.

To enable cross-zone load balancing using the AWS CLI

Use the modify-load-balancer-attributes command with the load_balancing.cross_zone.enabled attribute.

Create a Gateway Load Balancer

A Gateway Load Balancer takes requests from clients and distributes them across targets in a target group, such as EC2 instances.

Before you begin, ensure that the virtual private cloud (VPC) for your Gateway Load Balancer has at least one subnet in each Availability Zone where you have targets.

To create a Gateway Load Balancer using the AWS CLI, see Getting started using the CLI (p. 7).

To create a Gateway Load Balancer using the AWS Management Console, complete the following tasks.

Tasks

• Step 1: Configure your target group and register targets (p. 14)

• Step 2: Configure the load balancer and listener (p. 15)

• Important next steps (p. 16)

Step 1: Configure your target group and register targets

You can register targets, such as EC2 instances, with a target group. The target group that you configure in this step is used as the target group in the IP listener routing section, when you configure your load balancer. For more information, see Target groups (p. 19).

To configure your target group

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under Load Balancing, choose Target Groups.

3. Choose Create target group.

4. Basic configuration

a. For Choose a target type, select Instances to specify targets by instance ID, or select IP addresses to specify targets by IP address.

b. For Target group name, enter a name for the target group.

c. Verify that Protocol is set to GENEVE, and the Port is set to 6081. No other values for Protocol and port are supported.

d. For VPC, select a virtual private cloud (VPC) with the instances that you want to include in your target group.

5. In the Health checks section (optional), modify the default settings as needed. For Advanced health check settings, choose the health check port, count, timeout, and interval, and then specify success codes. If health checks consecutively exceed the Unhealthy threshold count, the load balancer takes the target out of service. If health checks consecutively exceed the Healthy threshold count, the load balancer puts the target back in service. For more information, see Health checks for your target groups (p. 23).

6. For Tags (optional), add one or more tags as follows:

a. Expand the Tags section.

b. Choose Add tag.

c. Enter the tag Key and tag Value. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.

7. Choose Next.

8. In the Register targets page, add one or more targets as follows:

• If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.

• If the target type is IP addresses, select the network, enter the IP address and ports, and then choose Include as pending below.

9. Choose Create target group.

Step 2: Configure the load balancer and listener

Use the following procedure to create your Gateway Load Balancer. Provide basic configuration information for your load balancer, such as a name and IP address type (currently only IPv4 is supported). Then provide information about your network, and the IP listener that routes traffic to your target groups. Only target groups with the GENEVE protocol are available for use with the Gateway Load Balancer.

To create a Gateway Load Balancer

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under Load Balancing, choose Load Balancers.

3. Choose Create Load Balancer.

4. Under Gateway Load Balancer, choose Create.

5. Basic configuration

a. For Load balancer name, enter a name for your load balancer. For example, my-glb. The name of your Gateway Load Balancer must be unique within your set of load balancers for the Region. It can have a maximum of 32 characters, can contain only alphanumeric characters and hyphens, and must not begin or end with a hyphen.

b. For IP address type, you must choose IPv4, because your clients can only use IPv4 addresses to communicate with the load balancer.

6. Network mapping

a. For VPC, select the service provider VPC. Only VPCs with an internet gateway are available for selection.

b. For Mappings, select all of the Availability Zones in which you launched security appliance instances, and the corresponding public subnets.

7. IP listener routing

a. For Default action, select a target group to forward traffic to. If you don't have a default target group, create a target group first. Only target groups with the GENEVE protocol are available for use with the Gateway Load Balancer.

8. Tag and create

a. Add an optional tag to categorize your load balancer. Tag keys must be unique for each load balancer. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive. For more information, see Update tags (p. 16).

b. Review your configuration, and choose Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer.

Important next steps

After creating your load balancer, verify that your EC2 instances have passed the initial health check.

To test your load balancer, you must create a Gateway Load Balancer endpoint and update your route table to make the Gateway Load Balancer endpoint the next hop. These configurations are set within the Amazon VPC console. For more information, see Step 2: Create a Gateway Load Balancer endpoint (p. 5) and Step 3: Configure routing (p. 6) in the Getting started with Gateway Load Balancers (p. 2) section.
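The two steps above, plus the endpoint and route that the next steps call for, done with the AWS CLI instead of the console. This is an added example and not part of the guide: every VPC, subnet, instance and route table ID in it is a placeholder to replace, and it assumes the appliance instances already exist and are running in the service provider VPC.

```shell
#!/bin/sh
# Added example, not from the AWS guide: build the Gateway Load Balancer
# setup of Steps 1 and 2 and the endpoint/route from "Important next steps"
# with the AWS CLI. Every ID below is a placeholder. Run: sh glb-setup.sh apply
set -eu

# Placeholders (assumed values, replace with your own)
APPLIANCE_VPC_ID="vpc-0aaaaaaaaaaaaaaa1"                                 # service provider VPC
APPLIANCE_SUBNET_IDS="subnet-0aaaaaaaaaaaaaaa1 subnet-0aaaaaaaaaaaaaaa2"  # one per AZ with appliances
APPLIANCE_INSTANCE_IDS="i-0aaaaaaaaaaaaaaa1 i-0aaaaaaaaaaaaaaa2"           # running appliance instances
CONSUMER_VPC_ID="vpc-0bbbbbbbbbbbbbbb1"                                  # VPC whose traffic is inspected
CONSUMER_SUBNET_ID="subnet-0bbbbbbbbbbbbbbb1"                            # subnet that hosts the GWLB endpoint
CONSUMER_ROUTE_TABLE_ID="rtb-0bbbbbbbbbbbbbbb1"                          # route table to point at the endpoint
TG_NAME="my-glb-tg"
GLB_NAME="my-glb"

# Step 1: GENEVE on 6081 is the only protocol/port a GWLB target group takes.
# Health checks are configured separately; this uses TCP on 80 with the defaults.
create_geneve_target_group() {   # prints the target group ARN
    aws elbv2 create-target-group --name "$TG_NAME" \
        --protocol GENEVE --port 6081 --target-type instance \
        --vpc-id "$APPLIANCE_VPC_ID" \
        --health-check-protocol TCP --health-check-port 80 \
        --health-check-interval-seconds 10 --health-check-timeout-seconds 5 \
        --healthy-threshold-count 3 --unhealthy-threshold-count 3 \
        --query 'TargetGroups[0].TargetGroupArn' --output text
}

register_appliances() {   # $1 = target group ARN
    targets=""
    for id in $APPLIANCE_INSTANCE_IDS; do targets="$targets Id=$id"; done
    # shellcheck disable=SC2086  # splitting $targets into Id=... words is intended
    aws elbv2 register-targets --target-group-arn "$1" --targets $targets
}

# Step 2: a gateway listener has no protocol or port of its own; it forwards
# every IP packet to the default target group.
create_gateway_lb() {   # prints the load balancer ARN
    # shellcheck disable=SC2086
    aws elbv2 create-load-balancer --name "$GLB_NAME" --type gateway \
        --subnets $APPLIANCE_SUBNET_IDS \
        --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

create_forward_listener() {   # $1 = load balancer ARN, $2 = target group ARN
    aws elbv2 create-listener --load-balancer-arn "$1" \
        --default-actions "Type=forward,TargetGroupArn=$2" \
        --query 'Listeners[0].ListenerArn' --output text
}

# Next steps: expose the GWLB as an endpoint service, create the endpoint in the
# consumer VPC and make it the next hop. The 0.0.0.0/0 destination is only an
# illustration; which prefixes you steer through the appliances is your design.
create_endpoint_and_route() {   # $1 = load balancer ARN; prints the endpoint ID
    service=$(aws ec2 create-vpc-endpoint-service-configuration \
        --gateway-load-balancer-arns "$1" --no-acceptance-required \
        --query 'ServiceConfiguration.ServiceName' --output text)
    endpoint=$(aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer \
        --service-name "$service" --vpc-id "$CONSUMER_VPC_ID" \
        --subnet-ids "$CONSUMER_SUBNET_ID" \
        --query 'VpcEndpoint.VpcEndpointId' --output text)
    aws ec2 create-route --route-table-id "$CONSUMER_ROUTE_TABLE_ID" \
        --destination-cidr-block 0.0.0.0/0 --vpc-endpoint-id "$endpoint" >/dev/null
    echo "$endpoint"
}

# Do not send traffic before the initial health check has passed: a flow stays
# pinned to the target it was assigned, and with no healthy target the GWLB
# still picks one, so that traffic is dropped instead of rerouted.
wait_until_all_healthy() {   # $1 = target group ARN, $2 = attempts, 10 s apart
    attempts=${2:-30}
    while [ "$attempts" -gt 0 ]; do
        states=$(aws elbv2 describe-target-health --target-group-arn "$1" \
            --query 'TargetHealthDescriptions[].TargetHealth.State' --output text | tr '\t' ' ')
        case " $states " in
            *" initial "*|*" unhealthy "*|*" unused "*|*" draining "*|*" unavailable "*) ;;
            *) [ -n "$states" ] && return 0 ;;
        esac
        attempts=$((attempts - 1)); sleep 10
    done
    echo "targets in $1 did not all become healthy" >&2
    return 1
}

main() {
    tg=$(create_geneve_target_group)
    register_appliances "$tg"
    lb=$(create_gateway_lb)
    aws elbv2 wait load-balancer-available --load-balancer-arns "$lb"
    create_forward_listener "$lb" "$tg" >/dev/null
    wait_until_all_healthy "$tg"
    create_endpoint_and_route "$lb"
}

if [ "${1:-}" = "apply" ]; then main; fi
```

The script only acts when invoked with `apply`, so it can be sourced to reuse the functions. If the consumer VPC belongs to another account, that account has to be added to the endpoint service with modify-vpc-endpoint-service-permissions before create-vpc-endpoint succeeds.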

Tags for your Gateway Load Balancer

Tags help you to categorize your load balancers in different ways, for example, by purpose, owner, or environment.

You can add multiple tags to each load balancer. Tag keys must be unique for each Gateway Load Balancer. If you add a tag with a key that is already associated with the load balancer, it updates the value of that tag.

When you are finished with a tag, you can remove it from your Gateway Load Balancer.

Restrictions

• Maximum number of tags per resource—50

• Maximum key length—127 Unicode characters

• Maximum value length—255 Unicode characters

• Tag keys and values are case-sensitive. Allowed characters are letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. Do not use leading or trailing spaces.

• Do not use the aws: prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per resource limit.

To update the tags for a Gateway Load Balancer using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Tags, Add/Edit Tags, and then do one or more of the following:

a. To update a tag, edit the values of Key and Value.

b. To add a new tag, choose Create Tag. For Key and Value, enter values.

c. To delete a tag, choose the delete icon (X) next to the tag.

5. When you have finished updating tags, choose Save.

To update the tags for a Gateway Load Balancer using the AWS CLI

Use the add-tags and remove-tags commands.

Delete a Gateway Load Balancer

As soon as your Gateway Load Balancer becomes available, you are billed for each hour or partial hour that you keep it running. When you no longer need the Gateway Load Balancer, you can delete it. As soon as the Gateway Load Balancer is deleted, you stop incurring charges for it.

You can't delete a Gateway Load Balancer if it is in use by another service. For example, if the Gateway Load Balancer is associated with a VPC endpoint service, you must delete the endpoint service configuration before you can delete the associated Gateway Load Balancer.

Deleting a Gateway Load Balancer also deletes its listeners. Deleting a Gateway Load Balancer does not affect its registered targets. For example, your EC2 instances continue to run and are still registered to their target groups. To delete your target groups, see Delete a target group (p. 30).

To delete a Gateway Load Balancer using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the Gateway Load Balancer.

4. Choose Actions, Delete.

5. When prompted for confirmation, choose Yes, Delete.

To delete a Gateway Load Balancer using the AWS CLI

Use the delete-load-balancer command.

Listeners for your Gateway Load Balancers

When you create your Gateway Load Balancer, you add a listener. A listener is a process that checks for connection requests.

Listeners for Gateway Load Balancers listen for all IP packets across all ports. You cannot specify a protocol or port when you create a listener for a Gateway Load Balancer. You cannot delete the listener for a Gateway Load Balancer.

When you create a listener, you specify a rule for routing requests. This rule forwards requests to the specified target group. You can update the listener rule to forward requests to a different target group.

To update your listener using the console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the load balancer and choose Listeners.

4. Choose Edit listener.

5. For Forwarding to target group, choose a target group.

6. Choose Save.

To update your listener using the AWS CLI

Use the modify-listener command.

Target groups for your Gateway Load Balancers

Each target group is used to route requests to one or more registered targets. When you create a listener, you specify a target group for its default action. Traffic is forwarded to the target group that's specified in the listener rule. You can create different target groups for different types of requests.

You define health check settings for your Gateway Load Balancer on a per target group basis. Each target group uses the default health check settings, unless you override them when you create the target group or modify them later on. After you specify a target group in a rule for a listener, the Gateway Load Balancer continually monitors the health of all targets registered with the target group that are in an Availability Zone enabled for the Gateway Load Balancer. The Gateway Load Balancer routes requests to the registered targets that are healthy. For more information, see Health checks for your target groups (p. 23).

Contents

• Routing configuration (p. 19)

• Target type (p. 19)

• Registered targets (p. 20)

• Target group attributes (p. 20)

• Deregistration delay (p. 20)

• Create a target group for your Gateway Load Balancer (p. 21)

• Health checks for your target groups (p. 23)

• Register targets with your target group (p. 27)

• Tags for your target group (p. 29)

• Delete a target group (p. 30)

Routing configuration

Target groups for Gateway Load Balancers support the following protocol and port:

Protocol: GENEVE

Port: 6081

Target type

When you create a target group, you specify its target type, which determines how you specify its targets. After you create a target group, you cannot change its target type.

The following are the possible target types:

instance

The targets are specified by instance ID.

ip

The targets are specified by IP address.

When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:

• The subnets of the VPC for the target group

• 10.0.0.0/8 (RFC 1918)

• 100.64.0.0/10 (RFC 6598)

• 172.16.0.0/12 (RFC 1918)

• 192.168.0.0/16 (RFC 1918)

Important

You can't specify publicly routable IP addresses.

Registered targets

Your Gateway Load Balancer serves as a single point of contact for clients, and distributes incoming traffic across its healthy registered targets. Each target group must have at least one registered target in each Availability Zone that is enabled for the Gateway Load Balancer. You can register each target with one or more target groups.

If demand increases, you can register additional targets with one or more target groups in order to handle the demand. The Gateway Load Balancer starts routing traffic to a newly registered target as soon as the registration process completes.

If demand decreases, or you need to service your targets, you can deregister targets from your target groups. Deregistering a target removes it from your target group, but does not affect the target otherwise. The Gateway Load Balancer stops routing traffic to a target as soon as it is deregistered. The target enters the draining state until in-flight requests have completed. You can register the target with the target group again when you are ready for it to resume receiving traffic.

Target group attributes

The following are the target group attributes:

deregistration_delay.timeout_seconds

The amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.

Deregistration delay

When you deregister a target, the Gateway Load Balancer manages flows to that target in the following manner:

New flows:

The Gateway Load Balancer stops sending new flows to a deregistered target.

Existing flows:

The Gateway Load Balancer handles existing flows based on protocol.

TCP protocols: Existing flows for TCP protocols are closed if idle for more than 350 seconds.

Non-TCP protocols: Existing flows for all non-TCP protocols are closed if idle for more than 120 seconds.

To help drain existing flows, we recommend that you stop sending all traffic to the load balancer. This allows the idle timeout created by deregistration to take effect. A deregistered target shows that it is draining until the timeout expires. After the deregistration delay timeout expires, the target transitions to an unused state.

New console

To update the deregistration delay value using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. On the Group details page, in the Attributes section, choose Edit.

5. On the Edit attributes page, change the value of Deregistration delay as needed.

6. Choose Save changes.

Old console

To update the deregistration delay value using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group.

4. Choose Description, Edit attributes.

5. Change the value of Deregistration delay as needed, and then choose Save.

To update the deregistration delay value using the AWS CLI

Use the modify-target-group-attributes command.

Create a target group for your Gateway Load Balancer

You register targets for your Gateway Load Balancer using a target group.

To route traffic to the targets in a target group, create a listener and specify the target group in the default action for the listener. For more information, see Listeners (p. 18).

You can add or remove targets from your target group at any time. For more information, see Register targets (p. 27). You can also modify the health check settings for your target group. For more information, see Modify health check settings (p. 26).

New console

To create a target group using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose Create target group.

4. For Choose a target type, select Instances to register targets by instance ID or IP addresses to register targets by IP address.

5. For Target group name, enter a name for the target group. This name must be unique per Region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.

6. For Protocol, use GENEVE. With the GENEVE protocol, Port must be 6081.

7. For VPC, select a virtual private cloud (VPC).

8. In the Health checks section (optional), modify the default settings as needed.

9. Expand the Tags section (optional) and add one or more tags. To add a tag, choose Add tag and enter the tag key and tag value.

10. Choose Next.

11. Add one or more targets as follows:

• If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.

• If the target type is IP addresses, select the network, enter the IP address and ports, and then choose Include as pending below.

12. Choose Create target group.

Old console

To create a target group using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose Create target group.

4. For Target group name, enter a name for the target group. This name must be unique per Region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.

5. For Protocol, use GENEVE. With the GENEVE protocol, Port must be 6081.

6. For Target type, select instance to specify targets by instance ID or ip to specify targets by IP address.

7. For VPC, select a virtual private cloud (VPC).

8. (Optional) For Health check settings and Advanced health check settings, modify the default settings as needed. Choose Create.

9. (Optional) Add one or more tags as follows:

a. Select the newly created target group.

b. Choose Tags, Add/Edit Tags.

c. On the Add/Edit Tags page, for each tag that you add, choose Create Tag and then specify the tag key and tag value. When you have finished adding tags, choose Save.

10. (Optional) To add targets to the target group, see Register targets with your target group (p. 27).

To create a target group using the AWS CLI

Use the create-target-group command to create the target group, the add-tags command to tag your target group, and the register-targets command to add targets.

Health checks for your target groups

You register your targets with one or more target groups. Your Gateway Load Balancer starts routing requests to a newly registered target as soon as the registration process completes. It can take a few minutes for the registration process to complete and for health checks to start.

The Gateway Load Balancer periodically sends a request to each registered target to check its status.

After each health check is complete, the Gateway Load Balancer closes the connection that was established for the health check.

Health check settings

You configure active health checks for the targets in a target group by using the following settings. If the health checks exceed the specified number of UnhealthyThresholdCount consecutive failures, the Gateway Load Balancer takes the target out of service. When the health checks exceed the specified number of HealthyThresholdCount consecutive successes, the Gateway Load Balancer puts the target back in service.

HealthCheckProtocol

The protocol that the load balancer uses when performing health checks on targets. The possible protocols are HTTP, HTTPS, and TCP. The default is TCP.

HealthCheckPort

The port that the Gateway Load Balancer uses when performing health checks on targets. The range is 1 to 65535. The default is 80.

HealthCheckPath

[HTTP/HTTPS health checks] The ping path that is the destination on the targets for health checks. The default is /.

HealthCheckTimeoutSeconds

The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2 to 120. The default is 5.

HealthCheckIntervalSeconds

The approximate amount of time, in seconds, between health checks of an individual target. The range is 5 to 300. The default is 10 seconds. This value must be greater than or equal to HealthCheckTimeoutSeconds.

HealthyThresholdCount

The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2 to 10. The default is 3.

UnhealthyThresholdCount

The number of consecutive failed health checks required before considering a target unhealthy. The range is 2 to 10. The default is 3.

Matcher

[HTTP/HTTPS health checks] The HTTP codes to use when checking for a successful response from a target. This value must be 200-399.

Important

Health checks for Gateway Load Balancers are distributed and use a consensus mechanism to determine target health. Therefore, you should expect target appliances to receive several health checks within the configured time interval.

Target health status

Before the Gateway Load Balancer sends a health check request to a target, you must register it with a target group, specify its target group in a listener rule, and ensure that the Availability Zone of the target is enabled for the Gateway Load Balancer.

The following are the possible values for the health status of a registered target.

initial

The Gateway Load Balancer is in the process of registering the target or performing the initial health checks on the target. Related reason codes: Elb.RegistrationInProgress | Elb.InitialHealthChecking

healthy

The target is healthy. Related reason codes: None

unhealthy

The target did not respond to a health check or failed the health check. Related reason code: Target.FailedHealthChecks

unused

The target is not registered with a target group, the target group is not used in a listener rule, the target is in an Availability Zone that is not enabled, or the target is in the stopped or terminated state. Related reason codes: Target.NotRegistered | Target.NotInUse | Target.InvalidState | Target.IpUnusable

draining

The target is deregistering and connection draining is in process. Related reason code: Target.DeregistrationInProgress

unavailable

Target health is unavailable. Related reason code: Elb.InternalError

Health check reason codes

If the status of a target is any value other than Healthy, the API returns a reason code and a description of the issue, and the console displays the same description. Reason codes that begin with Elb originate on the Gateway Load Balancer side and reason codes that begin with Target originate on the target side.

Elb.InitialHealthChecking

Initial health checks in progress

Elb.InternalError

Health checks failed due to an internal error

Elb.RegistrationInProgress

Target registration is in progress

Target.DeregistrationInProgress

Target deregistration is in progress

Target.FailedHealthChecks

Health checks failed

Target.InvalidState

One of: Target is in the stopped state; Target is in the terminated state; Target is in the terminated or stopped state; Target is in an invalid state

Target.IpUnusable

The IP address cannot be used as a target, as it is in use by a load balancer

Target.NotInUse

One of: Target group is not configured to receive traffic from the Gateway Load Balancer; Target is in an Availability Zone that is not enabled for the Gateway Load Balancer

Target.NotRegistered

Target is not registered to the target group

Gateway Load Balancer target failure scenarios

Existing flows: Existing flows always go to the same target unless the flows time out or are reset, regardless of the health status of the target. This approach facilitates connection draining, and accommodates third-party firewalls that are sometimes unable to respond to health checks due to high CPU usage.

New flows: New flows are sent to a healthy target. When a load balancing decision for a flow has been made, the Gateway Load Balancer will send the flow to the same target even if that target becomes unhealthy, or other targets become healthy.

When all targets are unhealthy, the Gateway Load Balancer picks a target at random and forwards traffic to it for the life of the flow, until it is either reset or has timed out. Because traffic is being forwarded to an unhealthy target, traffic is dropped until that target becomes healthy again.

Cross-zone load balancing: By default, load balancing across Availability Zones is disabled. If load balancing across zones is enabled, each load balancer node is able to see all targets in all Availability Zones, and they are all treated the same, regardless of their zone.

Load balancing and health check decisions are always independent among zones. Even when load balancing across zones is enabled, the behavior for existing flows and new flows is the same as described above. For more information, see Cross-zone load balancing in the Elastic Load Balancing User Guide.

Check the health of your targets

You can check the health status of the targets registered with your target groups.

New console

To check the health of your targets using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. On the Targets tab, the Status column indicates the status of each target.

5. If the target status is any value other than Healthy, the Status details column contains more information.

Old console

To check the health of your targets using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group.

4. Choose Targets, and view the status of each target in the Status column. If the status is any value other than Healthy, the console displays more information.

To check the health of your targets using the AWS CLI

Use the describe-target-health command. The output of this command contains the target health state. It includes a reason code if the status is any value other than Healthy.
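A health audit built on describe-target-health, as an added example that is not part of the guide. It turns the reason codes listed above into the operator action each one calls for, and exits non-zero in the two cases the failure scenarios section describes: an unhealthy target that still holds the flows pinned to it, and a target group with no healthy target, where the Gateway Load Balancer keeps picking a target and that traffic is dropped. The target group ARN is a placeholder.

```shell
#!/bin/sh
# Added example, not from the AWS guide: audit a GWLB target group with
# describe-target-health, explain each reason code, and exit 1 when some
# targets are unhealthy or 2 when none is (the blackhole case).
set -eu

# One "id<TAB>state<TAB>reason" line per target. The text output prints
# "None" for the Reason field when a target is healthy.
target_health_rows() {   # $1 = target group ARN
    aws elbv2 describe-target-health --target-group-arn "$1" \
        --query 'TargetHealthDescriptions[].[Target.Id,TargetHealth.State,TargetHealth.Reason]' \
        --output text
}

# Reason code (from the guide's table) -> what the operator should do.
explain_reason() {   # $1 = reason code
    case "$1" in
        Elb.RegistrationInProgress|Elb.InitialHealthChecking)
            echo "wait: registration or initial checks, can take a few minutes" ;;
        Elb.InternalError)
            echo "GWLB-side error: retry, then open a support case" ;;
        Target.FailedHealthChecks)
            echo "no answer on the health check port/path: check SG, NACL and the appliance service" ;;
        Target.NotRegistered)
            echo "register the target with the target group" ;;
        Target.NotInUse)
            echo "target group not in the listener default action, or target AZ not enabled on the GWLB" ;;
        Target.InvalidState)
            echo "instance stopped or terminated: start or replace it" ;;
        Target.IpUnusable)
            echo "IP is held by a load balancer; register a different address" ;;
        Target.DeregistrationInProgress)
            echo "draining after deregistration; no action" ;;
        None)
            echo "healthy" ;;
        *)
            echo "unknown reason code" ;;
    esac
}

# Returns 0 if every target is healthy, 1 if some are not, 2 if none is.
# Both non-zero cases matter because the GWLB does not reroute around them:
# existing flows stay on an unhealthy target, and with no healthy target it
# still picks one per new flow, so that traffic is dropped.
audit_target_group() {   # $1 = target group ARN
    rows=$(target_health_rows "$1")
    if [ -z "$rows" ]; then
        echo "no targets registered in $1" >&2
        return 1
    fi
    printf '%s\n' "$rows" | while IFS="$(printf '\t')" read -r id state reason; do
        printf '%-22s %-11s %-32s %s\n' "$id" "$state" "$reason" "$(explain_reason "$reason")"
    done
    total=$(printf '%s\n' "$rows" | awk 'END { print NR }')
    healthy=$(printf '%s\n' "$rows" | awk -F'\t' '$2 == "healthy" { n++ } END { print n + 0 }')
    if [ "$healthy" -eq 0 ]; then
        echo "WARNING: no healthy target; the GWLB still forwards each flow to one of them and that traffic is dropped" >&2
        return 2
    fi
    if [ "$healthy" -lt "$total" ]; then
        echo "WARNING: $((total - healthy)) of $total targets not healthy; flows already pinned to them stay there" >&2
        return 1
    fi
    return 0
}

# Placeholder ARN; pass your own as the first argument.
if [ $# -gt 0 ]; then
    audit_target_group "$1"
fi
```

Run it from cron or a CloudWatch-triggered job and alert on exit status 2 first: that is the state in which the load balancer forwards traffic into targets that cannot inspect it.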

To receive email notifications about unhealthy targets

Use CloudWatch alarms to trigger a Lambda function to send details about unhealthy targets. For step-by-step instructions, see the following blog post: Identifying unhealthy targets of your load balancer.

Modify health check settings

You can modify some of the health check settings for your target group.

New console

To modify health check settings for a target group using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. On the Group details tab, in the Health check settings section, choose Edit.

5. On the Edit health check settings page, modify the settings as needed, and then choose Save changes.

Old console

To modify health check settings for a target group using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group.

4. Choose Health checks, Edit.

5. On the Edit target group page, modify the settings as needed, and then choose Save.

To modify health check settings for a target group using the AWS CLI

Use the modify-target-group command.

Register targets with your target group

When your target is ready to handle requests, you register it with one or more target groups. You can register targets by instance ID or by IP address. The Gateway Load Balancer starts routing requests to the target as soon as the registration process completes and the target passes the initial health checks.

It can take a few minutes for the registration process to complete and health checks to start. For more information, see Health checks for your target groups (p. 23).

If demand on your currently registered targets increases, you can register additional targets in order to handle the demand. If demand on your registered targets decreases, you can deregister targets from your target group. It can take a few minutes for the deregistration process to complete and for the Gateway Load Balancer to stop routing requests to the target. If demand increases subsequently, you can register targets that you deregistered with the target group again. If you need to service a target, you can deregister it and then register it again when servicing is complete.

When you deregister a target, Elastic Load Balancing waits until in-flight requests have completed. This is known as connection draining. The status of a target is draining while connection draining is in progress. After deregistration is complete, the status of the target changes to unused. For more information, see Deregistration delay (p. 20).

Target security groups

When you register EC2 instances as targets, you must ensure that the security groups for these instances allow inbound and outbound traffic on UDP port 6081 (GENEVE), and inbound traffic from the load balancer on the health check port.

Gateway Load Balancers do not have associated security groups, so a security group rule cannot reference the load balancer by security group ID. Therefore, the security groups for your targets must use IP addresses or CIDR blocks to allow traffic from the load balancer.

Network ACLs

When you register EC2 instances as targets, you must ensure that the network access control lists (ACL) for the subnets for your instances allow traffic on UDP port 6081 and on the health check port. The default network ACL for a VPC allows all inbound and outbound traffic. If you create custom network ACLs, verify that they allow the appropriate traffic. Network ACLs are stateless, so the rules must also cover the return traffic: GENEVE packets leaving on UDP port 6081 and health check responses to the load balancer's ephemeral ports.
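Since the load balancer has no security group to reference, the rules have to name its addresses. The following added example (not from the guide) looks up the CIDR blocks of the subnets the Gateway Load Balancer is mapped to, which is where its network interfaces take their addresses, and authorizes UDP 6081 and the health check port from each of them. The security group ID, load balancer ARN and health check port are assumptions.

```shell
#!/bin/sh
# Added example, not from the AWS guide: open a target security group to a
# Gateway Load Balancer. The GWLB has no security group of its own, so rules
# are keyed on the CIDRs of the subnets it is mapped to (its ENIs live there).
set -eu

HEALTH_CHECK_PORT=80   # assumption: must match the target group's HealthCheckPort

# CIDR blocks of the subnets enabled on the load balancer, one per line.
gwlb_subnet_cidrs() {   # $1 = load balancer ARN
    subnets=$(aws elbv2 describe-load-balancers --load-balancer-arns "$1" \
        --query 'LoadBalancers[0].AvailabilityZones[].SubnetId' --output text)
    # shellcheck disable=SC2086  # splitting $subnets into IDs is intended
    aws ec2 describe-subnets --subnet-ids $subnets \
        --query 'Subnets[].CidrBlock' --output text | tr '\t' '\n'
}

# Shorthand --ip-permissions entries. GENEVE is UDP 6081; health checks use
# the target group's HealthCheckProtocol/HealthCheckPort (TCP here).
udp_geneve_permission() {   # $1 = CIDR
    printf 'IpProtocol=udp,FromPort=6081,ToPort=6081,IpRanges=[{CidrIp=%s,Description=GWLB-GENEVE}]' "$1"
}

health_check_permission() {   # $1 = CIDR, $2 = health check port
    printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,IpRanges=[{CidrIp=%s,Description=GWLB-healthcheck}]' "$2" "$2" "$1"
}

# Ingress from every GWLB subnet; egress for the encapsulated packets going
# back to the load balancer (redundant with the default allow-all egress rule,
# needed once egress has been locked down).
authorize_from_gwlb() {   # $1 = security group ID, $2 = load balancer ARN
    for cidr in $(gwlb_subnet_cidrs "$2"); do
        aws ec2 authorize-security-group-ingress --group-id "$1" \
            --ip-permissions "$(udp_geneve_permission "$cidr")" \
                             "$(health_check_permission "$cidr" "$HEALTH_CHECK_PORT")"
        aws ec2 authorize-security-group-egress --group-id "$1" \
            --ip-permissions "$(udp_geneve_permission "$cidr")"
    done
}

# Placeholders; pass your own as: sh glb-sg.sh sg-... arn:aws:elasticloadbalancing:...
if [ $# -eq 2 ]; then
    authorize_from_gwlb "$1" "$2"
fi
```

A rule that is already present makes authorize-security-group-ingress fail with InvalidPermission.Duplicate, so on a second run inspect the existing rules with describe-security-group-rules before calling it, or accept that error. Subnet CIDRs are broader than the load balancer's actual interface addresses; if you need /32 rules, resolve the GWLB's network interfaces with describe-network-interfaces instead.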

Register or deregister targets

Each target group must have at least one registered target in each Availability Zone that is enabled for the Gateway Load Balancer.

The target type of your target group determines how you register targets with that target group. For more information, see Target type (p. 19).

Requirements

• You cannot register instances by instance ID if they are in a VPC that is peered with the load balancer VPC (same Region or different Region). You can register these instances by IP address.

Contents

• Register or deregister targets by instance ID (p. 28)

• Register or deregister targets by IP address (p. 29)

• Register or deregister targets using the AWS CLI (p. 29)

Register or deregister targets by instance ID

An instance must be in the running state when you register it.

New console

To register or deregister targets by instance ID using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. Choose the Targets tab.

5. To register instances, choose Register targets. Select one or more instances, and then choose Include as pending below. When you are finished adding instances, choose Register pending targets.

6. To deregister instances, select the instance and then choose Deregister.

Old console

To register or deregister targets by instance ID using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group.

4. Choose Targets, Edit.

5. (Optional) For Registered instances, select any instances to be deregistered and choose Remove.

6. (Optional) For Instances, select any running instances to be registered and then choose Add to registered.

7. Choose Save.

Register or deregister targets by IP address

An IP address that you register must be from one of the following CIDR blocks:

• The subnets of the VPC for the target group

• 10.0.0.0/8 (RFC 1918)

• 100.64.0.0/10 (RFC 6598)

• 172.16.0.0/12 (RFC 1918)

• 192.168.0.0/16 (RFC 1918)

New console

To register or deregister targets by IP address using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. Choose the Targets tab.

5. To register IP addresses, choose Register targets. For each IP address, select the network, Availability Zone, IP address, and port, and then choose Include as pending below. When you are finished specifying addresses, choose Register pending targets.

6. To deregister IP addresses, select the IP addresses and then choose Deregister. If you have many registered IP addresses, you might find it helpful to add a filter or change the sort order.

Old console

To register or deregister targets by IP address using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group and choose Targets, Edit.

4. To register IP addresses, choose the Register targets icon (the plus sign) in the menu bar. For each IP address, specify the network, Availability Zone, IP address, and port, and then choose Add to list. When you are finished specifying addresses, choose Register.

5. To deregister IP addresses, choose the Deregister targets icon (the minus sign) in the menu bar.

If you have many registered IP addresses, you might find it helpful to add a filter or change the sort order. Select the IP addresses and choose Deregister.

6. To leave this screen, choose the Back to target group icon (the back button) in the menu bar.

Register or deregister targets using the AWS CLI

Use the register-targets command to add targets and the deregister-targets command to remove targets.

Tags for your target group

Tags help you to categorize your target groups in different ways, for example, by purpose, owner, or environment.

You can add multiple tags to each target group. Tag keys must be unique for each target group. If you add a tag with a key that is already associated with the target group, it updates the value of that tag.


When you are finished with a tag, you can remove it.

Restrictions

• Maximum number of tags per resource—50

• Maximum key length—127 Unicode characters

• Maximum value length—255 Unicode characters

• Tag keys and values are case sensitive. Allowed characters are letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. Do not use leading or trailing spaces.

• Do not use the aws: prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
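As an added example that is not part of the AWS documentation, the validator below applies the restrictions listed above (tag count, key and value length, allowed characters, no leading or trailing spaces, no aws: prefix) and returns the Key/Value list shape that the tagging API expects. The function names are hypothetical.

```python
import re

MAX_TAGS_PER_RESOURCE = 50
MAX_KEY_LEN = 127
MAX_VALUE_LEN = 255
# Letters, numbers and underscore (\w is Unicode-aware), spaces, and + - = . _ : / @
ALLOWED_CHARS = re.compile(r"^[\w +\-=.:/@]*$")


def check_tag(key, value):
    """Return a list of rule violations for one tag; empty when the tag is acceptable."""
    problems = []
    if not key:
        problems.append("key is empty")
    if len(key) > MAX_KEY_LEN:
        problems.append(f"key longer than {MAX_KEY_LEN} characters")
    if len(value) > MAX_VALUE_LEN:
        problems.append(f"value longer than {MAX_VALUE_LEN} characters")
    for name, text in (("key", key), ("value", value)):
        if text != text.strip(" "):
            problems.append(f"{name} has leading or trailing spaces")
        if not ALLOWED_CHARS.match(text):
            problems.append(f"{name} contains characters outside the allowed set")
        if text.startswith("aws:"):
            problems.append(f"{name} uses the reserved aws: prefix")
    return problems


def validate_tags(tags):
    """Validate a dict of key -> value and return it as a list of {"Key", "Value"} entries.

    Keys are case sensitive, so "Env" and "env" are two distinct tags. Raises ValueError
    listing every violation found.
    """
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        raise ValueError(f"{len(tags)} tags exceeds the limit of {MAX_TAGS_PER_RESOURCE}")
    errors = {k: check_tag(k, v) for k, v in tags.items() if check_tag(k, v)}
    if errors:
        raise ValueError(f"invalid tags: {errors}")
    return [{"Key": k, "Value": v} for k, v in tags.items()]


if __name__ == "__main__":
    # Constructed sample tags, not taken from any real resource.
    print(validate_tags({"Environment": "prod", "Owner": "sec-team", "Env": "staging"}))
```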

New console

To update the tags for a target group using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Choose the name of the target group to open its details page.

4. On the Tags tab, choose Manage tags and do one or more of the following:

a. To update a tag, enter new values for Key and Value.

b. To add a tag, choose Add tag and enter values for Key and Value.

c. To delete a tag, choose Remove next to the tag.

5. When you have finished updating tags, choose Save changes.

Old console

To update the tags for a target group using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group.

4. On the Tags tab, choose Add/Edit Tags, and then do one or more of the following:

a. To update a tag, edit the values of Key and Value.

b. To add a new tag, choose Create Tag and then enter values for Key and Value.

c. To delete a tag, choose the delete icon (X) next to the tag.

5. When you have finished updating tags, choose Save.

To update the tags for a target group using the AWS CLI

Use the add-tags and remove-tags commands.

Delete a target group

You can delete a target group if it is not referenced by the forward actions of any listener rules. Deleting a target group does not affect the targets registered with the target group. If you no longer need a registered EC2 instance, you can stop or terminate it.


New console

To delete a target group using the new console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group and choose Actions, Delete.

4. When prompted for confirmation, choose Yes, delete.

Old console

To delete a target group using the old console

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

3. Select the target group and choose Actions, Delete.

4. When prompted for confirmation, choose Yes.

To delete a target group using the AWS CLI

Use the delete-target-group command.
