
Leonard Hermawan for AWS Community Builders


Setup and Configuring AWS Gateway Load Balancer

A Gateway Load Balancer works at Layer 3 of the OSI model. Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across the VPCs we have. In this example we have two VPCs: a Security VPC and an HQ VPC.

This is the network topology diagram for this lab.

AWS gateway Load Balancer topology diagram

I used two IP subnets for the HQ VPC: one subnet for our web servers, and one subnet for the GWLB endpoint in the HQ VPC.

The first step is to choose a third-party security appliance and do its initial configuration.
We can use a CloudFormation template to help us with the initial configuration for the Gateway Load Balancer. We must fill in the important parameters ourselves: which VPC our Gateway Load Balancer will reside in, which subnets to use, whether to install the security management server directly, and the security group, which must permit UDP port 6081 (GENEVE) to allow traffic from the GWLB.

AWS cloudformation checkpoint stack (1)

I configured my Gateway Load Balancer in my Security-VPC with two availability zones (refer to my topology diagram).

AWS cloudformation checkpoint stack (2)

I set 'connection acceptance required' to 'false'.

Setting EC2 and auto scaling for Gateway Load Balancer

I am using a Check Point AMI on a c5.xlarge EC2 instance (this is the recommended EC2 type). (I will add another post on how to choose a security gateway from the AWS Marketplace.) For this lab I created two Security Gateway instances from the Check Point AMI.

Security Gateway EC2

After our security gateway instances are up, we must create a target group.

Setting Target Group

After that we must create a Gateway Load Balancer endpoint located in our HQ VPC.

Before creating the endpoint, we must create the endpoint service first and choose the Gateway Load Balancer we created earlier.

Configuring Endpoint Services

After that we can create the endpoint. We must copy our endpoint service name from the previous step, and select the subnets in which our endpoint will be located.

Create Endpoint

VPC endpoint successfully created

The last step is to configure our route tables: an outgoing route table to redirect outgoing traffic from our web servers to our endpoint, and an ingress route table to redirect incoming traffic from the internet destined for our web servers. All traffic will be checked by our security gateway in the Security VPC.

All outgoing traffic goes to our security gateway first via the endpoint.

Outgoing Route Table

The ingress route table redirects incoming traffic from the internet that is going to our web servers through the endpoint.

Ingress Route Table

We can add one more route table for outgoing traffic to the internet from our HQ-VPC.
We can also check our endpoint metrics in AWS CloudWatch (configured in the CloudFormation stack). Thank you for your time reading this!

AWS CloudWatch Metric
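As an added example (not from the original post or the vendor template), here is the endpoint-service, endpoint and route-table part of this lab written as a CloudFormation fragment; the parameter names and the web subnet CIDR default are placeholders you fill in from your own account, and the GWLB and both VPCs are assumed to exist already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  GwlbArn:           { Type: String }                 # ARN of the GWLB in Security-VPC
  HqVpcId:           { Type: AWS::EC2::VPC::Id }
  HqEndpointSubnet:  { Type: AWS::EC2::Subnet::Id }   # GWLB endpoint subnet in HQ-VPC
  HqWebSubnet:       { Type: AWS::EC2::Subnet::Id }   # web server subnet in HQ-VPC
  HqWebSubnetCidr:   { Type: String, Default: 10.1.1.0/24 }  # placeholder CIDR
  HqInternetGateway: { Type: String }                 # igw-... of HQ-VPC
Resources:
  # Endpoint service in front of the GWLB; acceptance disabled as in the post
  GwlbEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      GatewayLoadBalancerArns: [!Ref GwlbArn]
      AcceptanceRequired: false
  # GWLB endpoint placed in the dedicated endpoint subnet of HQ-VPC;
  # the service name is built from the service ID that Ref returns
  GwlbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: GatewayLoadBalancer
      ServiceName: !Sub "com.amazonaws.vpce.${AWS::Region}.${GwlbEndpointService}"
      VpcId: !Ref HqVpcId
      SubnetIds: [!Ref HqEndpointSubnet]
  # Outgoing: web subnet default route -> endpoint, so egress is inspected
  WebRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref HqVpcId }
  WebDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref WebRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Ref GwlbEndpoint
  WebRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { RouteTableId: !Ref WebRouteTable, SubnetId: !Ref HqWebSubnet }
  # Ingress: route table attached to the internet gateway sends traffic
  # for the web subnet to the endpoint, so inbound packets are inspected too
  IngressRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref HqVpcId }
  IngressToWebRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref IngressRouteTable
      DestinationCidrBlock: !Ref HqWebSubnetCidr
      VpcEndpointId: !Ref GwlbEndpoint
  IngressAssoc:
    Type: AWS::EC2::GatewayRouteTableAssociation
    Properties: { GatewayId: !Ref HqInternetGateway, RouteTableId: !Ref IngressRouteTable }
```

The endpoint subnet itself still needs its own route table with a 0.0.0.0/0 route to the internet gateway (the extra route table mentioned above) so that inspected traffic can leave HQ-VPC.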

My references for this lab:

  1. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk174447 - AWS CloudFormation example template for Gateway Load Balancer (all the parameters can be customised freely)
  2. https://www.youtube.com/watch?v=f4DduW2M5WI - AWS official short video about Gateway Load Balancer
