Large enterprises have an established network structure and firewalls, intrusion detection and prevention systems, and deep packet inspection systems. They use tools from various vendors they trust. These tools were great for the customers but on-prem architecture forces us to overprovision and the whole design process is different.
Now with the cloud migration in place many of these awesome vendors are AWS partners and we find in AWS marketplace highly sophisticated, virtualized versions of these software. These partners have tremendous value, decades worth of experience and deep domain expertise. In cloud we have the facility of elasticity, pay as you go and resiliency.
A Gateway Load Balancer acts as an entry point here.
Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.
It combines a transparent network gateway (that is, a single entry and exit point for all traffic) and distributes traffic while scaling your virtual appliances with the demand.
Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across VPC boundaries.
A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC.
You deploy the Gateway Load Balancer in the same VPC as the virtual appliances. You register the virtual appliances with a target group for the Gateway Load Balancer.
So we can put the security applications in a separate VPC and offer it as a SAAS to other accounts too!!!
Gateway Load Balancer is a transparent layer 3 load balancer and doesn’t produce access logs. Access logging can be done on Gateway Load Balancer target appliances such as firewalls, IDS/IPS, and authentication appliances must be enabled in order to collect access logs.
Cloudwatch,VPC flowlogs and Cloudtrail :)
Some key points to remember in Gateway Load Balancer
- Enables you to intercept traffic and route it to a service that you’ve configured using Gateway Load Balancers.
- Security groups and endpoint policies are not supported
- Endpoints support IPv4 traffic only.
Traffic coming to your applications from the Internet (blue arrows):
Traffic enters the service application VPC through the internet gateway.
Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.
Traffic is sent to the application servers (destination subnet).
Traffic from the application to the internet (orange arrows):
Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.
Traffic is sent to the internet gateway based on the route table configuration.
Traffic is routed back to the internet.
Happy Learning Guys!!!!
By Sabiha Ali, Solutions Architect, ScaleCapacity
Oldest comments (0)