AWS Gateway Load Balancer is a new fully managed network gateway and load balancer. The service is tailored to deploying, scaling and managing third-party virtual appliances in the cloud, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.
The Gateway Load Balancer works with VPC Ingress Routing, a service AWS introduced last year that allows customers to route incoming and outgoing network traffic between an internet gateway or virtual private gateway and the Elastic Network Interface of an EC2 instance. Recently announcing the general availability of the new service, Channy Yun, principal technical evangelist at AWS, explains the benefits of the Gateway Load Balancer:
You can make a Customer VPC where the customer workloads will sit, which will be the VPC where the GWLB Endpoint is deployed. AWS Partner’s appliances will be deployed in the Partner VPC. The appliance providers and consumers can reside in different AWS accounts and VPCs. GWLBe enables consolidation of appliances, consistency of security policies, reduction in operator errors, and seamless inspection of traffic without having to change the traffic source or destination and requiring NAT translations.
Source: https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances/
In a separate article, Justin Davies, principal solutions architect at AWS, describes the supported architecture patterns for the new service. Many users like the idea that the service simplifies network traffic inspection, and Colm MacCárthaigh, senior principal engineer at AWS, tweeted:
Gateway Load Balancer is huge and brings a capability to the cloud that has never even existed in traditional/legacy datacenter networks. It's not "just" equal-cost multi-path routing (...) I don't think it's an overstatement to say that for the first time, a very small team can develop network functionality that will be horizontally scalable and highly available.
Among the AWS partners offering solutions for the new service, Cisco announced the integration of Cloud ACI, and Trend Micro added support for its new Cloud One – Network Security.
Not everyone thinks this focus on third-party appliances is positive. Corey Quinn, cloud economist at The Duckbill Group, argues that embedding partner appliances into a VPC is not a good idea:
I just want to make it very, very clear that you don’t need to start paying third-party vendors to do AWS networking properly—and I really wish the Gateway Load Balancer documentation and examples reflected that more effectively. (...) A (very!) careful reading of the documentation indicates that you aren’t required to go cross-account with these devices, and that there’s no requirement that the appliances actually be third party.
Luc van Donkersgoed, head of AWS technology at Sentia Group, followed this advice and described the process of building GeneveProxy, a Python application that receives traffic from the Gateway Load Balancer, decapsulates the packet, inspects it, re-encapsulates it and returns it to the Gateway Load Balancer. The source code of the application can be found on the GitHub project page.
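The decapsulate, inspect, re-encapsulate loop described above, as an added example that is not GeneveProxy's code: it parses the GENEVE header and TLV options (RFC 8926) that the Gateway Load Balancer wraps around each inner IP packet, applies a toy allowlist to the inner IPv4 protocol, and returns the packet behind its original, unmodified GENEVE header. The sample datagram, its placeholder TLV (experimental class 0xFF00) and the allowlist are constructed here; malformed datagrams are dropped rather than forwarded.

```python
import struct

PROTO_IPV4 = 0x0800          # GENEVE protocol type GWLB sets for an inner IPv4 packet
ALLOWED_IP_PROTOS = {6, 17}  # toy inspection policy: pass TCP and UDP only

def parse_geneve(datagram: bytes):
    """Split a GENEVE (RFC 8926) payload into (header dict, [(class, type, data)], inner).
    Raises ValueError on malformed input so the packet is dropped, never forwarded."""
    if len(datagram) < 8:
        raise ValueError("short GENEVE header")
    ver_optlen, flags, proto, vni_rsvd = struct.unpack("!BBHI", datagram[:8])
    version, opt_len = ver_optlen >> 6, (ver_optlen & 0x3F) * 4
    if version != 0 or len(datagram) < 8 + opt_len:
        raise ValueError("bad GENEVE version or option length")
    options, pos, end = [], 8, 8 + opt_len
    while pos < end:
        opt_class, opt_type, rl = struct.unpack("!HBB", datagram[pos:pos + 4])
        data_len = (rl & 0x1F) * 4
        if pos + 4 + data_len > end:
            raise ValueError("TLV overruns option area")
        options.append((opt_class, opt_type, datagram[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return {"proto": proto, "vni": vni_rsvd >> 8, "oam": bool(flags & 0x80)}, options, datagram[end:]

def inspect_inner(header, inner: bytes) -> bool:
    """Toy inspection: accept IPv4 packets whose protocol (header byte 9) is allowed."""
    if header["proto"] != PROTO_IPV4 or len(inner) < 20 or inner[0] >> 4 != 4:
        return False
    return inner[9] in ALLOWED_IP_PROTOS

def handle(datagram: bytes):
    """Decapsulate, inspect, re-encapsulate; returns bytes to send back to GWLB or
    None to drop. The original GENEVE header and TLVs (GWLB's flow cookie among
    them) are echoed unchanged so GWLB can map the packet back to its flow."""
    try:
        header, options, inner = parse_geneve(datagram)
    except ValueError:
        return None
    if not inspect_inner(header, inner):
        return None
    return datagram[:len(datagram) - len(inner)] + inner

def build_geneve(inner: bytes, vni: int, options) -> bytes:
    """Constructed helper, inverse of parse_geneve, used to make sample datagrams."""
    body = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    return struct.pack("!BBHI", len(body) // 4, 0, PROTO_IPV4, vni << 8) + body + inner

# Constructed sample: inner IPv4/UDP packet (checksums 0) behind a placeholder TLV (class 0xFF00)
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                    bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9])) + b"\x00" * 8
SAMPLE = build_geneve(INNER, 0xABCDE, [(0xFF00, 3, b"\x11\x22\x33\x44")])
```

In a real appliance `handle` sits behind a UDP socket bound to the GENEVE port and is also responsible for the health-check endpoint GWLB probes.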
Including the new service, AWS now offers four different managed load balancers. The other options are the Application Load Balancer, a layer 7 load balancer; the Network Load Balancer, for TCP and UDP (layer 4) load balancing; and the Classic Load Balancer, for EC2 Classic networks. The Gateway Load Balancer runs within one availability zone and is charged hourly plus the number of Gateway Load Balancer Capacity Units used, a metric that depends on new and active connections or flows per second and on the bytes processed.