Sunday, May 18, 2025

Gateway Load Balancer (GWLB)

 

AWS Gateway Load Balancer (GWLB)

The AWS Gateway Load Balancer is a service designed to simplify deploying, scaling and managing third-party virtual appliances (firewalls, IDS/IPS, deep packet inspection systems and similar) in the cloud. It operates at Layer 3 (the network layer) and inserts appliances transparently into the traffic path as a bump in the wire: packets leave the VPC through a GWLB endpoint, are inspected, and return through the same endpoint to continue to their destination, so neither the sender nor the receiver has to know the appliance exists.

 Architecture

At a high level, AWS GWLB works like this:

  Spoke (application) VPC                         Appliance VPC
  -----------------------                         -------------
  Inbound/Outbound Traffic
          |
    route table entry
          |
    GWLB Endpoint (GWLBE)  <-- PrivateLink -->  Gateway Load Balancer (GWLB)
                                                        |  GENEVE over UDP 6081
                                                 Target Group (virtual appliances
                                                 such as firewalls, on EC2)

  1. Gateway Load Balancer Endpoint (GWLBE):
    • A type of VPC endpoint (powered by PrivateLink) that sits in the spoke VPC and receives whatever traffic the route tables send to it; inspected traffic comes back through the same endpoint.
  2. GWLB:
    • Lives in the appliance VPC and distributes flows across a fleet of virtual appliances, keeping both directions of a flow on the same appliance (flow stickiness, 5-tuple by default, with 3-tuple and 2-tuple options).
    • Encapsulates each packet in GENEVE over UDP port 6081, which preserves the original packet unchanged and carries metadata in GENEVE options; the appliance must decapsulate, inspect, and send the packet back to the GWLB with the outer header and options intact.
  3. Target Group:
    • The set of appliance instances (for example EC2 instances running Palo Alto, Fortinet or similar) that perform the inspection, registered with the GENEVE protocol on port 6081.

 Setup Overview

  1. Create appliance instances:
    • Deploy your network virtual appliances (NVAs) in a dedicated Appliance VPC, configured to accept GENEVE on UDP port 6081 and to return inspected packets to the GWLB.
  2. Create GWLB:
    • Create a Gateway Load Balancer with a GENEVE target group (port 6081) and register your appliance instances. The target group needs a separate health check (TCP, HTTP or HTTPS on a port the appliance serves) because the GWLB cannot health-check GENEVE itself; the listener has no rules and forwards everything to the target group.
  3. Create VPC Endpoint Service (PrivateLink):
    • Expose the GWLB via an endpoint service and allow the principals (accounts or roles) that may create endpoints to it.
  4. Create GWLB Endpoint (GWLBE):
    • In each spoke VPC (application or other VPCs), create a GWLBE in its own subnet that connects to the endpoint service; use one GWLBE per Availability Zone so traffic stays zonal.
  5. Update route tables:
    • Route traffic through the GWLBE in both directions: the application subnets' default route points at the GWLBE, the GWLBE subnet routes onward (to the internet gateway, NAT or transit gateway), and for internet-facing traffic an ingress route table is edge-associated with the internet gateway so inbound packets also pass the GWLBE. If one direction bypasses the endpoint, the appliance sees only half the flow and stateful inspection breaks.
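Step 5 is where most GWLB deployments go wrong, so here is a small route-table symmetry check, added as an example in Python; it is not code from the original post or an AWS tool. It models one spoke VPC with an application subnet, a GWLBE subnet and an internet gateway, traces an inbound packet and its reply through longest-prefix-match route tables, and reports whether both directions cross the same GWLB endpoint. The table names, CIDRs, addresses and the "gwlbe:<id>" target notation are assumptions made for the demonstration.

```python
# Constructed example, not AWS tooling: checks that a spoke VPC's route tables
# send both directions of an internet flow through the same GWLB endpoint.
# Targets are written as "local", "igw" or "gwlbe:<id>"; the table names,
# CIDRs and addresses below are made up for the demonstration.
import ipaddress

VPC_CIDR = "10.0.0.0/16"
APP_SUBNET = "10.0.1.0/24"


class RouteTable:
    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes.items()]

    def lookup(self, dst):
        """Longest-prefix match, as the VPC router does."""
        ip = ipaddress.ip_address(dst)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class SpokeVpc:
    def __init__(self, tables, endpoint_subnet_table, ingress_table=None):
        self.tables = tables                                # name -> RouteTable
        self.endpoint_subnet_table = endpoint_subnet_table  # gwlbe id -> table of its subnet
        self.ingress_table = ingress_table                  # table edge-associated with the IGW

    def trace(self, table, dst, max_hops=6):
        """Follow a packet from one route table until it is delivered or leaves the VPC."""
        hops = []
        for _ in range(max_hops):
            target = self.tables[table].lookup(dst)
            hops.append(target)
            if not target.startswith("gwlbe:"):
                return hops          # "local": delivered in-VPC; "igw": left the VPC
            # after inspection the packet re-enters from the endpoint's own subnet
            table = self.endpoint_subnet_table[target.split(":", 1)[1]]
        raise RuntimeError(f"routing loop while tracing to {dst}: {hops}")

    def inbound(self, app_ip):
        if self.ingress_table is None:
            return ["local"]         # no edge association: the IGW hands the packet straight to the host
        return self.trace(self.ingress_table, app_ip)

    def outbound(self, app_table, internet_ip):
        return self.trace(app_table, internet_ip)


def inspection_symmetric(vpc, app_table, app_ip, internet_ip):
    """True only if exactly one GWLBE is crossed, and it is the same one in both directions."""
    in_hops = vpc.inbound(app_ip)
    out_hops = vpc.outbound(app_table, internet_ip)
    in_gwlbe = [h for h in in_hops if h.startswith("gwlbe:")]
    out_gwlbe = [h for h in out_hops if h.startswith("gwlbe:")]
    return len(in_gwlbe) == 1 and in_gwlbe == out_gwlbe, in_hops, out_hops


def build_vpc(with_ingress_table):
    """Constructed spoke VPC: app subnet, GWLBE subnet, and an optional ingress table on the IGW."""
    tables = {
        "rt-app":   RouteTable("rt-app",   {VPC_CIDR: "local", "0.0.0.0/0": "gwlbe:a"}),
        "rt-gwlbe": RouteTable("rt-gwlbe", {VPC_CIDR: "local", "0.0.0.0/0": "igw"}),
        "rt-igw":   RouteTable("rt-igw",   {VPC_CIDR: "local", APP_SUBNET: "gwlbe:a"}),
    }
    return SpokeVpc(tables, {"a": "rt-gwlbe"}, "rt-igw" if with_ingress_table else None)


if __name__ == "__main__":
    for with_ingress in (True, False):
        ok, in_hops, out_hops = inspection_symmetric(
            build_vpc(with_ingress), "rt-app", "10.0.1.10", "203.0.113.5")
        print(f"ingress table={with_ingress}: symmetric={ok} inbound={in_hops} outbound={out_hops}")
```

Without the ingress route table the inbound trace never touches the GWLBE while the reply does, which is exactly the asymmetric case a stateful appliance cannot handle; the loop guard catches the other classic mistake, a GWLBE subnet whose default route points back at the endpoint.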

 Key Features

  • Layer 3 (L3) routing: Operates at the network layer, so appliances are inserted by route table entries rather than by DNS or application changes.
  • GENEVE encapsulation: Preserves the original packet (headers and payload) and carries metadata in options; flow stickiness keeps both directions of a flow on the same appliance.
  • Elasticity: The GWLB itself scales with traffic; register an Auto Scaling group as the target group so the appliance fleet scales with it.
  • High availability: Supports deployment across Availability Zones; cross-zone load balancing lets an endpoint in one AZ reach healthy appliances in another.
  • PrivateLink integration: The GWLB is consumed through an endpoint service, so traffic between spoke VPCs and the appliance VPC stays on the AWS network and can cross accounts.
  • Health checks: Unhealthy appliances are taken out of rotation so new flows go only to healthy targets.

 Use Cases

  • Security inspection: Inline security inspection with third-party appliances (firewalls, IDS/IPS).
  • Packet inspection / DPI: Advanced visibility and deep packet inspection on network traffic. GWLB is inline and forwards the real packets, unlike VPC Traffic Mirroring, which delivers copies.
  • Zero Trust architecture: Enforce traffic filtering and segmentation between VPCs by routing inter-VPC traffic through the inspection point.
  • SaaS network appliance: Build and offer security appliances as a service, consumed by customers through their own GWLB endpoints.
  • Service chaining: Insert multiple services (e.g., firewall → antivirus → DLP) in the traffic path.

twtech Service Chaining sequence: firewall → antivirus → DLP reflects a progressive chain of network security layers, each with a distinct role in inspecting, protecting and controlling data traffic. Here is what each component does in this flow:

 Firewall

  • Role: First line of defense.
  • Function: Filters traffic based on IP, port, protocol, or application-level rules.
  • Example: Blocks unauthorized inbound/outbound connections (e.g., a blocked IP trying to connect to port 22).

 Antivirus / Anti-Malware

  • Role: Malware detection engine.
  • Function: Scans payloads for known malicious signatures or behavioral patterns.
  • Example: Detects and quarantines a file infected with a known trojan or virus in an email attachment.

 DLP (Data Loss Prevention)

  • Role: Prevents sensitive data leakage.
  • Function: Inspects content for patterns like credit card numbers, SSNs, or confidential keywords.
  • Example: Blocks an outbound email containing unencrypted customer data from being sent outside the organization.

 Combined Flow (Security Chain):

When traffic flows through this stack:

  1. Firewall checks if the traffic should even be allowed.
  2. Antivirus inspects the contents of allowed traffic for threats.
  3. DLP ensures the data itself is not violating compliance or security policies.

In a GENEVE/GWLB Context:

When twtech is using Gateway Load Balancer with chained security appliances (firewalls, IDS, antivirus, DLP), this sequence is implemented by routing: each stage sits behind its own GWLB (or runs as an engine on the same appliance), and a packet is routed from one GWLB endpoint to the next, so every packet passes through each security layer before reaching its destination. GENEVE provides the per-hop encapsulation and carries the flow metadata; the order of the chain comes from the route tables, and every hop must be symmetric for both directions of the flow.
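The verdict semantics of that chain, as an added example in Python; this is not code from the original post or from any vendor. It runs the three stages in order over one decapsulated packet (a flow 5-tuple and a payload), stops at the first stage that objects, and fails closed if a stage crashes, which is the right default for an inline device. The firewall rules, the signature table, the DLP patterns with a Luhn check, and the sample flows and payloads are all constructed for the demonstration; in a real deployment each stage would be a separate appliance fleet or engine.

```python
# Constructed example, not vendor code: the firewall -> antivirus -> DLP chain
# applied to one decapsulated packet. Rules, signatures and sample packets are
# made up; a real chain would be three appliance fleets or three engines on
# one appliance, but the ordering and verdict semantics are the same.
import ipaddress
import re

# First-match firewall policy (constructed): SSH only from the corporate range.
FIREWALL_RULES = [
    ("allow", "10.0.0.0/8", 22),
    ("deny",  "0.0.0.0/0", 22),
    ("allow", "0.0.0.0/0", None),   # any other destination port
]

# Antivirus signatures (constructed table; the EICAR string is the industry test file).
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR test file"}

# DLP patterns: card numbers are confirmed with Luhn so random digit runs are not flagged.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def firewall_stage(flow, payload):
    src = ipaddress.ip_address(flow["src"])
    for action, cidr, port in FIREWALL_RULES:
        if src in ipaddress.ip_network(cidr) and (port is None or port == flow["dport"]):
            return None if action == "allow" else f"{flow['src']} -> port {flow['dport']} denied"
    return "no matching rule (default deny)"


def antivirus_stage(flow, payload):
    for sig, name in SIGNATURES.items():
        if sig in payload:
            return f"signature match: {name}"
    return None


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_stage(flow, payload):
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            return f"payment card number detected ({digits[:6]}...)"
    if SSN_RE.search(payload):
        return "SSN pattern detected"
    return None


STAGES = [("firewall", firewall_stage), ("antivirus", antivirus_stage), ("dlp", dlp_stage)]


def inspect(flow, payload):
    """Run the stages in order; the first one to object decides the verdict.
    Returns (verdict, stage, reason). A stage that raises fails closed."""
    for name, stage in STAGES:
        try:
            reason = stage(flow, payload)
        except Exception as exc:   # inline security: an error must not become a pass
            return "drop", name, f"stage error: {exc}"
        if reason:
            return "drop", name, reason
    return "allow", None, None


# Constructed flows (5-tuple minus source port) used in the demo
INTERNET_SSH = {"src": "203.0.113.5", "dst": "10.0.1.10", "proto": 6, "dport": 22}
INTERNET_HTTPS = {"src": "203.0.113.5", "dst": "10.0.1.10", "proto": 6, "dport": 443}

if __name__ == "__main__":
    print(inspect(INTERNET_SSH, b""))
    print(inspect(INTERNET_HTTPS, b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"))
    print(inspect(INTERNET_HTTPS, b"card=4111 1111 1111 1111"))
    print(inspect(INTERNET_HTTPS, b"order=4111111111111112"))
```

The last sample is the edge case worth noticing: a 16-digit order number that fails Luhn passes the DLP stage, while the same digits with a valid check digit are dropped. The stage that reports the drop tells you where in the chain the packet died, which is what you want surfaced in the appliance logs.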

Best Practices

  • Deploy GWLB in a dedicated Appliance VPC, with the GWLB and the appliances in their own subnets.
  • Use Auto Scaling for your appliance fleet and register the group with the GENEVE target group.
  • Enable cross-zone load balancing for HA, and keep one GWLBE per Availability Zone so traffic stays local to the AZ while it is healthy.
  • Use security groups and network ACLs to tightly control traffic: the appliance only needs to accept UDP 6081 from the GWLB plus its health-check port, and nothing should reach the appliance directly.
  • Monitor with VPC Flow Logs, CloudWatch and GWLB metrics (healthy and unhealthy host counts, active flows, processed bytes), and alarm on unhealthy hosts before the fleet runs out of capacity.

Concepts: TLV, DF, UDP, TCP

Here is what each of those terms means in the context of the GENEVE protocol. ("TL" and "DR" are not GENEVE fields; the structures the protocol actually defines are the TLV options and, underneath them, the UDP transport and the IP layer's Don't Fragment handling.)

 TLV – Type-Length-Value

  • Meaning: TLV is the structure of the optional fields in a GENEVE header.
  • Purpose in GENEVE:
    GENEVE supports optional metadata in its header. Each option is a TLV, where:
    • Type: A 16-bit option class plus an 8-bit type that says what metadata is carried. The high bit of the type marks the option as critical: a receiver that does not understand a critical option must drop the packet rather than forward it.
    • Length: The size of the value, in 4-byte units.
    • Value: The actual metadata.
  • Why it's important: This extensibility lets GENEVE carry vendor-specific information. AWS GWLB uses it to tag each packet with the endpoint it arrived through, an attachment ID and a flow cookie; an appliance must echo these options back unchanged, or the GWLB cannot return the packet to the right endpoint.

 DF – Don't Fragment

  • Meaning: The Don't Fragment (DF) bit in the outer IP header of the GENEVE packet.
  • Why it matters:
    • GENEVE encapsulates packets in UDP over IP, which adds outer IP, UDP and GENEVE headers (plus options) to every packet. An inner packet that was already close to the path MTU may no longer fit once encapsulated.
    • With DF set, an oversized packet is dropped instead of being fragmented, so the appliance's interface MTU must be large enough for the original packet plus the encapsulation overhead, and the workloads behind the GWLB should not rely on fragmentation.

 UDP – User Datagram Protocol

  • Meaning: A lightweight, connectionless transport protocol in the TCP/IP suite.
  • Purpose in GENEVE:
    • GENEVE encapsulates packets inside UDP datagrams sent to UDP port 6081, so the appliance's security group must allow UDP 6081 inbound from the GWLB.
    • UDP is preferred because it adds no connection setup, retransmission or ordering of its own; the inner packet's own transport keeps whatever reliability it had, and the UDP source port can be varied per flow to spread traffic across network paths.
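The framing described under Architecture (GWLB to appliance over UDP 6081), the TLV options above, and the UDP transport, as one added example in Python; this is not code from the original post or from AWS. It builds and parses RFC 8926 GENEVE headers, drops a packet that carries a critical option of a class the appliance does not know, extracts the inner IPv4 5-tuple, and re-encapsulates with the outer header and options untouched, which is the behaviour an inline appliance owes the GWLB. The outer IP/UDP headers are omitted, and the option class 0xFF01, the inner TCP SYN and all addresses are constructed for the demonstration.

```python
# Constructed example: GENEVE (RFC 8926) framing as an inline GWLB appliance
# sees it. Not AWS or vendor code. The outer IP/UDP headers are omitted; the
# buffer starts at the GENEVE header that follows UDP port 6081. The option
# class 0xFF01 (experimental range) and the inner packet are made up here.
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081
PROTO_IPV4 = 0x0800    # protocol type of the inner packet (raw IPv4, no Ethernet)
HDR_LEN = 8            # fixed part of the GENEVE header
SAMPLE_CLASS = 0xFF01  # constructed option class for the demo


@dataclass
class GeneveOption:
    opt_class: int   # 16-bit option class
    opt_type: int    # 8-bit type; high bit set marks the option critical
    data: bytes      # length must be a multiple of 4 (at most 124 bytes)

    @property
    def critical(self) -> bool:
        return bool(self.opt_type & 0x80)


@dataclass
class GenevePacket:
    vni: int
    protocol: int
    options: list
    payload: bytes
    oam: bool = False


def build_geneve(pkt: GenevePacket) -> bytes:
    """Encode fixed header + TLV options + inner packet."""
    opts = b""
    for o in pkt.options:
        if len(o.data) % 4 or len(o.data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
    if len(opts) > 252:
        raise ValueError("options area exceeds 252 bytes")
    critical = any(o.critical for o in pkt.options)
    # word0 = Ver(2)=0 | Opt Len(6, in 4-byte units) | O | C | Rsvd(6)
    word0 = ((len(opts) // 4) << 8) | (int(pkt.oam) << 7) | (int(critical) << 6)
    # the VNI occupies the top 24 bits of the second 32-bit word
    return struct.pack("!HHI", word0, pkt.protocol, pkt.vni << 8) + opts + pkt.payload


def parse_geneve(buf: bytes, known_classes=frozenset()) -> GenevePacket:
    """Decode a GENEVE packet; reject critical options of unknown classes."""
    if len(buf) < HDR_LEN:
        raise ValueError("truncated GENEVE header")
    word0, protocol, vni_word = struct.unpack("!HHI", buf[:HDR_LEN])
    if word0 >> 14 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = HDR_LEN + ((word0 >> 8) & 0x3F) * 4
    if len(buf) < opt_end:
        raise ValueError("truncated option area")
    options, off = [], HDR_LEN
    while off < opt_end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", buf[off:off + 4])
        off += 4
        data_len = (len_byte & 0x1F) * 4
        if off + data_len > opt_end:
            raise ValueError("option overruns option area")
        opt = GeneveOption(opt_class, opt_type, buf[off:off + data_len])
        off += data_len
        # RFC 8926: a critical option the receiver does not understand means drop
        if opt.critical and opt_class not in known_classes:
            raise ValueError(f"unknown critical option class 0x{opt_class:04x}")
        options.append(opt)
    if bool(word0 & 0x40) != any(o.critical for o in options):
        raise ValueError("C bit does not match the options present")
    return GenevePacket(vni_word >> 8, protocol, options, buf[opt_end:], bool(word0 & 0x80))


def inner_five_tuple(ip: bytes):
    """Extract (src, dst, proto, sport, dport) from an inner IPv4 TCP/UDP packet."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        raise ValueError("need a TCP or UDP inner packet with ports present")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def appliance_pass_through(buf: bytes, known_classes):
    """Per packet, an inline appliance decapsulates, looks at the inner flow, then
    re-encapsulates with the outer header and options untouched so the GWLB can
    match the returned packet to the flow and the endpoint it came from."""
    pkt = parse_geneve(buf, known_classes)
    return inner_five_tuple(pkt.payload), build_geneve(pkt)


def make_inner_tcp_syn(src, dst, sport, dport) -> bytes:
    """Constructed inner packet: minimal IPv4 header + TCP SYN (checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr


SAMPLE = GenevePacket(
    vni=0, protocol=PROTO_IPV4,
    options=[GeneveOption(SAMPLE_CLASS, 0x01, bytes(8))],   # non-critical, 8-byte value
    payload=make_inner_tcp_syn("203.0.113.5", "10.0.1.10", 40000, 22))
SAMPLE_WIRE = build_geneve(SAMPLE)

if __name__ == "__main__":
    flow, out = appliance_pass_through(SAMPLE_WIRE, {SAMPLE_CLASS})
    print("inner flow:", flow, "outer header preserved:", out == SAMPLE_WIRE)
```

Two points the code makes that the prose cannot: the returned bytes are identical to what arrived, because the appliance must not rewrite the GENEVE options, and a critical option from a class the appliance does not recognise is a drop, not a pass, which is the RFC's rule and also the safe failure mode for an inspection device.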

 TCP – Transmission Control Protocol

 What is TCP?

  • A core transport-layer protocol in the TCP/IP suite.
  • Provides reliable, connection-oriented communication between devices.

 Key Features of TCP:

  • Connection-oriented: Establishes a connection using a 3-way handshake (SYN, SYN-ACK, ACK) before data transfer.
  • Reliable delivery: Ensures segments are received without errors using acknowledgments and retransmissions.
  • Flow control: Manages the rate of data transmission to avoid overwhelming the receiver.
  • Congestion control: Adjusts the transmission rate based on network congestion.
  • Ordered data: Reassembles segments in the correct sequence at the receiving end.

 Common Use Cases:

  • Web browsing (HTTP/HTTPS)
  • Email protocols (SMTP, IMAP, POP3)
  • File transfers (FTP)
  • Secure remote login (SSH)

In a GWLB deployment TCP is normally the transport of the inner packet, not of GENEVE itself. Because flow stickiness sends both directions of a connection to the same appliance, a stateful firewall behind the GWLB can follow the handshake and drop segments that do not belong to an established connection.

twtech-Summary Table:

  Term   Stands for                       Role in GENEVE
  TLV    Type-Length-Value                Optional, extensible metadata in the GENEVE header (option class, type, length, value)
  DF     Don't Fragment                   Outer IP bit that prevents fragmentation of GENEVE packets; drives MTU sizing on the appliance
  UDP    User Datagram Protocol           Transport protocol that carries GENEVE packets (destination port 6081)
  TCP    Transmission Control Protocol    Usually the transport of the inner packet; carried unchanged through the encapsulation

