🟢

Gateway Load Balancer (GWLB)

  • Deploy, scale, and manage fleets of third-party virtual network appliances in AWS
  • Common use cases:
    • Firewalls
    • Intrusion Detection/Prevention Systems (IDPS)
    • Deep Packet Inspection
    • Payload manipulation or inspection
  • Operates at Layer 3 (Network layer), processing IP packets
  • Combines:
    • Transparent network gateway – single entry/exit for all traffic
    • Load balancer – distributes traffic to appliances
  • Uses the GENEVE protocol on UDP port 6081 to encapsulate traffic sent to the appliances

Architecture

  • Route table entries direct specific traffic (e.g., 172.16.0.0/16) through the GWLB
  • GWLB forwards traffic to a target group of security appliances (EC2 or IP targets)
  • After inspection or modification, traffic proceeds to the application’s destination
  • Can integrate with on-prem appliances via AWS Transit Gateway or VPC Peering
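Added example (not code from the notes or from AWS): a toy version of the appliance side of the flow described above. GWLB delivers each packet to the appliance wrapped in a GENEVE header on UDP 6081; the appliance strips that header, inspects the inner IP packet, and either drops it or sends it back with the outer GENEVE header intact so GWLB can return it to the original flow. The header layout follows RFC 8926. The option class 0x0108 and the option names (`gwlbe_eni_id`, `attachment_id`, `flow_cookie`) are my reading of the AWS appliance documentation and are assumptions to verify against current docs; the sample frames, addresses and the blocked-port policy are constructed for the example.

```python
"""Toy inline-appliance data path for GWLB-encapsulated (GENEVE) traffic."""
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081      # GENEVE port used by GWLB
ETHERTYPE_IPV4 = 0x0800     # GENEVE "Protocol Type" for an inner IPv4 packet
AWS_OPTION_CLASS = 0x0108   # assumption: option class AWS uses for GWLB metadata
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}  # assumption


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int
    data: bytes          # length is a multiple of 4 (RFC 8926)

    @property
    def name(self) -> str:
        if self.opt_class == AWS_OPTION_CLASS:
            return AWS_OPTION_NAMES.get(self.opt_type, f"aws_type_{self.opt_type}")
        return f"class_{self.opt_class:#06x}_type_{self.opt_type}"


@dataclass
class GenevePacket:
    vni: int
    protocol_type: int
    options: list
    outer_header: bytes  # 8-byte base header plus options, must go back unchanged
    inner: bytes         # the encapsulated IP packet


def parse_geneve(frame: bytes) -> GenevePacket:
    """Decode an RFC 8926 GENEVE base header and its TLV options."""
    if len(frame) < 8:
        raise ValueError("short GENEVE header")
    b0, _flags, proto, vni_rsvd = struct.unpack("!BBHI", frame[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    header_len = 8 + (b0 & 0x3F) * 4            # Opt Len is counted in 4-byte words
    if len(frame) < header_len:
        raise ValueError("truncated GENEVE options")
    options, off = [], 8
    while off < header_len:
        cls, typ, len_byte = struct.unpack("!HBB", frame[off:off + 4])
        data_len = (len_byte & 0x1F) * 4        # low 5 bits, in 4-byte words
        if off + 4 + data_len > header_len:
            raise ValueError("GENEVE option overruns header")
        options.append(GeneveOption(cls, typ, frame[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return GenevePacket(vni_rsvd >> 8, proto, options, frame[:header_len], frame[header_len:])


def ipv4_summary(pkt: bytes) -> tuple:
    """Return (src, dst, ip_proto, src_port, dst_port); ports are None unless TCP/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def inspect(frame: bytes, blocked_dst_ports=frozenset({23})) -> tuple:
    """Apply a minimal deny-list policy to one GWLB-delivered frame.

    Returns ("forward", frame) with the outer header byte-for-byte intact,
    or ("drop", None). Policy here is a constructed example (block telnet)."""
    pkt = parse_geneve(frame)
    if pkt.protocol_type != ETHERTYPE_IPV4:
        return "drop", None                     # this toy handles IPv4 only
    _src, _dst, _proto, _sport, dport = ipv4_summary(pkt.inner)
    if dport in blocked_dst_ports:
        return "drop", None
    return "forward", pkt.outer_header + pkt.inner


def build_geneve(vni: int, proto: int, options: list, inner: bytes) -> bytes:
    """Encode a GENEVE frame; used only to construct sample input below."""
    opts = b"".join(struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
                    for o in options)
    return struct.pack("!BBHI", len(opts) // 4, 0, proto, vni << 8) + opts + inner


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4 + TCP SYN headers; checksums left zero since nothing sends this."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def sample_frame(dst_port: int) -> bytes:
    """Constructed frame: AWS-style options plus an inner TCP SYN into 172.16.0.0/16."""
    options = [GeneveOption(AWS_OPTION_CLASS, 1, bytes(8)),
               GeneveOption(AWS_OPTION_CLASS, 2, bytes(8)),
               GeneveOption(AWS_OPTION_CLASS, 3, b"\xde\xad\xbe\xef")]
    return build_geneve(0, ETHERTYPE_IPV4, options,
                        build_ipv4_tcp("10.0.1.10", "172.16.5.20", 40000, dst_port))


if __name__ == "__main__":
    for port in (443, 23):
        verdict, _out = inspect(sample_frame(port))
        names = [o.name for o in parse_geneve(sample_frame(port)).options]
        print(f"dst port {port}: {verdict}; options seen: {names}")
```

The point to take from `inspect` is that the appliance never rewrites the outer header: GWLB relies on the GENEVE options to map the returned packet back to the right endpoint and flow, so an appliance that mangles or strips them breaks the transparent-gateway behaviour. A real appliance would also have to handle IPv6 inner packets, fragments and the critical-option bit that this toy rejects or ignores.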

Target Groups

  • Supported targets:
    • EC2 instances (identified by instance ID)
    • Private IP addresses (for AWS or on-prem appliances)
  • Enables hybrid setups with security appliances in multiple environments