A Gateway Load Balancer works at OSI Layer 3. Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across the many VPCs we have. In this example we have two VPCs: a Security VPC and an HQ VPC.
This is the network topology diagram for this lab.
I used two IP subnets in the HQ VPC: one subnet for our web servers, and one subnet for the GWLB endpoint.
The first step is to choose a third-party security appliance and do the initial configuration to launch it.
We can use a CloudFormation template to help us with the initial configuration of the Gateway Load Balancer. We must fill in the important parameters ourselves, such as which VPC our Gateway Load Balancer will reside in, which subnets we will use, and whether we want to install the security management server directly, and we must configure our security group to permit UDP port 6081 (GENEVE) so that traffic from the GWLB is allowed.
I configured my Gateway Load Balancer in my Security VPC across two Availability Zones (refer to my topology diagram).
I set 'Connection acceptance required' to 'false'.
I am using the Check Point AMI on a c5.xlarge EC2 instance (this is the recommended EC2 type). (I will add another post on how to choose a security gateway from the AWS Marketplace.) For this lab I created two Check Point security gateways from the AMI.
After our security gateway instances are up, we must create a target group.
After that we must create the Gateway Load Balancer endpoint located in our HQ VPC.
Before creating the endpoint, we must first create an endpoint service and choose the Gateway Load Balancer we created earlier.
After that we can create the endpoint. We must copy the endpoint service name from the previous step and select the subnet in which our endpoint will be located.
The last step is to configure our route tables: an outgoing route table that redirects outgoing traffic from our web servers to our endpoint, and an ingress route table that redirects incoming traffic from the internet destined for our web servers. All traffic will be inspected by our security gateway in the Security VPC.
All outgoing traffic will go to our security gateway first, via our endpoint.
The ingress route table redirects incoming traffic from the internet that is destined for our web servers.
We can also add one more route table for outgoing traffic to the internet from our HQ VPC.
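To make the endpoint service, endpoint and route table steps concrete, here is an added CloudFormation fragment written for this post; it is not the Check Point template from the references. It assumes the GWLB already exists in the Security VPC (passed in as GwlbArn), that the HQ VPC has an internet gateway (HqIgwId), and that the parameter names and the 10.1.1.0/24 default are constructed for this example.

```yaml
Parameters:
  HqVpcId:          {Type: AWS::EC2::VPC::Id}
  HqIgwId:          {Type: String}            # internet gateway of the HQ VPC (assumed to exist)
  WebSubnetId:      {Type: AWS::EC2::Subnet::Id}
  WebSubnetCidr:    {Type: String, Default: 10.1.1.0/24}   # constructed sample CIDR
  EndpointSubnetId: {Type: AWS::EC2::Subnet::Id}
  GwlbArn:          {Type: String}            # ARN of the GWLB already created in the Security VPC
Resources:
  # Endpoint service in front of the GWLB; AcceptanceRequired false matches the lab setting
  GwlbEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties: {GatewayLoadBalancerArns: [!Ref GwlbArn], AcceptanceRequired: false}
  # GWLB endpoint placed in the HQ VPC's dedicated endpoint subnet; the service name is derived from the service ID
  GwlbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref HqVpcId
      VpcEndpointType: GatewayLoadBalancer
      ServiceName: !Sub 'com.amazonaws.vpce.${AWS::Region}.${GwlbEndpointService}'
      SubnetIds: [!Ref EndpointSubnetId]
  # Ingress route table: attached to the IGW so inbound traffic for the web subnet is steered to the endpoint first
  IngressRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref HqVpcId}
  IngressToEndpoint:
    Type: AWS::EC2::Route
    Properties: {RouteTableId: !Ref IngressRouteTable, DestinationCidrBlock: !Ref WebSubnetCidr, VpcEndpointId: !Ref GwlbEndpoint}
  IngressIgwAssociation:
    Type: AWS::EC2::GatewayRouteTableAssociation
    Properties: {GatewayId: !Ref HqIgwId, RouteTableId: !Ref IngressRouteTable}
  # Web subnet route table: default route to the endpoint so outbound traffic is inspected too
  WebRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref HqVpcId}
  WebDefaultRoute:
    Type: AWS::EC2::Route
    Properties: {RouteTableId: !Ref WebRouteTable, DestinationCidrBlock: 0.0.0.0/0, VpcEndpointId: !Ref GwlbEndpoint}
  WebSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref WebSubnetId, RouteTableId: !Ref WebRouteTable}
  # Endpoint subnet route table: traffic returning from inspection leaves to the internet via the IGW
  EndpointRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref HqVpcId}
  EndpointDefaultRoute:
    Type: AWS::EC2::Route
    Properties: {RouteTableId: !Ref EndpointRouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref HqIgwId}
  EndpointSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref EndpointSubnetId, RouteTableId: !Ref EndpointRouteTable}
```

With these three route tables in place, a packet in either direction can only reach the web subnet or the internet after passing through the endpoint, which is what makes the security gateways in the Security VPC an unavoidable inspection point.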
We can also check our endpoint metrics in AWS CloudWatch (configured in the CloudFormation stack). Thank you for your time reading this!
My references for this lab:
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk174447 -> Check Point's AWS CloudFormation example template for the Gateway Load Balancer (all parameters can be customized freely)
- https://www.youtube.com/watch?v=f4DduW2M5WI -> AWS official short video about the Gateway Load Balancer