Inspecting inbound traffic from the internet using firewall appliances with Gateway Load Balancer
Customers use third-party next-generation firewalls (NGFW) and intrusion prevention systems (IPS) as part of their defense in depth strategy. Traditionally these often are dedicated hardware or software/virtual appliances. You can use Gateway Load Balancer to scale these virtual appliances horizontally to inspect traffic from and to your VPC, as shown in the following figure.
In the preceding architecture, Gateway Load Balancer endpoints are deployed into each Availability Zone in a separate edge VPC. The next-generation firewalls, intrusion prevention systems etc. are deployed behind the Gateway Load Balancer in the centralized appliance VPC. This appliance VPC can be in the same AWS account as the spoke VPCs or different AWS account. Virtual appliances can be configured to use Auto Scaling groups and are registered automatically with the Gateway Load Balancer, allowing auto scaling of the security layer.
These virtual appliances can be managed by accessing their management interfaces through an Internet Gateway (IGW) or using a bastion host setup in the appliance VPC.
Using the VPC ingress routing feature, the edge route table is updated to route inbound
traffic from internet to firewall appliances behind Gateway Load Balancer. Inspected traffic is routed via
Gateway Load Balancer endpoints to target VPC instance. Refer to the Introducing AWS Gateway Load Balancer: Supported architecture patterns