Using the NAT gateway and Gateway Load Balancer with Amazon EC2 instances for centralized IPv4 egress - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
High availabilityAdvantagesKey considerations

Using the NAT gateway and Gateway Load Balancer with Amazon EC2 instances for centralized IPv4 egress

Using a software-based virtual appliance (on Amazon EC2) from AWS Marketplace and AWS Partner Network as an exit point is similar to the NAT gateway setup. This option can be used if you want to use the advanced layer 7 firewall/Intrusion Prevention/Detection System (IPS/IDS) and deep packet inspection capabilities of the various vendor offerings.

In the following figure, in addition to NAT gateway, you deploy virtual appliances using EC2 instances behind a Gateway Load Balancer (GWLB). In this setup, the GWLB, Gateway Load Balancer Endpoint (GWLBE), virtual appliances and NAT gateways are deployed in a centralized VPC which is connected to Transit Gateway using VPC attachment. The spoke VPCs are also connected to the Transit Gateway using a VPC Attachment. Because GWLBEs are a routable target, you can route traffic moving to and from Transit Gateway to the fleet of virtual appliances that are configured as targets behind a GWLB. GWLB acts as a bump-in-the-wire and transparently passes all Layer 3 traffic through third-party virtual appliances, and thus invisible to the source and destination of the traffic. Therefore, this architecture allows you to centrally inspect all of your egress traffic traversing through Transit Gateway.

For more information on how the traffic flows from the applications in the VPCs to the internet and back through this setup, refer to Centralized inspection architecture with AWS Gateway Load Balancer and AWS Transit Gateway.

You can enable appliance mode on Transit Gateway to maintain flow symmetry through virtual appliances. This means the bidirectional traffic is routed through the same appliance and the Availability Zone for the life of the flow. This setting is particularly important for stateful firewalls performing deep packet inspection. Enabling appliance mode removes the need for complex workarounds, such as source network address translation (SNAT), to force traffic to return to the correct appliance to maintain symmetry. Refer to Best practices for deploying Gateway Load Balancer for details.

It is also possible to deploy GWLB endpoints in a distributed manner without Transit Gateway to enable egress inspection. Learn more about this architectural pattern in the Introducing AWS Gateway Load Balancer: Supported architecture patterns blog post.

A diagram depicting Centralized egress with Gateway Load Balancer and EC2 instance (route table design)

Centralized egress with Gateway Load Balancer and EC2 instance (route table design)

High availability

AWS recommends deploying Gateway Load Balancers and virtual appliances in multiple Availability Zones for higher availability.

Gateway Load Balancer can perform health checks to detect virtual appliance failures. In case of an unhealthy appliance, GWLB reroutes the new flows to healthy appliances. Existing flows always go to the same target regardless of health status of target. This allows for connection draining and accommodate health check failures due to CPU spikes on appliances. For more details, refer to section 4: Understand appliance and Availability Zone failure scenarios in the blog post Best practices for deploying Gateway Load Balancer. Gateway Load Balancer can use auto scaling groups as targets. This benefit takes out the heavy lifting of managing availability and scalability of the appliance fleets.

Advantages

Gateway Load Balancer and Gateway Load Balancer endpoints are powered by AWS PrivateLink, which allows for the exchange of traffic across VPC boundaries securely without the need to traverse the public internet.

Gateway Load Balancer is a managed service that removes undifferentiated heavy lifting of managing, deploying, scaling virtual security appliances so that you can focus on the things that matter. Gateway Load Balancer can expose the stack of firewalls as an endpoint service for customers to subscribe to using the AWS Marketplace. This is called Firewall as a Service (FWaaS); it introduces a simplified deployment and removes the need to rely on BGP and ECMP to distribute traffic across multiple Amazon EC2 instances.

Key considerations

  • The appliances need to support Geneve encapsulation protocol to integrate with GWLB.

  • Some third-party appliances can support SNAT and overlay routing (two-arm mode) therefore eliminating the need to create NAT gateways for saving costs. However, consult with an AWS partner of your choice before using this mode as this is dependent on vendor support and implementation.

  • Take a note of GWLB idle timeout. This can result in connection timeouts on clients. You can tune your timeouts on client, server, firewall, and OS level to avoid this. Refer to Section 1: Tune TCP keep-alive or timeout values to support long-lived TCP flows in the Best practices for deploying Gateway Load Balancer blog post for more information.

  • GWLBE are powered by AWS PrivateLink, so AWS PrivateLink charges will be applicable. You can learn more in the AWS PrivateLink pricing page. If you are using the centralized model with Transit Gateway, the TGW data processing charges will be applicable.

  • Consider deploying Transit Gateway and egress VPC in a separate Network Services account to segregate access based on delegation of duties, such as only network administrators can access Network Services Account.