===== AWS Gateway Load Balancer =====
{{tag>AWS VyOS GWLB}}

==== Description ====

  * https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances/
  * https://github.com/aws-samples/aws-gateway-load-balancer-code-samples/tree/main/aws-cli
  * https://github.com/aws-samples/aws-gateway-load-balancer-code-samples/tree/main/aws-cloudformation/distributed_architecture

==== Diagram ====

==== Testing Network ====

Below are the networks and route tables that were used during testing. I also used the default Security Group for each VPC, but I added a rule to allow all traffic from 10.0.0.0/8. In a production environment the security group should be more restrictive.

^ ^ Hub ^ Spoke 1 ^ Spoke 2 ^
| **CIDR** | **10.0.0.0/23** | **10.1.0.0/23** | **10.1.2.0/23** |
| Public A | 10.0.0.0/26 | 10.1.0.0/26 | 10.1.2.0/26 |
| Public B | 10.0.0.64/26 | 10.1.0.64/26 | 10.1.2.64/26 |
| Private A / Management A | 10.0.1.0/26 | 10.1.1.0/26 | 10.1.3.0/26 |
| Private B / Management B | 10.0.1.64/26 | 10.1.1.64/26 | 10.1.3.64/26 |

=== Spoke VPC Route Tables ===

^ VPC Spoke 1 Inbound Route Table ^^
^ Destination ^ Target ^
| 10.1.0.0/23 | Local |
| 10.1.1.0/26 | GWLB VPCE 1A |

^ VPC Spoke 1 Public A Route Table ^^
^ Destination ^ Target ^
| 10.1.0.0/23 | Local |
| 0.0.0.0/0 | IGW |

^ VPC Spoke 1 Private A Route Table ^^
^ Destination ^ Target ^
| 10.1.0.0/23 | Local |
| 0.0.0.0/0 | GWLB VPCE 1A |

^ VPC Spoke 2 Inbound Route Table ^^
^ Destination ^ Target ^
| 10.1.2.0/23 | Local |
| 10.1.3.0/26 | GWLB VPCE 2A |

^ VPC Spoke 2 Public A Route Table ^^
^ Destination ^ Target ^
| 10.1.2.0/23 | Local |
| 0.0.0.0/0 | IGW |

^ VPC Spoke 2 Private A Route Table ^^
^ Destination ^ Target ^
| 10.1.2.0/23 | Local |
| 0.0.0.0/0 | GWLB VPCE 2A |

=== Shared VPC Route Tables ===

^ VPC Hub Public A Route Table ^^
^ Destination ^ Target ^
| 10.0.0.0/23 | Local |
| 0.0.0.0/0 | IGW |

^ VPC Hub Management A Route Table ^^
^ Destination ^ Target ^
| 10.0.0.0/23 | Local |
| 0.0.0.0/0 | IGW |

^ VPC Hub Public B Route Table ^^
^ Destination ^ Target ^
| 10.0.0.0/23 | Local |
| 0.0.0.0/0 | IGW |

^ VPC Hub Management B Route Table ^^
^ Destination ^ Target ^
| 10.0.0.0/23 | Local |
| 0.0.0.0/0 | IGW |

==== Instance Firewall (VyOS) Configuration ====

This configuration hairpins the GENEVE traffic that the GWLB sends to the VyOS instance straight back to the GWLB: the destination NAT rule rewrites the GENEVE datagrams arriving on ens5 for 10.0.0.7 back to the GWLB endpoint 10.0.0.49 on UDP/6081, and the source NAT rule masquerades them as they leave ens5. This allows for testing but does not allow for inspection. This configuration should only be used as a POC and not used in production, as it allows all traffic.

| Public Interface (EC2 eth0) | 10.0.0.7 |
| Management Interface (EC2 eth1) | 10.0.1.7 |
| GWLB Interface | 10.0.0.49 |

<code>
vyos@ip-10-0-0-7:~$ show configuration commands
set interfaces ethernet ens5 address 'dhcp'
set interfaces ethernet ens6 address 'dhcp'
set nat destination rule 100 destination address '10.0.0.7'
set nat destination rule 100 inbound-interface 'ens5'
set nat destination rule 100 protocol 'udp'
set nat destination rule 100 source address '10.0.0.49'
set nat destination rule 100 translation address '10.0.0.49'
set nat destination rule 100 translation port '6081'
set nat source rule 100 destination address '10.0.0.49'
set nat source rule 100 destination port '6081'
set nat source rule 100 outbound-interface 'ens5'
set nat source rule 100 protocol 'udp'
set nat source rule 100 source address '10.0.0.49'
set nat source rule 100 translation address 'masquerade'
set protocols static route 0.0.0.0/0 dhcp-interface 'ens6'
</code>

<code>
vyos@ip-10-0-0-7:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
ens5             10.0.0.7/26                       u/u
ens6             10.0.1.7/26                       u/u
vyos@ip-10-0-0-7:~$
</code>

==== Findings ====
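The hairpin above reflects the GWLB's GENEVE datagrams without looking inside them. The following is an added example, not part of the original page or of VyOS, of the first step any real inspection on the appliance would need: decoding the GENEVE header (RFC 8926 layout), walking its option TLVs and pulling the inner IPv4 5-tuple out of the UDP/6081 payload. The sample datagram, its VNI and its option class/type/data values are constructed for the test and are not claimed to be the values GWLB actually emits.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800  # GWLB encapsulates the original IPv4 packet as the GENEVE payload
@dataclass
class Flow:
    vni: int
    options: List[Tuple[int, int, bytes]]  # (option class, option type, option data)
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]

def parse_geneve(payload: bytes) -> Flow:
    """Decode a GENEVE datagram (UDP/6081 payload, RFC 8926 layout) down to the inner IPv4 5-tuple."""
    if len(payload) < 8:
        raise ValueError("truncated GENEVE header")
    ver_optlen, _flags, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (ver_optlen & 0x3F) * 4  # option length is given in 4-byte words
    if end > len(payload):
        raise ValueError("options run past the end of the packet")
    options, pos = [], 8
    while pos < end:  # walk the option TLVs: class, type, length (4-byte words), data
        opt_class, opt_type, length = struct.unpack("!HBB", payload[pos:pos + 4])
        data_len = (length & 0x1F) * 4
        if pos + 4 + data_len > end:
            raise ValueError("malformed GENEVE option")
        options.append((opt_class, opt_type, payload[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    inner = payload[end:]
    if proto != ETHERTYPE_IPV4 or len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    sport = dport = None
    if inner[9] in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP: read the port pair
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Flow(vni_rsvd >> 8, options, str(ipaddress.IPv4Address(inner[12:16])),
                str(ipaddress.IPv4Address(inner[16:20])), inner[9], sport, dport)
def sample_packet() -> bytes:
    """Constructed test datagram: one 4-byte option, inner TCP 10.1.1.10:4242 -> 10.1.0.20:443."""
    opt = struct.pack("!HBB", 0x0108, 3, 1) + b"\xde\xad\xbe\xef"  # sample class/type/data values only
    hdr = struct.pack("!BBHI", len(opt) // 4, 0, ETHERTYPE_IPV4, 0xABCDEF << 8)  # ver 0, VNI 0xABCDEF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.1.1.10").packed, ipaddress.IPv4Address("10.1.0.20").packed)
    return hdr + opt + ip + struct.pack("!HH", 4242, 443) + b"\x00" * 16  # minimal 20-byte TCP header
```

On the appliance the same decode would be fed from a socket bound to UDP/6081 on the GWLB-facing interface; the parser rejects truncated headers and options that overrun the declared option length rather than reading past the buffer.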