# Access virtual appliances through AWS PrivateLink

You can use a Gateway Load Balancer to distribute traffic to a fleet of network virtual appliances. The appliances can be used for security inspection, compliance, policy controls, and other networking services. You specify the Gateway Load Balancer when you create a VPC endpoint service. Other AWS principals access the endpoint service by creating a Gateway Load Balancer endpoint.

**Pricing**  
You are billed for each hour that your Gateway Load Balancer endpoint is provisioned in each Availability Zone. You are also billed per GB of data processed. For more information, see [AWS PrivateLink Pricing](https://aws.amazon.com/privatelink/pricing/).

**Topics**
+ [Overview](#gwlbe-overview)
+ [IP address types](#gwlbe-ip-address-type)
+ [Routing](#gateway-load-balancer-endpoints-routing)
+ [Create a Gateway Load Balancer endpoint service](create-gateway-load-balancer-endpoint-service.md)
+ [Create a Gateway Load Balancer endpoint](gateway-load-balancer-endpoints.md)

For more information, see [Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/).

## Overview


The following diagram shows how application servers access security appliances through AWS PrivateLink. The application servers run in a subnet of the service consumer VPC. You create a Gateway Load Balancer endpoint in another subnet of the same VPC. All traffic entering the service consumer VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection and then routed to the destination subnet. Similarly, all traffic leaving the application servers is routed to the Gateway Load Balancer endpoint for inspection before it is routed back through the internet gateway.

![Using a Gateway Load Balancer endpoint to access security appliances.](http://docs.aws.amazon.com/vpc/latest/privatelink/images/gateway-load-balancer-endpoint.png)


**Traffic from the internet to the application servers (blue arrows):**

1. Traffic enters the service consumer VPC through the internet gateway.

1. Traffic is sent to the Gateway Load Balancer endpoint, based on route table configuration.

1. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

1. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

1. Traffic is sent to the application servers, based on route table configuration.

**Traffic from the application servers to the internet (orange arrows):**

1. Traffic is sent to the Gateway Load Balancer endpoint, based on route table configuration.

1. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.

1. Traffic is sent back to the Gateway Load Balancer endpoint after inspection.

1. Traffic is sent to the internet gateway based on the route table configuration.

1. Traffic is routed back to the internet.

## IP address types


Service providers can make their service endpoints available to service consumers over IPv4, IPv6, or both IPv4 and IPv6, even if their security appliances support only IPv4. If you enable dualstack support, existing consumers can continue to use IPv4 to access your service and new consumers can choose to use IPv6 to access your service.

If a Gateway Load Balancer endpoint supports IPv4, the endpoint network interfaces have IPv4 addresses. If a Gateway Load Balancer endpoint supports IPv6, the endpoint network interfaces have IPv6 addresses. The IPv6 address for an endpoint network interface is unreachable from the internet. If you describe an endpoint network interface with an IPv6 address, notice that `denyAllIgwTraffic` is enabled.

**Requirements to enable IPv6 for an endpoint service**
+ The VPC and subnets for the endpoint service must have associated IPv6 CIDR blocks.
+ The Gateway Load Balancer for the endpoint service must use the dualstack IP address type. The security appliances do not need to support IPv6 traffic.

**Requirements to enable IPv6 for a Gateway Load Balancer endpoint**
+ The endpoint service must have an IP address type that includes IPv6 support.
+ The IP address type of a Gateway Load Balancer endpoint must be compatible with the subnet for the Gateway Load Balancer endpoint, as described here:
  + **IPv4** – Assign IPv4 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges.
  + **IPv6** – Assign IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets.
  + **Dualstack** – Assign both IPv4 and IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges.
+ The route tables for the subnets in the service consumer VPC must route IPv6 traffic and the network ACLs for these subnets must allow IPv6 traffic.

## Routing


To route traffic to the endpoint service, specify the Gateway Load Balancer endpoint as a target in your route tables, using its ID. For the diagram above, add routes to the route tables as follows. When using a Gateway Load Balancer endpoint as a target, you cannot specify a prefix list as a destination. In these tables, IPv6 routes are included for a dualstack configuration.

**Route table for the internet gateway**  
This route table must have a route that sends traffic destined for the application servers to the Gateway Load Balancer endpoint.


| Destination | Target | 
| --- | --- | 
| VPC IPv4 CIDR | Local | 
| VPC IPv6 CIDR | Local | 
| Application subnet IPv4 CIDR | vpc-endpoint-id | 
| Application subnet IPv6 CIDR | vpc-endpoint-id | 

**Route table for the subnet with the application servers**  
This route table must have a route that sends all traffic from the application servers to the Gateway Load Balancer endpoint.


| Destination | Target | 
| --- | --- | 
| VPC IPv4 CIDR | Local | 
| VPC IPv6 CIDR | Local | 
| 0.0.0.0/0 | vpc-endpoint-id | 
| ::/0 | vpc-endpoint-id | 

**Route table for the subnet with the Gateway Load Balancer endpoint**  
This route table must send traffic that is returned from inspection to its final destination. For traffic that originated from the internet, the local route sends the traffic to the application servers. For traffic that originated from the application servers, add a route that sends all traffic to the internet gateway.


| Destination | Target | 
| --- | --- | 
| VPC IPv4 CIDR | Local | 
| VPC IPv6 CIDR | Local | 
| 0.0.0.0/0 | internet-gateway-id | 
| ::/0 | internet-gateway-id | 

# Create an inspection system as a Gateway Load Balancer endpoint service

You can create your own service powered by AWS PrivateLink, known as an *endpoint service*. You are the service provider, and the AWS principals that create connections to your service are the service consumers.

Endpoint services require either a Network Load Balancer or a Gateway Load Balancer. In this case, you'll create an endpoint service using a Gateway Load Balancer. For more information about creating an endpoint service using a Network Load Balancer, see [Create an endpoint service](create-endpoint-service.md).

**Topics**
+ [Considerations](#considerations-gateway-load-balancer-endpoint-service)
+ [Prerequisites](#prerequisites-gateway-load-balancer-endpoint-service)
+ [Create the endpoint service](#create-endpoint-service-glb)
+ [Make your endpoint service available](#share-gateway-load-balancerendpoint-service)

## Considerations

+ An endpoint service is available in the Region where you created it.
+ When service consumers retrieve information about an endpoint service, they can see only the Availability Zones that they have in common with the service provider. When the service provider and service consumer are in different accounts, an Availability Zone name, such as `us-east-1a`, might be mapped to a different physical Availability Zone in each AWS account. You can use AZ IDs to consistently identify the Availability Zones for your service. For more information, see [AZ IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids) in the *Amazon EC2 User Guide*.
+ There are quotas on your AWS PrivateLink resources. For more information, see [AWS PrivateLink quotas](vpc-limits-endpoints.md).

## Prerequisites

+ Create a service provider VPC with at least two subnets in the Availability Zone in which the service should be available. One subnet is for the security appliance instances and the other is for the Gateway Load Balancer.
+ Create a Gateway Load Balancer in your service provider VPC. If you plan to enable IPv6 support on your endpoint service, you must enable dualstack support on your Gateway Load Balancer. For more information, see [Getting started with Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html).
+ Launch security appliances in the service provider VPC and register them with a load balancer target group.

## Create the endpoint service


Use the following procedure to create an endpoint service using a Gateway Load Balancer.

**To create an endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Choose **Create endpoint service**.

1. For **Load balancer type**, choose **Gateway**.

1. For **Available load balancers**, select your Gateway Load Balancer.

1. For **Require acceptance for endpoint**, select **Acceptance required** to require that connection requests to your endpoint service are accepted manually. Otherwise, they are accepted automatically.

1. For **Supported IP address types**, do one of the following:
   + Select **IPv4** – Enable the endpoint service to accept IPv4 requests.
   + Select **IPv6** – Enable the endpoint service to accept IPv6 requests.
   + Select **IPv4** and **IPv6** – Enable the endpoint service to accept both IPv4 and IPv6 requests.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create**.

**To create an endpoint service using the command line**
+ [create-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [New-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

## Make your endpoint service available


Service providers must do the following to make their services available to service consumers.
+ Add permissions that allow each service consumer to connect to your endpoint service. For more information, see [Manage permissions](configure-endpoint-service.md#add-remove-permissions).
+ Provide the service consumer with the name of your service and the supported Availability Zones so that they can create an interface endpoint to connect to your service. For more information, see the procedure below.
+ Accept the endpoint connection request from the service consumer. For more information see [Accept or reject connection requests](configure-endpoint-service.md#accept-reject-connection-requests).

AWS principals can connect to your endpoint service privately by creating a Gateway Load Balancer endpoint. For more information, see [Create a Gateway Load Balancer endpoint](gateway-load-balancer-endpoints.md).

# Access an inspection system using a Gateway Load Balancer endpoint

You can create a Gateway Load Balancer endpoint to connect to [endpoint services](concepts.md#concepts-endpoint-services) powered by AWS PrivateLink.

For each subnet that you specify from your VPC, we create an endpoint network interface in the subnet and assign it a private IP address from the subnet address range. An endpoint network interface is a requester-managed network interface; you can view it in your AWS account, but you can't manage it yourself.

You are billed for hourly usage and data processing charges. For more information, see [Gateway Load Balancer endpoint pricing](https://aws.amazon.com/privatelink/pricing/#Gateway_Load_Balancer_Endpoint_pricing).

**Topics**
+ [Considerations](#considerations-gateway-load-balancer-endpoints)
+ [Prerequisites](#prerequisites-gateway-load-balancer-endpoints)
+ [Create the endpoint](#create-gateway-load-balancer-endpoint)
+ [Configure routing](#configure-routing-gateway-load-balancer-endpoint)
+ [Manage tags](#add-remove-gateway-load-balancer-endpoint-tags)
+ [Delete a Gateway Load Balancer endpoint](#delete-gateway-load-balancer-endpoint)

## Considerations

+ You can choose only one Availability Zone in the service consumer VPC. You can't change this subnet later on. To use a Gateway Load Balancer endpoint in a different subnet, you must create a new Gateway Load Balancer endpoint.
+ You can create a single Gateway Load Balancer endpoint per Availability Zone per service, and you must select the Availability Zone that the Gateway Load Balancer supports. When the service provider and service consumer are in different accounts, an Availability Zone name, such as `us-east-1a`, might be mapped to a different physical Availability Zone in each AWS account. You can use AZ IDs to consistently identify the Availability Zones for your service. For more information, see [AZ IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids) in the *Amazon EC2 User Guide*.
+ Before you can use the endpoint service, the service provider must accept the connection request. The service can't initiate requests to resources in your VPC through the VPC endpoint. The endpoint only returns responses to traffic that was initiated by resources in your VPC.
+ Each Gateway Load Balancer endpoint can support a bandwidth of up to 10 Gbps per Availability Zone and automatically scales up to 100 Gbps.
+ If an endpoint service is associated with multiple Gateway Load Balancers, a Gateway Load Balancer endpoint establishes a connection with only one load balancer per Availability Zone.
+ To keep traffic within the same Availability Zone, we recommend that you create a Gateway Load Balancer endpoint in each Availability Zone to which you'll send traffic.
+ Network Load Balancer client IP preservation is not supported when traffic is routed through a Gateway Load Balancer endpoint, even if the target is in the same VPC as the Network Load Balancer.
+ If the application servers and the Gateway Load Balancer endpoint are in the same subnet, the NACL rules are evaluated for traffic from the application servers to the Gateway Load Balancer endpoint.
+ If you use a Gateway Load Balancer with an egress-only internet gateway, the IPv6 traffic is dropped. Instead, use an internet gateway and inbound firewall rules.
+ There are quotas on your AWS PrivateLink resources. For more information, see [AWS PrivateLink quotas](vpc-limits-endpoints.md).

## Prerequisites

+ Create a service consumer VPC with at least two subnets in the Availability Zone from which you'll access the service. One subnet is for the application servers and the other is for the Gateway Load Balancer endpoint.
+ To verify which Availability Zones are supported by the endpoint service, describe the endpoint service using the console or the [describe-vpc-endpoint-services](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpc-endpoint-services.html) command.
+ If your resources are in a subnet with a network ACL, verify that the network ACL allows traffic between the endpoint network interfaces and the resources in the VPC.

## Create the endpoint


Use the following procedure to create a Gateway Load Balancer endpoint that connects to the endpoint service for the inspection system.

**To create a Gateway Load Balancer endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.

1. For **Type**, choose **Endpoint services that use NLBs and GWLBs**.

1. For **Service name**, enter the name of the service, and then choose **Verify service**.

1. For **VPC**, select the VPC from which you'll access the endpoint service.

1. For **Subnets**, select one subnet in which to create an endpoint network interface.

1. For **IP address type**, choose from the following options:
   + **IPv4** – Assign IPv4 addresses to the endpoint network interface. This option is supported only if the selected subnet has an IPv4 address range.
   + **IPv6** – Assign IPv6 addresses to the endpoint network interface. This option is supported only if the selected subnet is an IPv6 only subnet.
   + **Dualstack** – Assign both IPv4 and IPv6 addresses to the endpoint network interface. This option is supported only if the selected subnet has both IPv4 and IPv6 address ranges.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create endpoint**. The initial status is `pending acceptance`.

**To create a Gateway Load Balancer endpoint using the command line**
+ [create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) (AWS CLI)
+ [New-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

## Configure routing


Use the following procedure to configure route tables for the service consumer VPC. This enables the security appliances to perform security inspection for inbound traffic that's destined for the application servers. For more information, see [Routing](vpce-gateway-load-balancer.md#gateway-load-balancer-endpoints-routing).

**To configure routing using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Route Tables**.

1. Select the route table for the internet gateway and do the following:

   1. Choose **Actions**, **Edit routes**.

   1. If you support IPv4, choose **Add route**. For **Destination**, enter the IPv4 CIDR block of the subnet for the application servers. For **Target**, select the VPC endpoint.

   1. If you support IPv6, choose **Add route**. For **Destination**, enter the IPv6 CIDR block of the subnet for the application servers. For **Target**, select the VPC endpoint.

   1. Choose **Save changes**.

1. Select the route table for the subnet with the application servers and do the following:

   1. Choose **Actions**, **Edit routes**.

   1. If you support IPv4, choose **Add route**. For **Destination**, enter **0.0.0.0/0**. For **Target**, select the VPC endpoint.

   1. If you support IPv6, choose **Add route**. For **Destination**, enter **::/0**. For **Target**, select the VPC endpoint.

   1. Choose **Save changes**.

1. Select the route table for the subnet with the Gateway Load Balancer endpoint, and do the following:

   1. Choose **Actions**, **Edit routes**.

   1. If you support IPv4, choose **Add route**. For **Destination**, enter **0.0.0.0/0**. For **Target**, select the internet gateway.

   1. If you support IPv6, choose **Add route**. For **Destination**, enter **::/0**. For **Target**, select the internet gateway.

   1. Choose **Save changes**.

**To configure routing using the command line**
+ [create-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) (AWS CLI)
+ [New-EC2Route](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Route.html) (Tools for Windows PowerShell)
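The three route tables described in the Routing section and built by the procedure above have one security property worth verifying: no path between the internet gateway and the application servers may skip the Gateway Load Balancer endpoint. The following checker is an added example, not part of the AWS documentation; it takes route lists shaped like the `Routes[]` entries of `describe-route-tables`, with the assumption that both the internet gateway and the endpoint target are reported in `GatewayId`, and all IDs and CIDRs below are constructed sample data.

```python
"""Verify that a GWLB endpoint inspection VPC cannot be bypassed (added example).
Sample tables are constructed; they mimic Routes[] entries of describe-route-tables."""
import ipaddress

ALL_V4, ALL_V6 = "0.0.0.0/0", "::/0"
IGW, VPCE = "igw-0example1", "vpce-0example1"      # constructed IDs
APP_CIDRS = ["10.0.1.0/24", "2001:db8:0:1::/64"]   # constructed application subnet


def _dest(route):
    return route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")


def route_target(routes, destination):
    """Target of the route whose destination equals `destination`, else None.
    Assumption: IGW and GWLB endpoint targets are both reported in GatewayId."""
    for r in routes:
        if _dest(r) == destination:
            return r.get("GatewayId")
    return None


def check_inspection_routing(tables, igw_id, vpce_id, app_cidrs, dualstack=False):
    """Return a list of findings; an empty list means every path is inspected.
    tables maps "igw", "app" and "gwlbe" to the route lists of the internet gateway
    edge association, the application subnet and the endpoint subnet."""
    findings = []
    defaults = [ALL_V4, ALL_V6] if dualstack else [ALL_V4]
    wanted = [c for c in app_cidrs if dualstack or ipaddress.ip_network(c).version == 4]
    # Documented constraint: a GWLB endpoint target cannot be paired with a prefix list.
    for name, routes in tables.items():
        for r in routes:
            if r.get("DestinationPrefixListId") and r.get("GatewayId") == vpce_id:
                findings.append(f"{name}: prefix list destination with GWLBE target")
    # Inbound: the edge table must steer application-subnet traffic into the endpoint.
    for cidr in wanted:
        if route_target(tables["igw"], cidr) != vpce_id:
            findings.append(f"igw: {cidr} must target {vpce_id}")
    # Outbound: application default routes go to the endpoint, endpoint subnet to the IGW.
    for d in defaults:
        if route_target(tables["app"], d) != vpce_id:
            findings.append(f"app: {d} must target {vpce_id}")
        if route_target(tables["gwlbe"], d) != igw_id:
            findings.append(f"gwlbe: {d} must target {igw_id}")
    return findings


def sample_tables(app_default_target):
    """Constructed dualstack tables; only the app subnet's IPv4 default target varies."""
    local = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local"}]
    return {
        "igw": local + [{"DestinationCidrBlock": APP_CIDRS[0], "GatewayId": VPCE},
                        {"DestinationIpv6CidrBlock": APP_CIDRS[1], "GatewayId": VPCE}],
        "app": local + [{"DestinationCidrBlock": ALL_V4, "GatewayId": app_default_target},
                        {"DestinationIpv6CidrBlock": ALL_V6, "GatewayId": VPCE}],
        "gwlbe": local + [{"DestinationCidrBlock": ALL_V4, "GatewayId": IGW},
                          {"DestinationIpv6CidrBlock": ALL_V6, "GatewayId": IGW}],
    }


if __name__ == "__main__":
    # Correct layout, then a misconfiguration where IPv4 from the app subnet
    # goes straight to the internet gateway and is never inspected.
    print(check_inspection_routing(sample_tables(VPCE), IGW, VPCE, APP_CIDRS, True))  # []
    print(check_inspection_routing(sample_tables(IGW), IGW, VPCE, APP_CIDRS, True))
    # ['app: 0.0.0.0/0 must target vpce-0example1']
```

Run it against your own `describe-route-tables` output after the procedure above, and again after any later route change, since a single default route pointed at the internet gateway silently removes the appliance from the path.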

## Manage tags


You can tag your Gateway Load Balancer endpoint to help you identify it or categorize it according to your organization's needs.

**To manage tags using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the interface endpoint.

1. Choose **Actions**, **Manage tags**.

1. For each tag to add, choose **Add new tag** and enter the tag key and tag value.

1. To remove a tag, choose **Remove** to the right of the tag key and value.

1. Choose **Save**.

**To manage tags using the command line**
+ [create-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html) and [delete-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-tags.html) (AWS CLI)
+ [New-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Tag.html) and [Remove-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2Tag.html) (Tools for Windows PowerShell)

## Delete a Gateway Load Balancer endpoint

When you are finished with an endpoint, you can delete it. Deleting a Gateway Load Balancer endpoint also deletes the endpoint network interfaces. You can't delete a Gateway Load Balancer endpoint if there are routes in your route tables that point to the endpoint.

**To delete a Gateway Load Balancer endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints** and select your endpoint.

1. Choose **Actions**, **Delete Endpoint**. 

1. In the confirmation screen, choose **Yes, Delete**.

**To delete a Gateway Load Balancer endpoint using the command line**
+ [delete-vpc-endpoints](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoints.html) (AWS CLI)
+ [Remove-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpcEndpoint.html) (AWS Tools for Windows PowerShell)