Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
AWS has introduced Gateway Load Balancers today.
Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.
A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule. The Gateway Load Balancer and its registered virtual appliance instances exchange application traffic using the GENEVE protocol on port 6081.
Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across VPC boundaries. A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC. You deploy the Gateway Load Balancer in the same VPC as the virtual appliances. You register the virtual appliances with a target group for the Gateway Load Balancer.
Affected Resource(s)
- `aws_default_route_table`: Add `route` configuration block `vpc_endpoint_id` argument
- `aws_lb`: Support `load_balancer_type` argument value of `gateway`
- `aws_lb_target_group`: Support `protocol` argument value of `GENEVE`
- `aws_route`: Add `vpc_endpoint_id` argument
- `aws_route_table`: Add `route` configuration block `vpc_endpoint_id` argument
- `aws_vpc_endpoint`: Support `vpc_endpoint_type` argument value of `GatewayLoadBalancer`
- `aws_vpc_endpoint_service`: Add `gateway_load_balancer_arns` argument
Example Terraform Configuration
```hcl
# This configuration is only intended for illustrative purposes of the new functionality.
# For example, this does not separate consumer and appliance VPCs or fully secure/route production traffic.
data "aws_availability_zones" "available" {
  state = "available"
}

data "aws_caller_identity" "current" {}

resource "aws_vpc" "test" {
  cidr_block = "10.10.10.0/25"

  tags = {
    Name = "tf-acc-test-load-balancer"
  }
}

resource "aws_subnet" "test" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = cidrsubnet(aws_vpc.test.cidr_block, 2, 0)
  vpc_id            = aws_vpc.test.id

  tags = {
    Name = "tf-acc-test-load-balancer"
  }
}

resource "aws_lb" "test" {
  load_balancer_type = "gateway"
  name               = "gwlb-test"

  subnet_mapping {
    subnet_id = aws_subnet.test.id
  }
}

resource "aws_lb_target_group" "test" {
  name     = "gwlb-test"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.test.id

  health_check {
    port     = 80
    protocol = "HTTP"
  }
}

resource "aws_vpc_endpoint_service" "test" {
  acceptance_required        = false
  allowed_principals         = [data.aws_caller_identity.current.arn]
  gateway_load_balancer_arns = [aws_lb.test.arn]
}

resource "aws_vpc_endpoint" "test" {
  service_name      = aws_vpc_endpoint_service.test.service_name
  subnet_ids        = [aws_subnet.test.id]
  vpc_endpoint_type = aws_vpc_endpoint_service.test.service_type
  vpc_id            = aws_vpc.test.id
}

resource "aws_route_table" "test" {
  vpc_id = aws_vpc.test.id
}

resource "aws_route" "test" {
  route_table_id         = aws_route_table.test.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.test.id
}
```
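As an added example that is not part of the issue and not provider documentation, the configuration below shows the two-VPC layout the illustrative configuration above deliberately skips: the GWLB and the appliances live in a service provider VPC, the service consumer VPC reaches them only through a `GatewayLoadBalancer` endpoint, and an ingress route table on the internet gateway forces inbound traffic through the endpoint before it can reach the application subnet. It uses the proposed `vpc_endpoint_id` route argument and `gateway_load_balancer_arns` as if they already existed; all resource names and CIDRs are assumptions, and the appliance instances, their target group attachments and an explicit health check block are left out, as in the original example.

```hcl
# Added example, not from the issue or the provider: two-VPC GWLB layout.
# Names and CIDRs are assumptions; appliance instances and target attachments are omitted.
data "aws_availability_zones" "available" {
  state = "available"
}
data "aws_caller_identity" "current" {}

# Service provider VPC: the GWLB and (not shown) the appliances it fronts.
resource "aws_vpc" "appliance" {
  cidr_block = "10.0.0.0/24"
}
resource "aws_subnet" "appliance" {
  vpc_id            = aws_vpc.appliance.id
  cidr_block        = "10.0.0.0/26"
  availability_zone = data.aws_availability_zones.available.names[0]
}
resource "aws_lb" "gwlb" {
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnet_mapping {
    subnet_id = aws_subnet.appliance.id
  }
}
resource "aws_lb_target_group" "appliances" {
  name     = "inspection-appliances"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.appliance.id
}
# Publish the GWLB as an endpoint service restricted to this account.
resource "aws_vpc_endpoint_service" "inspection" {
  acceptance_required        = false
  allowed_principals         = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

# Service consumer VPC: endpoint subnet, app subnet, internet gateway.
resource "aws_vpc" "consumer" {
  cidr_block = "10.1.0.0/24"
}
resource "aws_internet_gateway" "consumer" {
  vpc_id = aws_vpc.consumer.id
}
resource "aws_subnet" "endpoint" {
  vpc_id            = aws_vpc.consumer.id
  cidr_block        = "10.1.0.0/26"
  availability_zone = data.aws_availability_zones.available.names[0]
}
resource "aws_subnet" "app" {
  vpc_id            = aws_vpc.consumer.id
  cidr_block        = "10.1.0.64/26"
  availability_zone = data.aws_availability_zones.available.names[0]
}
resource "aws_vpc_endpoint" "gwlbe" {
  vpc_id            = aws_vpc.consumer.id
  service_name      = aws_vpc_endpoint_service.inspection.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.endpoint.id]
}

# App subnet: every outbound packet is handed to the endpoint for inspection.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.consumer.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}
resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}
# Endpoint subnet: traffic the appliances return continues to the IGW.
resource "aws_route_table" "endpoint" {
  vpc_id = aws_vpc.consumer.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.consumer.id
  }
}
resource "aws_route_table_association" "endpoint" {
  subnet_id      = aws_subnet.endpoint.id
  route_table_id = aws_route_table.endpoint.id
}
# IGW ingress routing: inbound packets for the app subnet go to the endpoint
# first, so nothing reaches the app subnet without passing the appliances.
resource "aws_route_table" "igw_edge" {
  vpc_id = aws_vpc.consumer.id
  route {
    cidr_block      = aws_subnet.app.cidr_block
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe.id
  }
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.consumer.id
  route_table_id = aws_route_table.igw_edge.id
}
```

Two points a practitioner should check before trusting this layout: the endpoint must sit in its own subnet, not the application subnet, otherwise the app subnet's default route and the IGW ingress route both point back at traffic that has already been inspected; and the appliance instances in the provider VPC should only accept UDP 6081 (and the health check port) from the GWLB subnet, since that is the only source that should ever speak GENEVE to them.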
References