What Does GWLB Mean?
On This Page
Quick Definition
A Gateway Load Balancer (GWLB) is an AWS service that helps route network traffic to security and inspection appliances, like firewalls, while keeping everything fast and reliable. It works with both virtual private cloud (VPC) traffic and on-premises connections. Think of it as a smart traffic director for your security tools.
Commonly Confused With
NLB is a Layer 4 load balancer that distributes TCP/UDP traffic to targets such as EC2 instances, usually without inspecting content. GWLB is specifically designed to forward traffic through a chain of virtual appliances using the GENEVE protocol, preserving the original packet headers. NLB does not support appliance chaining out of the box.
If you just want to distribute web traffic to multiple web servers, use NLB. If you need all traffic to go through a firewall first, use GWLB.
ALB operates at Layer 7 (HTTP/HTTPS) and can perform content-based routing, SSL termination, and path-based routing. GWLB operates at Layer 3/4 and does not inspect application content. ALB cannot forward traffic through third-party appliances in the same way as GWLB.
Use ALB to route users to different microservices based on the URL path. Use GWLB when you need every packet to be inspected by a security appliance before it reaches the application.
Transit Gateway is a network transit hub that connects VPCs and on-premises networks. It does not perform load balancing or traffic inspection itself. GWLB is often used together with TGW to inspect traffic flowing between connected networks. TGW provides the connectivity; GWLB provides the inspection.
Transit Gateway is like a highway interchange that connects multiple roads. GWLB is a toll booth and inspection station placed on that highway to check all vehicles passing through.
CLB is an older generation load balancer that works at both Layer 4 and Layer 7 but lacks many features like GENEVE support and appliance chaining. GWLB is more modern and purpose-built for security appliances. CLB does not support the same traffic-flow patterns as GWLB.
CLB might be used in legacy architectures. For new deployments requiring traffic inspection, always choose GWLB.
Must Know for Exams
GWLB appears in several AWS certification exams, most notably the AWS Certified Solutions Architect – Associate (SAA-C03), the AWS Certified Security – Specialty (SCS-C02), and the AWS Certified Advanced Networking – Specialty (ANS-C01). In the Solutions Architect Associate exam, GWLB is often tested in the context of designing highly available and secure VPC architectures. For example, you might be presented with a scenario where a company needs to inspect all traffic between VPCs or from on-premises to the cloud.
The correct answer would involve deploying a GWLB in a centralized VPC and using VPC endpoints (GWLBe) in the spoke VPCs. In the Security Specialty exam, GWLB is more deeply tested. Expect questions about how to route traffic through third-party firewalls while maintaining stateful inspection.
You may be asked about symmetric routing: why it is important for stateful firewalls and how GWLB supports it. Also, you might see questions about the GENEVE protocol and why it is used, it allows the original packet headers to be preserved so the firewall can see the real source and destination. In the Advanced Networking exam, GWLB is a major topic.
Expect detailed questions about traffic flows, health checks, cross-zone load balancing, and integration with AWS Transit Gateway. You might be asked to troubleshoot why traffic is not reaching an appliance, common issues include incorrect route tables, missing security group rules, or the GWLB endpoint not being properly associated. Question types include multiple-choice, multiple-select, and scenario-based fill-in-the-blank.
For example: A company has deployed a GWLB with two appliances in different AZs. During a traffic spike, one appliance fails. What happens? Answer: The GWLB stops sending traffic to the failed appliance and distributes load to the healthy one, assuming the health check fails.
You may also encounter questions where you need to select the most cost-effective or least complex design. For instance: Should you use a GWLB or a Network Load Balancer (NLB) for firewall inspection? The correct choice is GWLB because it is specifically designed for appliance chaining and supports GENEVE encapsulation.
The exam expects you to differentiate GWLB from other load balancers (ALB, NLB, CLB) and to know when each is appropriate. For IT certification candidates, mastering GWLB means understanding its architecture, protocols, health checks, and integration points. It is not enough to memorize the definition, you must be able to apply it to real-world scenarios.
Simple Meaning
Imagine you own a busy office building with multiple security checkpoints, a front desk, a security guard, and maybe a metal detector. Every visitor has to pass through all these checkpoints before they can enter the building. Now imagine you are the building manager and you want each checkpoint to handle its own job without slowing down the others.
A Gateway Load Balancer is like a conveyor belt that smoothly moves visitors (network packets) from the entrance to the right checkpoint in the right order. It makes sure the security team sees all the visitors they need to check, and it doesn’t let any visitor skip a checkpoint. In the cloud world, a GWLB sits between the public internet or on-premises networks and your AWS applications.
It takes all incoming traffic and sends it through a chain of virtual appliances, things like next-generation firewalls, intrusion prevention systems, or packet inspection tools. The GWLB doesn’t make decisions about where traffic ultimately goes; it just ensures that every packet passes through the correct inspection appliances. It also makes sure that if one appliance gets overloaded, traffic is spread across multiple identical appliances.
That way, no single security tool becomes a bottleneck. The GWLB also handles health checks: if an appliance fails, it stops sending traffic there and uses a healthy one instead. All of this happens transparently to the end user, so they don’t even know the traffic was inspected.
For IT learners, the key takeaway is that GWLB is the glue that connects network traffic to security and monitoring services, making cloud networks more secure without slowing them down.
Full Technical Definition
AWS Gateway Load Balancer (GWLB) is a Layer 3 (network) and Layer 4 (transport) load balancer that operates at the gateway layer of a virtual private cloud (VPC). It is designed to integrate with third-party virtual appliances, such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), deep packet inspection (DPI) tools, and other network security functions. GWLB uses the GENEVE protocol (Generic Network Virtualization Encapsulation) on port 6081 to encapsulate traffic between the load balancer and the appliance endpoints.
This encapsulation preserves the original packet headers while allowing the appliances to see and inspect the traffic. GWLB supports both IPv4 and IPv6 traffic, and it can handle TCP, UDP, and ICMP traffic. It is typically deployed in a centralized VPC design, where a single GWLB is used to inspect traffic from multiple VPCs (via VPC peering or AWS Transit Gateway) or from on-premises networks (via AWS Direct Connect or VPN).
The GWLB itself does not perform any deep packet inspection; it simply forwards traffic to a target group of virtual appliances. These appliances are EC2 instances or containerized services running security software. The GWLB performs health checks on these appliances using HTTP/HTTPS or TCP probes to ensure that only healthy appliances receive traffic.
If an appliance fails a health check, the GWLB automatically reroutes traffic to the remaining healthy targets. The GWLB supports cross-zone load balancing, which distributes traffic evenly across appliances in different Availability Zones for high availability. It also supports connection draining (deregistration delay) to allow in-flight requests to complete before an appliance is taken out of service.
In terms of architecture, GWLB is deployed in a VPC subnet, and it uses a Gateway Load Balancer endpoint (GWLBe) in other VPCs or in the same VPC to send traffic to the GWLB. The GWLBe is a VPC endpoint that is attached to the subnet where the GWLB resides. Traffic flows from the source (e.
g., an EC2 instance in a different VPC) to the GWLBe, then to the GWLB, then to the target group of appliances, and then back to the destination. This is known as an inbound-inspection outbound-spoke architecture.
The GWLB also supports symmetric routing, meaning that both inbound and outbound traffic can be sent through the same appliance for stateful inspection (like firewalls that need to see both directions of a connection). The GWLB scales automatically based on traffic load, and it integrates with AWS CloudWatch for monitoring metrics such as active connections, new connections, and throughput. For IT professionals, understanding GWLB is essential for designing secure and scalable network architectures in AWS, especially when compliance requirements mandate centralized inspection of all traffic.
Real-Life Example
Think of a large hospital with many entrances. The hospital wants every visitor to be checked for temperature, ID, and any contagious symptoms before they reach a patient. Instead of having a single overwhelmed checkpoint at the main entrance, the hospital sets up a central screening station in the lobby.
A receptionist directs visitors from every entrance, front door, emergency room, even staff entrance, to that central screening station. At the screening station, there are multiple nurses in separate booths. The receptionist’s job is to make sure each visitor is sent to the next available nurse, so no nurse is overloaded.
If a nurse steps away, the receptionist stops sending visitors to that booth and sends them to another nurse. Once the visitor passes the screening, the receptionist directs them to the correct floor or room. In this analogy, the hospital is a cloud network, the entrances are different traffic sources (like users on the internet or branch offices), the screening station is the GWLB, the nurses are the virtual appliances (firewalls, IDS), and the booths are the target group.
The receptionist’s instructions about which nurse to use are like the GWLB’s load-balancing algorithm. The hospital’s policy of sending every visitor through screening before letting them in is like a security policy enforced by the GWLB. The receptionist also knows if a nurse is sick (health check) and avoids sending visitors there.
The GWLB does exactly this in the cloud: it collects traffic from multiple sources, sends it to a pool of security appliances for inspection, and then forwards it to the final destination. The beauty is that the visitor, the network packet, never knows it was screened. The hospital runs smoothly because the screening is distributed and reliable.
Similarly, a GWLB makes cloud security scalable, manageable, and transparent to the end user. For IT learners, this analogy highlights how load balancing of security functions keeps networks safe without becoming the weak link.
Why This Term Matters
In modern cloud environments, security is not optional. Companies must inspect all traffic for threats, malware, and policy violations. Doing this at scale is challenging because security appliances can be slow and expensive.
Without a GWLB, an organization would have to either place an appliance in every subnet (costly and complex) or route all traffic through a single appliance (a single point of failure and a performance bottleneck). GWLB solves both problems by centralizing traffic inspection while distributing the load across multiple appliances. It allows you to use best-of-breed third-party security tools without locking you into a specific vendor.
For IT professionals, earning a certification like AWS Certified Solutions Architect – Associate or AWS Certified Security – Specialty requires understanding how GWLB fits into network architecture. You might be asked to design a solution that meets compliance requirements, like PCI DSS or HIPAA, where all traffic must be inspected for malicious content. GWLB makes that possible without redesigning the entire network.
It also simplifies operations: if you need to update a firewall rule or patch a security appliance, you can take one appliance out of service without interrupting traffic because the GWLB redirects traffic to other appliances. The cost model is also efficient because you can start with fewer appliances and scale as traffic grows. In short, GWLB matters because it provides a scalable, highly available, and cost-effective way to enforce security in the cloud.
For exam candidates, it is a core component in scenarios involving centralized traffic inspection, network segmentation, and compliance.
How It Appears in Exam Questions
GWLB questions in AWS certification exams typically fall into three categories: scenario-based design, configuration steps, and troubleshooting. In scenario-based questions, you are given a business requirement like: A company wants to inspect all traffic from its VPCs to the internet and between VPCs using a third-party firewall. They want high availability and minimal latency penalty.
What should they use? The correct answer is a GWLB in a centralized VPC with GWLB endpoints in each spoke VPC. Another pattern involves integration with AWS Transit Gateway. For instance: A company uses Transit Gateway to connect multiple VPCs and on-premises networks.
They need to inspect traffic between all these networks. Which architecture should they use? Answer: Attach the VPCs to a Transit Gateway and route traffic to a GWLB in an inspection VPC.
In configuration questions, you might be asked about the steps to set up GWLB. For example: What is the first step when configuring a GWLB? Answer: Create the GWLB in a VPC subnet, then create a target group with the appliance instances, then configure listeners, then create a GWLBe endpoint in the spoke VPCs, and finally update route tables.
Some questions test understanding of health checks: What happens if a GWLB health check fails on one of three appliances? The GWLB stops sending new connections to that appliance, but existing connections are drained (connection draining). Troubleshooting questions might present a scenario where traffic is not being inspected.
For example: A company set up a GWLB but traffic bypasses it and goes directly to the destination. What is the most likely cause? Answer: The route tables in the spoke VPCs do not have a route pointing to the GWLB endpoint (GWLBe).
Another common trap: The security group or network ACL on the appliance instances is blocking the GENEVE traffic (port 6081) from the GWLB. Questions may also ask about symmetric routing: Why is it important for stateful firewalls? Because if only one direction passes through the firewall, the firewall will drop return traffic as it has no state.
GWLB solves this by ensuring both directions go through the same appliance. One more pattern: Compare GWLB to NLB. A question might say: An organization wants to load balance traffic to a fleet of firewall appliances.
Which service should they use and why? The answer is GWLB because it supports traffic flow through appliances and preserves source IP using GENEVE. NLB would not preserve the original source IP in the same way and is not designed for appliance chaining.
For exam candidates, the key is to read carefully: if the scenario mentions traffic inspection, security appliances, or centralized inspection, GWLB is likely the answer. If the question mentions simple load balancing of web servers, ALB or NLB is correct. Always look for keywords like "inspection", "firewall", "third-party appliance", "GENEVE", and "traffic chaining".
Practise GWLB Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called SecureCloud Inc. runs a fleet of web servers in multiple AWS VPCs. They have a security requirement: all traffic from the internet to their web servers must first pass through a next-generation firewall for malware inspection.
They also need all traffic between their VPCs to be inspected. Currently, they have two firewall appliances running on EC2 instances, each in a different Availability Zone for redundancy. SecureCloud’s network engineer decides to use a Gateway Load Balancer (GWLB) to route traffic through these appliances.
The engineer creates a GWLB in a centralized VPC called "Inspection-VPC". He creates a target group with the two firewall instances and sets a health check to confirm they are alive. Then he creates a listener on port 6081 (GENEVE).
In each of the other VPCs (the "Spoke-VPCs"), he creates a Gateway Load Balancer endpoint (GWLBe) and attaches it to a subnet. He then updates the route tables in the Spoke-VPCs so that internet-bound traffic and inter-VPC traffic is routed to the GWLBe instead of directly to the internet or to the other VPC. Now, when a user from the internet sends a request to SecureCloud’s web server, the packet arrives at the Spoke-VPC’s internet gateway.
The route table directs the packet to the GWLBe. The GWLBe forwards it to the GWLB, which then sends it to one of the healthy firewall appliances. After inspection, the firewall forwards the packet back to the GWLB, which then sends it to the actual web server.
The return traffic follows the same path in reverse, ensuring the firewall sees both directions. This scenario demonstrates how GWLB provides a scalable and redundant way to enforce security across multiple VPCs without changing the web server configurations. For the IT certification candidate, understanding this flow is essential for answering questions about centralized inspection architectures.
The example also shows the importance of health checks and cross-zone load balancing to maintain availability.
Common Mistakes
Confusing GWLB with a Network Load Balancer (NLB) and using NLB for appliance chaining.
NLB is designed for TCP/UDP traffic distribution to targets like EC2 instances, but it does not support traffic chaining through virtual appliances in the same way. NLB does not use GENEVE encapsulation, so the original packet headers are not preserved for the appliances. GWLB is specifically built for this purpose.
Always use GWLB when you need to send traffic through a chain of security appliances for inspection. Reserve NLB for simple load balancing of non-security workloads.
Forgetting to create Gateway Load Balancer endpoints (GWLBe) in spoke VPCs and assuming route tables can point directly to the GWLB.
The GWLB itself is not directly routable from other VPCs. You must create a GWLBe endpoint in each spoke VPC to allow traffic to reach the GWLB. Without the endpoint, traffic will not be forwarded to the inspection appliance.
In every VPC that needs to route traffic through the GWLB, create a GWLBe endpoint in the appropriate subnet and point the route table entries to that endpoint.
Thinking that GWLB performs deep packet inspection or content filtering.
GWLB is only a load balancer; it forwards traffic to target appliances. It does not inspect application-layer data. The actual inspection is done by the virtual appliances in the target group.
Understand that GWLB is a traffic forwarder. The security functions are provided by the appliances you deploy (e.g., Firewall, IDS/IPS). GWLB just makes sure the traffic gets to them efficiently.
Ignoring the GENEVE protocol requirement and using standard HTTP health checks on appliances.
GWLB uses the GENEVE protocol on port 6081 to encapsulate traffic. If you configure the appliances to only accept plain TCP or HTTP on port 80, they will not be able to process the encapsulated packets. Health checks can be HTTP/HTTPS, but the data traffic itself must be GENEVE.
Configure your appliances to accept GENEVE traffic on port 6081. For health checks, you can use a separate health check port (e.g., TCP 80) configured on the appliance to respond to GWLB health checks.
Assuming that GWLB automatically handles symmetric routing for stateful firewalls without additional configuration.
GWLB supports symmetric routing, but it must be explicitly configured. If the routing table in the inspection VPC does not send return traffic back through the same appliance, the firewall will see only half the connection and drop packets. Symmetric routing requires careful route table design.
Ensure both forward and return traffic routes go through the GWLB and the same appliance. Use the Gateway Load Balancer endpoint's Subnet associations to control traffic flow. Test with a single appliance first to confirm bidirectional traffic.
Exam Trap — Don't Get Fooled
{"trap":"A question asks: 'Which AWS load balancer should you use to distribute traffic to a fleet of virtual firewalls while preserving the original source IP of the client?'","why_learners_choose_it":"Learners often jump to Network Load Balancer (NLB) because they know NLB preserves the client IP address when used with targets in the same VPC. They assume that because NLB can preserve source IP, it is the right choice for firewalls."
,"how_to_avoid_it":"Remember that GWLB is the only AWS load balancer designed to chain traffic through virtual appliances. GWLB uses GENEVE encapsulation to preserve the original packet headers while still enabling the appliance to see the original source IP. NLB preserves source IP but does not have the same traffic-chaining capabilities as GWLB.
Always choose GWLB when the scenario involves third-party network appliances like firewalls, IDS/IPS, or other inspection tools."
Step-by-Step Breakdown
Step 1: Design the architecture
Decide on a centralized inspection model. Create a dedicated VPC (Inspection VPC) that will host the GWLB and the virtual appliances. The spoke VPCs (where the actual application servers run) will connect to the inspection VPC via VPC peering or Transit Gateway. Plan the IP address ranges to avoid overlaps.
Step 2: Deploy the virtual appliances
Launch EC2 instances (or containers) running the third-party firewall or IDS/IPS software in the Inspection VPC. Deploy them across multiple Availability Zones for high availability. Ensure they are configured to accept GENEVE traffic on port 6081 and that they respond to health check probes (e.g., TCP port 80).
Step 3: Create the Gateway Load Balancer
In the Inspection VPC, go to the AWS console or use CLI to create a GWLB. Choose a name, specify the VPC, and select the subnets (at least two AZs for HA). The GWLB will automatically generate a DNS name and node IPs.
Step 4: Create the target group and register appliances
Create a target group for the GWLB. Specify the protocol as GENEVE on port 6081. Register the appliance EC2 instances as targets. Set up health checks (e.g., HTTP on port 80) to monitor the health of each appliance. The GWLB will only send traffic to healthy targets.
Step 5: Configure the listener and rules
Create a listener on the GWLB that listens on port 6081 (GENEVE). Optionally, you can define rules to forward traffic to different target groups based on source IP or port. For most inspection scenarios, a single rule forwarding all traffic to the target group is sufficient.
Step 6: Create Gateway Load Balancer endpoints (GWLBe) in spoke VPCs
In each spoke VPC, create a VPC endpoint of type Gateway Load Balancer Endpoint. Associate it with a subnet in that spoke VPC. This endpoint acts as the entry point for traffic destined to the GWLB. Record the endpoint ID and the network interface IDs.
Step 7: Update route tables for traffic redirection
In each spoke VPC, modify the route tables associated with subnets containing the applications. Add a route for 0.0.0.0/0 (internet traffic) with the target being the GWLBe endpoint ID. Also add a route for the CIDR blocks of other spoke VPCs or on-premises networks pointing to the GWLBe. This forces traffic to go through the GWLB.
Step 8: Test and validate traffic flow
Send test traffic from a source in a spoke VPC or from the internet. Use tools like 'traceroute' or 'curl' to verify that traffic is passing through the appliance. Check the appliance logs to confirm it is receiving and inspecting packets. Also verify that return traffic follows the same path (symmetric routing).
Step 9: Monitor and scale
Use CloudWatch to monitor GWLB metrics (active connections, throughput). Set up alarms for appliance health. If traffic grows, add more appliance instances to the target group. The GWLB will automatically load balance across them. You can also enable Auto Scaling for the appliances based on CPU or connection count.
Practical Mini-Lesson
Gateway Load Balancer (GWLB) is a critical component for any organization that needs to enforce consistent security policies across a multi-VPC or hybrid cloud environment. In practice, a professional deploying GWLB must understand the interplay between routing, encapsulation, and load balancing. First, you need to decide on the placement of the GWLB and the appliances.
The recommended practice is to place the GWLB in a separate, dedicated inspection VPC. This VPC should be peered or connected via Transit Gateway to all the VPCs that require inspection. The reason for a separate VPC is to avoid routing loops and to keep the security boundary clear.
The appliances themselves should be deployed in at least two Availability Zones. Each appliance should be configured with two network interfaces: one for management (for health checks and updates) and one for data plane traffic (accepting GENEVE-encapsulated traffic). In production, the appliances must be carefully tuned.
The GENEVE encapsulation adds around 50 bytes of overhead per packet. This can affect the maximum transmission unit (MTU) settings. You may need to set a lower MTU (e.g., 1400) on the appliance instances to avoid fragmentation.
Also, the appliances must be able to handle the GENEVE header to extract the original packet information. Most major firewall vendors (Palo Alto, Check Point, Fortinet) support GENEVE in their AWS marketplace images. On the routing side, the most common mistake is not configuring symmetric routing.
For stateful firewalls, the same appliance must see both the request and the response. This means that the route tables in the inspection VPC must also point traffic back through the same GWLB. One way to achieve this is by using the GWLBe endpoint in the spoke VPC for both directions.
Another approach is to use a separate route table for the GWLB subnets that sends traffic back to the source via the same GWLBe. The health check configuration is another area where things can go wrong. The GWLB can perform TCP, HTTP, or HTTPS health checks on the appliance.
Typically, you configure the appliance to have a simple web server on a separate port (like port 8088) that responds with a status page. The GWLB health check then probes that port. If the appliance is overloaded or unhealthy, the GWLB will mark it as unhealthy and stop sending traffic.
However, you must also ensure that the health check packets do not go through the GENEVE tunnel; otherwise, they might not reach the appliance correctly. From a cost perspective, GWLB itself is free; you only pay for the data processed through it and the GWLB endpoint hours. This makes it efficient for scaling.
In practice, professionals should also set up CloudWatch alarms for high latency or low health check success rates. If an appliance consistently fails health checks, it may be due to a misconfiguration (wrong GENEVE listener) or resource exhaustion (CPU, memory). Troubleshooting steps include checking the security groups and network ACLs on the appliance subnets to ensure they allow traffic from the GWLB subnets on port 6081.
Also, verify that the route tables in the spoke VPCs have the correct target (the GWLBe ID, not the GWLB’s IP address). Finally, logging and monitoring are essential. Enable VPC Flow Logs to see if traffic is being directed to the GWLB.
Check the appliance logs to confirm they are receiving the packets. In a certification exam context, you will likely be asked to identify the cause of a traffic failure. Common culprits are missing routes, security group blocks, or wrong health check configuration.
By understanding these practical details, you will be prepared for both real-world deployment and exam scenarios.
Memory Tip
Think 'Gateway Load Balancer = Gateway to Inspection'. It's the middleman that makes sure traffic never skips the security checkpoint.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
What is the difference between GWLB and AWS Network Firewall?
AWS Network Firewall is a managed firewall service that inspects traffic with stateful rules. GWLB is a load balancer that sends traffic to third-party appliances. They can be used together, but they are different services. Network Firewall is fully managed; GWLB gives you more control over the inspection software.
Does GWLB work with on-premises traffic?
Yes, if you have a VPN or Direct Connect connection, you can route on-premises traffic through a GWLB endpoint in a VPC. The traffic will then be inspected before reaching the VPC resources or going back on-premises.
Can I use GWLB with containers?
Yes, you can run your virtual appliances as containers on Amazon ECS or EKS, as long as they accept GENEVE traffic on port 6081. The container instances must be in a target group registered with the GWLB.
What happens if all appliances in a target group become unhealthy?
If no appliance is healthy, the GWLB will reject incoming connections. No traffic will be forwarded, and clients will receive a connection timeout. To avoid this, you should have at least two appliances in different AZs and configure proper health checks.
Is GWLB available in all AWS Regions?
GWLB is available in most commercial AWS Regions, but not in all. You should check the AWS Regional Services list for the specific Region you are using. It is also available in AWS GovCloud regions.
Can I use GWLB without GENEVE?
No, GWLB uses GENEVE encapsulation to preserve the original packet headers. The target appliances must support GENEVE. If your appliance only supports VXLAN or GRE, it may not work with GWLB. Check the vendor documentation.
How do I ensure symmetric routing with GWLB?
Symmetric routing requires that both forward and return traffic go through the same appliance. You can achieve this by using the same GWLB endpoint for both directions and by ensuring that the route tables in the inspection VPC send return traffic back through the same GWLB. Testing with a single appliance can help verify the setup.
Summary
Gateway Load Balancer (GWLB) is an AWS service designed to simplify and scale the inspection of network traffic through third-party virtual appliances like firewalls and IDS/IPS. It operates at the network layer (Layer 3/4) and uses the GENEVE protocol to encapsulate traffic while preserving the original packet headers, allowing appliances to see real source and destination addresses. GWLB is deployed in a centralized inspection VPC and uses VPC endpoints (GWLBe) in spoke VPCs to attract traffic.
This creates a transparent, scalable, and highly available inspection path for all traffic entering or leaving the spoke VPCs, as well as traffic between VPCs or from on-premises networks. For IT certification candidates, especially those pursuing AWS Solutions Architect or Security certifications, understanding GWLB is essential for answering questions about centralized inspection architectures, compliance requirements, and high-availability design. Common exam topics include health checks, symmetric routing, the role of GENEVE, and the difference between GWLB and other load balancers.
Practical implementation steps include creating the GWLB, setting up target groups, configuring route tables, and troubleshooting connectivity issues. By mastering these concepts, learners can confidently design secure, scalable cloud networks that meet enterprise security needs. The key exam takeaway is to recognize scenarios that require traffic inspection and to choose GWLB as the solution, not an ALB or NLB.
With practice and a solid understanding of the architecture, GWLB becomes a powerful tool in any cloud professional’s toolkit.