Which firewall appliances will work with Gateway Load Balancer?

Question

I noticed this section in the [recent blog][1] introducing AWS Gateway Load Balancer:

> You can integrate to GWLB by supporting GENEVE protocol in your
> appliance, implementing software to decode/encode GWLB metadata, and
> performing interoperability testing of your appliances in the AWS
> environment. For more information, please get in touch with your AWS
> partner team.

I have two questions:

1. Is GENEVE support common among commercial appliances? Can we expect that most appliance will just work with GWLB off the shelf, or are vendors going to have to add support for it?

2. I'm trying to understand how GWLB works with traditional firewall appliances which have an "inside" and "outside" network interface (traffic is received from the Internet on the "outside" interface and routed to a location in the private network from the "inside" interface). How would traffic flow from the GWLB and would the appliance need a single network interface?

[1]: https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances

Accepted Answer

For (1), GENEVE is not very common as it is a relatively new protocol. The launch partners for GWLB are listed on [the announcement page](https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances/) - I'm sure there will be more but customers need to talk with their chosen firewall vendor.

For (2) why does the definition of "inside" and "outside" matter? In the traditional firewall world those definitions really come from the traffic flows and with GWLB it is the same way - it is an arbitrary notion of which side is which and what normally happens is that the "inside-to-outside" flows (i.e. those that are initiated from a customer's internal network) are generally more permissive than "outside-to-inside" flows. But from the firewall's perspective there isn't much difference between them.

Admittedly, in some vendor solutions you define a "high security" and "low security" interface. But in my experience that's a little unusual as compared to others.

What the customer will probably be doing is defining which IP addresses (individual, subnets, groups) can communicate with others and that implies inside/outside relevance.

Which firewall appliances will work with Gateway Load Balancer?

관련 콘텐츠