When traffic is forwarded through Gateway Load Balancer to your firewall appliances, the targets see the original client source IP address, not just the tunnel endpoint IP. This is a key feature of Gateway Load Balancer's design.
Gateway Load Balancer operates as a transparent layer 3 load balancer and uses GENEVE encapsulation to forward traffic to your target appliances. The GENEVE tunnel preserves the original packet headers, including the source IP address, so your firewall appliances receive the complete original packet information.
This means your third-party firewalls can:
- Log the actual client source IP addresses
- Enforce security policies based on the true source IP
- Perform accurate threat analysis and forensics
However, it's important to note that Gateway Load Balancer itself does not generate access logs since it's a transparent layer 3 load balancer that doesn't terminate flows. To capture detailed traffic information, you'll need to enable access logging directly on your Gateway Load Balancer target appliances (your firewalls). Additionally, you can enable VPC Flow Logs on the Gateway Load Balancer for additional visibility into traffic patterns.
This source IP preservation is particularly valuable when you're performing both ingress and egress inspection, as it allows your firewall appliances to maintain full visibility of the original traffic characteristics for proper security policy enforcement and logging.
Sources
Source IP visibility for combined Ingress and Egress inspection Architectures | AWS re:Post
Monitor your Gateway Load Balancers - Elastic Load Balancing
Gateway Load Balancer forwards traffic using GENEVE encapsulation. The firewall appliances receive an outer packet (GWLB tunnel endpoints) and an inner packet (original client traffic).
Policy enforcement and logging depend on the appliance inspecting the inner packet, not the outer tunnel headers.
In practice this means:
- AWS preserves the original source and destination IPs inside the GENEVE payload
- Your firewall must explicitly support GENEVE decapsulation to see those original addresses
- If GENEVE isn’t handled correctly by the appliance, you’ll only observe the tunnel IPs, which typically results in broken IP-based rules and misleading logs
A common validation step is to capture packets on the appliance interface and confirm visibility of the inner headers, rather than assuming preservation based on architecture alone.
Also worth noting: Gateway Load Balancer itself does not terminate connections or provide flow-level access logs. Visibility must come from the inspection appliances, with VPC Flow Logs only confirming that traffic traversed the GWLB path—not what the appliance ultimately allowed or denied.
This design enables transparent inline inspection while maintaining symmetric routing, but correct appliance integration is critical for meaningful source-IP-based policy enforcement.
Documentation:
How Gateway Load Balancer works https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html
AWS Networking blog – integrate appliance with GWLB https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-your-custom-logic-or-appliance-with-aws-gateway-load-balancer/?utm_source=chatgpt.com
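Both answers above make the same point: the original client addresses exist only inside the GENEVE payload, so an appliance (or a capture on its interface) that stops at the outer headers sees nothing but tunnel endpoints. The following is an added example, not code from either answer or from AWS: a small GENEVE decapsulator that walks outer IPv4, UDP/6081, the GENEVE header and its options, then the inner IPv4 packet, and reports outer versus inner source addresses side by side. The frame it parses is constructed inline; the addresses, VNI and the option class/type/cookie value are made up for illustration and are not taken from any real deployment.

```python
import ipaddress
import struct

GENEVE_UDP_PORT = 6081      # RFC 8926 destination port used by GWLB
ETHERTYPE_IPV4 = 0x0800     # GWLB carries the raw IP packet, not an Ethernet frame
PROTO_UDP = 17
PROTO_TCP = 6


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_option(opt_class: int, opt_type: int, data: bytes) -> bytes:
    """GENEVE TLV option; length field counts 4-byte words of data."""
    assert len(data) % 4 == 0, "option data must be 4-byte aligned"
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def build_geneve(vni: int, inner: bytes, options: bytes = b"") -> bytes:
    """GENEVE header (version 0, Opt Len in 4-byte words) + options + inner packet."""
    first_byte = (0 << 6) | (len(options) // 4)
    return (struct.pack("!BBH", first_byte, 0, ETHERTYPE_IPV4)
            + struct.pack("!I", vni << 8) + options + inner)


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def parse_geneve(data: bytes) -> dict:
    """Decode the GENEVE base header and its option TLVs; return the inner packet."""
    if data[0] >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (data[0] & 0x3F) * 4
    ethertype = struct.unpack("!H", data[2:4])[0]
    vni = struct.unpack("!I", data[4:8])[0] >> 8
    options, pos, end = [], 8, 8 + opt_len
    while pos < end:
        opt_class, opt_type, flags_len = struct.unpack("!HBB", data[pos:pos + 4])
        length = (flags_len & 0x1F) * 4
        options.append((opt_class, opt_type, data[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return {"vni": vni, "ethertype": ethertype, "options": options, "inner": data[end:]}


def outer_only_view(frame: bytes) -> dict:
    """What an appliance sees if it never decapsulates GENEVE: tunnel IPs only."""
    outer = parse_ipv4(frame)
    return {"src": outer["src"], "dst": outer["dst"]}


def inspect(frame: bytes) -> dict:
    """Full decapsulation: outer IPv4 -> UDP/6081 -> GENEVE -> inner IPv4."""
    outer = parse_ipv4(frame)
    if outer["proto"] != PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = outer["payload"]
    if struct.unpack("!H", udp[2:4])[0] != GENEVE_UDP_PORT:
        raise ValueError("not a GENEVE port")
    geneve = parse_geneve(udp[8:])
    if geneve["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    inner = parse_ipv4(geneve["inner"])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "inner_proto": inner["proto"], "vni": geneve["vni"],
            "options": geneve["options"]}


def build_sample_frame() -> bytes:
    """Constructed GWLB-style frame: tunnel 10.0.1.10 -> 10.0.1.50 wrapping a
    client 203.0.113.25 -> 10.0.2.40 TCP/443 SYN. All values are made up."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = build_ipv4("203.0.113.25", "10.0.2.40", PROTO_TCP, tcp)
    opts = build_option(0x0108, 3, b"\x00\x00\xbe\xef")   # illustrative TLV only
    geneve = build_geneve(0x000123, inner, opts)
    udp = struct.pack("!HHHH", 50000, GENEVE_UDP_PORT, 8 + len(geneve), 0) + geneve
    return build_ipv4("10.0.1.10", "10.0.1.50", PROTO_UDP, udp)


if __name__ == "__main__":
    frame = build_sample_frame()
    print("outer only :", outer_only_view(frame))   # tunnel endpoints
    print("decapsulated:", inspect(frame))          # real client address
```

Run against a real capture, the difference between `outer_only_view` and `inspect` is exactly the validation step the second answer recommends: if the appliance's rule engine or logs show the `outer_src` value, GENEVE is not being handled and any source-IP policy is matching the GWLB endpoint rather than the client.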
