
PrivateLink:Access network virtual appliances

Last Updated: Jun 12, 2026

GWLB distributes traffic to a group of network virtual appliances, such as firewalls, intrusion detection systems (IDS), traffic mirroring systems, and deep packet inspection (DPI) systems. This provides security inspection and protection with high availability. A service provider creates an endpoint service and specifies a GWLB instance as the service resource. A service consumer then creates a GWLB endpoint (GWLBe) to establish a connection with the endpoint service.

  • Decouple services from security: Deploy and manage your service network and security infrastructure independently, and connect them privately using PrivateLink.

  • Transparent security inspection: GWLB operates as a Layer 3 gateway. The source and destination IP addresses of the traffic remain unchanged during security inspection. This eliminates the need to modify client or backend service configurations.

  • Eliminate single points of failure: With GWLB, you can deploy security appliances in a high-availability configuration. If an appliance fails, traffic is automatically routed to a healthy one, preventing appliance failures from disrupting your service.

  • Elastic scaling: You can add or remove network virtual appliances behind a GWLB instance at any time to match traffic volume, without changing the network architecture of your service VPC.

How it works

  • A service provider deploys a GWLB instance and backend network virtual appliances in a security VPC. Then, the service provider creates an endpoint service and specifies the GWLB instance as the service resource to provide security inspection.

  • A service consumer creates a GWLBe in a service VPC. After the GWLBe is connected to the endpoint service, the service consumer configures routes to steer inbound and outbound traffic from the VPC to the network virtual appliances for security inspection.

    • The system creates an endpoint ENI in the vSwitch where the GWLBe is located.

    • All traffic that enters the service VPC through an IPv4 gateway is first directed to the GWLBe based on the routes in the gateway route table. The traffic is then forwarded via PrivateLink to the GWLB instance, which distributes the traffic to backend network virtual appliances for inspection. After inspection, the traffic is routed back to the GWLBe and then to the application servers in the service VPC.


IPv4 inbound traffic

1. IPv4 traffic enters the service VPC through an IPv4 gateway.

2. The gateway route table directs the traffic to the GWLBe.

3. The GWLBe forwards the traffic to the GWLB instance, which then forwards the traffic to a security appliance.

4. After inspection, the security appliance returns the traffic to the GWLB instance, which then forwards it to the GWLBe through PrivateLink.

5. The GWLBe's vSwitch route table then sends the traffic to the service servers.

IPv4 outbound traffic

1. The service server's vSwitch route table sends the traffic to the GWLBe.

2. The GWLBe sends the traffic to the GWLB instance, which then forwards the traffic to a security appliance.

3. After inspection, the security appliance returns the traffic to the GWLB instance, which then forwards it to the GWLBe through PrivateLink.

4. The GWLBe's vSwitch route table then sends the traffic to the IPv4 gateway.

5. The IPv4 gateway routes the traffic to the internet.

Prerequisites

  • PrivateLink is enabled.

  • A VPC and a GWLB instance are created:

    • The GWLB instance has a listener and a backend server group configured.

    • The security group of the backend servers (network virtual appliances) of the GWLB instance must allow traffic on UDP port 6081 (the Geneve protocol port), and on the ports and protocols required for health checks.

    • Make sure that the instance type of the ECS instances used for the network virtual appliances supports jumbo frames. The Geneve encapsulation adds 68 bytes to the original data packet, which may cause the packet size to exceed 1,500 bytes.

  • When the service resource is a GWLB, see Regions and availability zones that support PrivateLink.

Access network virtual appliances using PrivateLink

The service provider creates an endpoint service. The service consumer creates a GWLBe and configures routes to steer traffic from the service VPC to the network virtual appliances for security inspection.

Console

Provider: Create endpoint service

  1. Go to the Create endpoint service page in the PrivateLink console.

    • Region: Select the region where the network virtual appliances are deployed.

    • Service Resource Type: Select GWLB. For high availability, add Service Resources in multiple availability zones.

    • Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests when a service consumer creates a GWLBe to access the network virtual appliances. Changing this setting after the endpoint service is created does not affect existing connections.

      • Yes: When a service consumer creates a GWLBe to connect to the service, the connection is automatically established.

      • No: The service provider must manually approve connection requests.

    • IP Version: Only IPv4 is supported.

    • Service Payer: Select the party that pays for the PrivateLink connection. By default, the service consumer is the payer. This setting cannot be changed after it is confirmed.

  2. After you create an endpoint service, you must configure a service whitelist to allow cross-account users to initiate connection requests to the endpoint service.

    On the details page of the endpoint service, click the Service Whitelist tab. Then, click Add to Whitelist to specify the users who can access the service.

    • Enter *: All users can send connection requests to the endpoint service.

    • Enter account UIDs: Only the specified users can send connection requests to the endpoint service.

Consumer: Create GWLBe

  1. Go to the Endpoints - Create endpoint page.

  2. Configure the GWLBe:

    • Region: Select the region where you want to create the GWLBe. This must be the same region where the endpoint service is located.

    • Type: Select Other Endpoint Services and verify the endpoint service by its name. After successful verification, you can access the service.

    • Network Settings:

      • Select an availability zone in which the endpoint service is available. These are the availability zones of the endpoint service's service resources.

      • You can specify an IP address from the vSwitch for the elastic network interface in the endpoint's availability zone. If you do not specify an IP address, the system assigns one by default. You cannot specify a system-reserved address of the vSwitch for the elastic network interface.

      • IP Version: Only IPv4 is supported.

Configure routes

Configure routes for the service VPC where the GWLBe is deployed to steer inbound and outbound traffic to the GWLBe. The traffic is then forwarded through PrivateLink to the network virtual appliances for security inspection.

Configure a gateway route table

  1. Create an IPv4 gateway and associate a gateway route table with it.

  2. Go to the Route Tables page and click the ID of the target gateway route table to go to its details page.

  3. Click the Route Entry List > System Route tab. Find the system route for the target vSwitch CIDR block and click Edit in the Actions column. Change the next hop to the GWLBe. After the modification, the route entry appears on the Custom Route tab.

Configure vSwitch route tables

  1. Procedure:

    1. Go to the Route Tables page and click the ID of the target vSwitch route table to go to its details page.

    2. Click the Route Entry List > Custom Route tab. Click Add Route Entry to configure the destination CIDR block and next hop.

  2. Route configuration:

    • Route table for the service ECS instance's vSwitch: destination CIDR 0.0.0.0/0, next hop the GWLBe.

    • Route table for the GWLBe's vSwitch: destination CIDR 0.0.0.0/0, next hop the IPv4 gateway.

API

  • The service provider calls the CreateVpcEndpointService operation to create an endpoint service. Set ServiceResourceType to gwlb.

  • The service consumer calls the CreateVpcEndpoint operation to create a GWLBe. Set EndpointType to GatewayLoadBalancer.

  • Call the UpdateGatewayRouteTableEntryAttribute operation to modify the next hop type and ID in the gateway route table. Set NextHopType to GatewayLoadBalancerEndpoint and NextHopId to the ID of the GWLBe.

  • Call the CreateRouteEntry operation to create a custom route entry for a vSwitch route table.

    • For the service ECS instance's vSwitch route table: set NextHopType to GatewayLoadBalancerEndpoint and NextHopId to the ID of the GWLBe.

    • For the route table of the GWLBe's vSwitch: set NextHopType to Ipv4Gateway and NextHopId to the ID of the IPv4 gateway.

Ensure high availability

  • Endpoint service: The GWLB instance and its backend network virtual appliances can be deployed in multiple availability zones. If the network virtual appliances in one availability zone fail, traffic is automatically distributed to healthy appliances in other availability zones. This ensures the high availability of the security inspection service.

  • Endpoint: A GWLBe directs traffic based on the next hop in a route table. In a multi-availability zone deployment, configure the service subnet in each availability zone to use the GWLBe in the same availability zone as the next hop. In the IPv4 gateway route table, each service subnet should also point to the GWLBe in the corresponding availability zone. This ensures precise, zone-aware traffic routing.


Console

Provider: Multi-AZ service resources

  • When you create the endpoint service, select GWLB instances in multiple availability zones as service resources.

  • After the endpoint service is created, click its ID. On the Basic Information tab, click Add Service Resource, and then select an availability zone and the corresponding GWLB instance.

Consumer: Create GWLBe per AZ

  • Create a separate GWLBe for each availability zone and select a vSwitch within that availability zone.

  • Create a separate route table for the service vSwitch in each availability zone, and point the 0.0.0.0/0 route to the GWLBe in the same availability zone. In the IPv4 gateway route table, point each service subnet to the GWLBe in its corresponding availability zone.

A GWLBe directs traffic based on the next hop in a route table. Each availability zone requires a separate GWLBe instance. You cannot add an availability zone to an existing GWLBe.
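The route configuration above (the "Configure routes" procedure and its API calls, and the per-zone rules in "Ensure high availability") is easy to get subtly wrong: a service vSwitch whose default route points at a GWLBe in another zone, or a GWLBe vSwitch with no return route to the IPv4 gateway, silently bypasses inspection or black-holes traffic. The following is an added example, not Alibaba Cloud code, that emits the per-zone route-entry calls for a symmetric, zone-local design and audits an existing set of routes for those mistakes. The inventory and resource IDs are constructed placeholders; the NextHopType values come from this page, while the other parameter names (RouteTableId, GatewayRouteTableId, DestinationCidrBlock) are assumptions about the route APIs.

```python
"""Zone-aware route plan and audit for GWLB endpoints (GWLBe).

Added example, not Alibaba Cloud code. The inventory is constructed and
the resource IDs are placeholders. NextHopType values come from the page;
RouteTableId, GatewayRouteTableId and DestinationCidrBlock are assumed
parameter names.
"""
from dataclasses import dataclass
from typing import Optional

GWLBE_HOP = "GatewayLoadBalancerEndpoint"
IGW_HOP = "Ipv4Gateway"
DEFAULT = "0.0.0.0/0"


@dataclass
class ZoneInventory:
    zone_id: str
    service_cidr: str          # CIDR of the service vSwitch in this zone
    service_rt: str            # route table bound to that service vSwitch
    gwlbe_rt: str              # route table bound to the GWLBe's vSwitch
    gwlbe_id: Optional[str]    # GWLBe created in this zone, None if missing


def plan_routes(zones, gateway_rt, igw_id):
    """Emit the per-zone route-entry calls for a symmetric, zone-local design."""
    calls = []
    for z in zones:
        if z.gwlbe_id is None:
            # A GWLBe cannot be extended to another zone, so every zone needs its own.
            raise ValueError(f"{z.zone_id}: no GWLBe in this zone")
        # Inbound: the gateway route table sends this subnet's CIDR to the zone-local GWLBe.
        calls.append({"Action": "UpdateGatewayRouteTableEntryAttribute",
                      "GatewayRouteTableId": gateway_rt,
                      "DestinationCidrBlock": z.service_cidr,
                      "NextHopType": GWLBE_HOP, "NextHopId": z.gwlbe_id})
        # Outbound: the service vSwitch's default route goes to the same-zone GWLBe.
        calls.append({"Action": "CreateRouteEntry", "RouteTableId": z.service_rt,
                      "DestinationCidrBlock": DEFAULT,
                      "NextHopType": GWLBE_HOP, "NextHopId": z.gwlbe_id})
        # Return leg: the GWLBe vSwitch's default route goes to the IPv4 gateway.
        calls.append({"Action": "CreateRouteEntry", "RouteTableId": z.gwlbe_rt,
                      "DestinationCidrBlock": DEFAULT,
                      "NextHopType": IGW_HOP, "NextHopId": igw_id})
    return calls


def audit_routes(routes, zones, igw_id):
    """Return findings for routes that break zone affinity or leave a black hole."""
    zone_of_gwlbe = {z.gwlbe_id: z.zone_id for z in zones if z.gwlbe_id}
    findings = []

    def default_routes(rt_key, rt_id):
        return [r for r in routes
                if r.get(rt_key) == rt_id and r["DestinationCidrBlock"] == DEFAULT]

    for z in zones:
        out = default_routes("RouteTableId", z.service_rt)
        if not out:
            findings.append(f"{z.zone_id}: service vSwitch has no default route, traffic bypasses inspection")
        for r in out:
            if r["NextHopType"] != GWLBE_HOP or zone_of_gwlbe.get(r["NextHopId"]) != z.zone_id:
                findings.append(f"{z.zone_id}: outbound next hop {r['NextHopId']} is not the zone-local GWLBe")
        back = [r for r in default_routes("RouteTableId", z.gwlbe_rt)
                if r["NextHopType"] == IGW_HOP and r["NextHopId"] == igw_id]
        if not back:
            findings.append(f"{z.zone_id}: GWLBe vSwitch has no default route to the IPv4 gateway (black hole)")
        inbound = [r for r in routes if "GatewayRouteTableId" in r
                   and r["DestinationCidrBlock"] == z.service_cidr]
        if not inbound:
            findings.append(f"{z.zone_id}: gateway route table does not steer {z.service_cidr} to a GWLBe")
        for r in inbound:
            if zone_of_gwlbe.get(r["NextHopId"]) != z.zone_id:
                findings.append(f"{z.zone_id}: inbound next hop {r['NextHopId']} is not the zone-local GWLBe")
    return findings


def sample_zones():
    """Constructed two-zone inventory with placeholder IDs."""
    return [ZoneInventory("zone-a", "10.0.1.0/24", "vtb-svc-a", "vtb-gwlbe-a", "ep-gwlbe-a"),
            ZoneInventory("zone-b", "10.0.2.0/24", "vtb-svc-b", "vtb-gwlbe-b", "ep-gwlbe-b")]


if __name__ == "__main__":
    zones = sample_zones()
    calls = plan_routes(zones, "vtb-gw-example", "igw-example")
    print(audit_routes(calls, zones, "igw-example"))   # [] for the planned design
```

Feed audit_routes the routes you actually read back from the route tables, not the plan, before cutting traffic over; the audit is what catches a default route that was left pointing at the old next hop or at a GWLBe in the wrong zone.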

API

Manage service resources

After an endpoint service is created, you can add or remove service resources (GWLB instances) to scale the availability of your security inspection service across availability zones as needed.

Console

Add a service resource

  1. Go to the Endpoint Services list page and click the ID of the target endpoint service to go to its details page.

  2. On the Basic Information tab, in the Service Resource section, click Add Service Resource. Select an availability zone and the corresponding GWLB instance.

Remove a service resource

On the Basic Information tab of the target endpoint service, in the Service Resource section, find the target service resource and click Delete in the Actions column. This removes the resource from the endpoint service but does not delete the resource instance itself.

A service resource that is associated with an endpoint availability zone cannot be removed directly. Disconnect the endpoint connection first.

API

Stop accessing network virtual appliances

If you no longer need to steer traffic to network virtual appliances through a GWLBe, you must release the resources in the following order to prevent routing black holes that can interrupt your services.

Console

  1. Revert route configurations: Go to the Route Tables page and delete the custom route entries in the gateway and vSwitch route tables that point to the GWLBe or IPv4 gateway.

  2. Delete the GWLBe: Go to the Endpoints list page, find the target GWLBe, and click Delete in the Actions column.

  3. Delete the endpoint service: Go to the Endpoint Services list page, find the target endpoint service, and click Delete in the Actions column.

API

  1. Call the DeleteRouteEntry operation to delete the custom route entries.

  2. Call the DeleteVpcEndpoint operation to delete the GWLBe.

  3. Call the DeleteVpcEndpointService operation to delete the endpoint service.

More information

Configure network virtual appliances

GWLB operates transparently at Layer 3 of the OSI model. The backend network virtual appliance must be able to handle service traffic encapsulated with the Geneve protocol.
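What "handle service traffic encapsulated with the Geneve protocol" means for an appliance author is shown in the following added example (not Alibaba Cloud code): a backend receives the Geneve packet on UDP port 6081, validates the 8-byte base header and the option TLVs (RFC 8926), inspects the inner IPv4 packet without rewriting its addresses, and either drops it or hands it back wrapped in the identical header. It also applies the page's 68-byte overhead figure to decide whether jumbo frames are required. The sample packet is constructed. Assumptions not stated on the page: the inner payload is a raw IPv4 packet (protocol type 0x0800, consistent with a Layer 3 gateway), the option class value is arbitrary, and the appliance must return the packet with the original options unchanged; the page does not describe the option contents.

```python
"""Geneve decapsulation and re-encapsulation for a GWLB backend appliance.

Added example, not Alibaba Cloud code. The sample packet is constructed.
Assumed: inner payload is raw IPv4 (protocol type 0x0800), the option
class value is arbitrary, and the return packet reuses the original
Geneve header and options verbatim.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GENEVE_UDP_PORT = 6081
GENEVE_OVERHEAD = 68          # bytes added by encapsulation, per the page
ETHERTYPE_IPV4 = 0x0800


@dataclass
class GeneveFrame:
    flags: int        # byte 1 of the base header: O and C bits plus reserved bits
    protocol: int     # Geneve protocol type of the inner payload
    vni: int          # 24-bit virtual network identifier
    options: bytes    # raw TLV options, preserved verbatim for the return leg
    inner: bytes      # inner packet


def parse_options(opts: bytes):
    """Walk the variable-length options as (class, type, data) and validate lengths."""
    out, i = [], 0
    while i < len(opts):
        if len(opts) - i < 4:
            raise ValueError("truncated Geneve option header")
        cls, typ, flen = struct.unpack("!HBB", opts[i:i + 4])
        dlen = (flen & 0x1F) * 4                    # length field is in 4-byte units
        if i + 4 + dlen > len(opts):
            raise ValueError("Geneve option data runs past option area")
        out.append((cls, typ, opts[i + 4:i + 4 + dlen]))
        i += 4 + dlen
    return out


def decapsulate(udp_payload: bytes) -> GeneveFrame:
    """Parse the 8-byte Geneve base header and split options from the inner packet."""
    if len(udp_payload) < 8:
        raise ValueError("short Geneve header")
    b0, flags, proto, vni_rsvd = struct.unpack("!BBHI", udp_payload[:8])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported Geneve version {b0 >> 6}")
    opt_end = 8 + (b0 & 0x3F) * 4                   # Opt Len is in 4-byte units
    if len(udp_payload) < opt_end:
        raise ValueError("Geneve options run past packet end")
    options = udp_payload[8:opt_end]
    parse_options(options)                          # reject malformed TLVs before inspection
    return GeneveFrame(flags, proto, vni_rsvd >> 8, options, udp_payload[opt_end:])


def encapsulate(frame: GeneveFrame) -> bytes:
    """Rebuild the packet for the return leg with the original header and options."""
    base = struct.pack("!BBHI", len(frame.options) // 4, frame.flags,
                       frame.protocol, frame.vni << 8)
    return base + frame.options + frame.inner


def inner_ipv4(pkt: bytes) -> dict:
    """Extract the fields an inspection policy keys on from the inner IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9], "total_len": total_len}


def needs_jumbo_frames(inner_len: int, mtu: int = 1500) -> bool:
    """True when Geneve overhead pushes the encapsulated packet past the interface MTU."""
    return inner_len + GENEVE_OVERHEAD > mtu


def inspect(udp_payload: bytes, allow) -> Optional[bytes]:
    """Decapsulate, apply allow(src, dst, proto), and return the packet to send back
    (None when dropped). Inner addresses are never rewritten, so the inspection is
    transparent to both the client and the backend service."""
    frame = decapsulate(udp_payload)
    if frame.protocol != ETHERTYPE_IPV4:
        return None
    hdr = inner_ipv4(frame.inner)
    if not allow(hdr["src"], hdr["dst"], hdr["proto"]):
        return None
    return encapsulate(frame)


def sample_packet() -> bytes:
    """Constructed input: Geneve(VNI 1, one 4-byte option) around an ICMP echo request."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                     bytes([10, 0, 1, 10]), bytes([203, 0, 113, 5]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    option = struct.pack("!HBB", 0x0102, 1, 1) + b"\x00\x00\x00\x2a"   # class/type arbitrary
    base = struct.pack("!BBHI", len(option) // 4, 0x00, ETHERTYPE_IPV4, 1 << 8)
    return base + option + ip + icmp
```

In a real appliance the UDP socket bound to port 6081 must be reachable through the backend security group (the prerequisite above), and the inspection policy is whatever the appliance does; the point of the block is that the Geneve header and options are parsed, validated and echoed rather than stripped or rewritten.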

Deployment recommendations

When you deploy a GWLB instance, we recommend that you enable the following features:

  • GWLB health check: Automatically detects the availability of backend network virtual appliances. If an appliance becomes unhealthy, requests are automatically routed to healthy appliances.

  • Connection draining: Smoothly handles existing connections when a backend network virtual appliance is removed.

  • Flow rebalancing: Reroutes existing traffic flows to healthy backend appliances when a backend network virtual appliance fails or is removed.