
Server Load Balancer: What is GWLB?

Last Updated: May 27, 2026

Gateway Load Balancer (GWLB) is a Layer 3 load balancing service that listens on all ports of a specific IP address and distributes traffic to network virtual appliances (NVAs) in backend server groups, ensuring NVA high availability. GWLB supports firewalls, intrusion detection systems, traffic mirroring, and deep packet inspection appliances.

GWLB components


| Component | Description |
| --- | --- |
| Instance | GWLB is a Layer 3 (network layer) load balancer in the OSI model that transparently distributes traffic across backend servers, enhancing application security and availability. |
| Listener | GWLB listens for traffic directed to all ports of a specific IP address and forwards the traffic to backend server groups via the Geneve protocol. A GWLB instance supports only one listener. |
| Server Group | A server group contains one or more Geneve-compatible backend servers that process traffic distributed by GWLB. Server groups are independent of GWLB instances and can be associated with multiple GWLB instances. Supported backend types include Elastic Compute Service (ECS) instances, elastic container instances, elastic network interfaces (ENIs), and IP addresses. GWLB performs health checks on backend servers and stops forwarding traffic to unhealthy ones. GWLB health check configurations include the protocol, port, and thresholds. |

How GWLB works


GWLB instances must work with the GWLB endpoint (GWLBe) provided by the PrivateLink service. The GWLBe is a VPC endpoint type that establishes a private connection between a business VPC and a security VPC, routing traffic to the GWLB instance in the security VPC for distribution.

The GWLBe controls traffic flow using route tables. Incoming traffic is routed to the GWLB instance by the GWLBe, inspected and filtered by backend NVAs, returned to the GWLBe by the GWLB instance, and forwarded to the application.

GWLB listens for IP packets on all ports and distributes the traffic to backend server groups via IP listeners. The supported scheduling algorithms are a five-tuple hash (source IP, destination IP, protocol, source port, destination port), a three-tuple hash (source IP, destination IP, protocol), and a two-tuple hash (source IP, destination IP). Packets with the same hash value are routed to the same backend NVA.
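The following sketch shows how the choice of tuple decides which NVA sees which traffic between one pair of hosts. It is an example added here, not Alibaba Cloud code: the SHA-256-modulo hash, the `pick_nva` and `nvas_seen` helpers, the NVA names and the sample addresses are all assumptions.

```python
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port")

# Header fields hashed by each scheduling mode, as listed in the text above.
MODES = {
    "five-tuple": ("src_ip", "dst_ip", "proto", "src_port", "dst_port"),
    "three-tuple": ("src_ip", "dst_ip", "proto"),
    "two-tuple": ("src_ip", "dst_ip"),
}

def pick_nva(pkt, mode, nvas):
    """Choose one NVA from the hash of the fields the mode covers.

    SHA-256 modulo the group size is an assumption made for this sketch;
    it is not GWLB's actual hash function.
    """
    key = "|".join(str(getattr(pkt, field)) for field in MODES[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return nvas[int.from_bytes(digest[:8], "big") % len(nvas)]

def nvas_seen(packets, mode, nvas):
    """Return the set of NVAs that receive at least one of the packets."""
    return {pick_nva(p, mode, nvas) for p in packets}

# Constructed sample: one client/server pair, 200 TCP connections from
# different source ports plus 50 UDP flows, and a group of four NVAs.
NVAS = ["nva-a", "nva-b", "nva-c", "nva-d"]
TCP = [Packet("10.0.1.15", "10.0.2.20", "tcp", 40000 + i, 443) for i in range(200)]
UDP = [Packet("10.0.1.15", "10.0.2.20", "udp", 50000 + i, 53) for i in range(50)]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:11}  TCP -> {sorted(nvas_seen(TCP, mode, NVAS))}  "
              f"TCP+UDP -> {sorted(nvas_seen(TCP + UDP, mode, NVAS))}")
```

In this model the two-tuple hash sends every packet between the host pair to one appliance, while the five-tuple hash spreads the pair's connections across the group, which matters for an NVA that correlates several connections between the same hosts.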

NVA providers

GWLB supports the integration of third-party NVAs into backend server groups to monitor and filter incoming traffic.

Use cases

Deploying Internet firewalls with GWLB

To defend against complex network attacks, enterprises need highly available firewall clusters. GWLB centralizes traffic management, directing inbound and outbound traffic to the firewall cluster for deep inspection and filtering. GWLB ensures multi-zone availability of the firewall cluster, eliminating single points of failure.

Deploying NAT firewalls with GWLB

A Network Address Translation (NAT) gateway is typically the egress for cloud resources accessing the Internet. GWLB forwards all NAT gateway traffic to a unified security layer, ensuring that all Internet-bound traffic is monitored and filtered by firewalls.

Deploying VPC firewalls with GWLB

When cloud resources across multiple regional VPCs need connectivity, transit routers can direct traffic to GWLB for distribution to backend security appliances. Only filtered traffic is allowed to pass, enhancing network security.

Create GWLB instances

To create GWLB instances, go to the buy page.

Deploy and manage GWLB instances

You can deploy and manage GWLB instances in the following ways:
