To address the management complexity and security risks caused by fragmented public access points and inconsistent security policies in cloud environments, you can build an Internet boundary firewall by integrating Gateway Load Balancer (GWLB) with an IPv4 gateway. This solution uses the IPv4 gateway to centrally control all public traffic entering or leaving the VPC and routes it through GWLB to network virtual appliances for deep inspection and filtering. This enables centralized enforcement of security policies, reduces security risks, and improves network management efficiency.
Overview of the GWLB and IPv4 gateway integration solution
In traditional public service deployments, resources inside a VPC communicate directly with the Internet by binding public IP addresses. This approach introduces several security issues:
-
Wide attack surface: Each bound public IP acts as a direct exposure point to the Internet. As the number of such IPs grows across different resources, the enterprise’s network security perimeter becomes fragmented, making unified traffic monitoring and policy enforcement difficult.
-
Complex policy management: Security policies (such as security groups) must be configured and maintained separately for each resource with a public IP. This increases operational overhead and time costs and raises the risk of misconfigurations that compromise security.
-
Lack of deep inspection: Security groups and network ACLs enforce access control primarily at Layer 4 (based on IP addresses and ports). They cannot perform deep packet inspection (DPI), intrusion prevention, or other Layer 7 security protections.
By deploying the IPv4 gateway together with GWLB, you can build a centralized, transparent, and scalable Internet boundary firewall. The IPv4 gateway centrally manages all inbound and outbound public traffic from the VPC. This traffic is then routed via Gateway Load Balancer endpoints (GWLBe) to backend network virtual appliances (such as firewalls) for deep inspection. After inspection, the traffic is routed back through the corresponding GWLBe and finally forwarded to the application servers.
Key features
-
-
Centralized control of public traffic: By combining the IPv4 gateway with route tables and other components, you can ensure all public traffic passes through the IPv4 gateway. This simplifies unified security policy enforcement and auditing and effectively reduces security risks from decentralized access.
-
-
-
Transparent traffic inspection: GWLB operates as a Layer 3 network gateway. Traffic retains its original source and destination IP addresses during inspection by network virtual appliances, requiring no changes to clients or backend services.
-
Scalable network virtual appliances: You can add or remove network virtual appliances behind GWLB at any time based on changes in service traffic.
-
Cross-zone high availability deployment: GWLB and its backend network virtual appliances can be deployed across multiple zones. If a network virtual appliance or GWLBe fails in one zone, traffic automatically shifts to healthy nodes in other zones, ensuring high availability of security services.
-
Scenarios
-
Centralized security compliance auditing: Provides a unified cluster of security appliances for industries with strict compliance requirements (such as finance and government) to enable consistent auditing, monitoring, and event tracing of public traffic logs and security policies.
-
Deep security protection for public services: Delivers deep content inspection for websites, APIs, or applications exposed to the Internet, effectively defending against web attacks, malicious scans, virus intrusions, and other advanced threats.
-
Secure outbound access for VPC resources: Offers a secure egress channel for VPC resources that actively access the Internet (for tasks like patch updates or external API calls), preventing access to malicious sites and data leakage.
Limits
-
At least one network virtual appliance must run behind GWLB.
-
The access policy (for example, security group rules) for GWLB backend servers must allow UDP traffic on port 6081 (the Geneve protocol port).
-
When creating an endpoint service, you must select a region and zone that support both PrivateLink and GWLB instances. For information about the regions and zones that support PrivateLink and GWLB instances, see Regions and zones that support PrivateLink and Regions and zones that support GWLB.
-
The zones where GWLBe is deployed must be a subset of the zones where the endpoint service resources (GWLB) are deployed to establish a connection.
Scenario example
A company’s core business system runs in a VPC in the China (Ulanqab) region of Alibaba Cloud. To ensure high availability, application server ECS instances are distributed across two zones (Ulanqab Zone B and Ulanqab Zone C) and serve external traffic by directly binding elastic IP addresses (EIPs). As the business scales, this deployment model—due to its fragmented public entry points—makes it hard to enforce unified security policies and auditing, failing to meet the company’s growing need for centralized security control. Additionally, this model lacks deep traffic inspection capabilities, making it ineffective against increasingly sophisticated cyberattacks.
To resolve these issues, the company can deploy GWLB together with an IPv4 gateway to build a highly available Internet boundary firewall. This setup enables centralized traffic inspection and management, significantly reducing security risks and enforcing consistent security protection policies.
Prerequisites
-
You have created a business VPC and a security VPC, configured business subnets and GWLB subnets in Zone B and Zone C of the business VPC, and set up security subnets in Zone B and Zone C of the security VPC. For more information, see Virtual Private Cloud and vSwitch.
-
You have created application server ECS instances in the business VPC and deployed application services on them. If an ECS instance needs public network communication, assign it a public IP address.
-
You have created and activated an IPv4 gateway for the business VPC.
-
You have created the required route tables, including the IPv4 gateway route table, business subnet route tables, and GWLBe subnet route tables.
-
You have created at least two ECS instances in the security VPC to simulate network virtual appliances.
ImportantEnsure the ECS instance types in the security VPC support jumbo frames because Geneve encapsulation adds 68 bytes to the original packet, which may exceed 1500 bytes. For more information, see Network maximum transmission unit and Instance families that support jumbo frames.
-
You have created security groups for all ECS instances in both the business VPC and security VPC. Ensure the security group for ECS instances in the security VPC allows UDP traffic on port 6081 and permits the ports and protocols required for health checks.
Procedure
Step 1: Configure Gateway Load Balancer
Create a GWLB instance
An instance is a load balancing service entity. Create a GWLB instance first.
-
In the top menu bar of the Gateway Load Balancer (GWLB) console, select the region where you want to deploy the GWLB instance.
-
On the Instances page, click Create GWLB.
-
On the Gateway Load Balancer purchase page, configure the GWLB instance settings, then click Buy Now and follow the console prompts to complete instance activation.
In this scenario, set Region and zone to China (Ulanqab), VPC to the security VPC you created, and Zone to Ulanqab Zone B and Ulanqab Zone C. Select the vSwitch IDs of the corresponding security subnets in each zone. Use default values or adjust as needed for other GWLB instance settings not listed here.
-
Return to the Instances page and select the appropriate region to view your new instance.
Create a backend server group
Create a server group and add backend servers to receive client requests forwarded by GWLB.
-
In the navigation pane on the left, choose .
-
On the Server Group page, click Create Server Group.
-
In the Create Server Group dialog box, configure the server group parameters, then click Create.
In this scenario, set Server Group Type to Server and VPC to the security VPC you created (the same VPC as the GWLB instance). Use default values or adjust as needed for other server group settings not listed here.
-
In the The server group is created dialog box, click Add Backend Server.
-
In the Add Backend Server panel, select the ECS_01 and ECS_02 instances you created, then click OK.
Configure listeners
Configure a listener for the instance and associate it with the backend server group to forward traffic on all ports to backend servers using the Geneve protocol.
-
In the navigation pane on the left, choose and click the instance ID.
-
Click the Listener tab, then click Create IP Listener.
-
On the Create IP Listener configuration page, select Server Group Type, choose the server group you created, then click OK.
Use default values or adjust as needed for other IP listener settings not listed here.
Step 2: Configure network virtual appliances
Because GWLB operates in transparent mode at Layer 3 of the OSI model, you must adapt the network virtual appliances deployed behind it to correctly receive, process, and return Geneve-encapsulated traffic.
Alibaba Cloud GWLB supports integrating third-party network virtual appliances (such as Fortinet and Hillstone) into the backend server group. This topic uses iptables to simulate a backend network virtual appliance. Follow your device vendor’s instructions for actual configurations.
Step 3: Configure PrivateLink
Configure an endpoint service
Expose the GWLB instance as a service resource in an endpoint service for access by the business VPC.
-
On the Endpoint Services page, click Create Endpoint Service.
-
On the Create Endpoint Service page, configure the endpoint service settings, then click OK.
In this scenario, set Region to China (Ulanqab), Service Resource Type to GWLB, Select Service Resource to Ulanqab Zone B and Ulanqab Zone C, choose the GWLB instance you created as the service resource, and set Automatically Accept Endpoint Connections to Yes. Use default values or adjust as needed for other endpoint service settings not listed here.
Configure Gateway Load Balancer endpoints
As a service consumer, create GWLBe instances to connect to the endpoint service.
-
On the Endpoints page, click the GWLB Endpoint tab, then click Create Endpoint.
-
On the Create Endpoint page, configure the GWLBe_01 settings, then click OK.
Configuration for this scenario is as follows. Use default values or adjust as needed for other endpoint settings not listed here.
Parameter
Description
Region
This topic selects China (Ulanqab).
Endpoint Name
Enter a custom name for the endpoint.
Endpoint Type
Select the node type for the endpoint. This topic selects GWLB Endpoint.
Type
This topic selects Select Service and chooses the endpoint service you created.
VPC
Select the VPC for the endpoint. This topic selects the business VPC ID.
Zones and vSwitches
Select the zone corresponding to the endpoint service, then choose a vSwitch in that zone. The system automatically creates an endpoint elastic network interface (ENI) under this vSwitch.
This topic selects Ulanqab Zone B and the vSwitch ID of the GWLBe subnet in Zone B.
-
Repeat the creation steps to create GWLBe_02. Select Ulanqab Zone C and the vSwitch ID of the GWLBe subnet in Zone C.
NoteEnsure the endpoint connection status shows as Connected.
Step 4: Configure routing
Configure routes to direct traffic to GWLBe.
-
In the top menu bar of the Route Table page, select the region of the route table.
In this scenario, select China (Ulanqab).
-
Follow the instructions below to click the ID of each target route table and configure routes on the route table details page.
NoteOn the route table details page, under the tab, you can view system route entries.
The system automatically adds the following system routes to custom route tables: routes with destination CIDR blocks matching the vSwitch CIDR blocks in the VPC, enabling communication between cloud resources within those vSwitches.
-
IPv4 gateway route table: The IPv4 gateway route table must contain entries that route traffic destined for application servers to GWLBe.
On the route table details page, under the tab, find the target system route entries. In the Operations column, click Modify. In the Modify Route Entry dialog box, configure as follows, then click OK.
After configuration, these route entries appear under the Custom Route tab.
Configuration
System route entry with destination CIDR block 192.168.1.0/24
System route entry with destination CIDR block 192.168.2.0/24
Next Hop Type
Select GWLB Endpoint.
GWLB Endpoint
Select the existing GWLBe_01 in zone B.
Select the existing GWLBe_02 in zone C.
-
Business subnet route tables: The business subnet route tables must contain entries that route all traffic from application servers to GWLBe.
On the route table details pages for the business subnets in Ulanqab Zone B and Zone C, go to the tab and click Add Route Entry. In the Add Route Entry dialog box, configure as follows, then click OK.
Setting
Business subnet B route table
Business subnet C route table
Destination CIDR Block
0.0.0.0/0
Next Hop Type
Select GWLB Endpoint.
GWLB Endpoint
Select GWLBe_01 in Zone B.
Select the GWLBe_02 you created in Ulanqab Zone C.
-
GWLBe subnet route tables: The GWLBe subnet route tables must route inspected return traffic to its final destination. For Internet-originated traffic, local routes ensure delivery to application servers. For traffic from application servers, add a route that sends all traffic to the IPv4 gateway.
On the route table details pages for the GWLBe subnets in Ulanqab Zone B and Zone C, go to the tab and click Add Route Entry. In the Add Route Entry dialog box, configure as follows, then click OK.
Setting
GWLBe subnet route table
Destination CIDR Block
0.0.0.0/0
Next Hop Type
Select IPv4 Gateway.
IPv4 Gateway
Select the IPv4 gateway you created.
-
Step 5: Verification tests
Log on to a security appliance server and capture all packets on port 6081 by running the following command:
tcpdump -i any port 6081
The output shows request and response packets from application server ECS instances, confirming that GWLB successfully routes traffic to network virtual appliances for security inspection.
Test inbound traffic connectivity
-
From any client with Internet access, run
curl http://<EIP bound to application server ECS_B_01>andcurl http://<EIP bound to application server ECS_C_01>to verify normal application access.C:\Users\Administrator>curl http://8.xxx.56/ Hello World ! This is ECS_C_01. C:\Users\Administrator>curl http://8.xxx.130/ Hello World ! This is ECS_B_01. -
On any backend ECS instance of GWLB, open a command line window and run
tcpdump -i any port 6081to capture all packets on port 6081.If the output shows
Geneve-encapsulated traffic with inner packets likeIP <client public IP>.xxxxx > <application ECS private IP>.http ..., GWLB is correctly distributing external traffic to security appliances for processing.10:24:36.525075 IP 10.0.1.41.56736 > iZ0jlgs5xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [SEW], seq 2485172945, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 10:24:36.525098 IP iZ0jlgsxxx .56736 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [SEW], seq 2485172945, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 10:24:36.526547 IP 10.0.1.41.56736 > iZ0jlgs5xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153.http > 47.83.xxx.59927: Flags [S,E], seq 3488689686, ack 2485172946, win 59220, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 10:24:36.526549 IP iZ0jlgxxx .56736 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153.http > 47.83.xxx.59927: Flags [S,E], seq 3488689686, ack 2485172946, win 59220, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 10:24:36.572545 IP 10.0.1.41.56736 > iZ0jlgxxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [.], ack 1, win 255, length 0 10:24:36.572551 IP iZ0jlgs4u5xxx .56736 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [.], ack 1, win 255, length 0 10:24:36.572552 IP 10.0.1.41.56736 > iZ0jlgs5xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [P.], seq 1:77, ack 1, win 255, length 76: HTTP: GET / HTTP/1.1 10:24:36.572554 IP iZ0xxx .56736 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [P.], seq 1:77, ack 1, win 255, length 76: HTTP: GET / HTTP/1.1 10:24:36.622282 IP 10.0.1.41.56736 > iZ0jlgsxxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [F.], seq 77, ack 269, win 254, length 0 10:24:36.622288 IP iZ0jlgs4uxxx .56736 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 47.83.xxx.59927 > 192.168.1.153.http: Flags [F.], seq 77, ack 269, win 254, length 0 10:24:36.623401 IP 10.0.1.41.56736 > iZ0jlgs5xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153.http > 47.83.xxx.59927: Flags [F.], seq 269, ack 78, win 463, length 0 10:24:36.623481 IP iZ0jlgs4uxxx .56736 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153.http > 47.83.xxx.59927: Flags [F.], seq 269, ack 78, win 463, length 0
Test outbound traffic connectivity
-
Log on to any application server and run
ping www.aliyun.comto verify normal Internet access.[root@iZ0jl xxx xxx ~]# ping www.aliyun.com PING www.aliyun.com.w.cdngslb.com (124.238.xxx.xxx) 56(84) bytes of data. 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=1 ttl=51 time=17.3 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=2 ttl=51 time=15.1 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=3 ttl=51 time=15.1 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=4 ttl=51 time=14.5 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=5 ttl=51 time=14.4 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=6 ttl=51 time=14.4 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=7 ttl=51 time=14.4 ms 64 bytes from 124.238.xxx.xxx (124.238.xxx.xxx): icmp_seq=8 ttl=51 time=14.4 ms -
On any backend ECS instance of GWLB, open a command line window and run
tcpdump -i any port 6081to capture all packets on port 6081.The output shows request and response packets from application server ECS instances, confirming that outbound traffic from application servers passes through GWLB backend network virtual appliances for inspection and pass-through.
10:15:18.247012 IP 10.0.1.41.32236 > iZ0jlgs xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153 > 124.238.xxx : ICMP echo request, id 9, seq 8, length 64 10:15:18.247028 IP iZ0jlgs xxx > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153 > 124.238.xxx : ICMP echo request, id 9, seq 8, length 64 10:15:18.261183 IP 10.0.1.41.32236 > iZ0jlgs xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 124.238.xxx > 192.168.1.153: ICMP echo reply, id 9, seq 8, length 64 10:15:18.261192 IP iZ0jlgs xxx.32236 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 124.238.xxx > 192.168.1.153: ICMP echo reply, id 9, seq 8, length 64 10:15:19.248397 IP 10.0.1.41.32236 > iZ0jlgs xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153 > 124.238.xxx : ICMP echo request, id 9, seq 9, length 64 10:15:19.248419 IP iZ0jlg xxx.32236 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 192.168.1.153 > 124.238.xxx : ICMP echo reply, id 9, seq 9, length 64 10:15:19.262605 IP 10.0.1.41.32236 > iZ0jlg xxx.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 124.238.xxx > 192.168.1.153: ICMP echo request, id 9, seq 9, length 64 10:15:19.262613 IP iZ0jlg xxx.32236 > 10.0.1.41.geneve: Geneve, Flags [none], vni 0x0, options [32 bytes]: IP 124.238.xxx > 192.168.1.153: ICMP echo reply, id 9, seq 9, length 64
References
-
GWLB billing overview: GWLB uses pay-as-you-go pricing. Costs include GWLB instance fees and LCU fees.
-
PrivateLink billing: GWLB requires GWLBe to deliver services. GWLBe is priced and billed independently by the PrivateLink service.
-
When deploying GWLB, enable the following features:
-
GWLB health check: Detects the availability of backend network virtual appliances. If a device fails, new requests are automatically routed to healthy backend devices.
-
Connection draining: Smoothly handles existing connections when removing a backend network virtual appliance.
-
Rebalance existing traffic: When a backend network virtual appliance fails or is removed, GWLB reroutes existing traffic to healthy backend devices to prevent service disruption.
-
-
For more information about PrivateLink and IPv4 gateway: