Support Gateway Load Balancers, Gateway Load Balancer VPC Endpoint Services, and VPC Endpoint Routes #16129

Closed
bflad opened this issue Nov 10, 2020 · 9 comments · Fixed by #16131
Labels: enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. service/elbv2 Issues and PRs that pertain to the elbv2 service.

@bflad
Contributor

bflad commented Nov 10, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS has introduced Gateway Load Balancers today.

Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.

A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule. The Gateway Load Balancer and its registered virtual appliance instances exchange application traffic using the GENEVE protocol on port 6081.

Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across VPC boundaries. A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC. You deploy the Gateway Load Balancer in the same VPC as the virtual appliances. You register the virtual appliances with a target group for the Gateway Load Balancer.

Affected Resource(s)

  • aws_default_route_table: Add route configuration block vpc_endpoint_id argument
  • aws_lb: Support load_balancer_type argument value of gateway
  • aws_lb_target_group: Support protocol argument value of GENEVE
  • aws_route: Add vpc_endpoint_id argument
  • aws_route_table: Add route configuration block vpc_endpoint_id argument
  • aws_vpc_endpoint: Support vpc_endpoint_type argument value of GatewayLoadBalancer
  • aws_vpc_endpoint_service: Add gateway_load_balancer_arns argument

Example Terraform Configuration

# This configuration is only intended for illustrative purposes of the new functionality.
# For example, this does not separate consumer and appliance VPCs or fully secure/route production traffic.
data "aws_availability_zones" "available" {
  state = "available"
}

data "aws_caller_identity" "current" {}

resource "aws_vpc" "test" {
  cidr_block = "10.10.10.0/25"

  tags = {
    Name = "tf-acc-test-load-balancer"
  }
}

resource "aws_subnet" "test" {
  availability_zone       = data.aws_availability_zones.available.names[0]
  cidr_block              = cidrsubnet(aws_vpc.test.cidr_block, 2, 0)
  vpc_id                  = aws_vpc.test.id

  tags = {
    Name = "tf-acc-test-load-balancer"
  }
}

resource "aws_lb" "test" {
  load_balancer_type = "gateway"
  name               = "gwlb-test"

  subnet_mapping {
    subnet_id = aws_subnet.test.id
  }
}

resource "aws_lb_target_group" "test" {
  name     = "gwlb-test"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.test.id

  health_check {
    port     = 80
    protocol = "HTTP"
  }
}

resource "aws_vpc_endpoint_service" "test" {
  acceptance_required        = false
  allowed_principals         = [data.aws_caller_identity.current.arn]
  gateway_load_balancer_arns = [aws_lb.test.arn]
}

resource "aws_vpc_endpoint" "test" {
  service_name      = aws_vpc_endpoint_service.test.service_name
  subnet_ids        = [aws_subnet.test.id]
  vpc_endpoint_type = aws_vpc_endpoint_service.test.service_type
  vpc_id            = aws_vpc.test.id
}

resource "aws_route_table" "test" {
  vpc_id = aws_vpc.test.id
}

resource "aws_route" "test" {
  route_table_id         = aws_route_table.test.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.test.id
}

References

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. service/elbv2 Issues and PRs that pertain to the elbv2 service. labels Nov 10, 2020
@ghost ghost added the service/sts Issues and PRs that pertain to the sts service. label Nov 10, 2020
@bflad bflad removed the service/sts Issues and PRs that pertain to the sts service. label Nov 10, 2020
@bflad bflad self-assigned this Nov 10, 2020
@bflad bflad added this to the v3.15.0 milestone Nov 10, 2020
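The issue's example notes that it neither separates consumer traffic nor secures the appliance side. The following is an added example (not code from the issue or the provider) that fills both gaps: it assumes the issue's aws_vpc.test, aws_subnet.test, aws_vpc_endpoint.test and data.aws_availability_zones.available by name, and aws_subnet.consumer is an assumption introduced here.

```hcl
# Added example; assumes the resources declared in the issue above, plus an assumed
# consumer subnet. Appliances only accept GENEVE (UDP 6081) and the health check
# (TCP 80), both sourced from the subnet the Gateway Load Balancer is deployed in.
resource "aws_security_group" "appliance" {
  name   = "gwlb-appliance"
  vpc_id = aws_vpc.test.id

  ingress {
    description = "GENEVE-encapsulated traffic from the Gateway Load Balancer"
    from_port   = 6081
    to_port     = 6081
    protocol    = "udp"
    cidr_blocks = [aws_subnet.test.cidr_block]
  }

  ingress {
    description = "Target group health check"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_subnet.test.cidr_block]
  }

  # Inspected packets go back to the load balancer over GENEVE; nothing else leaves.
  egress {
    from_port   = 6081
    to_port     = 6081
    protocol    = "udp"
    cidr_blocks = [aws_subnet.test.cidr_block]
  }
}

# Consumer subnet (assumed) whose default route points at the GWLB endpoint, using the
# vpc_endpoint_id route argument this issue adds, so traffic is inspected before it exits.
resource "aws_subnet" "consumer" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = cidrsubnet(aws_vpc.test.cidr_block, 2, 1)
  vpc_id            = aws_vpc.test.id
}

resource "aws_route_table" "consumer" {
  vpc_id = aws_vpc.test.id

  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.test.id
  }
}

resource "aws_route_table_association" "consumer" {
  subnet_id      = aws_subnet.consumer.id
  route_table_id = aws_route_table.consumer.id
}
```

The appliance instances registered with aws_lb_target_group.test would attach aws_security_group.appliance; the GWLB's own subnet still needs its own route out of the VPC.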
@nckbnv
Contributor

nckbnv commented Nov 11, 2020

Hey @bflad, do you plan to add support for enabling appliance mode in the Transit Gateway attachment as well?
Appliance VPC is one of the use cases for GWLB when you want to use it combined with a TGW.

@bflad
Contributor Author

bflad commented Nov 11, 2020

Initial support for Gateway Load Balancer functionality has been merged and will release with version 3.15.0 of the Terraform AWS Provider, later this week.

@nckbnv I would suggest creating a separate feature request. 👍

@ghost

ghost commented Nov 12, 2020

This has been released in version 3.15.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@mabdelghany

This needs to be reopened again. You will need to modify the code for the aws_lb_listener as well. Currently, the GWLB listener does not accept the port or protocol parameters and Terraform marks them as required. Adding them will not allow the creation of the listener, and removing them causes Terraform to throw an error.

@bflad
Contributor Author

bflad commented Nov 17, 2020

@mabdelghany thank you for the heads up. Please create a new issue and we will triage as soon as possible.

@mabdelghany

@bflad I just found another bug in the resource aws_lb. It doesn't matter what value you enter for enable_cross_zone_load_balancing, it is always set to false. From the AWS documentation (https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html), cross-zone load balancing can be enabled for both network and gateway load balancers.

This is my code:

resource "aws_lb" "gwlb" {
  name                             = "${var.prefix}-firewall-gateway-lb"
  load_balancer_type               = "gateway"
  subnets                          = var.subnet_ids
  enable_cross_zone_load_balancing = true
  tags = merge(
    var.default_tags,
    map(
      "Name", "${var.prefix}-firewall-gateway-lb"
    )
  )
}

and every time I try to plan, I get this:

resource "aws_lb" "gwlb" {
        arn                              = "arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:loadbalancer/gwy/xxxxxxxxxxxx-firewall-gateway-lb/xxxxxxxxxxxx"
        arn_suffix                       = "gwy/xxxxxxxxxxxx-firewall-gateway-lb/xxxxxxxxxxxx"
        drop_invalid_header_fields       = false
      ~ enable_cross_zone_load_balancing = false -> true
        enable_deletion_protection       = false
        enable_http2                     = true
        id                               = "arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:loadbalancer/gwy/xxxxxxxxxxxx-firewall-gateway-lb/xxxxxxxxxxxx"
        idle_timeout                     = 60
        internal                         = false
        load_balancer_type               = "gateway"
        name                             = "xxxxxxxxxxxx-firewall-gateway-lb"
        security_groups                  = []
        subnets                          = [
            "subnet-xxxxxxxxxxxx",
            "subnet-xxxxxxxxxxxx",
        ]
        tags                             = {
            "CreatedBy"   = "xxxxxxxxxxxx"
            "Environment" = "ProdNet"
            "Name"        = "xxxxxxxxxxxx-firewall-gateway-lb"
        }
        vpc_id                           = "vpc-xxxxxxxxxxxx"

        access_logs {
            enabled = false
        }

        subnet_mapping {
            subnet_id = "subnet-xxxxxxxxxxxx"
        }
        subnet_mapping {
            subnet_id = "subnet-xxxxxxxxxxxx"
        }
    }

Now, per your suggestion, I opened another issue (#16228 (comment)) for the listeners issue mentioned above. Should I update that issue or open up a brand new issue altogether?

@bflad
Contributor Author

bflad commented Nov 19, 2020

Should I update that issue or open up a brand new issue altogether?

It is a separate problem and will require a different fix, so please create a new issue. Thanks. I can likely have that fix submitted later today.

@mabdelghany

Done (#16311)

@ghost

ghost commented Dec 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 12, 2020