VM-Series Integration with an Alibaba Gateway Load Balancer
Understand traffic distribution in a VM-Series firewall and Alibaba GWLB
environment.
Where Can I Use This?
- Alibaba Cloud International Regions subscription
- Alibaba Cloud Mainland China subscription

What Do I Need?
- VM-Series License (BYOL)
- VM-Series plugin
- Panorama
The Alibaba Gateway Load Balancer (GWLB) operates at Layer 3 (the network layer) of the OSI
model as a transparent load balancer: it listens on all ports of a specified IP address and
forwards the traffic to backend server groups encapsulated in the Geneve protocol (GENEVE,
RFC 8926, carried over UDP port 6081).
Backend servers that support Geneve are grouped logically into server groups. Each server
group contains one or more backend servers that process the requests the GWLB routes to
them. A GWLB Endpoint (GWLBe) is the consumer-side connection inside a Virtual Private
Cloud (VPC); it redirects VPC traffic to the GWLB and from there to appliances such as
firewalls. Because Geneve carries no authentication of its own, the firewalls' data
interfaces should accept UDP 6081 only from the GWLB.
VM-Series integration with Alibaba GWLB supports only the IPv4 protocol version.
The diagram below shows the integration of Alibaba GWLB with VM-Series. A centralized
security VPC is attached to your transit gateway; it contains a GWLB that scales and
load-balances traffic across the stack of VM-Series firewalls.
For outbound traffic, the application server subnet's route table directs traffic to the
GWLB endpoint. The endpoint sends the traffic to the GWLB, which forwards it to the
firewalls. The firewalls inspect the traffic and return it to the GWLB, which routes it
back to the GWLB endpoint over the connection established through the PrivateLink
service. The route table of the GWLB endpoint subnet then forwards the traffic to the NAT
gateway, which performs Source Network Address Translation (SNAT) and routes the traffic
to its destination on the Internet.
For inbound traffic, the NAT gateway (IPv4) first receives the business traffic from the
Internet and performs Destination Network Address Translation (DNAT). Its route table
then sends the traffic to the GWLB endpoint, which forwards it to the GWLB, which in turn
distributes it to the firewalls. The firewalls inspect the traffic and return it to the
GWLB, which forwards it back to the GWLB endpoint over the PrivateLink connection.
Finally, the route table of the GWLB endpoint subnet sends the traffic to the application
server.
Both directions must traverse the GWLB endpoint. If one direction bypasses it (for
example, a route in the NAT gateway subnet that does not point at the endpoint), the
firewalls see only half of each session and stateful inspection fails.
Flow of Traffic
1. Business VPC to GWLBe: Traffic originating in a business VPC and destined for external
   networks or other internal segments that require security inspection is first routed
   to a Gateway Load Balancer Endpoint.
2. GWLBe to GWLB: The GWLBe transparently forwards these packets to the Gateway Load
   Balancer.
3. GWLB encapsulation and distribution: The GWLB encapsulates the traffic in GENEVE,
   adding metadata in the GENEVE header, and distributes it to the available firewalls in
   the security VPC.
4. Security inspection by firewalls: The VM-Series firewalls perform comprehensive
   security inspection, applying the configured policies for threat detection, intrusion
   prevention, URL filtering, and more.
5. Return to GWLB: After inspection, the permitted traffic is sent back to the GWLB.
6. GWLB to GWLBe to business VPC: The GWLB directs the traffic back through the GWLBe to
   the business VPC, preserving the original IP addresses and flow.
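To make the encapsulation in steps 3 to 6 concrete, here is an added example in Python of the firewall side of the exchange. It is not code from this page, from Palo Alto Networks or from Alibaba: it parses the GENEVE header and options that the GWLB puts in front of each packet, refuses anything that is not IPv4 (the only protocol version this integration supports), drops packets carrying a critical option it does not understand as RFC 8926 requires, applies a constructed policy to the inner IPv4 flow, and re-encapsulates permitted packets with the VNI and options unchanged so the GWLB can map them back to the originating endpoint. The option class 0x0108, the VNI, the addresses, the denied ports and the sample packets are all constructed assumptions; the VM-Series data plane does not expose this logic and Alibaba's GENEVE option format is not documented on this page.

```python
import socket
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081            # IANA port for GENEVE (RFC 8926); the GWLB delivers to this port
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_TCP, IPPROTO_UDP = 6, 17
KNOWN_OPTION_CLASSES = {0x0108}   # hypothetical: option class the load balancer is assumed to use
DENIED_TCP_PORTS = {23, 445}      # constructed policy for the example


@dataclass(frozen=True)
class GeneveOption:
    opt_class: int   # 16-bit option class
    opt_type: int    # 8-bit type; high bit set marks the option as critical
    data: bytes      # body, a multiple of 4 bytes, at most 124 bytes


@dataclass(frozen=True)
class GenevePacket:
    vni: int         # 24-bit virtual network identifier
    protocol: int    # EtherType of the encapsulated packet
    options: tuple   # GeneveOption instances in wire order
    payload: bytes   # the encapsulated packet


def build_geneve(pkt):
    """Serialise GENEVE header + options in front of the inner packet (what the GWLB sends)."""
    opts = b""
    for o in pkt.options:
        if len(o.data) % 4 or len(o.data) > 124:
            raise ValueError("option data must be 4-byte aligned and <= 124 bytes")
        opts += struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
    critical = any(o.opt_type & 0x80 for o in pkt.options)
    # byte 0: Ver(2 bits)=0 | Opt Len in 4-byte words; byte 1: O | C | Rsvd; then Protocol Type
    hdr = struct.pack("!BBH", len(opts) // 4, 0x40 if critical else 0, pkt.protocol)
    hdr += struct.pack("!I", pkt.vni << 8)          # VNI (24 bits) + reserved (8 bits)
    return hdr + opts + pkt.payload


def parse_geneve(data):
    """Parse the UDP payload of a GENEVE datagram; ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("GENEVE header truncated")
    b0, _flags, protocol = struct.unpack("!BBH", data[:4])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (b0 & 0x3F) * 4                       # options end where Opt Len says they do
    if len(data) < end:
        raise ValueError("GENEVE options truncated")
    vni = struct.unpack("!I", data[4:8])[0] >> 8
    options, off = [], 8
    while off < end:
        if end - off < 4:
            raise ValueError("option header runs past Opt Len")
        cls, typ, ln = struct.unpack("!HBB", data[off:off + 4])
        ln = (ln & 0x1F) * 4                        # low 5 bits, in 4-byte words, body only
        if off + 4 + ln > end:
            raise ValueError("option body runs past Opt Len")
        options.append(GeneveOption(cls, typ, data[off + 4:off + 4 + ln]))
        off += 4 + ln
    return GenevePacket(vni, protocol, tuple(options), data[end:])


def flow_of(ip):
    """Return (src, dst, proto, dport) for an inner IPv4 packet; dport is 0 for non TCP/UDP."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    dport = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, dport


def inspect(datagram):
    """Firewall-side handling of one datagram from the GWLB: (verdict, datagram to return)."""
    pkt = parse_geneve(datagram)
    if pkt.protocol != ETHERTYPE_IPV4:               # the integration is IPv4-only
        return "drop:non-ipv4", None
    if any(o.opt_type & 0x80 and o.opt_class not in KNOWN_OPTION_CLASSES for o in pkt.options):
        return "drop:unknown-critical-option", None   # RFC 8926: unrecognised critical option
    src, dst, proto, dport = flow_of(pkt.payload)
    if proto == IPPROTO_TCP and dport in DENIED_TCP_PORTS:
        return "deny:%s->%s tcp/%d" % (src, dst, dport), None
    # Allowed: hand it back with VNI and options untouched so the GWLB maps it to the same flow
    return "allow", build_geneve(pkt)


def build_ipv4(src, dst, proto, l4):
    """Constructed sample inner packet: minimal IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:] + l4


def sample_datagram(dport):
    """Constructed outbound TCP SYN 10.0.1.10 -> 203.0.113.5 as the GWLB would deliver it."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)  # TCP csum left 0
    inner = build_ipv4("10.0.1.10", "203.0.113.5", IPPROTO_TCP, tcp)
    opt = GeneveOption(0x0108, 0x01, b"\x00\x00\x00\x2a")   # hypothetical flow-id option
    return build_geneve(GenevePacket(0x000123, ETHERTYPE_IPV4, (opt,), inner))
```

`inspect(sample_datagram(443))` returns `("allow", <the same datagram>)`, while `inspect(sample_datagram(23))` returns a deny verdict and nothing to send back, which is the behaviour step 5 describes: only permitted traffic returns to the GWLB. The parser trusts nothing from the wire; Opt Len, each option length and the inner IP version are bounds-checked before any slice is taken, which is where a naive decapsulator is most often wrong.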