The Blog

What I Don’t Get about the AWS Gateway Load Balancer

Calendar Icon 11.18.2020
aws-section-divider aws-section-divider

AWS recently launched the AWS Gateway Load Balancer.

Technically, it’s a way of preserving original network traffic/ensuring flow symmetry—or, in other words, “dropping a bunch of instances in-line without having to teach them all about AWS networking.”

This is a great feature!

What’s not so great is that the launch article highlights how good this is for embedding partner appliances into your VPCs.

The examples in the blog post talk about firewalls, intrusion detection systems, SSL intercept devices, deep packet inspection systems, and more. Even the console launch page for these things talks explicitly about “third-party appliances.”

What’s wrong with that?

The trouble I have with that framing is that an entire outmoded series of vendors suddenly have new life breathed into them.

If we were still doing in-person conferences, the RSA expo hall would be full of dancing vendors in the aisles. You’d think some of these folks were getting acquired based on the level of rejoicing amongst their sales teams.

Shoving a bunch of third-party appliances into your VPC configuration is generally a bad idea.

In fact, I’ll take it a step further and state as a strawman argument that “cloud-native” means that you don’t use third-party appliances in your cloud architectures—an assertion that nobody will have any problems with whatsoever.

There’s history here

For the longest time, it was hard to intelligently get an in-line appliance working in a modern AWS environment.

Vendors complained. But the reasoning behind it was simple: The networking architectures of cloud environments and data center environments weren’t 100% congruent. Every attempt to remedy this had the unfortunate side effect of making your cloud environment look an awful lot like your crappy data center environment while introducing a host of problems.

For instance, if you have a proxy server that all of your instances talk to in order to speak to the outside world, and that proxy server goes down (I know—cloud instances can go away! Commence pearl clutching!), suddenly those instances aren’t going to be able to communicate until the proxy server comes back up. Appliance vendors were then basically forced into using auto scaling groups, misusing load balancers, and tempting fate with other suboptimal mitigations.

That was crappy for everyone—and it created a useful amount of friction that indicated that you were doing something that probably wasn’t a best practice.

A breath of fresh air

There’s a silver lining here that makes this service freaking awesome. But to see it, you have to cut through the marketing with a knife.

View everything AWS says publicly about the Gateway Load Balancer as a sponsored ad by all of their legacy networking partners and disregard it. A (very!) careful reading of the documentation indicates that you aren’t required to go cross-account with these devices, and that there’s no requirement that the appliances actually be third party.

And that opens up the world.

Now you can write a bunch of internal tools that don’t require selling your soul to giant networking vendors. You can leverage an open source project or two and see what percentage of your traffic is encrypted or—based upon SNI headers—what hosts are most popular.

By not having to spend incredible amounts of effort to set up the routing and failover bits yourself, AWS has done a tremendous amount of heavy lifting for you.

What distinction am I drawing?

I want to be very clear that I have a visceral negative reaction to third-party networking vendors. Historically, they viewed the cloud as an enemy, were very slow to embrace it, and every solution they offered in the space was oriented much more around preserving legacy lines of business than expanding new capabilities.

That said, there are legitimate use cases for these technologies—particularly in regulated environments.

In any case, this is a net win across the board for everyone.

I just want to make it very, very clear that you don’t need to start paying third-party vendors to do AWS networking properly—and I really wish the Gateway Load Balancer documentation and examples reflected that more effectively.

aws-section-divider