

# Gateway Load Balancers


Use a Gateway Load Balancer to deploy and manage a fleet of virtual appliances that support the GENEVE protocol.

A Gateway Load Balancer operates at the third layer of the Open Systems Interconnection (OSI) model. It listens for all IP packets across all ports and forwards traffic to the target group that's specified in the listener rule, using the GENEVE protocol on port 6081.

You can add or remove targets from your load balancer as your needs change, without disrupting the overall flow of requests. Elastic Load Balancing scales your load balancer as traffic to your application changes over time. Elastic Load Balancing can scale to the vast majority of workloads automatically.

**Topics**
+ [Load balancer state](#load-balancer-state)
+ [IP address type](#ip-address-type)
+ [Availability Zones](#availability-zones)
+ [Idle timeout](#idle-timeout)
+ [Load balancer attributes](#load-balancer-attributes)
+ [Network ACLs](#load-balancer-network-acl)
+ [Asymmetric flows](#asymmetric-flows)
+ [Network maximum transmission unit (MTU)](#mtu)
+ [Create a load balancer](create-load-balancer.md)
+ [Update the IP address type](load-balancer-ip-address-type.md)
+ [Edit load balancer attributes](edit-load-balancer-attributes.md)
+ [Tag a load balancer](tag-load-balancer.md)
+ [Delete a load balancer](delete-load-balancer.md)
+ [LCU reservations](capacity-unit-reservation.md)

## Load balancer state


A Gateway Load Balancer can be in one of the following states:

`provisioning`  
The Gateway Load Balancer is being set up.

`active`  
The Gateway Load Balancer is fully set up and ready to route traffic.

`failed`  
The Gateway Load Balancer could not be set up.

## IP address type


You can set the types of IP addresses that the application servers can use to access your Gateway Load Balancers.

Gateway Load Balancers support the following IP address types:

**`ipv4`**  
Only IPv4 is supported.

**`dualstack`**  
Both IPv4 and IPv6 are supported.  

**Considerations**
+ The virtual private cloud (VPC) and subnets that you specify for the load balancer must have associated IPv6 CIDR blocks.
+ The route tables for the subnets in the service consumer VPC must route IPv6 traffic, and the network ACLs for these subnets must allow IPv6 traffic.
+ A Gateway Load Balancer encapsulates both IPv4 and IPv6 client traffic with an IPv4 GENEVE header and sends it to the appliance. The appliance encapsulates both IPv4 and IPv6 client traffic with an IPv4 GENEVE header and sends it back to the Gateway Load Balancer.

For more information about IP address types, see [Update the IP address types for your Gateway Load Balancer](load-balancer-ip-address-type.md).

## Availability Zones


When you create a Gateway Load Balancer, you enable one or more Availability Zones, and specify the subnet that corresponds to each zone. When you enable multiple Availability Zones, it ensures that the load balancer can continue to route traffic even if an Availability Zone becomes unavailable. The subnets that you specify must each have at least 8 available IP addresses. Subnets cannot be removed after the load balancer is created. To remove a subnet, you must create a new load balancer.

## Idle timeout


For each TCP request made through a Gateway Load Balancer, the state of that connection is tracked. If no data is sent through the connection by either the client or target for longer than the idle timeout, the connection is closed. After the idle timeout period elapses, the load balancer considers the next TCP SYN as a new flow and routes it to a new target. However, data packets sent after the idle timeout period elapses are dropped.

The default idle timeout value for TCP flows is 350 seconds, but it can be updated to any value between 60 and 6000 seconds. Clients or targets can use TCP keepalive packets to reset the idle timeout.

**Stickiness limitation**  
The idle timeout of your Gateway Load Balancer can only be updated when using 5-tuple stickiness. When using 3-tuple or 2-tuple stickiness, the default idle timeout value is used. For more information, see [Flow stickiness](edit-target-group-attributes.md#flow-stickiness).

While UDP is connectionless, the load balancer maintains UDP flow state based on the source and destination IP addresses and ports. This ensures that packets that belong to the same flow are consistently sent to the same target. After the idle timeout period elapses, the load balancer considers the incoming UDP packet as a new flow and routes it to a new target. Elastic Load Balancing sets the idle timeout value for UDP flows to 120 seconds. This cannot be changed.

EC2 instances must respond to a new request within 30 seconds in order to establish a return path.

For more information, see [Update idle timeout](update-idle-timeout.md).
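The following is an added example, not code from this guide or from AWS, that models the flow-state behaviour described above: a flow is keyed by its 5-tuple, stays pinned to one appliance while it is active, TCP data arriving after the idle timeout is dropped while a fresh SYN starts a new flow, and a UDP packet arriving after the fixed 120-second timeout is simply treated as a new flow. The `FlowTable` class, the round-robin target choice and the packet sequence in `demo()` are all constructed for illustration; the real target selection is not described on this page.

```python
from dataclasses import dataclass, field

# Idle timeouts stated on the page: TCP defaults to 350 s (adjustable between
# 60 and 6000 s with 5-tuple stickiness); UDP is fixed at 120 s.
TCP_IDLE_TIMEOUT_S = 350
UDP_IDLE_TIMEOUT_S = 120


@dataclass
class FlowEntry:
    target: str
    last_seen: float  # seconds, from any monotonic clock


@dataclass
class FlowTable:
    """Hypothetical model of the per-flow state a Gateway Load Balancer keeps.

    Flows are keyed by the 5-tuple (protocol, src IP, src port, dst IP, dst port).
    """
    targets: list
    tcp_idle_timeout_s: int = TCP_IDLE_TIMEOUT_S
    flows: dict = field(default_factory=dict)
    next_target: int = 0

    def _pick_target(self) -> str:
        # Round-robin stand-in for the real target selection (assumption).
        target = self.targets[self.next_target % len(self.targets)]
        self.next_target += 1
        return target

    def handle(self, now, proto, src, sport, dst, dport, syn=False):
        """Return the appliance chosen for this packet, or None if it is dropped."""
        key = (proto, src, sport, dst, dport)
        timeout = self.tcp_idle_timeout_s if proto == "tcp" else UDP_IDLE_TIMEOUT_S
        entry = self.flows.get(key)
        if entry is not None and now - entry.last_seen <= timeout:
            # Live flow: stays pinned to the same appliance.
            entry.last_seen = now
            return entry.target
        # No live state: never seen, or the idle timeout has elapsed.
        if proto == "tcp" and not syn:
            # TCP data after the idle timeout is dropped; only a SYN starts a new flow.
            self.flows.pop(key, None)
            return None
        target = self._pick_target()
        self.flows[key] = FlowEntry(target, now)
        return target


def demo():
    """Walk through the idle-timeout behaviour with constructed packets."""
    table = FlowTable(targets=["appliance-a", "appliance-b"])
    tcp = ("tcp", "10.0.1.5", 40000, "203.0.113.9", 443)  # constructed 5-tuple
    udp = ("udp", "10.0.1.5", 53000, "203.0.113.9", 53)   # constructed 5-tuple
    return {
        "tcp_syn": table.handle(0, *tcp, syn=True),
        "tcp_data_in_time": table.handle(100, *tcp),       # 100 s idle: same appliance
        "tcp_data_after_idle": table.handle(451, *tcp),    # 351 s idle: dropped
        "tcp_new_syn": table.handle(452, *tcp, syn=True),  # new flow, may move appliance
        "udp_first": table.handle(0, *udp),
        "udp_after_idle": table.handle(121, *udp),         # 121 s > 120 s: new flow
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:22s} -> {target}")
```

The dropped `tcp_data_after_idle` packet is the case to watch for in practice: a long-lived connection that sends nothing for longer than the idle timeout is silently broken, which is why the page recommends TCP keepalives from the client or the target.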

## Load balancer attributes


The following are the load balancer attributes for Gateway Load Balancers:

`deletion_protection.enabled`  
Indicates whether deletion protection is enabled. The default is `false`.

`load_balancing.cross_zone.enabled`  
Indicates whether cross-zone load balancing is enabled. The default is `false`.

For more information, see [Edit load balancer attributes](edit-load-balancer-attributes.md).

## Network ACLs


If the application servers and the Gateway Load Balancer endpoint are in the same subnet, the NACL rules are evaluated for traffic from the application servers to the Gateway Load Balancer endpoint.

## Asymmetric flows


Gateway Load Balancers support asymmetric flows when the load balancer processes the initial flow packet and the response flow packet is not routed through the load balancer. Asymmetric routing is not recommended, because it can result in reduced network performance. Gateway Load Balancers do not support asymmetric flows when the load balancer does not process the initial flow packet but the response flow packet is routed through the load balancer.

## Network maximum transmission unit (MTU)


The maximum transmission unit (MTU) is the size of the largest data packet that can be transmitted through the network. The Gateway Load Balancer interface MTU supports packets up to 8,500 bytes. Packets larger than 8,500 bytes that arrive at the Gateway Load Balancer interface are dropped.

A Gateway Load Balancer encapsulates IP traffic with a GENEVE header and forwards it to the appliance. The GENEVE encapsulation process adds 68 bytes to the original packet. Therefore, to support packets up to 8,500 bytes, ensure that the MTU setting of your appliance supports packets of at least 8,568 bytes.

Gateway Load Balancers do not support IP fragmentation. Additionally, Gateway Load Balancers do not generate ICMP message "Destination Unreachable: fragmentation needed and DF set". Due to this, Path MTU Discovery (PMTUD) is not supported.
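The following is an added example, not code from this guide or from AWS, that applies the two size limits above: the 8,500-byte ceiling at the load balancer interface and the 68 bytes of GENEVE overhead that the appliance must absorb. It also classifies a set of constructed packet sizes against a given appliance MTU. The function names and the `too_big_for_appliance` label are this example's own; the page does not describe what an appliance does with an encapsulated packet larger than its MTU, so that outcome is only flagged, not modelled.

```python
GLB_MAX_PACKET_BYTES = 8500   # largest packet the Gateway Load Balancer interface accepts
GENEVE_OVERHEAD_BYTES = 68    # added by the GENEVE encapsulation toward the appliance


def required_appliance_mtu(max_packet=GLB_MAX_PACKET_BYTES):
    """Smallest appliance MTU that carries every packet the load balancer can forward."""
    return max_packet + GENEVE_OVERHEAD_BYTES


def max_inner_packet(appliance_mtu):
    """Largest client packet that fits both the load balancer limit and the appliance MTU."""
    return min(GLB_MAX_PACKET_BYTES, appliance_mtu - GENEVE_OVERHEAD_BYTES)


def classify_packets(sizes, appliance_mtu):
    """Label each (constructed) packet size.

    Because the load balancer neither fragments nor sends an ICMP
    'fragmentation needed' message, anything other than 'forwarded' is a
    silent loss from the sender's point of view: PMTUD cannot recover it.
    """
    verdicts = {}
    for size in sizes:
        if size > GLB_MAX_PACKET_BYTES:
            verdicts[size] = "dropped_at_glb"
        elif size + GENEVE_OVERHEAD_BYTES > appliance_mtu:
            # Encapsulated packet exceeds the appliance MTU; behaviour beyond
            # this point is not described on the page (assumption: treat as a problem).
            verdicts[size] = "too_big_for_appliance"
        else:
            verdicts[size] = "forwarded"
    return verdicts


if __name__ == "__main__":
    print("appliance MTU needed:", required_appliance_mtu())
    sample_sizes = [1500, 8500, 8501, 9000]  # constructed
    for mtu in (8568, 9001, 1500):
        print(mtu, max_inner_packet(mtu), classify_packets(sample_sizes, mtu))
```

Running it with an appliance MTU of 1500 shows the practical caveat: clients can only get 1,432-byte packets through, and any larger packet disappears without the ICMP feedback that would normally let the sender adjust.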

# Create a Gateway Load Balancer

A Gateway Load Balancer takes requests from clients and distributes them across targets in a target group, such as EC2 instances.

To create a Gateway Load Balancer using the AWS Management Console, complete the following tasks. Alternatively, to create a Gateway Load Balancer using the AWS CLI, see [Getting started using the CLI](getting-started-cli.md).

**Topics**
+ [Prerequisites](#create-load-balancer-prerequisites)
+ [Create the load balancer](#create-load-balancer-steps)
+ [Important next steps](#important-next-steps)

## Prerequisites


Before you begin, ensure that the virtual private cloud (VPC) for your Gateway Load Balancer has at least one subnet in each Availability Zone where you have targets.

## Create the load balancer


Use the following procedure to create your Gateway Load Balancer. Provide basic configuration information for your load balancer, such as a name and IP address type. Then provide information about your network, and the listener that routes traffic to your target groups. Gateway Load Balancers require target groups that use the GENEVE protocol.

**To create the load balancer and listener using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Choose **Create load balancer**.

1. Under **Gateway Load Balancer**, choose **Create**.

1. **Basic configuration**

   1. For **Load balancer name**, enter a name for your load balancer. For example, **my-glb**. The name of your Gateway Load Balancer must be unique within your set of load balancers for the Region. It can have a maximum of 32 characters, can contain only alphanumeric characters and hyphens, and must not begin or end with a hyphen.

   1. For **IP address type**, choose **IPv4** to support IPv4 addresses only or **Dualstack** to support both IPv4 and IPv6 addresses.

1. **Network mapping**

   1. For **VPC**, select the service provider VPC.

   1. For **Mappings**, select all of the Availability Zones in which you launched security appliance instances, and the corresponding public subnets.

1. **IP listener routing**

   1. For **Default action**, select the target group to receive traffic. If you don't have a target group, choose **Create target group**. For more information, see [Create a target group](create-target-group.md).

   1. (Optional) Expand **Listener tags** and add the tags that you need.

1. (Optional) Expand **Load balancer tags** and add the tags that you need.

1. Review your configuration, and then choose **Create load balancer**.

## Important next steps


After creating your load balancer, verify that your EC2 instances have passed the initial health check. To test your load balancer, you must create a Gateway Load Balancer endpoint and update your route table to make the Gateway Load Balancer endpoint the next hop. These configurations are set within the Amazon VPC console. For more information, see the [Getting started](getting-started.md) tutorial.

# Update the IP address types for your Gateway Load Balancer

You can configure your Gateway Load Balancer so that application servers can access your load balancer using IPv4 addresses only, or using both IPv4 and IPv6 addresses (dualstack). The load balancer communicates with targets based on the IP address type of the target group. For more information, see [IP address type](gateway-load-balancers.md#ip-address-type).

**To update the IP address type using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the load balancer.

1. Choose **Actions**, **Edit IP address type**.

1. For **IP address type**, choose **ipv4** to support IPv4 addresses only or **dualstack** to support both IPv4 and IPv6 addresses.

1. Choose **Save**.

**To update the IP address type using the AWS CLI**  
Use the [set-ip-address-type](https://docs.aws.amazon.com/cli/latest/reference/elbv2/set-ip-address-type.html) command.

# Edit attributes for your Gateway Load Balancer

After you create a Gateway Load Balancer, you can edit its load balancer attributes.

**Topics**
+ [Deletion protection](#deletion-protection)
+ [Cross-zone load balancing](#cross-zone-load-balancing)

## Deletion protection


To prevent your Gateway Load Balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled.

If you enable deletion protection for your Gateway Load Balancer, you must disable it before you can delete the Gateway Load Balancer.

**To enable deletion protection using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the Gateway Load Balancer.

1. Choose **Actions**, **Edit attributes**.

1. On the **Edit load balancer attributes** page, select **Enable** for **Delete Protection**, and then choose **Save**.

**To disable deletion protection using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the Gateway Load Balancer.

1. Choose **Actions**, **Edit attributes**.

1. On the **Edit load balancer attributes** page, clear **Enable** for **Delete Protection**, and then choose **Save**.

**To enable or disable deletion protection using the AWS CLI**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `deletion_protection.enabled` attribute.

## Cross-zone load balancing


By default, each load balancer node distributes traffic across the registered targets in its Availability Zone only. If you enable cross-zone load balancing, each Gateway Load Balancer node distributes traffic across the registered targets in all enabled Availability Zones. For more information, see [Cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#cross-zone-load-balancing) in the *Elastic Load Balancing User Guide*.

**To enable cross-zone load balancing using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the Gateway Load Balancer.

1. Choose **Actions**, **Edit attributes**.

1. On the **Edit load balancer attributes** page, select **Enable** for **Cross-Zone Load Balancing**, and then choose **Save**.

**To enable cross-zone load balancing using the AWS CLI**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `load_balancing.cross_zone.enabled` attribute.

# Tag a Gateway Load Balancer

Tags help you to categorize your load balancers in different ways, for example, by purpose, owner, or environment.

You can add multiple tags to each load balancer. Tag keys must be unique for each Gateway Load Balancer. If you add a tag with a key that is already associated with the load balancer, it updates the value of that tag.

When you are finished with a tag, you can remove it from your Gateway Load Balancer.

**Restrictions**
+ Maximum number of tags per resource—50
+ Maximum key length—127 Unicode characters
+ Maximum value length—255 Unicode characters
+ Tag keys and values are case-sensitive. Allowed characters are letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. Do not use leading or trailing spaces.
+ Do not use the `aws:` prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per resource limit. 
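The following is an added example, not code from this guide or from AWS, that checks a proposed tag set against the restrictions listed above before it reaches `add-tags` (useful as a pre-flight check in a deployment pipeline). It treats the allowed character set as Unicode letters and digits (`str.isalnum`), spaces and the listed special characters, and counts only non-`aws:` tags toward the 50-tag limit. Rejecting the `aws:` prefix case-insensitively is this example's conservative choice, not something the page states.

```python
MAX_TAGS_PER_RESOURCE = 50
MAX_KEY_LENGTH = 127
MAX_VALUE_LENGTH = 255
ALLOWED_SPECIALS = set("+-=._:/@")
RESERVED_PREFIX = "aws:"


def _has_allowed_chars(text):
    # Letters and numbers representable in UTF-8 (str.isalnum is Unicode-aware),
    # spaces, and the special characters listed on the page.
    return all(ch.isalnum() or ch == " " or ch in ALLOWED_SPECIALS for ch in text)


def validate_tags(tags):
    """Return a list of problems for a {key: value} tag set; an empty list means it passes."""
    problems = []
    user_tags = 0
    for key, value in tags.items():
        # Assumption: the reserved prefix is rejected regardless of case.
        if key.lower().startswith(RESERVED_PREFIX) or value.lower().startswith(RESERVED_PREFIX):
            problems.append(f"{key!r}: the {RESERVED_PREFIX} prefix is reserved for AWS")
            continue  # reserved tags do not count toward the per-resource limit
        user_tags += 1
        if len(key) > MAX_KEY_LENGTH:
            problems.append(f"{key[:20]!r}...: key longer than {MAX_KEY_LENGTH} characters")
        if len(value) > MAX_VALUE_LENGTH:
            problems.append(f"{key!r}: value longer than {MAX_VALUE_LENGTH} characters")
        for label, text in (("key", key), ("value", value)):
            if text != text.strip(" "):
                problems.append(f"{key!r}: {label} has leading or trailing spaces")
            if not _has_allowed_chars(text):
                problems.append(f"{key!r}: {label} contains characters outside the allowed set")
    if user_tags > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{user_tags} tags exceed the limit of {MAX_TAGS_PER_RESOURCE}")
    return problems


if __name__ == "__main__":
    # Constructed tag sets, one valid and one with several violations.
    print(validate_tags({"Environment": "prod", "owner:team": "sec-eng@example.com"}))
    print(validate_tags({"aws:stack": "x", " env": "prod", "bad!key": "v", "k" * 128: "v"}))
```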

**To update the tags for a Gateway Load Balancer using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the Gateway Load Balancer.

1. Choose **Tags**, **Add/Edit Tags**, and then do one or more of the following:

   1. To update a tag, edit the values of **Key** and **Value**.

   1. To add a new tag, choose **Create Tag**. For **Key** and **Value**, enter values.

   1. To delete a tag, choose the delete icon (X) next to the tag.

1. When you have finished updating tags, choose **Save**.

**To update the tags for a Gateway Load Balancer using the AWS CLI**  
Use the [add-tags](https://docs.aws.amazon.com/cli/latest/reference/elbv2/add-tags.html) and [remove-tags](https://docs.aws.amazon.com/cli/latest/reference/elbv2/remove-tags.html) commands.

# Delete a Gateway Load Balancer

As soon as your Gateway Load Balancer becomes available, you are billed for each hour or partial hour that you keep it running. When you no longer need the Gateway Load Balancer, you can delete it. As soon as the Gateway Load Balancer is deleted, you stop incurring charges for it.

You can't delete a Gateway Load Balancer if it is in use by another service. For example, if the Gateway Load Balancer is associated with a VPC endpoint service, you must delete the endpoint service configuration before you can delete the associated Gateway Load Balancer.

Deleting a Gateway Load Balancer also deletes its listeners. Deleting a Gateway Load Balancer does not affect its registered targets. For example, your EC2 instances continue to run and are still registered to their target groups. To delete your target groups, see [Delete a target group for your Gateway Load Balancer](delete-target-group.md).

**To delete a Gateway Load Balancer using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the Gateway Load Balancer.

1. Choose **Actions**, **Delete**.

1. When prompted for confirmation, choose **Yes, Delete**.

**To delete a Gateway Load Balancer using the AWS CLI**  
Use the [delete-load-balancer](https://docs.aws.amazon.com/cli/latest/reference/elbv2/delete-load-balancer.html) command.

# Capacity reservations for your Gateway Load Balancer

Load balancer Capacity Unit (LCU) reservations allow you to reserve a static minimum capacity for your load balancer. Gateway Load Balancers automatically scale to support detected workloads and meet capacity needs. When minimum capacity is configured, your load balancer continues scaling up or down based on the traffic received, but also prevents the capacity from going lower than the minimum capacity configured.

Consider using an LCU reservation in the following situations:
+ You have an upcoming event that will bring sudden, unusually high traffic, and you want to ensure that your load balancer can support the traffic spike during the event.
+ You have unpredictable, spiky traffic for a short period due to the nature of your workload.
+ You are setting up your load balancer to onboard or migrate your services at a specific start time and need to start with high capacity instead of waiting for auto scaling to take effect.
+ You are migrating workloads between load balancers and want to configure the destination to match the scale of the source.

**Estimate the capacity that you need**  
When determining the amount of capacity you should reserve for your load balancer, we recommend performing load testing or reviewing historical workload data that represents the upcoming traffic you expect. Using the Elastic Load Balancing console, you can estimate how much capacity you need to reserve based on the reviewed traffic.

Alternatively, you can refer to CloudWatch metric **ProcessedBytes** to determine the right level of capacity. Capacity for your load balancer is reserved in LCUs, with each LCU being equal to 2.2Mbps. You can use the **PeakBytesPerSecond** metric to see the maximum per-minute throughput traffic on the load balancer, then convert that throughput to LCUs using a conversion rate of 2.2Mbps equals 1 LCU.

If you don't have historical workload data to reference and cannot perform load testing, you can estimate the capacity you need using the LCU reservation calculator. The LCU reservation calculator uses data based on historical workloads that AWS observes and may not represent your specific workload. For more information, see [Load Balancer Capacity Unit Reservation Calculator](https://exampleloadbalancer.com/ondemand_capacity_reservation_calculator.html).

**Supported Regions**

This feature is available only in the following Regions:
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (Oregon)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (Stockholm)

**Minimum and maximum values for an LCU reservation**  
The total reservation request must be at least 2,750 LCU per Availability Zone. The maximum value is determined by the quotas for your account. For more information, see [Load Balancer Capacity Units](quotas-limits.md#lcu-quotas).

# Request Load balancer Capacity Unit reservation for your Gateway Load Balancer

Before you use LCU reservation, review the following:
+ LCU reservation only supports reserving throughput capacity for Gateway Load Balancers. When requesting an LCU reservation, convert your capacity needs from Mbps to LCUs using the conversion rate of 1 LCU to 2.2 Mbps.
+ Capacity is reserved at the Regional level and is evenly distributed across Availability Zones. Confirm that you have enough evenly distributed targets in each Availability Zone before turning on LCU reservation.
+ LCU reservation requests are fulfilled on a first-come, first-served basis and depend on the available capacity in a zone at that time. Most requests are fulfilled within an hour, but fulfillment can take up to a few hours.
+ To update an existing reservation, the previous request must be in the provisioned or failed status. You can increase reserved capacity as many times as you need, but you can only decrease the reserved capacity two times per day.

**Request an LCU reservation**  
The steps in this procedure explain how to request an LCU reservation on your load balancer.

**To request an LCU reservation using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, choose **Load Balancers**.

1. Select the load balancer name.

1. On the **Capacity** tab, choose **Edit LCU Reservation**.

1. Select **Historic reference based estimate**, then select the load balancer from the dropdown list.

1. Select the reference period to view the recommended reserved LCU level.

1. If you do not have historic reference workload, you can choose **Manual estimate** and enter the number of LCUs to be reserved.

1. Choose **Save**.

**To request an LCU reservation using the AWS CLI**  
Use the [modify-capacity-reservation](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-capacity-reservation.html) command.

# Update or terminate Load balancer Capacity Unit reservations for your Gateway Load Balancer

**Update or terminate an LCU reservation**  
The steps in this procedure explain how to update or terminate an LCU reservation on your load balancer.

**To update or terminate an LCU reservation using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, choose **Load Balancers**.

1. Select the load balancer name.

1. On the **Capacity** tab, confirm that the reservation status is **Provisioned**.

   1. To update the LCU reservation, choose **Edit LCU Reservation**.

   1. To terminate the LCU reservation, choose **Cancel Capacity**.

**To update or terminate an LCU reservation using the AWS CLI**  
Use the [modify-capacity-reservation](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-capacity-reservation.html) command.

# Monitor Load balancer Capacity Unit reservation for your Gateway Load Balancer

**Reservation Status**  
An LCU reservation can have one of four statuses:
+ pending ‐ The reservation is in the process of provisioning.
+ provisioned ‐ The reserved capacity is ready and available to use.
+ failed ‐ The request cannot be completed at this time.
+ rebalancing ‐ An Availability Zone has been added and the load balancer is rebalancing capacity.

**Reserved LCU**  
To determine reserved LCU utilization, compare the per-minute **PeakBytesPerSecond** metric with the per-hour Sum(ReservedLCUs). To convert bytes per minute to LCUs per hour, use (bytes per min) \* 8 / 60 / (10^6) / 2.2.
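The following is an added example, not code from this guide or from AWS, that carries the LCU arithmetic through for both the sizing step (the **PeakBytesPerSecond** conversion at 2.2 Mbps per LCU and the 2,750-LCU minimum from the earlier sections) and the utilization check described here. The per-minute samples in `PEAK_BYTES_PER_SECOND` are constructed, not real CloudWatch data; `estimate_reservation` reads the page's per-Availability-Zone minimum as 2,750 LCU multiplied by the number of enabled zones, which is this example's interpretation; and `reserved_lcus` is assumed to be the **Reserved LCU** value shown on the **Capacity** tab.

```python
import math

LCU_MBPS = 2.2          # one LCU equals 2.2 Mbps of throughput (from the page)
MIN_LCU_PER_AZ = 2750   # minimum reservation request per Availability Zone (from the page)

# Constructed per-minute PeakBytesPerSecond samples for a busy hour; not real data.
PEAK_BYTES_PER_SECOND = [1.1e8, 2.2e8, 3.3e8, 5.5e8, 4.4e8]


def bytes_per_second_to_lcu(bytes_per_second):
    """Convert a bytes/s sample to LCUs: bytes -> bits -> Mbps -> LCUs."""
    return bytes_per_second * 8 / 1e6 / LCU_MBPS


def bytes_per_minute_to_lcu(bytes_per_minute):
    """The page's conversion for per-minute byte counts: (bytes per min)*8/60/(10^6)/2.2."""
    return bytes_per_minute * 8 / 60 / 1e6 / LCU_MBPS


def estimate_reservation(peak_samples, az_count):
    """LCUs to request: the busiest sample converted to LCUs and rounded up, but never
    below the per-zone minimum times the number of enabled zones (example's reading)."""
    needed = math.ceil(bytes_per_second_to_lcu(max(peak_samples)))
    return max(needed, MIN_LCU_PER_AZ * az_count)


def reserved_lcu_utilization(peak_samples, reserved_lcus):
    """Fraction of the reserved LCUs consumed at the busiest minute.
    A value above 1.0 means the reservation is smaller than the observed peak."""
    return bytes_per_second_to_lcu(max(peak_samples)) / reserved_lcus


if __name__ == "__main__":
    print("peak LCU need:", round(bytes_per_second_to_lcu(max(PEAK_BYTES_PER_SECOND)), 1))
    for zones in (1, 2, 3):
        print(f"{zones} AZ(s): request {estimate_reservation(PEAK_BYTES_PER_SECOND, zones)} LCU")
    print("utilization of a 5500 LCU reservation:",
          round(reserved_lcu_utilization(PEAK_BYTES_PER_SECOND, 5500), 3))
```

With the constructed samples the observed peak works out to roughly 2,000 LCU, so the per-zone minimum, not the traffic, decides the request size; the utilization figure makes that visible and is the number to revisit before deciding whether a reservation is worth keeping.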

**Monitor reserved capacity**  
The steps in this process explain how to check the status of an LCU reservation on your load balancer.

**To view the status of an LCU reservation using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. On the navigation pane, choose **Load Balancers**.

1. Select the load balancer name.

1. On the **Capacity** tab, you can view the **Reservation Status** and **Reserved LCU** value.

**To monitor the status of the LCU reservation using the AWS CLI**  
Use the [describe-capacity-reservation](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-capacity-reservation.html) command.