The problem that Transit Gateway Appliance Mode solves is ensuring that traffic flows to and from Gateway Load Balancer are symmetrical.
If you have two instances (A and B) in different AZs then Transit Gateway may well select a different path for traffic from A to B as compared to B to A. This could mean that traffic from A to B goes to Gateway Load Balancer Endpoint X; but traffic from B to A goes to Gateway Load Balancer Endpoint Y. And in that case they may (quite probably) be sent through different firewalls.
Firewalls are stateful. They really don't like it when traffic from A to B is seen but traffic from B to A is not, and vice versa. You'll have a situation where something stateless like ICMP (and some UDP traffic) works fine, but TCP traffic does not. The first firewall will see the TCP SYN from A to B but not see the SYN-ACK back from B. The second firewall will probably drop the SYN-ACK because it didn't see the SYN first. All sorts of things will go wrong.
Enabling Appliance Mode ensures that traffic flows from A to B and from B to A are routed to a Gateway Load Balancer Endpoint in the same VPC regardless of which Availability Zones instances A and B are in.
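The failure mode described in this answer, as an added simulation that is not code from the original post or from AWS: two AZs, each with its own Gateway Load Balancer endpoint and a stateful firewall behind it, a TCP handshake between instance A (in one AZ) and instance B (in the other), and two routing policies. `route_by_source_az` stands in for the non-Appliance-Mode behaviour (traffic enters the appliance VPC in the sender's AZ); `route_by_flow_hash` stands in for Appliance Mode (a direction-independent flow hash picks one AZ for the life of the flow). The AZ names, addresses, hash rule and the firewall's state machine are all constructed assumptions for illustration.

```python
"""Toy model of asymmetric routing through stateful firewalls behind GWLB.

Added example, not AWS code. Addresses, AZ names and the flow-hash rule
are assumptions chosen to mirror the behaviour the answer describes.
"""
import hashlib
from dataclasses import dataclass

AZS = ("az-a", "az-b")  # assumption: one GWLB endpoint + firewall per AZ


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # tcp: "SYN", "SYN-ACK", "ACK"; icmp: "echo", "reply"


class StatefulFirewall:
    """Minimal stateful firewall: TCP must complete a handshake that this
    firewall has seen; ICMP is treated as stateless and always passed."""

    def __init__(self, name):
        self.name = name
        self.flows = {}  # flow key -> "syn_sent" | "established"

    @staticmethod
    def _key(pkt):
        # Direction-independent key so the reply matches the request.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def inspect(self, pkt):
        if pkt.proto == "icmp":
            return True  # stateless: no table lookup needed
        key = self._key(pkt)
        state = self.flows.get(key)
        if pkt.flags == "SYN":
            self.flows[key] = "syn_sent"
            return True
        if pkt.flags == "SYN-ACK" and state == "syn_sent":
            self.flows[key] = "established"
            return True
        return state == "established"  # ACK/data only after a full handshake


def route_by_source_az(pkt, az_of):
    """Without Appliance Mode (assumption): TGW hands the packet to the
    GWLB endpoint in the same AZ as the sending instance."""
    return az_of[pkt.src]


def route_by_flow_hash(pkt, az_of):
    """Appliance Mode (assumption): a symmetric 5-tuple hash picks one AZ,
    so both directions of a flow hit the same endpoint and firewall."""
    ends = sorted([f"{pkt.src}:{pkt.sport}", f"{pkt.dst}:{pkt.dport}"])
    digest = hashlib.sha256("|".join([pkt.proto] + ends).encode()).digest()
    return AZS[int.from_bytes(digest[:4], "big") % len(AZS)]


def run(packets, az_of, choose_az):
    """Push packets through per-AZ firewalls; return (flags, az, allowed)."""
    firewalls = {az: StatefulFirewall(az) for az in AZS}
    results = []
    for pkt in packets:
        az = choose_az(pkt, az_of)
        results.append((pkt.flags, az, firewalls[az].inspect(pkt)))
    return results


# Constructed topology and traffic: A in az-a, B in az-b.
A, B = "10.0.1.10", "10.0.2.20"
AZ_OF = {A: "az-a", B: "az-b"}
TCP_HANDSHAKE = [
    Packet("tcp", A, B, 40000, 443, "SYN"),
    Packet("tcp", B, A, 443, 40000, "SYN-ACK"),
    Packet("tcp", A, B, 40000, 443, "ACK"),
]
PING = [Packet("icmp", A, B, flags="echo"), Packet("icmp", B, A, flags="reply")]

if __name__ == "__main__":
    for name, policy in (("source-AZ", route_by_source_az),
                         ("appliance-mode", route_by_flow_hash)):
        print(name, "tcp:", run(TCP_HANDSHAKE, AZ_OF, policy))
        print(name, "icmp:", run(PING, AZ_OF, policy))
```

With source-AZ routing the SYN lands on the az-a firewall, the SYN-ACK on the az-b firewall (which never saw the SYN and drops it), and the client's ACK is then rejected by az-a because its flow is still only half-open, while ICMP echo/reply sails through both firewalls. With the flow-hash policy every packet of the handshake hits the same AZ and the session completes.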
NLB has a worker node in each AZ. So if you have an NLB with 2 AZs and it is an internet-facing one, when you resolve it you get two IPs. The scenario below: 1) session 1 resolves to IP1 and goes to AZ1; 2) session 2 resolves to IP2 and goes to AZ2. Stickiness is enabled and cross-zone load balancing too.
Does this mean both sessions will be sent to the same backend?
Not necessarily. NLB uses a hash algorithm based on the protocol, source and destination IP, source and destination port and initial sequence number to determine the appropriate target. The session might get sent to the same target but it might not.
Thanks for the response and I agree with you now that GWLB endpoints will not share session information. Is this also applicable for the Network Load Balancer? ...
I'm not sure I understand the part about "shared session information" and how that is applicable to NLB. NLB is stateful in that it sends all packets in a session (network stream, whatever you want to call it) to the same host. But different sessions (think additional calls to a target group of web servers behind the load balancer) may go to different targets.