Gateway Load Balancer is a fully-managed service enabling enterprises to deploy, scale, and enhance the availability of third-party network virtual appliances (NVAs) in Azure. Microsoft recently announced the general availability of Gateway Load Balancer in all public regions, Azure China cloud regions, and Azure Government cloud regions.
Earlier, the company released the public preview release of Gateway Load Balancer (GWLB), a new Azure Load Balancer SKU targeted for transparent NVA insertion supported by a growing list of NVA providers. According to the company’s blog post by program manager Annie Fang, GWLB offers the following benefits for NVA scenarios: source IP preservation, flow symmetry, lightweight NVA management at scale, and auto-scaling with Azure Virtual Machines Scale Sets (VMSS). Furthermore, she explains in the post:
With GWLB, bump-in-the-wire service chaining becomes easy to add on to new or existing architectures in Azure. This means customers can easily "chain" a new GWLB resource to both Standard Public Load Balancers and individual virtual machines with Standard Public IPs, covering scenarios involving both highly available, zonally resilient deployments and simpler workloads.
Source: https://azure.microsoft.com/en-us/blog/gateway-load-balancer-now-generally-available-in-all-regions/
In an earlier tech community article, Anavi Nahar, senior project manager of Azure Networking at Microsoft, further describes the concept of service chaining:
Once chained to a Standard Public Load Balancer frontend or IP configuration on a virtual machine, no additional configuration is needed to ensure traffic to and from the application endpoint is sent to the Gateway LB. Traffic flows from the consumer virtual network to the provider virtual network and then returns to the consumer virtual network. Gateway Load Balancer exchanges application traffic with the appliance in its backend pool using VXLAN encapsulation.
GWLB uses Virtual Extensible LAN (VXLAN) as an encapsulation protocol, which enables traffic packets to be encapsulated and decapsulated with VXLAN headers as they traverse the appropriate data path, all while retaining their original source IP and flow symmetry and avoiding the need for Source Network Address Translation (SNAT) or other complex configurations such as user-defined routes (UDRs).
The VXLAN tunnel interfaces are configured as part of the GWLB's backend pool, allowing the NVAs to differentiate between "untrusted" and "trusted" traffic. These tunnel interfaces can be either internal or external, and each backend pool can have up to two. Typically, the external interface is used for "untrusted" traffic—traffic that originates on the internet and is directed to the appliance. On the other hand, the internal interface is used for "trusted" traffic—traffic from customers' appliances to their applications.
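As an added illustration of the VXLAN framing described above (example code written for this page, not code from the article, Microsoft or any NVA vendor), the snippet below decapsulates one VXLAN datagram, reads its VNI to tell the two tunnel interfaces apart, and returns the inner IPv4 addresses that GWLB leaves untouched. The VNI-to-interface mapping and the sample packet are constructed for the example; a real backend pool uses whatever identifiers its tunnel interfaces were configured with.

```python
import struct
import ipaddress

# Assumed VNI -> tunnel interface mapping for this example only; the page names
# the interfaces but not their identifiers, so these values are constructed.
TUNNEL_VNI = {800: "internal (trusted)", 801: "external (untrusted)"}

VXLAN_FLAG_VNI_VALID = 0x08  # the "I" bit: VNI field is valid
ETHERTYPE_IPV4 = 0x0800

def parse_vxlan(payload: bytes) -> dict:
    """Decapsulate the UDP payload of one VXLAN datagram.

    Returns the VNI, which tunnel interface it maps to, and the inner IPv4
    source/destination, showing that the original source IP survives intact.
    Malformed or truncated frames are rejected rather than partially parsed.
    """
    if len(payload) < 8 + 14 + 20:  # VXLAN + Ethernet + minimal IPv4 header
        raise ValueError("truncated VXLAN frame")
    flags, vni_raw = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    vni = vni_raw >> 8  # VNI is the upper 24 bits; low byte is reserved
    inner = payload[8:]
    (ethertype,) = struct.unpack("!H", inner[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported inner ethertype 0x{ethertype:04x}")
    ip = inner[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    (total_len,) = struct.unpack("!H", ip[2:4])
    if total_len > len(ip):  # length field claims more bytes than present
        raise ValueError("inner IPv4 total length exceeds frame")
    return {"vni": vni, "interface": TUNNEL_VNI.get(vni, "unknown"),
            "proto": ip[9],
            "src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20]))}

def build_vxlan(vni: int, src: str, dst: str, proto: int = 6, l4: bytes = b"") -> bytes:
    """Constructed helper: wrap a minimal Ethernet+IPv4 packet in a VXLAN header.
    MACs are zeroed and the IPv4 checksum is left at 0; this is sample input only."""
    hdr = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return hdr + eth + ip + l4
```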
Microsoft is not the only public cloud provider offering a gateway load balancer. Its competitor in the public cloud space, AWS, also provides a Gateway Load Balancer, which has been generally available since the end of November 2020.
Lastly, more details are available on the documentation pages, with guidance provided through the quick start tutorials.