Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Positioning Zscaler Workload Communications for a Growing Business with AWS Gateway Load Balancer

March 20, 2023 - 4 min read

Zscaler Workload Communications helps businesses secure the connectivity of their cloud workloads. Whether connecting workloads to the internet, or to other cloud workloads, you can use Workload Communications to apply the appropriate ZIA and ZPA policies to defend against cyberthreats, eliminating lateral threat movement and data exfiltration.

Coupled with AWS Gateway Load Balancer (GWLB), businesses can now also gain additional scalability and availability, ensuring they are positioned to support their expanding cloud footprint.

What is AWS Gateway Load Balancer?

AWS Gateway Load Balancer (GWLB) combines both gateway and load balancing capabilities. As a gateway, GWLB provides connectivity and helps steer traffic between a source and a destination. As a load balancer, it helps distribute network tasks across a set of resources.

Generally, GWLB is used within AWS environments to distribute inbound or outbound traffic evenly across a fleet of virtual appliances. These appliances are then used to apply services against that traffic - such as Firewall or IDS/IPS inspection.

The advantage of GWLB is that it is an AWS native service – it is highly available, highly scalable, and can be inserted nearly anywhere within the environment. This means that businesses can worry less about building these aspects into their own infrastructure and focus on more business-critical decisions such as security policy.


How do Workload Communications and AWS Gateway Load Balancer work together?

About Workload Communications

As stated earlier, Zscaler Workload Communications enables businesses to secure the connectivity of their cloud workloads, whether to the internet or to other applications, wherever they reside. 

Under the hood, Workload Communications leverages lightweight virtual machines called Cloud Connectors to steer egress traffic from cloud workloads to Zscaler’s cloud platform, the Zero Trust Exchange. As traffic passes through the Zero Trust Exchange, all applicable business policies, such as those applying SSL inspection or Data Loss Prevention, are applied to help secure the business.

Where does Gateway Load Balancer Fit in?

A common architectural deployment model for Workload Communications is hub-and-spoke. In this model, traffic from VPCs housing workloads (spokes) is routed to a transit/egress/security VPC (hub) containing Cloud Connectors. 

With this model in mind, businesses must determine the best method to:

  • Get workload traffic from spoke VPCs to the hub VPC containing the Cloud Connectors
  • Distribute workload traffic across a fleet of Cloud Connector appliances

This is where Gateway Load Balancer comes in. 

To use Gateway Load Balancer in combination with Workload Communications, businesses will generally need to:

  • Place Gateway Load Balancer endpoints (GLWBe) around the cloud environment to accept traffic from workloads (this can be within workload VPCs, or even inside the transit/egress/security VPC)
  • Deploy a GLWB and register Cloud Connectors as its Target Group
  • Configure route tables for workload traffic to be directed to the GWLB


Figure: Hub-and-spoke with AWS Transit Gateway and GWLB



Figure: Hub-and-spoke with distributed GWLB

Though hub-and-spoke deployment models are, by far, the most common, keep in mind that Cloud Connectors can also be deployed adjacent to the cloud workloads they process traffic for, alongside GWLB. In fact, inserting appliances into the cloud environment behind GWLB is quite flexible, depending on the needs of the organization.


Figure: Co-located with GWLB

NOTE: Zscaler maintains an extensive library of AWS CloudFormation and Terraform scripts to do all of this for you! So, don’t fret if the above bullets seem a bit foreign or complex. Let our scripts do the work for you so that you can be guaranteed you’re following our best architectural practices.

Once completed, whenever workload traffic egresses, it will be received by the GWLBe and sent to the GWLB before being distributed across the Cloud Connectors and sent to the Zero Trust Exchange.

Why use Gateway Load Balancer with Workload Communications?

Security is critical for cloud workloads. With heightened risks from new and existing threats, businesses need to ensure that their workloads and data are protected. Workload Communications is able to remove these risks and protect businesses by securing the connectivity of their cloud workloads. Just as important is the ability to ensure the scalability and availability of the security protecting those cloud applications. 

This is the value that AWS Gateway Load Balancer provides and what many Zscaler customers are seeing when they combine it with Workload Communications to protect their cloud workloads.

Where can I learn more?

Learn how to deploy Workload Communications on AWS here.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.