AWS Gateway Load Balancer

A GWLB inspection appliance — without the NGFW bill.

Transparent GENEVE inspection behind AWS Gateway Load Balancer: the same L3/L4/L7 control and secure NAT egress, multi-AZ with per-AZ affinity, at a flat per-firewall price and no per-GB data-processing tax. Enforza is one of the few independent NVAs that can serve as a GWLB inspection appliance.

The cost wedge

The GWLB is the same. The appliance behind it is where the bill diverges.

AWS charges for the GWLB and GWLBe the same way whatever you run behind them. The appliance is where the cost diverges: AWS Network Firewall adds per-AZ endpoint-hours and a per-GB tax; the mega-NGFW VMs add per-VM, vCPU-metered licences. Enforza is a flat per-firewall licence at $0/GB.

Behind the GWLB: the metered appliance layer

AWS Network Firewall    Per-AZ endpoint-hours + per-GB tax
  Per hour              $0.395 / endpoint-hr / AZ
  Per GB                $0.065 / GB

Mega-NGFW VM            Palo Alto / Fortinet / Check Point
  Per VM                licence + vCPU-metered
  Features              half used, fully paid

A meter that grows with Availability Zones, gigabytes and vCPUs — on top of AWS's own GWLB and GWLBe charges.

With Enforza

Enforza engine behind GWLB    GENEVE inspection + secure NAT, in one
  Per hour                    $0
  Per GB                      $0 / GB

Flat, per-firewall licence — not vCPU-, instance- or IP-metered. Plus the Linux VM(s) you provision.

Be clear about what this replaces: you still pay AWS's own GWLB and GWLBe hourly and data-processing charges — those apply to any appliance behind a GWLB. The flat Enforza licence replaces the appliance licence and the per-GB inspection tax that a Network Firewall or mega-NGFW layer adds on top. AWS Network Firewall rates verified for us-east-1 on 2026-06-14; they are directional and subject to change. Savings of 60–80% versus the cloud-native firewall plus data-processing charges are typical at modest egress; run your own numbers.

How it works

How Enforza sits behind AWS Gateway Load Balancer

GWLB GENEVE-encapsulates each flow to the engine; the engine decapsulates, applies policy to the inner packet, source-NATs allowed egress, and returns replies through the tunnel — transparently. With cross-zone off, each flow stays in its own Availability Zone.

  1. Route to the GWLB endpoint

     A workload sends internet-bound traffic; its route table points 0.0.0.0/0 at the AZ-local GWLB endpoint (GWLBe). No re-addressing, no proxy — inspection is inserted by a route change.

  2. GENEVE-encapsulated to the engine

     The GWLB GENEVE-encapsulates the flow on UDP/6081 and forwards it to the Enforza engine in the same Availability Zone — cross-zone off keeps each flow in its own AZ.

  3. Decapsulate, inspect, source-NAT

     The engine decapsulates GENEVE, evaluates the inner packet through its L3/L4/L7 policy — egress, ingress and east-west, FQDN/SNI-based L7 without breaking TLS — then source-NATs allowed egress out via the appliance VPC internet gateway.

  4. Return through the tunnel

     Replies arrive at the engine, are un-NAT'd, re-encapsulated into the original GENEVE flow, and returned via the GWLB and GWLBe to the originating workload — transparently, both ends unaware.

Multi-AZ, scale-out, and why few NVAs can do this

GENEVE decap is the hard part

A GWLB appliance must terminate the GENEVE tunnel — decapsulate UDP/6081, preserve the inner packet's true source and destination, keep both directions of every flow pinned, and re-encapsulate replies. Most firewalls expect to be routed through on plain IP, not handed GENEVE-wrapped packets.
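To make the decapsulate, inspect, re-encapsulate loop from the four steps above and the GENEVE requirements just listed concrete, here is an added example (written for this page, not Enforza's datapath or any AWS code). It parses a constructed GENEVE frame per RFC 8926, reads the inner packet's true 5-tuple, applies a constructed L3/L4 egress rule, and re-wraps the reply in the identical header and options so both directions stay pinned to one flow. The spoke CIDR, the policy rule, the experimental-class option TLV and the sample packet are all assumptions constructed here; the source-NAT step is left out.

```python
import ipaddress
import struct
ETHERTYPE_IPV4 = 0x0800                            # GWLB carries the inner IPv4 packet over UDP/6081
SPOKE_CIDR = ipaddress.ip_network("10.0.0.0/16")   # constructed spoke VPC range for the sample policy

def parse_geneve(frame: bytes) -> dict:
    """Split a GENEVE frame (RFC 8926) into fixed header, option TLVs and inner packet."""
    ver_optlen, _flags, proto, vni_rsvd = struct.unpack("!BBHI", frame[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (ver_optlen & 0x3F) * 4              # option length is counted in 4-byte words
    return {"header": frame[:8 + opt_len],         # kept verbatim for re-encapsulation
            "proto": proto, "vni": vni_rsvd >> 8,
            "options": parse_options(frame[8:8 + opt_len]), "inner": frame[8 + opt_len:]}

def parse_options(blob: bytes) -> list:
    """Walk the TLVs: class(2) type(1) rsvd/len(1), then len*4 bytes of data."""
    opts, off = [], 0
    while off < len(blob):
        opt_class, opt_type, rlen = struct.unpack("!HBB", blob[off:off + 4])
        data = blob[off + 4:off + 4 + (rlen & 0x1F) * 4]
        opts.append((opt_class, opt_type & 0x7F, data))
        off += 4 + len(data)
    return opts

def inner_five_tuple(ip: bytes) -> tuple:
    """The workload's true src/dst/ports, which the tunnel leaves untouched."""
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    return str(src), str(dst), proto, sport, dport

def policy_allows(five: tuple) -> bool:
    """Constructed L3/L4 egress rule: spoke hosts may reach TCP/443, nothing else."""
    return ipaddress.ip_address(five[0]) in SPOKE_CIDR and five[2] == 6 and five[4] == 443

def encapsulate_reply(original: dict, reply_ip: bytes) -> bytes:
    """Reply goes back in the *same* header and options, so GWLB pins it to the original flow."""
    return original["header"] + reply_ip

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4+TCP SYN (checksums zeroed), used only as constructed sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp

SAMPLE_OPTION = struct.pack("!HBB", 0xFF00, 0x03, 0x01) + b"\xde\xad\xbe\xef"  # constructed TLV, not GWLB metadata
SAMPLE_FRAME = (struct.pack("!BBHI", len(SAMPLE_OPTION) // 4, 0, ETHERTYPE_IPV4, 42 << 8)
                + SAMPLE_OPTION + build_ipv4_tcp("10.0.1.25", "203.0.113.10", 51234, 443))  # constructed SYN
```

Running `parse_geneve(SAMPLE_FRAME)` then `inner_five_tuple(...)` shows the workload's real addresses survive the tunnel; a reply built with swapped addresses and passed through `encapsulate_reply` carries the original 16-byte GENEVE header unchanged.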

A short list of supported appliances

GWLB inspection targets are a short list — Palo Alto VM-Series, FortiGate-VM, Check Point CloudGuard, AWS Network Firewall. Enforza is one of the few independent NVAs that can serve as a GWLB inspection appliance.

Inspection-grade, without the NGFW bill

You get the inspection capability teams normally reach a mega-NGFW for — at a flat per-firewall licence with no per-GB data-processing tax, not a per-VM vCPU-metered licence.

Scale is horizontal: add engines to the GWLB target group and GWLB load-balances flows across the healthy members, removing any that go unhealthy. With cross-zone off you get AZ affinity — no cross-AZ data-transfer on inspected traffic and an AZ-isolated blast radius.

Deploy

Deploys as Terraform you can apply today

The GWLB scenario ships as ready-to-run Terraform — appliance VPC, GWLB and GENEVE target group, spoke VPC with per-AZ GWLBe endpoints and route steering, and one engine per AZ. CloudFormation is not provided for this scenario yet.

  • Ships as Terraform

    A GWLB scenario builds the appliance VPC and internet gateway, the Gateway Load Balancer and GENEVE target group, the spoke VPC with per-AZ GWLBe endpoints and route steering, and one engine per AZ — both deployment-key and marketplace-AMI flavours.

  • Debian 12 / Ubuntu 22.04+ base

    The GWLB datapath runs on a Debian 12 (bookworm) or Ubuntu 22.04+ base. The engines bootstrap from the install script with a fleet deployment key, then register with the Enforza cloud.

  • Apply, then enable the connector

    Terraform apply, then enable the AWS GWLB connector on each engine in the console — that brings up the GENEVE datapath and the health checks go green. CloudFormation is not provided for this scenario yet.

FAQ

GWLB inspection — common questions

What firewalls work with AWS Gateway Load Balancer?

A relatively short list, because the appliance must terminate the GENEVE tunnel. Palo Alto Networks VM-Series, Fortinet FortiGate-VM, Check Point CloudGuard, AWS Network Firewall, and Enforza all work as GWLB inspection appliances. Enforza is one of the few independent NVAs that can — it runs as a transparent GENEVE inspection appliance behind GWLB.

How do I use a third-party NVA with GWLB?

Run the NVA fleet in a dedicated appliance VPC behind a Gateway Load Balancer and its GENEVE target group, then place a GWLB endpoint (GWLBe) in each spoke VPC and point the workload route (0.0.0.0/0) at the AZ-local GWLBe. That route change inserts inspection transparently. For Enforza this ships as Terraform that builds the whole shape — appliance VPC, GWLB and target group, spoke VPC with per-AZ GWLBe endpoints, and the engines. CloudFormation is not provided for this scenario yet.

Can a third-party firewall run behind AWS GWLB?

Yes — if it can decapsulate GENEVE (UDP/6081), preserve the inner packet, keep both directions of a flow pinned, source-NAT allowed egress, and re-encapsulate replies. Few firewalls do; that GENEVE datapath is what separates a GWLB-capable NVA from one that simply runs in a VPC. Enforza is one that does.

GWLB vs AWS Network Firewall — what's the difference?

They are different layers. GWLB is the transport that steers traffic to and from inspection appliances using GENEVE; AWS Network Firewall is an appliance that can sit behind a GWLB (or be deployed via its own endpoints). You can run GWLB with a third-party NVA such as Enforza instead of Network Firewall — see the AWS Network Firewall alternative page for the cost wedge.

Does Enforza support multi-AZ behind GWLB?

Yes. Enforza runs an engine per Availability Zone behind the GWLB. With cross-zone load balancing off, each AZ's traffic is inspected in-AZ, giving you AZ affinity, no cross-AZ data-transfer on inspected traffic, lower latency, and an AZ-isolated blast radius — losing one engine only affects its own zone.

How much does GWLB inspection cost with Enforza?

Enforza is a flat per-firewall licence with no per-GB data-processing tax — the appliance cost does not grow with traffic, instance size, or the number of protected IPs. Be clear about what that replaces: you still pay AWS's own GWLB and GWLBe hourly and data-processing charges, which apply to any appliance you run behind a GWLB. What the flat licence replaces is the appliance licence and the per-GB inspection tax that an AWS Network Firewall or mega-NGFW layer adds on top — typically 60–80% below the cloud-native firewall plus its data-processing charges at modest egress. Run your own numbers in the savings calculator.

GWLB inspection. Without the per-GB tax.

Inspect behind GWLB — at a flat per-firewall price.

A transparent GENEVE inspection appliance behind AWS Gateway Load Balancer: the same L3/L4/L7 control and secure NAT egress, multi-AZ, at a flat per-firewall price with no per-GB data-processing tax. Start free, no card.