Suricata as IPS in AWS with GWLB


Dear community & suricata-Team,

i’m trying to implement a setup with Suricata (v6.0.1-3 @ debian) in IPS-mode in AWS (instance with a single interface)

I’ve read multiple recommended scenario docs from AWS and as it looks like the “state of the art” how somebody should integrate an IDS-solution into a AWS-environment is by using the "Gateway Loadbalancer (GWLB) & it’s endpoints.

In short: GWLB sits between NAT/INTERNET-GW, encapsulates the traffic using GENEVE and forwards it to Suricata, suricata decapsulates & scans it, and if all ok, “puts the packet pack on to wire”. The packet is then sent back to GWLB which then goes to the internet.

( Documentation i consulted was:

  1. Getting started with Gateway Load Balancers - Elastic Load Balancing
  2. Building an Open Source IDS IPS service for Gateway Load Balancer | Networking & Content Delivery
  3. Introducing AWS Gateway Load Balancer: Supported architecture patterns | Networking & Content Delivery
    … and many more, but these here are the major one)

The setup in it’s very end looks like this here:

My main question at the moment is -
How does the GENEVE decoder / suricata with GENEVE decoder work? Namely - will suricata send the Geneve-re-encapsulated Traffic back to the “originator”(here - the gateway-loadbanancer) or do I have to take care about it?

My expectation was initialy that suricata IS doing that (sending backtraffic to the origination, namely GWLB) on it’s OWN, without any PREROUTING/POSTROUTING iptables rewrites.

But it does not happen, as i’ve looked up from couple of examples i found, it is something about the person setting up has to take care of.

Am i mistaking or is it really the case?

I know, the topic is not trivial and common, but am thankful for any hints.


AWS network firewall has Suricata integrated and supports Suricata rules, is there is a reason why you are not using AWS network firewall and doing you own deployment?

yes, a standalone solution is

  • much less vendor agnostic, which is required in my case
  • cost only a fraction of the AWS firewall
1 Like