Traffic coming from the internet destined for the Application Load Balancer (ALB) arrives at the internet gateway and is forwarded to a Gateway Load Balancer (GWLB) endpoint using the ingress route table. The GWLB endpoint forwards the traffic to the GWLB in the appliances VPC using AWS PrivateLink. The GWLB encapsulates the traffic in Generic Network Virtualization Encapsulation (GENEVE). The GENEVE-encapsulated traffic is sent to a security appliance for inspection. Once the traffic is inspected, it is sent back to the GWLB. This traffic is then returned to the GWLB endpoint in the inspect subnet. The GWLB endpoint uses the inspect subnet route table to forward the traffic to the ALB in the public subnet. Lastly, the ALB forwards the traffic to one of its healthy instances.
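
To make the encapsulation step concrete, here is an added example (not code from the original page or from AWS) of how an inspection appliance could parse the GENEVE header defined in RFC 8926 from a UDP payload received on port 6081, rejecting malformed option lengths before touching the inner packet. The names `parse_geneve`, `GenevePacket`, `GeneveOption`, `INNER` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int      # full type byte; its high bit is the "critical" flag
    critical: bool
    data: bytes

@dataclass
class GenevePacket:
    protocol: int      # EtherType of the inner payload, e.g. 0x0800 for IPv4
    vni: int           # 24-bit virtual network identifier
    oam: bool          # O flag: control packet, not data
    options: list
    inner: bytes       # the encapsulated original packet

def parse_geneve(payload: bytes) -> GenevePacket:
    """Parse a UDP payload (port 6081) as GENEVE; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated fixed header")
    b0, flags, protocol, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (b0 & 0x3F) * 4            # Opt Len counts 4-byte words
    if len(payload) < end:
        raise ValueError("option area exceeds packet")
    options, off = [], 8
    while off < end:
        opt_class, opt_type, length = struct.unpack("!HBB", payload[off:off + 4])
        data_end = off + 4 + (length & 0x1F) * 4
        if data_end > end:               # never read past the declared option area
            raise ValueError("option overruns option area")
        options.append(GeneveOption(opt_class, opt_type, bool(opt_type & 0x80),
                                    payload[off + 4:data_end]))
        off = data_end
    return GenevePacket(protocol, vni_rsvd >> 8, bool(flags & 0x80),
                        options, payload[end:])

# Constructed sample: one 4-byte option (class and type values are made up)
# followed by dummy bytes standing in for the inner IPv4 packet.
INNER = b"\x45" + bytes(19)
SAMPLE = (struct.pack("!BBHI", 0x02, 0x00, 0x0800, 0xABCD << 8)
          + struct.pack("!HBB", 0xFFF0, 0x01, 1) + b"\xde\xad\xbe\xef" + INNER)

if __name__ == "__main__":
    print(parse_geneve(SAMPLE))
```

The two length checks are the part that matters on an appliance: the option area is bounded by the fixed header's Opt Len, and each option is bounded by that area, so a crafted length field cannot make the parser read into the inner packet or past the buffer.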