ANS-C01 Exam Cram: AWS Load Balancing & High Availability
Design solutions that integrate load balancing to meet high availability, scalability, and security requirements
This guide focuses on Domain 1.3: Designing Load Balancing Solutions. In the Advanced Networking Specialty exam, you must distinguish between Load Balancer types based on throughput, protocol (L3/L4/L7), and security requirements.
## Topic Weighting
| Domain | Task | Estimated Exam % |
|---|---|---|
| Domain 1: Network Design | 1.3 Load Balancing Solutions | ~8-10% |
| Domain 4: Security | 4.1 Security & Compliance | ~4-6% (as it relates to ELB) |
## Key Concepts Summary
1. Elastic Load Balancer (ELB) Comparison
- ALB (Layer 7): Handles HTTP/HTTPS/gRPC. Supports path/host-based routing, OIDC authentication, and WAF integration.
- NLB (Layer 4): Handles TCP/UDP/TLS. Offers static IP addresses, can handle millions of requests/sec with ultra-low latency, and supports PrivateLink.
- GWLB (Layer 3/4): Transparently funnels traffic to 3rd-party security appliances. Uses the GENEVE protocol (Port 6081).
2. High Availability (HA) Mechanisms
- Cross-Zone Load Balancing: When enabled, nodes distribute traffic evenly across all registered targets in all enabled AZs.
- ALB: Enabled by default.
- NLB: Disabled by default (charges apply for inter-AZ data transfer).
- Health Checks: Can be configured at the Target Group level (TCP, HTTP, HTTPS). NLB supports both active and passive health checks.
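The cross-zone behaviour described above, worked through as an added example that is not AWS code or part of the original guide: a small model in which each enabled AZ hosts one load balancer node receiving an equal share of client connections, and the per-target share is computed with cross-zone disabled versus enabled. The AZ names and target counts are constructed.

```python
from fractions import Fraction

# Added example (not AWS code). Model: one load balancer node per enabled AZ,
# each node receives an equal share of client connections (DNS round-robin).
# Cross-zone disabled: a node only sends to healthy targets in its own AZ.
# Cross-zone enabled:  a node sends to every healthy target in every enabled AZ.


def traffic_share(healthy_targets_per_az: dict, cross_zone: bool) -> dict:
    """Fraction of total traffic each target receives, keyed by 'az/target-N'.

    With cross-zone disabled, a node whose own AZ has no healthy target is
    dropped from DNS (otherwise it would black-hole its share of traffic).
    """
    shares = {
        f"{az}/target-{i}": Fraction(0)
        for az, n in healthy_targets_per_az.items()
        for i in range(n)
    }
    if cross_zone:
        serving_azs = list(healthy_targets_per_az)
    else:
        serving_azs = [az for az, n in healthy_targets_per_az.items() if n > 0]
    if not shares or not serving_azs:
        return shares  # no healthy target anywhere: nothing can be served
    node_share = Fraction(1, len(serving_azs))
    total = sum(healthy_targets_per_az.values())
    for az in serving_azs:
        if cross_zone:
            per_target = node_share / total
            for key in shares:
                shares[key] += per_target
        else:
            per_target = node_share / healthy_targets_per_az[az]
            for i in range(healthy_targets_per_az[az]):
                shares[f"{az}/target-{i}"] += per_target
    return shares


def imbalance_ratio(shares: dict) -> Fraction:
    """Busiest target's share divided by the least busy one's (1 = perfectly even)."""
    loaded = [s for s in shares.values() if s > 0]
    return max(loaded) / min(loaded) if loaded else Fraction(0)


if __name__ == "__main__":
    layout = {"us-east-1a": 2, "us-east-1b": 8}  # constructed: unequal AZs
    for enabled in (False, True):
        shares = traffic_share(layout, cross_zone=enabled)
        print(f"cross-zone {'enabled ' if enabled else 'disabled'}:",
              {k: str(v) for k, v in shares.items()},
              "imbalance", imbalance_ratio(shares))
```

With 2 targets in one AZ and 8 in the other, cross-zone disabled leaves each target in the small AZ carrying four times the load of a target in the large AZ; enabling it evens the shares to 1/10 each, which is the trade the NLB's inter-AZ data transfer charge pays for.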
## Common Pitfalls
> [!WARNING] The "Static IP" Trap
> Do NOT choose ALB if the requirement states the client needs to whitelist a single, unchanging IP address. ALB uses DNS names with dynamic IPs. Use NLB (which provides a static IP per AZ) or put a Global Accelerator in front of the ALB.
- Header Preservation: NLB preserves the Source IP by default. ALB does NOT; it uses X-Forwarded-For. To see the source IP behind an ALB, your application must be configured to read that header.
- MTU Issues: GWLB/Appliance integrations often fail due to MTU mismatches. Ensure the appliance and VPC support Jumbo Frames (9001 MTU) if required, but note that the GENEVE header adds overhead.
- Zonal Failover: ELBs are Regional but reside in specific Subnets. If an AZ goes down, Route 53 health checks must remove that AZ's IP from the DNS response if cross-zone is disabled.
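The header-preservation pitfall, as an added example that is not from the guide or from AWS: a Python helper that derives the client address the way an application behind an ALB should, taking the entry the ALB appended (the rightmost) rather than the leftmost, which the client itself controls, and ignoring the header entirely when the TCP connection did not arrive from the ALB's subnets. The subnet, peer address and header values are constructed.

```python
import ipaddress
from typing import Iterable, Optional, Union

# Added example (not AWS or page code). Constructed values: the ALB lives in
# 10.0.0.0/16, the app sees ALB node 10.0.1.20 as its TCP peer, and
# 203.0.113.7 is the real client address the ALB appended to X-Forwarded-For.
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/16")]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_forwarded_entry(entry: str) -> Optional[IPAddress]:
    """Parse one X-Forwarded-For entry: 'a.b.c.d', 'a.b.c.d:port' (ALB with
    client-port preservation on), '2001:db8::1' or '[2001:db8::1]:port'.
    Returns None for anything that is not an IP address."""
    entry = entry.strip()
    if entry.startswith("["):              # bracketed IPv6, possibly with port
        entry = entry[1:].split("]", 1)[0]
    elif entry.count(":") == 1:            # IPv4 with port (IPv6 has more colons)
        entry = entry.split(":", 1)[0]
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        return None


def client_ip(headers: dict, peer_addr: str,
              trusted_peers: Iterable[IPNetwork] = ALB_SUBNETS,
              proxies_in_front_of_alb: int = 0) -> str:
    """Client address as the app behind an ALB should derive it.

    - If the TCP peer is not a load balancer node, the header is untrusted and
      the peer address itself is the client (direct hits, or NLB passthrough
      where the source IP is preserved).
    - Otherwise take the entry the ALB appended: the LAST one. With a trusted
      proxy in front of the ALB (e.g. a CDN), that proxy's address is last and
      the client is one position further from the right.
    """
    xff = headers.get("x-forwarded-for")
    peer = ipaddress.ip_address(peer_addr)
    if xff is None or not any(peer in net for net in trusted_peers):
        return str(peer)
    entries = xff.split(",")
    index = -1 - proxies_in_front_of_alb
    if len(entries) < -index:
        raise ValueError("X-Forwarded-For has fewer entries than trusted hops")
    ip = parse_forwarded_entry(entries[index])
    if ip is None:
        raise ValueError(f"bad X-Forwarded-For entry: {entries[index]!r}")
    return str(ip)


def naive_client_ip(headers: dict, peer_addr: str) -> str:
    """The common mistake: trusting the LEFTMOST entry, which the client can set."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_addr


if __name__ == "__main__":
    spoofed = {"x-forwarded-for": "127.0.0.1, 203.0.113.7"}  # client forged 127.0.0.1
    print("naive  :", naive_client_ip(spoofed, "10.0.1.20"))   # 127.0.0.1 (wrong)
    print("correct:", client_ip(spoofed, "10.0.1.20"))         # 203.0.113.7
```

Any allow-list, rate limit or audit log keyed on the naive value is keyed on an attacker-chosen string; the security-group rule that only admits traffic from the ALB is what makes the rightmost entry trustworthy, which is why the helper also checks the peer.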
## Mnemonics / Memory Triggers
- A-L-B (7 Letters-ish): Application, Layer 7, Authentication, ASM (WAF).
- N-L-B (4 Letters-ish): Network, Layer 4, Non-changing IP (Static).
- G-W-L-B: Geneve protocol, Gateway to security appliances.
- S-S-L (Sticky Sessions): Sticky = Session Affinity = Same target for duration of session.
## Formula / Equation Sheet
Load Balancer Selection Matrix
| Feature | Application (ALB) | Network (NLB) | Gateway (GWLB) |
|---|---|---|---|
| OSI Layer | Layer 7 | Layer 4 | Layer 3/4 |
| Target Types | IP, Instance, Lambda | IP, Instance, ALB | IP, Instance |
| Protocols | HTTP, HTTPS, gRPC | TCP, UDP, TLS | GENEVE (IP) |
| Static IP | No (Use Global Accel) | Yes (1 per AZ) | No |
| Security | WAF, Security Groups | Security Groups | Security Appliances |
| Termination | TLS Termination | TLS Termination/Pass | N/A (Transparent) |
## Worked Examples
Case: Hybrid Architecture Security
Scenario: A company needs to inspect all inbound traffic from an On-Premises data center via Direct Connect (DX) using a fleet of Check Point firewalls before it reaches an Internal ALB.
Solution Breakdown:
- Deploy Gateway Load Balancer (GWLB) in a security VPC.
- Deploy Firewall instances as targets in the GWLB Target Group.
- In the Application VPC, create GWLB Endpoints (GWLBE).
- Update the Subnet Route Table for the DX Gateway/Transit Gateway to route traffic to the GWLBE as the next hop.
- Traffic is encapsulated in GENEVE, sent to firewalls, inspected, and returned to the GWLBE for delivery to the ALB.
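The encapsulation in the last step, together with the MTU pitfall it raises, as an added example that is not AWS code or part of the guide: a Python builder and parser for the GENEVE header (RFC 8926) that GWLB speaks on UDP port 6081, plus a function that subtracts the outer IPv4, UDP and GENEVE headers from the appliance-side link MTU to show how large an inner packet can still fit without fragmentation. The option class 0xFF00 is from the RFC's experimental range and is a placeholder, not the option GWLB actually inserts; the VNI and option payload are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example (not AWS or page code). GENEVE per RFC 8926; GWLB uses it on
# UDP port 6081. Option class 0xFF00 is in the RFC's experimental range and
# stands in for whatever metadata the real GWLB attaches.
GENEVE_UDP_PORT = 6081
OUTER_IPV4_HEADER = 20
UDP_HEADER = 8
GENEVE_BASE_HEADER = 8
PROTO_IPV4 = 0x0800   # inner payload is an IPv4 packet


@dataclass
class GeneveOption:
    opt_class: int      # 16-bit option class
    opt_type: int       # 8-bit type; high bit = receiver must understand it
    data: bytes         # multiple of 4 bytes (length is encoded in 4-byte units)


@dataclass
class GeneveHeader:
    vni: int                         # 24-bit virtual network identifier
    protocol: int = PROTO_IPV4       # Ethertype of the inner packet
    critical: bool = False           # C bit: critical options present
    options: List[GeneveOption] = field(default_factory=list)


def build_geneve(hdr: GeneveHeader) -> bytes:
    """Serialise base header + options. Layout: byte0 = Ver(2)|OptLen(6, units
    of 4 bytes); byte1 = O|C|Rsvd(6); bytes2-3 = protocol; bytes4-6 = VNI;
    byte7 = reserved; then options (class:16, type:8, rsvd:3+len:5, data)."""
    opts = b""
    for o in hdr.options:
        if len(o.data) % 4 or len(o.data) > 124:   # 5-bit length field, max 31 units
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", o.opt_class, o.opt_type & 0xFF, len(o.data) // 4) + o.data
    opt_units = len(opts) // 4
    if opt_units > 63 or not 0 <= hdr.vni < (1 << 24):
        raise ValueError("options too long or VNI out of range")
    flags = 0x40 if hdr.critical else 0x00
    return (struct.pack("!BBH", opt_units, flags, hdr.protocol)   # version 0 in top bits
            + hdr.vni.to_bytes(3, "big") + b"\x00" + opts)


def parse_geneve(buf: bytes) -> Tuple[GeneveHeader, bytes]:
    """Parse a GENEVE header and return (header, inner packet). Rejects
    unknown versions and truncated options instead of guessing."""
    if len(buf) < GENEVE_BASE_HEADER:
        raise ValueError("truncated GENEVE base header")
    b0, flags, proto = struct.unpack("!BBH", buf[:4])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {b0 >> 6}")
    end = GENEVE_BASE_HEADER + (b0 & 0x3F) * 4
    if len(buf) < end:
        raise ValueError("truncated GENEVE options")
    vni = int.from_bytes(buf[4:7], "big")
    options, pos = [], GENEVE_BASE_HEADER
    while pos < end:   # end - pos is always a multiple of 4, so 4 bytes are available
        oc, ot, ln = struct.unpack("!HBB", buf[pos:pos + 4])
        ln = (ln & 0x1F) * 4
        if pos + 4 + ln > end:
            raise ValueError("option runs past the declared option length")
        options.append(GeneveOption(oc, ot, buf[pos + 4:pos + 4 + ln]))
        pos += 4 + ln
    return GeneveHeader(vni, proto, bool(flags & 0x40), options), buf[end:]


def max_inner_packet(link_mtu: int, hdr: GeneveHeader) -> int:
    """Largest original IP packet that fits in one encapsulated frame
    (outer IPv4 + UDP + GENEVE incl. options) without fragmentation."""
    return link_mtu - OUTER_IPV4_HEADER - UDP_HEADER - len(build_geneve(hdr))


if __name__ == "__main__":
    hdr = GeneveHeader(vni=0x0A0B0C, options=[GeneveOption(0xFF00, 1, b"\x00" * 8)])
    inner = bytes.fromhex("45000054") + b"\x00" * 80   # constructed stub of an IPv4 packet
    parsed, payload = parse_geneve(build_geneve(hdr) + inner)
    print("VNI", hex(parsed.vni), "options", len(parsed.options), "payload", len(payload))
    for mtu in (1500, 9001):
        print(f"link MTU {mtu}: largest inner packet {max_inner_packet(mtu, hdr)}")
```

With one 12-byte option the encapsulation costs 48 bytes, so a 1500-byte link toward the appliance carries at most a 1452-byte inner packet and full-size client packets are fragmented or dropped; a 9001-byte link leaves 8953, which is the reason the pitfalls section insists on jumbo frames along the GWLB path.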
Visual: TLS Termination vs. Passthrough
```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, fill=blue!10}]
  \node (client) [fill=green!10] {Client \\ (HTTPS Request)};
  \node (lb) [right of=client, xshift=2cm] {NLB \\ (Layer 4)};
  \node (target) [right of=lb, xshift=2cm] {EC2 Target \\ (TLS Decryption)};
  \draw[->, thick] (client) -- node[above, font=\scriptsize] {Encrypted (End-to-End)} (lb);
  \draw[->, thick] (lb) -- node[above, font=\scriptsize] {TLS Passthrough} (target);
  \node (note) [below of=lb, yshift=0.5cm, draw=none, fill=none, font=\itshape] {Note: NLB does not see the content};
\end{tikzpicture}
```
## Practice Set
- Which header does ALB use to pass the client's original IP address to the backend?
- Answer: X-Forwarded-For.
- To support PrivateLink for a service, which Load Balancer type must you use?
- Answer: Network Load Balancer (NLB).
- True/False: An NLB can have a Security Group attached.
- Answer: True (This is a relatively recent AWS update; previously NLBs relied only on target SGs).
- A company requires a fixed IP for a global application that uses an ALB. What service should be integrated?
- Answer: AWS Global Accelerator.
- What protocol does GWLB use to communicate with its targets?
- Answer: GENEVE (UDP Port 6081).
## Recall Blanks
- The _________ Load Balancer is best for path-based routing (e.g., /api vs /images).
- _________ load balancing ensures that traffic is distributed evenly even if AZs have an unequal number of instances.
- To preserve the source IP on an NLB when using a non-IP target, you should enable _________.
- _________ (SNI) allows a single Load Balancer listener to host multiple SSL certificates for different domains.
(Answers: Application, Cross-zone, Proxy Protocol, Server Name Indication)