AWS Elastic Load Balancing: Architecture, High Availability, and Security
Different types of load balancers and how they meet requirements for network design, high availability, and security
This study guide covers the architectural nuances of AWS Elastic Load Balancing (ELB) essential for the Advanced Networking Specialty. It focuses on selecting the right balancer type, ensuring high availability, and implementing robust security patterns.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between ALB, NLB, and GWLB based on OSI layers and use cases.
- Design highly available architectures using cross-zone load balancing and Route 53 integration.
- Implement security patterns including TLS termination, TLS passthrough, and WAF integration.
- Configure target groups and listeners for optimal performance and health monitoring.
Key Terms & Glossary
- Listener: A process that checks for connection requests using the protocol and port you configure.
- Target Group: A logical grouping of targets (EC2, IP, Lambda) to which the load balancer routes traffic.
- Cross-Zone Load Balancing: A feature that allows the load balancer to distribute traffic evenly across all registered targets in all enabled Availability Zones.
- SNI (Server Name Indication): An extension of TLS that allows a server to host multiple certificates on a single IP address.
- Sticky Sessions (Session Affinity): A mechanism to bind a user's session to a specific target to maintain state.
- GENEVE Protocol: The encapsulation protocol used by Gateway Load Balancers to wrap original traffic for inspection by virtual appliances.
The "Big Idea"
Load balancers are the intelligent gateways of an AWS architecture. They shift the burden of availability and security from individual servers to a managed fabric. Instead of managing complex failover scripts at the instance level, ELBs provide a unified entry point that integrates with Auto Scaling to ensure your application survives both traffic spikes and infrastructure failures.
Formula / Concept Box
| Metric/Constraint | Rule of Thumb |
|---|---|
| Subnet Size | Minimum /28 (16 IPs); Recommended /27 or larger (32+ IPs) for scaling. |
| ALB Layer | Layer 7 (Application) - Understands HTTP/HTTPS headers. |
| NLB Layer | Layer 4 (Transport) - Optimized for TCP/UDP/TLS performance. |
| GWLB Layer | Layer 3/4 - Transparently routes packets through third-party appliances. |
| Static IP | Only NLB provides a static IP address per Availability Zone. |
Hierarchical Outline
- I. Load Balancer Types
- Application Load Balancer (ALB)
- Layer 7 routing (Path-based, Host-based, Query-string).
- Native integration with AWS WAF.
- Network Load Balancer (NLB)
- Layer 4 high-performance (millions of requests/sec).
- Preserves Source IP addressing for backend targets.
- Gateway Load Balancer (GWLB)
- Deploy and manage a fleet of virtual appliances (Firewalls, IDS/IPS).
- Uses Gateway Load Balancer Endpoints (GWLBE) via PrivateLink.
- II. High Availability (HA) Patterns
- Cross-Zone Load Balancing: Prevents uneven load if AZs have different numbers of targets.
- Route 53 Integration: Using health checks to failover between Regions or ELBs.
- Auto Scaling Groups (ASG): Dynamic attachment/detachment of targets based on health.
- III. Security & Encryption
- TLS Termination: Offloading SSL/TLS decryption to the ELB to save target CPU.
- TLS Passthrough: Encrypted traffic passed to targets (NLB only) for end-to-end encryption.
- ACM Integration: Centralized certificate management via AWS Certificate Manager.
Visual Anchors
Load Balancer Selection Logic
Layer 7 vs Layer 4 Encapsulation
\begin{tikzpicture}[node distance=1.5cm]
  \draw[thick] (0,0) rectangle (6,1) node[midway] {\textbf{Layer 4: TCP/UDP (NLB)}};
  \draw[thick, fill=blue!10] (0,1.2) rectangle (6,2.2) node[midway] {\textbf{Layer 7: HTTP/HTTPS (ALB)}};
  \draw[<->, thick] (7,0) -- (7,2.2) node[midway, right] {Increasing Intelligence};
  \draw[->, thick] (-1,0.5) -- (0,0.5) node[left] {Packets};
  \node at (3,-0.7) [align=center] {\small \textit{NLB focuses on Ports/IPs. ALB focuses on URL Paths/Headers.}};
\end{tikzpicture}
Definition-Example Pairs
- Path-Based Routing: Routing requests to different target groups based on the URL path.
- Example: example.com/api goes to the API Target Group, while example.com/images goes to an S3-backed or specialized EC2 group.
- TLS Termination: The load balancer decrypts incoming HTTPS traffic and sends it to the backend as plain HTTP (or re-encrypts).
- Example: An ALB handles the heavy math of SSL handshakes, allowing a fleet of small T3.micro instances to focus solely on running application code.
- Health Check Grace Period: The time the ELB waits before starting health checks on a newly launched instance.
- Example: A Java application takes 2 minutes to boot; setting a 180-second grace period prevents the ELB from marking it "Unhealthy" while it's still starting.
Worked Examples
Scenario: Global Real-time Gaming App
Requirement: The app requires ultra-low latency, handles millions of UDP packets per second, and needs a single static IP for whitelisting by corporate clients.
Solution Breakdown:
- Selection: Choose Network Load Balancer (NLB).
- Reasoning: Only NLB supports UDP and provides a Static IP (Elastic IP) per AZ. Its Layer 4 nature ensures the lowest possible latency compared to ALB.
- High Availability: Enable the NLB in at least three Availability Zones and use Cross-Zone Load Balancing to ensure even distribution if one AZ has fewer servers.
Scenario: Inspecting All Outbound Traffic
Requirement: All traffic leaving the VPC must pass through a fleet of Check Point firewalls for deep packet inspection.
Solution Breakdown:
- Selection: Gateway Load Balancer (GWLB).
- Implementation: Create a GWLB and register the firewall instances as targets. Create GWLB Endpoints in the application subnets. Update the Route Tables to point the default route (0.0.0.0/0) to the GWLB Endpoint.
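The GWLB scenario above works because the endpoint hands each packet to the firewalls inside a GENEVE wrapper, so the appliance sees the original IP header untouched. The following Python parser is an added illustration (not code from this guide or from AWS): it decodes a GENEVE frame per RFC 8926, walks the TLV option block and recovers the inner IPv4 5-tuple; the sample frame and its option class/type values are constructed assumptions.

```python
import ipaddress
import struct

# GENEVE base header (RFC 8926), big-endian:
#   byte 0: Ver(2)|OptLen(6, in 4-byte words)     byte 1: O|C|Rsvd(6)
#   bytes 2-3: inner EtherType (0x0800 = IPv4)    bytes 4-7: VNI(24)|Rsvd(8)
# then OptLen*4 bytes of TLV options, then the original packet, byte for byte.
ETHERTYPE_IPV4 = 0x0800

def parse_geneve(frame: bytes):
    """Return (header dict, inner packet); raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("truncated GENEVE base header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", frame[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opts_end = 8 + (b0 & 0x3F) * 4
    if len(frame) < opts_end:
        raise ValueError("option length runs past end of frame")
    options, pos = [], 8
    while pos < opts_end:                        # walk the TLV option block
        opt_class, opt_type, len_byte = struct.unpack("!HBB", frame[pos:pos + 4])
        data_len = (len_byte & 0x1F) * 4         # low 5 bits = data length in words
        if pos + 4 + data_len > opts_end:
            raise ValueError("option data runs past option block")
        options.append((opt_class, opt_type, frame[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    header = {"control": bool(b1 & 0x80), "critical": bool(b1 & 0x40),
              "protocol": proto, "vni": vni_rsvd >> 8, "options": options}
    return header, frame[opts_end:]

def inner_ipv4_tuple(pkt: bytes):
    """(src, dst, proto, sport, dport) of the encapsulated IPv4 packet: the appliance's view."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:  # TCP/UDP ports follow the IP header
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(src), str(dst), proto, sport, dport

# Constructed sample: TCP 10.0.1.10:51234 -> 203.0.113.5:443 wrapped in GENEVE with one
# 8-byte TLV option (the option class/type values are an assumption, not from the page).
INNER = struct.pack("!BBHHHBBH4s4sHH", 0x45, 0, 24, 0, 0, 64, 6, 0,
                    ipaddress.IPv4Address("10.0.1.10").packed,
                    ipaddress.IPv4Address("203.0.113.5").packed, 51234, 443)
OPTION = struct.pack("!HBB", 0x0108, 1, 2) + b"\x00" * 8   # len field 2 -> 8 data bytes
SAMPLE_FRAME = struct.pack("!BBHI", 0x03, 0x00, ETHERTYPE_IPV4, 0) + OPTION + INNER
```

A real appliance would apply its policy to the tuple returned by inner_ipv4_tuple and then return the frame, options included, to the GWLB unchanged.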
Checkpoint Questions
- Which load balancer type should you use if you need to route traffic based on the User-Agent HTTP header?
- True or False: A Network Load Balancer can be integrated with AWS WAF.
- What is the minimum recommended subnet mask size for an ELB deployment to ensure scaling room?
- How does a Gateway Load Balancer maintain the original packet information when sending it to a security appliance?
Answers
- ALB (Layer 7 understands headers).
- False (WAF integrates with ALB, CloudFront, and AppSync, but not NLB).
- /27 (Standard requirement is /28, but /27 is the recommended minimum for scaling).
- By using the GENEVE protocol to encapsulate the original IP packet.
Muddy Points & Cross-Refs
- Sticky Sessions vs. NLB: People often think NLBs don't support stickiness. They do support Session Affinity based on Source IP, but they don't support "Cookie-based" stickiness like ALBs do.
- Health Checks: Remember that health checks are performed by the Load Balancer, not the Auto Scaling Group. However, the ASG can be configured to use "ELB Health Checks" to replace instances.
- Cross-Refs: See Unit 4: Network Security for deeper details on AWS WAF and Route 53 for Latency-based and Geolocation routing patterns.
Comparison Tables
| Feature | ALB | NLB | GWLB |
|---|---|---|---|
| OSI Layer | 7 | 4 | 3 |
| Protocols | HTTP, HTTPS, gRPC | TCP, UDP, TLS | IP (GENEVE) |
| Static IP | No | Yes | No |
| Source IP Preservation | No (Use X-Forwarded-For) | Yes (Native) | Yes (via GENEVE) |
| WAF Integration | Yes | No | No |
| Latency | Higher (~ms) | Ultra-low (~μs) | Low |
| Best Use Case | Web Applications | High-perf / VoIP / Gaming | Security Appliances |
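The "Source IP Preservation" row carries a security consequence: behind an ALB the target sees the ALB node's address, and the ALB appends the real client address as the last entry of X-Forwarded-For, leaving anything the client itself sent in that header ahead of it. Reading the first entry therefore lets a client choose the IP your logs and rate limits record. The following added Python example (not from this guide or from AWS) recovers the client address defensively; the ALB subnet ranges are placeholders you would replace with your own.

```python
import ipaddress
from typing import Optional

# Subnets the ALB nodes are deployed in (constructed assumption; use your own ALB subnets).
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/27"), ipaddress.ip_network("10.0.0.32/27")]

def client_ip_from_alb(peer_ip: str, xff_header: Optional[str]) -> str:
    """Recover the real client IP of a request that arrived through an ALB.

    The ALB appends the connecting client's IP as the LAST comma-separated entry of
    X-Forwarded-For; entries to its left were supplied by the client and are untrusted.
    If the TCP peer is not an ALB node, the header is ignored entirely.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in ALB_SUBNETS):
        return peer_ip                  # direct connection: header could be anything
    if not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))   # rightmost = value the ALB appended
    except (ValueError, IndexError):
        return peer_ip                  # malformed header: fall back, never trust garbage
```

Pair this with a target security group that only admits the ALB, so the peer check above cannot be bypassed by connecting to the instance directly.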