AWS Load Balancer Ecosystem & Service Integrations
Integrations of load balancers and other AWS services (for example, Global Accelerator, CloudFront, AWS WAF, Route 53, Amazon Elastic Kubernetes Service [Amazon EKS], AWS Certificate Manager [ACM])
This guide explores how Elastic Load Balancing (ELB) integrates with the broader AWS ecosystem to provide global scale, enhanced security, and container orchestration capabilities for the Advanced Networking Specialty (ANS-C01).
Learning Objectives
After studying this guide, you should be able to:
- Design multi-region architectures using AWS Global Accelerator and ELB.
- Implement AWS WAF rules to protect Application Load Balancers (ALB).
- Configure Route 53 Alias records for seamless DNS-to-ELB resolution.
- Orchestrate container traffic using the AWS Load Balancer Controller for EKS.
- Manage automated SSL/TLS lifecycles via AWS Certificate Manager (ACM) integration.
Key Terms & Glossary
- Anycast IP: An IP address assigned to multiple locations; AWS Global Accelerator uses this to route users to the nearest edge location.
- Ingress Controller: A specialized Kubernetes controller (here, the AWS Load Balancer Controller) that provisions and manages ALBs/NLBs on behalf of a cluster.
- Alias Record: A Route 53 specific record type that points to AWS resources (like ELBs) and doesn't incur query charges.
- TLS Termination: The process of decrypting encrypted traffic at the load balancer before sending it to the backend.
- Target Group: A logical grouping of targets (EC2, Lambda, IP) that receive traffic from a load balancer.
The "Big Idea"
Elastic Load Balancing is rarely a standalone service. In a production-grade architecture, the Load Balancer acts as the central nexus connecting edge services (Global Accelerator, CloudFront, Route 53) to compute resources (EKS, EC2). Understanding these integrations is the key to passing the ANS-C01, as the exam focuses on how these components cooperate to solve high-availability and security requirements.
Formula / Concept Box
| Integration | Primary Benefit | Layer |
|---|---|---|
| Route 53 + ELB | DNS Failover and Apex record support | Layer 7 / Layer 4 |
| ACM + ALB | Offloaded SSL/TLS & Auto-renewal | Layer 7 |
| WAF + ALB | Layer 7 security (SQLi, XSS protection) | Layer 7 |
| Global Accelerator + NLB | Static Anycast IPs & Global failover | Layer 4 |
Hierarchical Outline
- I. Edge & Global Connectivity
- AWS Global Accelerator: Provides two static Anycast IPs; improves performance by up to 60% using the AWS Global Network.
- Amazon CloudFront: Uses ELB as a custom origin; provides caching and edge security via Shield/WAF.
- II. Identity & Security
- AWS WAF: Attaches Web ACLs directly to ALBs to filter malicious requests.
- AWS Certificate Manager (ACM): Centralized certificate management; integrated for easy listener configuration.
- III. Compute & Orchestration
- Amazon EKS (Kubernetes): Uses the AWS Load Balancer Controller to provision ALBs (Ingress) and NLBs (Service Type: LoadBalancer).
- IV. Domain Management
- Amazon Route 53: Uses Alias records to map zone apex (example.com) to ELB DNS names.
Visual Anchors
- Figure (not reproduced here): Global Traffic Flow with Global Accelerator
- Figure (not reproduced here): EKS Ingress Controller Architecture
Definition-Example Pairs
- Service Integration: AWS WAF: Attaching a Web Access Control List to an ALB to block specific geography-based IP ranges.
- Example: An e-commerce site blocks traffic from specific regions known for high bot activity by applying a Geofence rule on the ALB's WAF attachment.
- Service Integration: ACM: Using a managed certificate on an NLB listener for TLS termination.
- Example: A banking application uses ACM to issue a private certificate for an internal NLB to ensure end-to-end encryption without managing manual key rotations.
Worked Examples
Scenario 1: Provisioning EKS Ingress
To expose a set of Kubernetes pods via an Application Load Balancer, you must:
- Install the AWS Load Balancer Controller via Helm in the EKS cluster.
- Define an Ingress resource: Create a YAML file specifying `kubernetes.io/ingress.class: alb`.
- Specify Subnets: Use annotations to tell the controller which subnets to use (e.g., `alb.ingress.kubernetes.io/subnets`).
- Result: The controller automatically calls AWS APIs to create an ALB and Target Groups pointing to pod IPs.
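The Ingress manifest from Scenario 1, written out as an added example (not from the original guide), with the ACM and WAF integrations from the Definition-Example Pairs expressed as controller annotations. Names, subnet IDs, the account ID and the ARNs are placeholders to be replaced with your own values.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress            # constructed name
  namespace: shop               # constructed namespace
  annotations:
    # Hand this Ingress to the AWS Load Balancer Controller (Scenario 1, step 2).
    kubernetes.io/ingress.class: alb
    # Internet-facing ALB placed in the listed subnets (placeholder subnet IDs);
    # target-type 'ip' registers pod IPs directly in the target groups.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: subnet-PLACEHOLDER1, subnet-PLACEHOLDER2
    alb.ingress.kubernetes.io/target-type: ip
    # ACM integration: terminate TLS on the ALB with a managed certificate
    # (placeholder ARN) and redirect plain HTTP to HTTPS.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # WAF integration: attach a regional WAFv2 Web ACL (placeholder ARN) to the ALB.
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:us-east-1:111122223333:regional/webacl/shop-acl/PLACEHOLDER
    # Health check path for the generated target group.
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop-web          # constructed Service name
                port:
                  number: 8080
```

Newer controller releases also accept `spec.ingressClassName: alb` in place of the deprecated `kubernetes.io/ingress.class` annotation; the annotation is kept here because it is the form the guide references.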
Scenario 2: Global Failover with Route 53
To set up a multi-region active-passive failover:
- Deploy an ALB in `us-east-1` and another in `us-west-2`.
- In Route 53, create two Alias A records for the same domain.
- Set the routing policy to Failover.
- Associate a Route 53 Health Check with the primary ALB. If the health check fails, Route 53 automatically updates DNS to point to the secondary ALB.
Checkpoint Questions
- Why is an Alias record preferred over a CNAME for Route 53/ELB integration?
- Can AWS WAF be attached to a Network Load Balancer (NLB)?
- What is the primary benefit of using Global Accelerator in front of an ALB for a mobile app user in Australia accessing a server in the US?
- Which EKS component is responsible for creating an NLB when a service is defined with `type: LoadBalancer`?
Muddy Points & Cross-Refs
- Apex Record Limitation: Standard DNS does not allow a CNAME for the root domain (e.g., `google.com`). This is why Route 53 Alias records are critical: they allow the root domain to point to an ELB DNS name.
- CloudFront vs. Global Accelerator: Both use edge locations. Use CloudFront for cacheable content (HTTP/S). Use Global Accelerator for non-HTTP protocols (TCP/UDP) or when you need static Anycast IPs for whitelisting.
Comparison Tables
WAF Deployment Comparison
| Feature | WAF on CloudFront | WAF on Application Load Balancer |
|---|---|---|
| Edge/Region | Global (Edge Locations) | Regional |
| Best For | Global static/dynamic content | Regional apps / Internal apps |
| Inspection | Happens before reaching AWS network | Happens at the VPC entry point |
Route 53 Record Types for ELB
| Record Type | Description | Supports Apex? |
|---|---|---|
| CNAME | Standard DNS pointer to another name | No |
| Alias (A/AAAA) | AWS-internal pointer to resource | Yes |