
AWS Load Balancer Target Group Configurations

Configuration options for load balancer target groups (for example, TCP, GENEVE, IP compared with instance)

This guide explores the intricate configuration options for target groups within the AWS Elastic Load Balancing (ELB) ecosystem, specifically focusing on the advanced networking requirements for the ANS-C01 exam. Understanding the nuances between protocol types, target registration methods, and specialized protocols like GENEVE is critical for designing scalable, high-performance architectures.

Learning Objectives

By the end of this study guide, you should be able to:

  • Differentiate between Instance and IP target types and identify when to use each.
  • Configure target groups for Network Load Balancers (NLB) and Gateway Load Balancers (GWLB) using TCP, UDP, and GENEVE.
  • Explain the role of connection draining and slow start mode in maintaining application availability.
  • Evaluate the impact of sticky sessions and routing algorithms on traffic distribution.

Key Terms & Glossary

  • Target Group: A logical grouping of targets (EC2 instances, IP addresses, or Lambda functions) that receive traffic from a load balancer listener.
  • GENEVE (Generic Network Virtualization Encapsulation): The protocol used by Gateway Load Balancers to wrap original IP traffic and send it to security appliances.
  • Deregistration Delay: Also known as connection draining; the time a load balancer waits for in-flight requests to complete before removing a target.
  • Slow Start Mode: A period during which a newly registered target receives a linearly increasing share of traffic, preventing it from being overwhelmed by a sudden flood of connections.

The "Big Idea"

In AWS networking, the Target Group acts as the bridge between the entry point (the Load Balancer) and the compute resource. While the Load Balancer handles the "front-door" networking, the Target Group configuration dictates the "back-door" mechanics—how health is verified, how sessions are maintained, and how the underlying network packets are formatted. Choosing the wrong target type or protocol can lead to routing failures, loss of client IP visibility, or sub-optimal performance.

Formula / Concept Box

| Configuration Attribute | Supported Load Balancers | Key Use Case |
| --- | --- | --- |
| Instance Target Type | ALB, NLB | Default for EC2; simplifies management. |
| IP Target Type | ALB, NLB | Required for Fargate, on-premises (via Direct Connect), or shared VPCs. |
| GENEVE Protocol | GWLB | Transparently routing L3 traffic to security appliances. |
| TCP / UDP / TLS | NLB | High-throughput, low-latency L4 traffic. |
| HTTP / HTTPS / gRPC | ALB | Content-based routing for web applications. |

Hierarchical Outline

  1. Target Registration Types
    • Instance ID: Routes to the primary ENI on an EC2 instance. Source IP is preserved by default on NLB.
    • IP Address: Routes to specific IP addresses. Allows routing to targets across VPC peering or Direct Connect.
    • Lambda Function: Specific to ALB for serverless compute.
    • Application Load Balancer: Using an ALB as a target for another ALB (zonal branching).
  2. Protocol & Routing Mechanics
    • TCP/UDP/TLS: Layer 4 configurations for NLB. High performance, no header inspection.
    • GENEVE: Layer 3 encapsulation for Gateway Load Balancers. Preserves the entire packet (L2-L7).
  3. Traffic Management Features
    • Sticky Sessions: Binding a client to a specific target via cookies (ALB) or Client IP (NLB).
    • Routing Algorithms: Round Robin (default) vs. Least Outstanding Requests (ALB only).
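The GENEVE item in the outline is easiest to understand with bytes in hand. The block below is an added example written for this guide (it is not code from the guide or from AWS): it builds a GENEVE-encapsulated IPv4 packet the way a Gateway Load Balancer hands traffic to an appliance, then decapsulates it on the appliance side with every length field checked, showing that the inner packet comes out byte-for-byte unchanged and that the option TLVs can be kept for the return leg. Assumptions: the inner payload is a raw IPv4 packet carried with protocol type 0x0800; the option class 0x0108 and type 3 used for the sample option are my recollection of the AWS GWLB metadata TLVs and should be verified against the current documentation; all addresses and the option value are constructed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

ETHERTYPE_IPV4 = 0x0800        # GENEVE protocol type when the payload is a bare IPv4 packet
AWS_GWLB_OPTION_CLASS = 0x0108  # assumed value for the AWS GWLB option class; verify against docs


@dataclass
class GeneveHeader:
    vni: int
    protocol_type: int
    oam: bool
    critical: bool
    options: List[Tuple[int, int, bytes]]  # (option class, type, data)
    payload: bytes                         # inner packet, byte-for-byte as received


def build_geneve(payload: bytes, vni: int = 0, protocol_type: int = ETHERTYPE_IPV4,
                 options: List[Tuple[int, int, bytes]] = ()) -> bytes:
    """Encapsulate payload in a GENEVE header (RFC 8926 layout: 8 fixed bytes plus TLV options)."""
    opts = b""
    for cls, typ, data in options:
        if len(data) % 4 or len(data) > 124:   # 5-bit length field, counted in 4-byte words
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", cls, typ, len(data) // 4) + data
    if len(opts) // 4 > 0x3F:
        raise ValueError("options exceed the 6-bit Opt Len field")
    first = len(opts) // 4   # version 0 in the top two bits, Opt Len in 4-byte words below
    return struct.pack("!BBHI", first, 0, protocol_type, vni << 8) + opts + payload


def parse_geneve(buf: bytes) -> GeneveHeader:
    """Decapsulate; each length is checked so a malformed option cannot run past the header."""
    if len(buf) < 8:
        raise ValueError("short GENEVE header")
    first, flags, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    if first >> 6 != 0:
        raise ValueError("unknown GENEVE version")
    end = 8 + (first & 0x3F) * 4
    if len(buf) < end:
        raise ValueError("Opt Len runs past the packet")
    options, off = [], 8
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated option header")
        cls, typ, rlen = struct.unpack("!HBB", buf[off:off + 4])
        dlen = (rlen & 0x1F) * 4
        if off + 4 + dlen > end:
            raise ValueError("option data runs past Opt Len")
        options.append((cls, typ, buf[off + 4:off + 4 + dlen]))
        off += 4 + dlen
    return GeneveHeader(vni=vni_rsvd >> 8, protocol_type=proto, oam=bool(flags & 0x80),
                        critical=bool(flags & 0x40), options=options, payload=buf[end:])


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum; used only to construct the sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int]:
    """Return (src, dst, protocol) after verifying the header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]


def inspect_encapsulated(buf: bytes) -> dict:
    """Appliance-side view: strip GENEVE, read the inner addresses, and keep the options so the
    packet can be re-encapsulated with the same metadata on the way back to the GWLB."""
    g = parse_geneve(buf)
    if g.protocol_type != ETHERTYPE_IPV4:
        raise ValueError("sample only handles IPv4 payloads")
    src, dst, proto = parse_ipv4(g.payload)
    return {"vni": g.vni, "options": g.options, "inner_src": src, "inner_dst": dst,
            "inner_proto": proto, "inner_packet": g.payload}


def is_well_formed(buf: bytes) -> bool:
    try:
        inspect_encapsulated(buf)
        return True
    except ValueError:
        return False


# Constructed sample: a TCP packet from a workload (10.0.2.15) to the internet (198.51.100.7),
# wrapped the way a GWLB would before handing it to a firewall appliance.
INNER_PACKET = build_ipv4("10.0.2.15", "198.51.100.7", 6, b"\xc3\x50\x01\xbb\x00\x00\x00\x01")
ENCAPSULATED = build_geneve(INNER_PACKET, vni=0,
                            options=[(AWS_GWLB_OPTION_CLASS, 3, b"\x00\x00\x00\x2a")])

if __name__ == "__main__":
    print(inspect_encapsulated(ENCAPSULATED))
```

The point for an appliance author is in `parse_geneve`: the Opt Len and each option's length field come from the wire, so the decapsulation path has to bound every slice by them rather than trust them, and it has to hold on to the options it strips so the return packet carries the same metadata the load balancer attached.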

Visual Anchors

Traffic Routing Logic

[Diagram not reproduced in this copy]

Instance vs. IP Target Modes

[Diagram not reproduced in this copy]

Definition-Example Pairs

  • Configuration: Deregistration Delay

    • Definition: The amount of time the load balancer keeps a connection open for a target that is being deregistered or failing a health check.
    • Example: An e-commerce checkout service sets a delay of 300 seconds to ensure a customer completing a purchase doesn't have their TCP connection cut mid-transaction when an Auto Scaling Group scales in.
  • Configuration: Proxy Protocol v2

    • Definition: A header used to transport connection information such as source and destination IP/port through an NLB to the target when using TCP/UDP.
    • Example: An NLB with a TCP listener needs to pass the original client's public IP to a backend logging server that doesn't support the X-Forwarded-For header.
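What the backend logging server in the Proxy Protocol v2 example actually has to do is decode the binary v2 header the NLB prepends to each TCP connection and take the client address from it instead of from the socket peer. The block below is an added example (my own code, not from the guide or from AWS) that encodes and parses that header following the PROXY protocol v2 layout, including the trailing TLV extensions. The addresses, ports and the TLV value are constructed; 0xEA is the TLV type AWS uses for its own extensions, but the value shown is a placeholder.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte signature that opens every v2 header
COMMANDS = {0x0: "LOCAL", 0x1: "PROXY"}
FAMILIES = {0x0: "UNSPEC", 0x1: "AF_INET", 0x2: "AF_INET6", 0x3: "AF_UNIX"}
TRANSPORTS = {0x0: "UNSPEC", 0x1: "STREAM", 0x2: "DGRAM"}
PP2_TYPE_AWS = 0xEA                         # TLV type AWS uses for its extensions


@dataclass
class ProxyInfo:
    command: str                      # LOCAL carries no client info; PROXY does
    family: str
    transport: str
    src: Optional[Tuple[str, int]]    # original client address and port, if present
    dst: Optional[Tuple[str, int]]    # address and port the client connected to
    tlvs: List[Tuple[int, bytes]]     # trailing (type, value) extensions
    header_len: int                   # the application payload starts at this offset


def parse_proxy_v2(buf: bytes) -> ProxyInfo:
    """Decode a PROXY v2 header at the start of buf; ValueError on anything malformed."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_tr, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    total = 16 + length
    if len(buf) < total:
        raise ValueError("truncated PROXY header")
    try:
        command, family, transport = (COMMANDS[ver_cmd & 0x0F], FAMILIES[fam_tr >> 4],
                                      TRANSPORTS[fam_tr & 0x0F])
    except KeyError as exc:
        raise ValueError("unknown command, family or transport") from exc
    body = buf[16:total]
    src = dst = None
    addr_len = 0
    if command == "PROXY" and family in ("AF_INET", "AF_INET6"):
        af, size, fmt = ((socket.AF_INET, 4, "!4s4sHH") if family == "AF_INET"
                         else (socket.AF_INET6, 16, "!16s16sHH"))
        addr_len = 2 * size + 4
        if len(body) < addr_len:
            raise ValueError("address block shorter than the family requires")
        s, d, sp, dp = struct.unpack(fmt, body[:addr_len])
        src = (socket.inet_ntop(af, s), sp)
        dst = (socket.inet_ntop(af, d), dp)
    tlvs, off = [], addr_len
    while off < len(body):
        if off + 3 > len(body):
            raise ValueError("truncated TLV header")
        t, vlen = struct.unpack("!BH", body[off:off + 3])
        value = body[off + 3:off + 3 + vlen]
        if len(value) != vlen:
            raise ValueError("truncated TLV value")
        tlvs.append((t, value))
        off += 3 + vlen
    return ProxyInfo(command, family, transport, src, dst, tlvs, total)


def is_proxy_v2(buf: bytes) -> bool:
    try:
        parse_proxy_v2(buf)
        return True
    except ValueError:
        return False


def build_proxy_v2(src: Tuple[str, int], dst: Tuple[str, int], tlvs=()) -> bytes:
    """Encode the IPv4/TCP header an NLB would prepend (used here to construct the sample)."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])
    for t, v in tlvs:
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def client_ip_for_log(stream: bytes, peer_ip: str) -> Tuple[str, bytes]:
    """Logging-server side: log the real client IP from the header, pass the rest to the app.
    A LOCAL header (no client info) falls back to the socket peer."""
    info = parse_proxy_v2(stream)
    return (info.src[0] if info.src else peer_ip), stream[info.header_len:]


# Constructed sample: client 203.0.113.10:51234 connected to 10.0.1.20:443; the NLB writes the
# header, then the first bytes of the client's request follow.
SAMPLE_STREAM = build_proxy_v2(("203.0.113.10", 51234), ("10.0.1.20", 443)) + b"GET /health HTTP/1.1\r\n"

if __name__ == "__main__":
    print(client_ip_for_log(SAMPLE_STREAM, "10.0.1.5"))
```

Two operational points follow from the parser. The header is only trustworthy when the listener port is reachable solely through the NLB (a security group rule limiting ingress to the load balancer), because any host that can open a direct connection could write its own header and choose the client IP that gets logged. And once `proxy_protocol_v2.enabled` is turned on for the target group, every connection starts with this binary prefix, so a backend that has not been taught to strip it will see garbage in place of the first request.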

Worked Examples

Scenario: Setting up a GWLB for Security Inspection

Problem: You need to inspect all traffic entering your VPC using a pool of third-party firewalls.

Step-by-Step Breakdown:

  1. Deploy Appliances: Launch EC2 firewall instances in a dedicated "Security VPC."
  2. Create Target Group: Select the GENEVE protocol and the IP target type.
  3. Register Targets: Add the private IPs of the firewall appliances to the target group.
  4. Health Check: Configure a TCP health check on the specific port the appliance uses to signal readiness.
  5. Route Traffic: Use VPC Ingress Routing to send traffic to the GWLB Endpoint (GWLBe), which then forwards it to the GENEVE target group.
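Steps 2 through 4 of the scenario map onto three Elastic Load Balancing API calls. The block below is an added example (my own code, not from the guide or from AWS) that builds those requests with the constraints the console enforces written out as checks (GENEVE only on port 6081, IP targets registered by private IPv4 address, TCP/HTTP/HTTPS health checks, deregistration delay within 0 to 3600 seconds), and applies them through a boto3 `elbv2` client when one is supplied. The `DryRunClient` class, the target group name, the VPC id and the appliance IPs are placeholders I made up; the keyword names are the boto3 `create_target_group`, `register_targets` and `modify_target_group_attributes` parameters.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

GENEVE_PORT = 6081                                 # the only port a GENEVE target group may use
HEALTH_CHECK_PROTOCOLS = ("TCP", "HTTP", "HTTPS")  # allowed for GWLB target groups


def geneve_target_group_request(name: str, vpc_id: str, health_check_port: int,
                                health_check_protocol: str = "TCP") -> Dict:
    """Steps 2 and 4: keyword arguments for elbv2.create_target_group."""
    if health_check_protocol not in HEALTH_CHECK_PROTOCOLS:
        raise ValueError(f"health check protocol must be one of {HEALTH_CHECK_PROTOCOLS}")
    if not 1 <= health_check_port <= 65535:
        raise ValueError("health check port out of range")
    req = {
        "Name": name,
        "Protocol": "GENEVE",
        "Port": GENEVE_PORT,
        "VpcId": vpc_id,
        "TargetType": "ip",                          # appliances are registered by private IP
        "HealthCheckEnabled": True,
        "HealthCheckProtocol": health_check_protocol,
        "HealthCheckPort": str(health_check_port),   # a separate port from the GENEVE data port
    }
    if health_check_protocol != "TCP":
        req["HealthCheckPath"] = "/"
    return req


def register_targets_request(target_group_arn: str, appliance_ips: Iterable[str]) -> Dict:
    """Step 3: keyword arguments for elbv2.register_targets; only private IPv4 addresses pass."""
    targets: List[Dict] = []
    for raw in appliance_ips:
        ip = ipaddress.ip_address(raw)
        if ip.version != 4 or not ip.is_private:
            raise ValueError(f"{raw} is not a private IPv4 address")
        targets.append({"Id": str(ip), "Port": GENEVE_PORT})
    if not targets:
        raise ValueError("no appliances to register")
    return {"TargetGroupArn": target_group_arn, "Targets": targets}


def attributes_request(target_group_arn: str, deregistration_delay_seconds: int = 300) -> Dict:
    """Connection draining for the appliance pool, as a target group attribute."""
    if not 0 <= deregistration_delay_seconds <= 3600:
        raise ValueError("deregistration delay must be between 0 and 3600 seconds")
    return {"TargetGroupArn": target_group_arn,
            "Attributes": [{"Key": "deregistration_delay.timeout_seconds",
                            "Value": str(deregistration_delay_seconds)}]}


class DryRunClient:
    """Stand-in for a boto3 elbv2 client that records the calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def create_target_group(self, **kw):
        self.calls.append(("create_target_group", kw))
        return {"TargetGroups": [{"TargetGroupArn": "arn:PLACEHOLDER:targetgroup/dry-run"}]}

    def register_targets(self, **kw):
        self.calls.append(("register_targets", kw))
        return {}

    def modify_target_group_attributes(self, **kw):
        self.calls.append(("modify_target_group_attributes", kw))
        return {}


def apply(name: str, vpc_id: str, appliance_ips: List[str], health_check_port: int,
          client: Optional[object] = None) -> str:
    """Run steps 2 to 4. With no client given, a real boto3 client (and AWS credentials) is used;
    boto3 is imported here so the request builders above stay importable offline."""
    if client is None:
        import boto3
        client = boto3.client("elbv2")
    created = client.create_target_group(**geneve_target_group_request(name, vpc_id, health_check_port))
    arn = created["TargetGroups"][0]["TargetGroupArn"]
    client.register_targets(**register_targets_request(arn, appliance_ips))
    client.modify_target_group_attributes(**attributes_request(arn))
    return arn


if __name__ == "__main__":
    dry = DryRunClient()   # placeholder values; swap in your own before using a real client
    apply("fw-geneve-tg", "vpc-PLACEHOLDER", ["10.20.1.10", "10.20.2.10"], 8080, client=dry)
    for name, kwargs in dry.calls:
        print(name, kwargs)
```

Running the module as a script prints the three requests without touching an account, which is a convenient way to review the exact settings (port, target type, health check port) before anyone with write access to the load balancer runs `apply()` for real.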

Checkpoint Questions

  1. Which target type is required if you want to load balance traffic to an on-premises server connected via Direct Connect?
  2. What is the primary benefit of using Slow Start Mode for a newly launched EC2 instance in a target group?
  3. Which ELB type and protocol should be used for a payload that must be inspected at Layer 3 without changing the packet headers?
  4. True or False: An NLB using an Instance target type preserves the source IP address of the client.

Muddy Points & Cross-Refs

  • Source IP Preservation: This often confuses students. NLBs preserve the client source IP for Instance targets but do NOT necessarily preserve it for IP targets unless specific conditions are met (for example, where the target sits relative to the NLB, or the protocol in use). Always check whether your backend needs Proxy Protocol v2 in order to see the client IP.
  • Health Check Port vs. Traffic Port: Target groups allow you to define a health check port that is different from the port where the application receives traffic. This is useful for instances where the management port is separate from the data port.

Comparison Tables

Target Type Comparison

| Feature | Instance ID | IP Address |
| --- | --- | --- |
| Routing Destination | Primary ENI of Instance | Any valid IP in VPC/On-Prem |
| Flexibility | Limited to EC2 in same VPC/Region | Containers, On-prem, Peered VPCs |
| Preserve Source IP | Yes (NLB default) | No (unless Proxy Protocol v2) |
| Service Discovery | Native EC2 integration | More manual/Requires Cloud Map |
