AWS Load Balancing and Traffic Distribution Patterns: Comprehensive Study Guide
This study guide covers the critical architectural patterns for Elastic Load Balancing (ELB) within the AWS ecosystem, focusing on high availability, security, and performance optimization for the Advanced Networking Specialty exam.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between ALB, NLB, and GWLB based on OSI layer and use case.
- Design multi-tier load balancing architectures using internal and external ELBs.
- Configure advanced features like session affinity, cross-zone load balancing, and TLS termination.
- Integrate ELB with edge services like Global Accelerator, CloudFront, and Route 53.
- Implement logging and monitoring for traffic distribution troubleshooting.
Key Terms & Glossary
- Listener: A process that checks for connection requests using a configured protocol and port.
- Target Group: A logical grouping of targets (EC2, IP, Lambda) to which the load balancer routes traffic.
- Session Affinity (Sticky Sessions): A mechanism to bind a user's session to a specific target for the duration of the session.
- Cross-Zone Load Balancing: Distributing traffic evenly across all registered targets in all enabled Availability Zones (AZs).
- SNI (Server Name Indication): An extension to TLS that allows multiple certificates to be served from a single listener.
The "Big Idea"
Load balancing is not just about distributing traffic; it is the foundational anchor for elasticity and fault tolerance. By decoupling the entry point (the LB DNS) from the backend compute (EC2/Containers), AWS allows for seamless scaling (Auto Scaling integration) and self-healing (Health Checks). In complex networking, the load balancer acts as the primary tool for abstraction, allowing architects to change backend infrastructure without impacting the client's connection string.
Formula / Concept Box
| Feature | Application Load Balancer (ALB) | Network Load Balancer (NLB) | Gateway Load Balancer (GWLB) |
|---|---|---|---|
| OSI Layer | Layer 7 (HTTP/HTTPS) | Layer 4 (TCP/UDP/TLS) | Layer 3 (IP Packets) |
| Protocol | HTTP, HTTPS, gRPC | TCP, UDP, TLS | GENEVE (Encapsulation) |
| Static IP | No (Uses DNS name) | Yes (Elastic IPs per AZ) | No (Uses Endpoint) |
| Termination | Terminates TLS/TCP | Pass-through or TLS Term | Pass-through (Transparent) |
Hierarchical Outline
- I. ELB Types and Use Cases
- ALB (Layer 7): Best for microservices, container-based apps, and path/host-based routing.
- NLB (Layer 4): Best for extreme performance, ultra-low latency, and static IP requirements.
- GWLB (Layer 3): Best for deploying third-party virtual appliances (firewalls, IDS/IPS) inline.
- II. Connectivity Patterns
- External (Internet-Facing): Public IP nodes; targets can be private.
- Internal: Private IP nodes; used for inter-tier communication (e.g., App to DB).
- III. Advanced Configuration
- Routing Algorithms: Round Robin (ALB/NLB), Least Outstanding Requests (ALB).
- Proxy Protocol: Used by NLB to pass client connection info (IP/Port) to the backend.
- TLS termination vs. Passthrough: A trade-off between end-to-end encryption (passthrough keeps traffic encrypted all the way to the instance) and overhead (termination offloads the TLS handshake to the ELB).
- IV. Integrations
- Global Accelerator: Provides static Anycast IPs to route traffic to the nearest regional ELB.
- WAF: Integrated directly with ALB to filter malicious web traffic.
Visual Anchors
Multi-Tier Traffic Flow
This flowchart illustrates how traffic moves from the public internet through different tiers of load balancing.
Gateway Load Balancer Packet Flow
This TikZ diagram visualizes the "bump-in-the-wire" pattern of GWLB using GENEVE encapsulation.
Definition-Example Pairs
- Host-based Routing: Routing traffic based on the HTTP Host header.
- Example: Routing `api.example.com` to Target Group A and `mobile.example.com` to Target Group B on the same ALB.
- Cross-Zone Load Balancing: Distributing traffic across all targets in all enabled AZs regardless of which AZ the LB node is in.
- Example: If AZ-A has 2 instances and AZ-B has 8, enabling cross-zone ensures each of the 10 instances receives 10% of the traffic.
- TLS Termination: The process of decrypting SSL/TLS traffic at the load balancer.
- Example: An ALB handles the heavy CPU work of the SSL handshake and sends plain HTTP to backend EC2 instances to save compute resources.
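Where the 10% figure in the cross-zone example comes from, and what happens when cross-zone load balancing is disabled, as an added derivation that is not part of the original guide; it assumes one load balancer node per enabled AZ and that DNS spreads client connections equally across those nodes.

With cross-zone disabled, each node only forwards to targets in its own AZ. With k enabled AZs and n_i targets in AZ i, a single target in AZ i receives:

share_off(i) = (1 / k) × (1 / n_i)

With cross-zone enabled, every node forwards across all N = n_1 + ... + n_k targets, so every target receives:

share_on = 1 / N

For the example (AZ-A: n_A = 2, AZ-B: n_B = 8, so k = 2 and N = 10):

- Enabled: share_on = 1 / 10 = 10% per instance, as stated.
- Disabled: AZ-A instances get (1/2) × (1/2) = 25% each; AZ-B instances get (1/2) × (1/8) = 6.25% each.

So with cross-zone disabled, the two AZ-A instances carry 50% of all traffic with one fifth of the fleet's capacity. That per-AZ hot spot (which a fleet-wide average CPU metric hides) is exactly the imbalance cross-zone load balancing removes, and the reason to check the setting on NLBs, where it is off by default.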
Worked Examples
Scenario: Setting up a Highly Available 3-Tier Web App
Requirement: A public web site that must be secure, handle 100k requests/sec, and communicate with a backend application tier that should not be internet-accessible.
- Public Tier: Create an External ALB. Place its nodes in at least two Public Subnets.
- Security: Attach an ACM Certificate to the ALB listener on port 443. Configure a redirect from port 80 to 443.
- Web Tier: Place Web Instances in Private Subnets. Configure the ALB Target Group to use these instances. Ensure the Security Group for the Web Tier only allows traffic from the ALB's Security Group.
- App Tier: Create an Internal NLB. This provides a consistent private DNS/IP for the Web Tier to call.
- Integration: Use Route 53 Alias records to point `www.example.com` to the External ALB DNS name.
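Terraform for the Security and Web Tier steps above, as an added example that is not the guide's own code. It assumes the external ALB, its security group, the web tier security group, the web target group and the ACM certificate ARN are declared elsewhere as `aws_lb.public`, `aws_security_group.alb`, `aws_security_group.web`, `aws_lb_target_group.web` and `var.acm_cert_arn` (all assumed names).

```hcl
# Added example (not from the guide). Assumed to exist elsewhere in the module:
# aws_lb.public, aws_security_group.alb, aws_security_group.web,
# aws_lb_target_group.web, var.acm_cert_arn.

# Security step: send every plaintext request on port 80 to HTTPS with a 301.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.public.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Security step: terminate TLS on the ALB with the ACM certificate and a
# predefined policy that only negotiates TLS 1.2 and 1.3.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Web Tier step: the only source allowed to reach the web instances on the
# target group port is the ALB's security group, not a CIDR range, so
# anything that bypasses the ALB (including other hosts in the VPC) is dropped.
resource "aws_vpc_security_group_ingress_rule" "web_from_alb" {
  security_group_id            = aws_security_group.web.id
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = 80
  to_port                      = 80
  ip_protocol                  = "tcp"
}
```

Because the ALB forwards plain HTTP to the target group after termination, the security group rule is what keeps that decrypted hop reachable only from the ALB nodes.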
Checkpoint Questions
- Which load balancer type should you choose if your application requires a single static Elastic IP address per Availability Zone?
- What protocol does the Gateway Load Balancer use to communicate with security appliances?
- True/False: An internal load balancer can have targets located in a different VPC via VPC Peering or Transit Gateway.
- How does the Proxy Protocol help a backend server behind an NLB?
Answers
- Network Load Balancer (NLB).
- GENEVE (Port 6081).
- True (using IP-type target groups).
- It allows the backend server to see the source IP address and port of the original client, which is otherwise lost in Layer 4 load balancing.
Muddy Points & Cross-Refs
- TLS Passthrough vs. Termination: Remember that NLB can pass encrypted traffic directly to the instance (Passthrough). Use this if you have strict compliance requirements where data cannot be decrypted anywhere except the final destination.
- Subnet Capacity: ELBs require a minimum of 8 available IP addresses in their subnets to scale effectively. If your subnet is too small, the ELB may fail to scale during traffic spikes.
- Cross-Ref: For global distribution beyond a single region, study AWS Global Accelerator (which uses NLB endpoints) and Amazon CloudFront.
Comparison Tables
Internal vs. External Load Balancers
| Feature | External (Internet-Facing) | Internal |
|---|---|---|
| DNS Name | Publicly resolvable | Privately resolvable (within VPC/Direct Connect) |
| IP Address Type | Public IPv4/IPv6 | Private IPv4 |
| Subnet Placement | Must be in Public Subnets | Typically in Private Subnets |
| Typical Use Case | User-facing website ingress | Microservice communication, Database tiering |
Sticky Sessions (Session Affinity)
| LB Type | Support | Mechanism |
|---|---|---|
| ALB | Full | HTTP Cookies (Duration-based or Application-based) |
| NLB | Partial | Source IP Affinity (Client IP/Protocol/Port) |
| GWLB | No | Traffic is sticky to the appliance for the flow duration |