
Integrating Load Balancers with Existing Application Deployments

This study guide covers the critical aspects of integrating AWS Elastic Load Balancing (ELB) into modern application architectures, focusing on selection criteria, service integration, and advanced configuration for high availability and security.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between ALB, NLB, and GWLB based on OSI layer and use case.
  • Configure load balancers to integrate with Auto Scaling groups and Kubernetes (EKS).
  • Implement security features including TLS termination, ACM integration, and AWS WAF.
  • Manage traffic flow using advanced routing algorithms and session affinity.

Key Terms & Glossary

  • Target Group: A logical grouping of targets (EC2 instances, containers, IP addresses) that receive traffic from a load balancer.
  • GENEVE Protocol: (Generic Network Virtualization Encapsulation) A protocol used by Gateway Load Balancers (GWLB) to encapsulate original IP traffic, operating on UDP port 6081.
  • Session Affinity (Sticky Sessions): A mechanism that binds a user's session to a specific target to ensure all requests from that user during a session are sent to the same target.
  • TLS Termination: The process of decrypting encrypted traffic at the load balancer level before passing it to backend targets.
  • Cross-Zone Load Balancing: A setting that allows a load balancer node to distribute traffic evenly across all registered targets in all enabled Availability Zones.

The "Big Idea"

Load balancers act as the "Traffic Cop" of your infrastructure. Instead of connecting clients directly to servers, the load balancer provides a stable DNS entry that decouples the consumer from the compute. This allows you to scale, patch, and replace backend resources without ever interrupting the user experience. Integration is not just about moving traffic; it's about building a resilient bridge between the network and the application code.

Formula / Concept Box

Feature      | Application Load Balancer (ALB) | Network Load Balancer (NLB) | Gateway Load Balancer (GWLB)
-------------|---------------------------------|-----------------------------|------------------------------
OSI Layer    | Layer 7 (HTTP/HTTPS)            | Layer 4 (TCP/UDP/TLS)       | Layer 3 (IP Packets)
Key Metric   | Requests per second             | Connections/Throughput      | IP Flows
Best For     | Microservices, Containers       | Ultra-high performance      | Security Appliances/Firewalls
Protocol     | HTTP, HTTPS, gRPC, WSS          | TCP, UDP, TLS               | GENEVE (Port 6081)

Hierarchical Outline

  1. Load Balancer Selection Strategy
    • Layer 7 (ALB): Content-based routing (path, host, query string).
    • Layer 4 (NLB): Low latency, static IP support, handling millions of requests.
    • Layer 3 (GWLB): Transparent inspection for virtual appliances.
  2. Integration with Compute
    • Auto Scaling Groups (ASG): Dynamic registration/deregistration of instances.
    • Amazon EKS: Using the AWS Load Balancer Controller to provision ALBs via Ingress.
    • Serverless: ALB integration with AWS Lambda for request-based execution.
  3. Security and Encryption
    • ACM Integration: Automated SSL/TLS certificate management.
    • TLS Passthrough: Using NLB to pass encrypted traffic directly to targets for end-to-end encryption.
    • WAF: Protecting ALBs from common web exploits (SQLi, XSS).

Visual Anchors

[Diagram: Load Balancer Traffic Flow]

[Diagram: Gateway Load Balancer Architecture]

Definition-Example Pairs

  • Content-Based Routing: Routing requests based on specific parts of the HTTP header.
    • Example: Routing all requests to example.com/api/* to a specific microservice target group, while example.com/images/* goes to an S3-backed target group.
  • Proxy Protocol: A header added to the request that carries connection information (like the source IP) through the load balancer to the backend.
    • Example: Using Proxy Protocol with an NLB to allow a backend logging server to see the actual client IP address instead of the NLB's private IP.
  • Zonal DNS Entry: A DNS record that points specifically to a load balancer node in a single Availability Zone.
    • Example: Using a zonal DNS entry to ensure traffic stays within the same AZ to reduce cross-AZ data transfer costs.
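To show what the Proxy Protocol example above means on the backend, here is an added parser (not part of this study guide) for the PROXY protocol v2 header, which is the version an NLB prepends to each TCP connection when proxy protocol is enabled on the target group. The sample header, addresses and TLV are constructed for this example; a logging server would read the header first and only then treat the remaining bytes as application data.

```python
import ipaddress
import struct

# PROXY protocol v2 fixed 12-byte signature (from the HAProxy PROXY protocol spec)
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY v2 header from the start of a connection.

    Returns the real client address, the load balancer-side address and any
    TLVs. Raises ValueError for a missing or malformed header so a backend
    never mistakes ordinary application bytes for a client address.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body = data[16:16 + length]
    if ver_cmd & 0x0F == 0:          # LOCAL command (e.g. health check): no client address
        return {"local": True, "header_len": 16 + length, "tlvs": {}}
    family = fam_proto >> 4
    addr_len = {1: 12, 2: 36}.get(family)   # AF_INET: 4+4+2+2, AF_INET6: 16+16+2+2
    if addr_len is None or len(body) < addr_len:
        raise ValueError("unsupported family or truncated addresses")
    fmt = "!4s4sHH" if family == 1 else "!16s16sHH"
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    tlvs, rest = {}, body[addr_len:]
    while rest:                       # type (1) + length (2) + value
        if len(rest) < 3:
            raise ValueError("truncated TLV")
        t, vlen = rest[0], struct.unpack("!H", rest[1:3])[0]
        tlvs[t] = rest[3:3 + vlen]
        rest = rest[3 + vlen:]
    return {"local": False, "client_ip": str(ipaddress.ip_address(src)),
            "client_port": sport, "lb_ip": str(ipaddress.ip_address(dst)),
            "lb_port": dport, "tlvs": tlvs, "header_len": 16 + length}


def build_sample() -> bytes:
    """Constructed v2 header: TCP/IPv4 client 203.0.113.5:51234 -> 10.0.1.20:443."""
    body = struct.pack("!4s4sHH", ipaddress.ip_address("203.0.113.5").packed,
                       ipaddress.ip_address("10.0.1.20").packed, 51234, 443)
    body += b"\x02" + struct.pack("!H", 3) + b"ALB"   # constructed TLV (type 0x02, PP2_TYPE_AUTHORITY)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

The `header_len` field tells the server where application data begins; without proxy protocol enabled, the peer address the socket reports is the NLB's private IP, as the study guide notes.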

Worked Examples

Integrating ALB with Amazon EKS

Scenario: You have a Kubernetes cluster and want to expose a web service using an AWS Load Balancer.

  1. Install Controller: Install the AWS Load Balancer Controller into the EKS cluster. This is an open-source add-on.
  2. Define Ingress: Create a Kubernetes Ingress resource.
  3. Annotation: Add the annotation alb.ingress.kubernetes.io/scheme: internet-facing to the manifest.
  4. Result: The controller automatically provisions an ALB in AWS, creates target groups pointing to the EKS pods, and updates the ALB listeners based on your manifest rules.
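An Ingress manifest that carries out steps 2 and 3 above, added here as an example rather than taken from the study guide or the controller project. Names (web-ingress, api-svc, web-svc) are hypothetical, the ACM certificate and WAF web ACL ARNs are placeholders, and the annotations shown are the controller's documented ones for scheme, target type, listener ports, TLS termination with an ACM certificate, HTTP-to-HTTPS redirect and WAF association.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress                # hypothetical name
  namespace: default
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip      # register pod IPs directly as targets
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'  # send plain HTTP to the TLS listener
    # TLS terminates at the ALB with an ACM-managed certificate (placeholder ARN)
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    # Attach a WAFv2 web ACL to the ALB (placeholder ARN)
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT_ID:regional/webacl/NAME/ID
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /api             # content-based routing: API traffic to one target group
            pathType: Prefix
            backend:
              service:
                name: api-svc
                port:
                  number: 8080
          - path: /                # everything else to the web front end
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```

Applying this manifest is what triggers step 4: the controller creates the ALB, one target group per backend service, and listener rules mirroring the path rules.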

Checkpoint Questions

  1. Which load balancer type should you choose if your application requires a static IP address for the entry point?
  2. What is the default port used by the GENEVE protocol for Gateway Load Balancers?
  3. How does the ALB handle requests that need to trigger a serverless backend?
  4. What is the primary difference between TLS Termination and TLS Passthrough?

Muddy Points & Cross-Refs

  • ALB vs. NLB for Low Latency: While ALB is feature-rich, it adds more latency than NLB because it operates at Layer 7 and must parse the application headers. For high-frequency trading or gaming, NLB is preferred.
  • GENEVE vs. VXLAN: GENEVE is used by GWLB because it is extensible. Unlike standard VXLAN, it can carry system state information within the headers, which is vital for third-party security appliances to maintain context.
  • Legacy Warning: You may see references to Classic Load Balancers (CLB). These were retired in 2022 and should no longer be considered for new deployments.

Comparison Tables

Configuration Options: Sticky Sessions vs. Cross-Zone

Feature    | Sticky Sessions                         | Cross-Zone Load Balancing
-----------|-----------------------------------------|--------------------------------------------
Purpose    | Ensures a client stays with one server. | Ensures even traffic distribution across AZs.
Use Case   | Local session storage (non-distributed). | Preventing overloaded nodes in a single AZ.
LB Support | ALB, NLB (via IP), CLB (Legacy).        | ALB (always on), NLB (optional).
Impact     | May lead to uneven load distribution.   | Increases cross-AZ data transfer costs.
