
Mastering AWS Load Balancing: Layer 3, 4, and 7 Deep Dive

Load balancing (for example, layer 4 compared with layer 7, reverse proxies, layer 3)

This study guide covers the architectural nuances and implementation strategies for Elastic Load Balancing (ELB) within the AWS ecosystem, specifically focusing on the distinctions between Layer 4 (NLB), Layer 7 (ALB), and Layer 3 (GLB) load balancing.


Learning Objectives

By the end of this guide, you should be able to:

  • Differentiate between ALB, NLB, and GLB based on the OSI model layers they operate on.
  • Select the appropriate load balancer type based on application requirements (latency, throughput, protocol).
  • Implement strategies for preserving client identity using X-Forwarded-For and Proxy Protocol.
  • Configure cross-zone load balancing to optimize high availability across multiple availability zones (AZs).
  • Understand SSL/TLS offloading benefits and centralized certificate management.

Key Terms & Glossary

  • VIP (Virtual IP): A single entry-point IP address provided by the load balancer that abstracts multiple backend target servers.
  • Connection Termination: The process where a load balancer ends the client connection and opens a new one to the backend (the defining characteristic of an ALB).
  • X-Forwarded-For (XFF): An HTTP header used by ALBs to pass the original client's IP address to the backend server.
  • Proxy Protocol: A mechanism used by NLBs (Layer 4) to pass connection information (source/destination IP and port) to backends when header injection is impossible.
  • GENEVE Protocol: The encapsulation protocol used by Gateway Load Balancers (Layer 3) to wrap original IP packets for inspection by security appliances.
  • Deregistration Delay (Connection Draining): The period a load balancer keeps a connection open to a backend instance that is being removed to allow existing requests to complete.

The "Big Idea"

At its core, Load Balancing is the art of abstraction. It allows a system to appear as a single, highly available endpoint while distributing traffic across a fleet of resources that can scale or fail independently. The choice of where that abstraction happens in the OSI stack (Layer 3, 4, or 7) dictates the balance between performance (lower layers) and intelligence (higher layers).


Formula / Concept Box

Concept                         | Layer   | Key Protocol Focus | Feature Summary
--------------------------------|---------|--------------------|------------------------------------------------------------
Application Load Balancer (ALB) | Layer 7 | HTTP, HTTPS, gRPC  | URL/Path-based routing, XFF support, Reverse Proxy.
Network Load Balancer (NLB)     | Layer 4 | TCP, UDP, TLS      | Ultra-high performance, Static IPs, Proxy Protocol.
Gateway Load Balancer (GLB)     | Layer 3 | IP                 | Transparently routes traffic to 3rd party security appliances.
Default Timeout                 | N/A     | Time (Seconds)     | Deregistration Delay defaults to 300s (range: 1–3600).

Hierarchical Outline

  1. Network Load Balancer (NLB) - The Speed Demon
    • OSI Layer 4: Operates at the Transport Layer (TCP/UDP).
    • Performance: Handles millions of requests per second with ultra-low latency.
    • Decision Logic: Based on Source/Dest IP and Port; no insight into payload data.
    • Certificate Management: Supports TLS offloading on Port 443 (centralized certs).
  2. Application Load Balancer (ALB) - The Intelligent Proxy
    • OSI Layer 7: Operates at the Application Layer (HTTP/S).
    • Content Routing: Routes based on Host headers, URL paths, or Query strings.
    • Reverse Proxy Behavior: Terminates the client connection and starts a new one to the target.
  3. Gateway Load Balancer (GLB) - The Security Hub
    • OSI Layer 3: Operates at the Network Layer (IP).
    • Connectivity: Reachable via Route Table entries rather than a standard VIP.
    • Encapsulation: Uses GENEVE to maintain original packet headers through appliances.
  4. Configuration & Reliability Features
    • Cross-Zone LB: Distributes traffic evenly across all instances regardless of AZ distribution.
    • Subnetting: Requires at least a /28 subnet with a minimum of 8 free IP addresses, but /27 is recommended for scaling.

Visual Anchors

OSI Layer Responsibility (diagram not included in this version)

Connection Termination Comparison (diagram not included in this version)

Definition-Example Pairs

  • Term: Reverse Proxy
    • Definition: A server that sits in front of backend servers and forwards client requests to those servers, shielding them from direct internet exposure.
    • Example: An ALB acts as a reverse proxy by receiving HTTP requests for api.example.com and routing them to a specific backend pool based on the /v1/ path.
  • Term: SSL/TLS Offloading
    • Definition: Moving the intensive task of decrypting traffic from the application servers to the load balancer.
    • Example: Installing a single certificate on an NLB listener on port 443; the NLB decrypts the data and sends it as plain TCP to the backend, saving CPU cycles on the target servers.
  • Term: Session Affinity (Sticky Sessions)
    • Definition: A feature that binds a user's session to a specific target so all requests from that user during the session are sent to the same target.
    • Example: An e-commerce site using an ALB to ensure a user's shopping cart data (stored locally on a server) stays accessible by keeping that user on the same server instance.

Worked Examples

Scenario 1: Preserving Client IP at Layer 7

Problem: A web server behind an ALB logs only the Load Balancer's private IP, making it impossible to perform geographic analytics on users.

Solution:

  1. Enable the X-Forwarded-For header processing on the ALB (Enabled by default).
  2. Configure the web server (e.g., Nginx or Apache) to read the X-Forwarded-For header instead of the packet source IP.
  3. The application now receives the original client IP in the HTTP request metadata.
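Step 2 is where backends usually go wrong: X-Forwarded-For is client-writable, and only the entry the ALB itself appended (the rightmost) can be trusted. The following is an added example, not code from the original guide, showing how an application should pick the client address; the ALB subnets in ALB_SUBNETS are a constructed assumption and would come from your own VPC configuration.

```python
import ipaddress
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed assumption: the subnets the ALB was deployed into. In production this
# list comes from your VPC configuration, never from anything in the request.
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/27"), ipaddress.ip_network("10.0.1.0/27")]


def _is_trusted(addr: str, trusted: Iterable[Network]) -> bool:
    """True if addr parses as an IP that lies inside one of the trusted subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(xff: Optional[str], peer_ip: str, trusted: Iterable[Network] = ALB_SUBNETS) -> str:
    """Pick the client address a backend should log from X-Forwarded-For.

    The ALB appends the address it accepted the connection from to the right end
    of the header, so everything left of that entry is client-supplied and
    unverified. Walk from the right, skip hops that belong to our own proxies,
    and take the first address that does not. With a single ALB in front this
    reduces to "use the rightmost entry"; the loop matters only when another
    trusted proxy sits between the ALB and the backend.
    """
    trusted = list(trusted)
    if not _is_trusted(peer_ip, trusted):
        return peer_ip              # did not arrive via the ALB: ignore the header entirely
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue                # one of our own proxy hops: keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break                   # malformed entry: trust nothing to the left of it
    return peer_ip                  # no usable client entry: fall back to the socket peer
```

Feed the function the raw header and the TCP peer address your web framework exposes; the peer check is what stops a request that bypassed the ALB from forging its origin.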

Scenario 2: High-Performance TCP Application

Problem: A gaming application requires millisecond latency for millions of concurrent UDP connections.

Solution:

  1. Deploy a Network Load Balancer (NLB).
  2. Set up a listener on the specific game port (e.g., UDP 30000).
  3. Use Proxy Protocol v2 to pass source IP information to the gaming servers, as NLB does not support HTTP headers like XFF.
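Because the NLB cannot inject an HTTP header, step 3 relies on the game server parsing the binary Proxy Protocol v2 block that precedes the client data. The following is an added example, not code from the original guide or from AWS: a parser for that header plus a constructed encoder used to build test input. The TLV value shown for type 0xEA (the AWS vendor TLV) is a constructed placeholder, not a real VPC endpoint ID.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
_FAMILY = {0x1: ("!4s4sHH", 12, socket.AF_INET), 0x2: ("!16s16sHH", 36, socket.AF_INET6)}


@dataclass
class ProxyInfo:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transport: str                      # "tcp" (STREAM) or "udp" (DGRAM)
    tlvs: Dict[int, bytes] = field(default_factory=dict)  # e.g. 0xEA = AWS vendor TLV


def parse_pp2(buf: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split a PROXY v2 header from the bytes after it; (None, buf) if absent or malformed."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        return None, buf
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    body, payload = buf[16:16 + length], buf[16 + length:]
    if ver_cmd >> 4 != 0x2 or len(body) != length:
        return None, buf                # wrong version or truncated header
    if ver_cmd & 0x0F != 0x1:           # LOCAL command carries no address block
        return None, payload
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if family not in _FAMILY or length < _FAMILY[family][1]:
        return None, buf
    fmt, off, af = _FAMILY[family]
    src, dst, sport, dport = struct.unpack(fmt, body[:off])
    tlvs: Dict[int, bytes] = {}
    while off + 3 <= length:            # TLV = type(1) + length(2) + value
        t, tlen = struct.unpack("!BH", body[off:off + 3])
        if off + 3 + tlen > length:
            return None, buf            # TLV overruns the declared header length
        tlvs[t] = body[off + 3:off + 3 + tlen]
        off += 3 + tlen
    info = ProxyInfo(socket.inet_ntop(af, src), socket.inet_ntop(af, dst),
                     sport, dport, {0x1: "tcp", 0x2: "udp"}.get(proto, "unknown"), tlvs)
    return info, payload


def build_pp2(src_ip: str, dst_ip: str, sport: int, dport: int, udp: bool = True,
              tlvs: Optional[Dict[int, bytes]] = None, payload: bytes = b"") -> bytes:
    """Constructed test helper: encode an IPv4 PROXY v2 header the way a proxy would."""
    body = struct.pack("!4s4sHH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), sport, dport)
    for t, v in (tlvs or {}).items():
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x12 if udp else 0x11, len(body)) + body + payload
```

Treat a `None` result as a policy decision: data that arrives without a valid header did not pass through the NLB's Proxy Protocol path and should be dropped or flagged rather than silently served.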

Checkpoint Questions

  1. Which load balancer type is the only one to support gRPC and path-based routing?
  2. If you need a static IP address for your load balancer to satisfy a client's firewall whitelist, which ELB type should you choose?
  3. What is the default time for deregistration delay, and why is it used?
  4. Why can't an NLB use the X-Forwarded-For header?
  5. In a cross-zone load balancing setup with 2 instances in AZ-A and 4 instances in AZ-B, what percentage of traffic does each instance in AZ-A receive?
Answers
  1. Application Load Balancer (ALB).
  2. Network Load Balancer (NLB).
  3. 300 seconds. It ensures existing connections finish before an instance is terminated.
  4. NLB operates at Layer 4 (Transport) and has no visibility into Layer 7 (Application) HTTP headers.
  5. 16.6% (1/6th of the total traffic), because cross-zone LB distributes evenly across all 6 instances regardless of AZ.

Muddy Points & Cross-Refs

[!WARNING] L3 vs. L4 Confusion: Some documentation refers to NLB as a "Layer 3/4" load balancer because it routes based on IP (L3) and Port (L4). However, for the exam, remember that NLB is the L4 specialist, while Gateway Load Balancer (GLB) is the dedicated L3 specialist.

Common Pitfalls:

  • Subnet Sizing: Don't use a /28 if you expect massive growth; once an ELB is deployed in a subnet, you cannot change the subnet size. Start with a /27.
  • Security Groups: NLBs do not have security groups themselves (except in specific newer configurations); they rely on the security groups of the target instances.

Comparison Tables

Feature                | ALB (Layer 7)               | NLB (Layer 4)                      | GLB (Layer 3)
-----------------------|-----------------------------|------------------------------------|----------------------------------
Routing Logic          | Path, Host, Query, Headers  | Source/Dest IP & Port              | IP Packet (transparent)
IP Address             | Dynamic (DNS Name)          | Static (Elastic IP/Private)        | Route Table Target
Client IP Preservation | X-Forwarded-For             | Proxy Protocol                     | GENEVE Encapsulation
Use Case               | Web Apps, Microservices     | Gaming, Streaming, Volatile traffic | Firewalls, Deep Packet Inspection
Termination            | Terminates Connection       | Pass-through (flow aware)          | Transparent
