Objective 1.3: Designing Integrated Load Balancing Solutions

This study guide focuses on designing high-availability, scalable, and secure architectures using AWS Elastic Load Balancing (ELB) services. It covers selection criteria, integration patterns, and security configurations essential for the AWS Certified Advanced Networking Specialty (ANS-C01) exam.

Learning Objectives

After studying this section, you should be able to:

• Select the appropriate load balancer (ALB, NLB, or GLB) based on OSI layer requirements (L3, L4, or L7).
• Integrate ELB with Auto Scaling, Route 53, and Edge services like CloudFront and Global Accelerator.
• Configure advanced features such as cross-zone load balancing, session affinity, and TLS termination.
• Design for high availability across multiple Availability Zones (AZs) and handle failover scenarios.
• Implement security layers using AWS WAF, Security Groups, and AWS Certificate Manager (ACM).

Key Terms & Glossary

• ALB (Application Load Balancer): Operates at Layer 7 (HTTP/HTTPS), supporting content-based routing and TLS termination.
• NLB (Network Load Balancer): Operates at Layer 4 (TCP/UDP/TLS), designed for ultra-high performance and static IP requirements.
• GLB (Gateway Load Balancer): Operates at Layer 3/4, used to deploy and scale third-party virtual appliances (firewalls, IDS/IPS) transparently.
• SNI (Server Name Indication): An extension of TLS that allows multiple domains to be served from a single load balancer listener using different certificates.
• Cross-Zone Load Balancing: Distributes traffic evenly across all registered targets in all enabled AZs, regardless of the number of targets per zone.
• Target Group: A logical grouping of resources (Instances, IP addresses, Lambdas) that receive traffic from a load balancer.

The "Big Idea"

In traditional networking, high availability was often managed via complex DNS configurations (like multi-value routing). In AWS, the Load Balancer acts as the central "traffic conductor." It decouples the client from the backend, providing a single DNS entry (or static IP) that masks the scaling and failure of individual backend resources. It is the primary integration point for scaling (Auto Scaling), security (WAF/ACM), and performance (Global Accelerator).

Formula / Concept Box

Hierarchical Outline

• I. Load Balancer Selection Criteria
  • Layer 7 (ALB): Used for advanced routing (path-based /api, host-based blog.example.com).
  • Layer 4 (NLB): Used for volatile traffic, gaming, or when static IPs are required by on-premises firewalls.
  • Layer 3 (GLB): Used for "Bump-in-the-wire" security appliances.
• II. Connectivity Patterns
  • Internal vs. External: Internal LBs use private IPs for east-west traffic; External LBs have public DNS names for north-south traffic.
  • Cross-Zone Balancing: Vital for uneven target distributions across AZs to prevent "hot" nodes.
• III. Security and Encryption
  • TLS Termination: ALB decrypts traffic to inspect headers (requires certificates in ACM).
  • TLS Passthrough: NLB passes encrypted bits directly to targets; targets handle decryption.
  • Integration: Using AWS WAF with ALB to block SQL injection and XSS.
• IV. Advanced Integrations
  • AWS Global Accelerator: Provides 2 static Anycast IPs to route traffic over the AWS backbone to the nearest healthy ALB/NLB.
  • Route 53: Use Alias records for LBs to enable health-check based failover.

Visual Anchors

Traffic Flow Comparison

Cross-Zone Load Balancing Mechanism

Definition-Example Pairs

• Sticky Sessions (Session Affinity): A mechanism to route a client to the same backend target for the duration of a session.
  • Example: A legacy shopping cart application that stores user progress in local server memory rather than a distributed database.
• Proxy Protocol: A header added to the TCP packet to carry connection information (like source IP) through a load balancer to the target.
  • Example: An NLB (which doesn't modify L7 headers) using Proxy Protocol v2 to tell an Nginx server the real client IP address.
• Host-Based Routing: Routing requests to different target groups based on the Host field in the HTTP header.
  • Example: orders.example.com routes to the Order Service Target Group, while images.example.com routes to the S3/Static Target Group.

Worked Examples

Problem 1: Choosing the right LB for High Throughput

Scenario: A financial application requires processing millions of small UDP packets per second with ultra-low latency and needs to whitelist specific source IPs on the corporate firewall.

Solution:

1. Identify the Layer: UDP requires Layer 4 support.
2. Identify Performance Needs: "Millions of packets" and "low latency" point to NLB.
3. Address Security: Static IP requirement is a native feature of NLB (1 EIP per subnet).
4. Outcome: Deploy an Internet-facing NLB with UDP listeners and Target Groups using IP-based targets.

Problem 2: Secure Content Distribution

Scenario: You need to serve a website globally, protect against SQL injection, and ensure traffic is encrypted from the client to the ALB and from the ALB to the instances.

Solution:

1. Edge: Use CloudFront for global caching.
2. Security: Associate AWS WAF with the ALB.
3. Encryption (Client to ALB): Install an SSL certificate on the ALB listener via ACM.
4. Encryption (ALB to Target): Configure the Target Group to use HTTPS (Port 443). The ALB will initiate a new TLS session with the backend instances.

Checkpoint Questions

1. Which load balancer is the ONLY one that supports static IP addresses per Availability Zone?
2. True or False: An Application Load Balancer can route traffic to an AWS Lambda function.
3. What protocol does the Gateway Load Balancer use to encapsulate traffic before sending it to security appliances?
4. If you have 2 instances in AZ1 and 8 instances in AZ2, should you enable Cross-Zone Load Balancing? Why?

▶Click for Answers

1. Network Load Balancer (NLB).
2. True. ALBs support Lambda as a target type.
3. GENEVE protocol.
4. Yes. Without it, the 2 instances in AZ1 would receive 25% of the total traffic each, while the 8 instances in AZ2 would only receive 6.25% each. Cross-zone ensures each of the 10 instances receives 10% of the traffic.

Muddy Points & Cross-Refs

• TLS Termination vs. Passthrough: If you need to inspect traffic (WAF/Path-routing), you must terminate TLS at the ALB. If the application is regulated (FIPS compliance) and the LB cannot see the data, use NLB with TLS Passthrough.
• IP vs. Instance Targets: Use IP targets if your backends are in a different VPC (via Peering/Transit Gateway) or on-premises (via Direct Connect).
• Further Study: Cross-reference with Route 53 Health Checks to understand how to failover between Regions if an entire ALB is unreachable.

Comparison Tables

Load Balancer Integrations