
OSI Layer Load Balancing: A Comprehensive Study Guide for ANS-C01

How load balancing works at layer 3, layer 4, and layer 7 of the OSI model

OSI Layer Load Balancing: Layers 3, 4, and 7

Learning Objectives

By the end of this study guide, you will be able to:

  • Differentiate between Application Load Balancers (ALB), Network Load Balancers (NLB), and Gateway Load Balancers (GWLB) based on their OSI layer of operation.
  • Explain the performance trade-offs between packet-level (Layer 4) and content-level (Layer 7) inspection.
  • Identify the specific protocols supported at each layer (HTTP/S vs TCP/UDP/TLS vs GENEVE).
  • Recommend the appropriate AWS Elastic Load Balancing (ELB) type based on specific workload requirements such as latency, scalability, and security.

Key Terms & Glossary

  • OSI Model: A conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstraction layers.
  • SSL/TLS Offloading: The process of moving the decryption of HTTPS traffic from backend servers to the load balancer to reduce CPU load on the servers.
  • SNI (Server Name Indication): An extension of the TLS protocol that allows multiple domains to be served from a single IP address using different certificates.
  • GENEVE Protocol: A network virtualization overlay protocol (carried over UDP port 6081) used by Gateway Load Balancers to encapsulate the original IP packet unchanged, so the appliance sees the real source and destination addresses.
  • Target Group: A logical grouping of resources (instances, IP addresses, or lambdas) to which the load balancer routes traffic.

The "Big Idea"

Load balancing is not a "one size fits all" solution. In AWS networking, the choice of a load balancer depends on how deep into the network packet you need to look. If you need speed and millions of requests per second, you operate at Layer 4 (Transport). If you need to make decisions based on specific URLs or user cookies, you operate at Layer 7 (Application). For transparently inserting security appliances into your traffic flow, you operate at Layer 3 (Network).

Formula / Concept Box

Feature         | Layer 3 (GWLB)      | Layer 4 (NLB)                 | Layer 7 (ALB)
Protocol        | IP (GENEVE)         | TCP, UDP, TLS                 | HTTP, HTTPS, gRPC, WSS
Decision factor | IP header           | IP address / port (per flow)  | Path, Host, query, cookie
Performance     | Ultra-high          | Ultra-high (low latency)      | High (standard latency)
Use case        | Security appliances | Extreme performance           | Web applications

Hierarchical Outline

  • Layer 3: Network Load Balancing (Gateway Load Balancer)
    • Mechanism: Operates at the network layer to manage third-party virtual appliances.
    • Transparency: Acts as a transparent bump-in-the-wire; the source/destination IP remains unchanged.
  • Layer 4: Transport Load Balancing (Network Load Balancer)
    • Efficiency: Works per connection (flow): it picks a target from the protocol, IP addresses and ports, then forwards the packets of that flow without reading the payload. A TLS listener can terminate TLS, but the NLB still never parses the application protocol inside.
    • Connectivity: Supports Static IPs and PrivateLink integration.
    • Scalability: Capable of handling millions of requests per second with ultra-low latency.
  • Layer 7: Application Load Balancing (Application Load Balancer)
    • Intelligence: Acts as a reverse proxy: it terminates the client connection and parses the HTTP request, so it can route on headers, path, query string and cookies (this is application-layer parsing, not packet-level DPI).
    • Flexibility: Enables path-based routing (e.g., /api vs /images) and host-based routing.
    • Security: Integrated with AWS WAF for application-layer protection.

Definition-Example Pairs

  • Path-Based Routing: Routing requests to different target groups based on the URL path.
    • Example: A request to example.com/orders goes to the Order Service, while example.com/catalog goes to the Inventory Service.
  • Static IP Support: The ability of a load balancer to maintain a fixed IP address for its lifetime.
    • Example: An NLB provides one static IP per enabled Availability Zone (optionally your own Elastic IP) that a corporate client can hard-code into their firewall allow list to permit access.
  • SSL Termination: Decrypting the encrypted traffic at the load balancer level.
    • Example: An ALB handles the CPU-heavy work of decrypting HTTPS traffic from users so the backend web servers only have to process plaintext HTTP. Caveat: the hop from the ALB to the targets is then unencrypted inside the VPC unless the target group uses the HTTPS protocol, in which case the ALB re-encrypts to the backend.

Worked Examples

Example 1: High-Frequency Trading Platform

Requirement: The platform requires sub-millisecond latency and must handle sudden bursts of millions of concurrent TCP connections. Solution: Deploy a Network Load Balancer (Layer 4). Because it operates at the transport layer, it bypasses the heavy processing required for HTTP header inspection, providing the raw performance needed for financial data.

Example 2: Multi-Tenant SaaS Application

Requirement: A single load balancer must route traffic for customer-a.saas.com and customer-b.saas.com to different server clusters. Solution: Deploy an Application Load Balancer (Layer 7) using Host-based routing rules. The ALB inspects the Host header in the HTTP request to determine the appropriate target group.
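The two routing patterns above (path-based routing to the Order and Inventory services, and host-based routing for the SaaS tenants) are listener rules that the ALB evaluates in priority order. The following simulation, added here and not code from the study guide or from AWS, models the rule semantics ALB documents: lowest priority number first, first full match wins, values inside one condition OR'ed, host-header matching case-insensitive, path-pattern matching case-sensitive, `*` matching zero or more characters and `?` exactly one, the query string never part of a path pattern, and a default action when nothing matches. All hostnames, rules and target-group names are constructed for the example.

```python
"""Simulate ALB listener-rule evaluation for host- and path-based routing.

Added example (not the study guide's or AWS's code). Rule semantics modelled
on the public ALB documentation; rules, hostnames and target groups are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def wildcard(pattern: str, ignore_case: bool) -> re.Pattern:
    """Turn an ALB-style pattern into a regex: only '*' and '?' are special."""
    esc = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(esc, re.IGNORECASE if ignore_case else 0)


@dataclass
class Rule:
    priority: int
    target_group: str
    host_header: list[str] = field(default_factory=list)   # condition: any listed host
    path_pattern: list[str] = field(default_factory=list)  # condition: any listed path

    def matches(self, host: str, path: str) -> bool:
        # Different condition types are AND'ed; values inside one type are OR'ed.
        if self.host_header and not any(wildcard(h, True).fullmatch(host) for h in self.host_header):
            return False
        if self.path_pattern and not any(wildcard(p, False).fullmatch(path) for p in self.path_pattern):
            return False
        return True


def route(rules: list[Rule], host: str, request_target: str, default_target: str) -> str:
    """Pick the target group for one request the way the listener would."""
    host = host.split(":", 1)[0]             # Host may carry a port ("customer-a.saas.com:443");
                                             # IPv6 literal hosts are not handled here
    path = request_target.split("?", 1)[0]   # path patterns never see the query string
    for rule in sorted(rules, key=lambda r: r.priority):   # lowest priority number first
        if rule.matches(host, path):
            return rule.target_group
    return default_target                    # the listener's default action


# Constructed listener: path rules for the Order/Inventory split, then per-tenant
# host rules, then a wildcard catch-all for any other tenant subdomain.
RULES = [
    Rule(10, "tg-orders",     path_pattern=["/orders", "/orders/*"]),
    Rule(20, "tg-catalog",    path_pattern=["/catalog/*"]),
    Rule(30, "tg-customer-a", host_header=["customer-a.saas.com"]),
    Rule(40, "tg-customer-b", host_header=["customer-b.saas.com"]),
    Rule(50, "tg-tenants",    host_header=["*.saas.com"]),
]
DEFAULT_TG = "tg-default"


def demo() -> dict[str, str]:
    """Route a handful of constructed requests; keys are 'host request-target'."""
    requests = [
        ("customer-a.saas.com", "/dashboard"),
        ("CUSTOMER-B.saas.com:443", "/"),           # host match ignores case and port
        ("customer-c.saas.com", "/"),               # only the wildcard rule matches
        ("saas.com", "/"),                          # '*.saas.com' still needs the dot: default
        ("customer-a.saas.com", "/orders/42?x=1"),  # priority 10 beats the tenant rule at 30
        ("customer-a.saas.com", "/Orders"),         # paths are case-sensitive, so not tg-orders
        ("example.com", "/catalog/shoes"),
    ]
    return {f"{h} {p}": route(RULES, h, p, DEFAULT_TG) for h, p in requests}


if __name__ == "__main__":
    for key, tg in demo().items():
        print(f"{key:42} -> {tg}")
```

Two points worth taking from the run: the `Host` header is chosen by the client, so a host rule is a routing decision, not a tenant-authorization decision (the backend still has to check which tenant the authenticated user belongs to), and because the ALB's default action runs for every unmatched host, it is safer to make that default a fixed 404/403 response than a catch-all target group.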

Checkpoint Questions

  1. Which load balancer type should you choose if your application uses a non-HTTP protocol like SSH or FTP?
  2. What is the main benefit of SSL/TLS offloading for backend instances?
  3. True or False: An NLB has visibility into the cookies within a user's request.
  4. Which layer does the Gateway Load Balancer primarily operate at for forwarding traffic to security appliances?

Muddy Points & Cross-Refs

  • Layer 3 vs. Layer 4 in NLB: While some documentation mentions NLB as Layer 3/4, it is primarily a Layer 4 device because it selects a target per connection (flow) from the protocol, IP addresses and ports rather than per packet. It uses Layer 3 (IP) only to identify the source and destination.
  • Cross-Zone Load Balancing: A common point of confusion. By default, NLB has this disabled (it stays within an AZ for performance), whereas ALB has it enabled. This affects how traffic is balanced if one AZ has fewer healthy targets than another.

Comparison Tables

Feature        | Application LB (ALB)                          | Network LB (NLB)       | Gateway LB (GWLB)
OSI Layer      | 7                                             | 4                      | 3
Visibility     | Full HTTP/HTTPS request                       | IP and port only       | IP packet (GENEVE-encapsulated)
IP Address     | Dynamic (use the DNS name)                    | Static (Elastic IP)    | Dynamic/Static
Health Checks  | HTTP, HTTPS, gRPC                             | TCP, HTTP, HTTPS       | TCP, HTTP, HTTPS
Proxy Protocol | Not required (client IP in X-Forwarded-For)   | Supported (v2)         | Not required (transparent; inner packet unchanged)
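The Proxy Protocol row matters for anyone allow-listing or logging client addresses behind an NLB. When client IP preservation is not in effect (PrivateLink is the classic case: the target sees the endpoint's address), enabling Proxy Protocol v2 on the target group makes the NLB prepend a binary header to every new TCP connection that carries the original client address. The parser below is added here and is not code from the study guide or from AWS; it follows the PROXY protocol v2 wire format (12-byte signature, version/command byte, family/transport byte, length, address block, optional TLVs), with the AWS vendor TLV type 0xEA / subtype 0x01 holding the VPC endpoint ID. Every header it handles is constructed inside the block, standing in for what an NLB would send.

```python
"""Parse the Proxy Protocol v2 header an NLB prepends to a TCP connection.

Added example, not code from the study guide or from AWS. Layout per the
PROXY protocol v2 specification; the AWS TLV (type 0xEA, subtype 0x01) carries
the PrivateLink VPC endpoint ID. All sample headers are constructed, not captured.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 fixed bytes that start every v2 header
PP2_TYPE_AWS = 0xEA                         # vendor TLV assigned to AWS
PP2_SUBTYPE_AWS_VPCE_ID = 0x01              # value = PrivateLink VPC endpoint ID


class ProxyProtocolError(ValueError):
    """Raised when the bytes are not a well-formed v2 header; the caller should close."""


@dataclass
class ProxyInfo:
    command: str                 # "PROXY" (relayed client) or "LOCAL" (proxy's own connection)
    src_ip: str | None = None    # original client address that Layer 4 forwarding would hide
    src_port: int | None = None
    dst_ip: str | None = None
    dst_port: int | None = None
    vpce_id: str | None = None   # PrivateLink endpoint the client came through, if any
    header_len: int = 0          # bytes consumed; application data starts here


def parse_pp2(data: bytes) -> ProxyInfo:
    """Decode a v2 header at the start of `data`; never treats payload bytes as a header."""
    if len(data) < 16:
        raise ProxyProtocolError("need at least 16 bytes")
    if data[:12] != PP2_SIGNATURE:
        raise ProxyProtocolError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyProtocolError(f"unsupported version {ver_cmd >> 4}")
    total = 16 + length
    if len(data) < total:
        raise ProxyProtocolError("truncated header")     # read more bytes before retrying
    body = data[16:total]
    command = ver_cmd & 0x0F
    if command == 0x0:                                   # LOCAL: no address block follows
        return ProxyInfo(command="LOCAL", header_len=total)
    if command != 0x1:
        raise ProxyProtocolError(f"unknown command {command}")

    family = fam_proto >> 4
    if family == 0x1:        # AF_INET: 4 + 4 + 2 + 2 bytes
        addr_len, ip_cls, ip_sz = 12, ipaddress.IPv4Address, 4
    elif family == 0x2:      # AF_INET6: 16 + 16 + 2 + 2 bytes
        addr_len, ip_cls, ip_sz = 36, ipaddress.IPv6Address, 16
    else:
        raise ProxyProtocolError(f"unsupported address family {family}")
    if len(body) < addr_len:
        raise ProxyProtocolError("address block too short for family")
    src_ip = str(ip_cls(body[:ip_sz]))
    dst_ip = str(ip_cls(body[ip_sz:2 * ip_sz]))
    src_port, dst_port = struct.unpack("!HH", body[2 * ip_sz:addr_len])

    # Optional TLVs follow the address block: 1-byte type, 2-byte length, value.
    vpce_id = None
    pos = addr_len
    while pos < len(body):
        if pos + 3 > len(body):
            raise ProxyProtocolError("truncated TLV")
        tlv_type, n = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + n]
        if len(value) != n:
            raise ProxyProtocolError("TLV length exceeds header")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            vpce_id = value[1:].decode("ascii")
        pos += 3 + n
    return ProxyInfo("PROXY", src_ip, src_port, dst_ip, dst_port, vpce_id, total)


def try_parse(data: bytes) -> ProxyInfo | None:
    """Same as parse_pp2 but returns None on a bad header (quick 'is this from the NLB?' check)."""
    try:
        return parse_pp2(data)
    except ProxyProtocolError:
        return None


def build_pp2(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              vpce_id: str | None = None) -> bytes:
    """Construct a v2 PROXY header: a test fixture standing in for what an NLB sends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families must match")
    fam_proto = (0x10 if src.version == 4 else 0x20) | 0x1   # family nibble | STREAM (TCP)
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id is not None:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def split_connection(data: bytes) -> tuple[ProxyInfo, bytes]:
    """What a backend does first on accept(): peel the header, keep the application bytes."""
    info = parse_pp2(data)
    return info, data[info.header_len:]
```

Two operational caveats: once Proxy Protocol is enabled on the target group, every connection starts with this header, so an application that does not strip it sees garbage in front of its first request; and the header is only trustworthy when the connection really came from the NLB (restrict the target's security group to the load balancer), because any client that can reach the target directly can forge a header and claim an allow-listed source address.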
