
Load Balancer

Basics

  • There are 3 types of Elastic Load Balancers within AWS
  • They are split between V1 and V2
  • Classic Load Balancer is a V1 product. They are not real layer 7 devices. They lack features and have limitations, such as needing one SSL certificate per Load Balancer
  • Application Load Balancer (ALB) is a version 2 layer 7 (Application Layer) Load Balancer. They support HTTP(S) and WebSockets
  • Network Load Balancer (NLB) are also version 2 Load Balancers, but they support TCP, TLS & UDP
  • V2 LBs support Target Groups & Rules

ELB Architecture

  • Accept connections from customers and distribute them to registered backends
  • While deciding on LB configuration one needs to decide on IPv4 only or dual-stack, AZs, and internet facing or internal
  • Once subnets are picked, AWS places one or more LB nodes in those subnets
  • When an LB is created it generates an A record DNS name. This name resolves to the LB nodes. Any incoming requests using this A record are distributed equally across all the LB nodes
  • If the LB is internet facing then nodes are given public & private IP addresses; for internal LBs the nodes have private IP addresses only
  • LB nodes are configured with listeners that accept requests on a port and protocol, and also respond on a port & protocol
  • An internet facing load balancer can connect to private as well as public EC2 instances, i.e. instances don't have to have public IP addresses
  • An LB needs 8 or more free IP addresses in the subnet in which it is provisioned, i.e. at least a /28 subnet. This leaves no room for any other IP addresses, so AWS recommends a /27 subnet
  • Cross Zone LB allows every LB node to distribute load equally amongst all available backends in all AZs. This ensures a more even distribution of load, especially if compute is unevenly spread between AZs
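The following is an added example (not from the original notes) that models why cross-zone load balancing matters when compute is unevenly spread. The instance counts are constructed, and the model is a simplification: one LB node per AZ, the DNS A record sends an equal share of requests to each node, and each node round-robins evenly over the backends it can see. Real AWS scheduling is more involved, but the arithmetic shows the imbalance the bullet above describes.

```python
from fractions import Fraction

# Constructed example: compute is unevenly spread between two AZs.
# These numbers are not from the original page.
INSTANCES_PER_AZ = {"az-a": 2, "az-b": 8}


def traffic_share(instances_per_az, cross_zone):
    """Return {az: share_of_total_traffic_per_instance} as exact Fractions.

    Simplified model (an assumption, not AWS's real scheduler): one LB node per
    AZ, the DNS A record sends an equal share of requests to every node, and
    each node spreads its share evenly over the backends it is allowed to see.
    """
    azs = list(instances_per_az)
    node_share = Fraction(1, len(azs))          # equal split by DNS round robin
    if cross_zone:
        # Every node sees every backend, so each instance ends up with 1/total.
        total = sum(instances_per_az.values())
        return {az: Fraction(1, total) for az in azs}
    # Without cross-zone, a node only sends to backends in its own AZ, so the
    # node's whole share is divided among that AZ's (possibly few) instances.
    return {az: node_share / instances_per_az[az] for az in azs}


def imbalance_ratio(shares):
    """Busiest instance's share divided by the quietest instance's share (1 = even)."""
    return max(shares.values()) / min(shares.values())


if __name__ == "__main__":
    for mode in (False, True):
        shares = traffic_share(INSTANCES_PER_AZ, cross_zone=mode)
        detail = ", ".join(f"{az} {s} each" for az, s in shares.items())
        print(f"cross_zone={mode}: {detail}, imbalance {imbalance_ratio(shares)}x")
```

With the constructed counts, each of the two az-a instances carries a quarter of all traffic without cross-zone balancing while each az-b instance carries a sixteenth (a 4x imbalance); with cross-zone enabled every instance carries a tenth. The same functions accept any number of AZs.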

ALB

  • L7 LB that listens for HTTP, HTTPS or WebSockets
  • It does not understand any other L7 protocol like SMTP, SSH or a custom L7 protocol. It cannot use TCP, UDP or TLS, i.e. non-L7 listeners
  • ALB can understand content types, cookies, custom headers, user location & app behaviour
  • All connections are terminated on the ALB, so end-to-end unbroken SSL/TLS encryption is not possible with an ALB
  • Since connections terminate on the ALB, SSL certificates must be installed on it if HTTPS is used
  • ALBs are slower than NLBs
  • Health checks can only evaluate application, i.e. L7, health
  • One can define rules to direct connections which arrive at a listener. Rules have priorities
  • Rule conditions can include HTTP header, host header, HTTP request method, path pattern, query string and source IP
  • Rules can perform actions like forward, redirect, fixed response, and authenticate using OIDC or Cognito
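As an added example (not from the original notes), the block below writes three ALB listener rules in the same dictionary shape the ELBv2 `create_rule` API accepts, checks the constraints the API enforces on priorities and action ordering, and then evaluates sample requests the way the ALB does: rules are tried in priority order and the first rule whose conditions all match wins, otherwise the listener's default action applies. The rules, target group ARNs (placeholders with the documentation account id 123456789012) and IP ranges are constructed; the matcher is a simplified model of ALB semantics (`*`/`?` wildcards, case-insensitive host matching), not AWS code.

```python
import fnmatch
import ipaddress
from urllib.parse import parse_qsl

# Constructed example rules in the shape the ELBv2 create_rule API takes
# (Field / *Config keys for conditions, Type / *Config keys for actions).
# The ARNs are placeholders, not real resources.
ADMIN_TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/admin/EXAMPLE"
API_TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/api/EXAMPLE"

RULES = [
    # Priority 10: /admin/* is forwarded only from the (constructed) office range.
    {"Priority": 10,
     "Conditions": [
         {"Field": "path-pattern", "PathPatternConfig": {"Values": ["/admin/*"]}},
         {"Field": "source-ip", "SourceIpConfig": {"Values": ["203.0.113.0/24"]}}],
     "Actions": [{"Type": "forward", "TargetGroupArn": ADMIN_TG}]},
    # Priority 20: every other /admin/* request gets a fixed 403 from the ALB
    # itself and never reaches a backend. Must sort AFTER the allow rule.
    {"Priority": 20,
     "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/admin/*"]}}],
     "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {
         "StatusCode": "403", "ContentType": "text/plain", "MessageBody": "forbidden"}}]},
    # Priority 30: the API host, GET and POST only.
    {"Priority": 30,
     "Conditions": [
         {"Field": "host-header", "HostHeaderConfig": {"Values": ["api.example.com"]}},
         {"Field": "http-request-method", "HttpRequestMethodConfig": {"Values": ["GET", "POST"]}}],
     "Actions": [{"Type": "forward", "TargetGroupArn": API_TG}]},
]
# Listener default action when no rule matches: redirect to HTTPS.
DEFAULT_ACTION = {"Type": "redirect", "RedirectConfig": {
    "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}


def validate_rules(rules):
    """Enforce the constraints the ELBv2 API applies to listener rules."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    if any(not 1 <= p <= 50000 for p in priorities):
        raise ValueError("priority must be between 1 and 50000")
    for r in rules:
        acts = r["Actions"]
        if acts[-1]["Type"] not in ("forward", "redirect", "fixed-response"):
            raise ValueError("final action must be forward, redirect or fixed-response")
        if any(a["Type"] not in ("authenticate-oidc", "authenticate-cognito") for a in acts[:-1]):
            raise ValueError("only authenticate-* actions may precede the final action")
    return True


def _matches(cond, req):
    """Match one condition against a request dict. Simplified ALB semantics:
    * and ? wildcards via fnmatch, case-insensitive host, case-sensitive path."""
    field = cond["Field"]
    if field == "path-pattern":
        return any(fnmatch.fnmatchcase(req["path"], p) for p in cond["PathPatternConfig"]["Values"])
    if field == "host-header":
        host = req["host"].lower()
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in cond["HostHeaderConfig"]["Values"])
    if field == "http-request-method":
        return req["method"] in cond["HttpRequestMethodConfig"]["Values"]
    if field == "source-ip":
        ip = ipaddress.ip_address(req["source_ip"])
        return any(ip in ipaddress.ip_network(c) for c in cond["SourceIpConfig"]["Values"])
    if field == "http-header":
        cfg = cond["HttpHeaderConfig"]
        value = req.get("headers", {}).get(cfg["HttpHeaderName"].lower(), "")
        return any(fnmatch.fnmatchcase(value, p) for p in cfg["Values"])
    if field == "query-string":
        pairs = parse_qsl(req.get("query", ""))
        return any(w.get("Key") in (None, k) and fnmatch.fnmatchcase(v, w["Value"])
                   for w in cond["QueryStringConfig"]["Values"] for k, v in pairs)
    raise ValueError(f"unsupported condition field: {field}")


def evaluate(rules, default_action, req):
    """First rule (lowest Priority number) whose conditions ALL match wins.
    Returns (priority, actions); priority is None when the default action applies."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(_matches(c, req) for c in rule["Conditions"]):
            return rule["Priority"], rule["Actions"]
    return None, [default_action]


def request(method, host, path, source_ip, **extra):
    """Build a request dict; extra may carry headers={...} or query='a=b'."""
    return {"method": method, "host": host, "path": path, "source_ip": source_ip, **extra}


if __name__ == "__main__":
    validate_rules(RULES)
    for req in (request("GET", "www.example.com", "/admin/users", "203.0.113.7"),
                request("GET", "www.example.com", "/admin/users", "198.51.100.9"),
                request("POST", "API.example.com", "/v1/orders", "198.51.100.9"),
                request("DELETE", "api.example.com", "/v1/orders", "198.51.100.9")):
        prio, actions = evaluate(RULES, DEFAULT_ACTION, req)
        print(req["method"], req["path"], "from", req["source_ip"], "->", prio, actions[-1]["Type"])
```

The ordering of priorities 10 and 20 is the point to check when reviewing such a configuration: because evaluation stops at the first match, the narrow allow rule must carry the lower priority number than the catch-all deny, or the deny would shadow it. The `RULES` entries can be passed unchanged as `Conditions`/`Actions` to `create_rule` along with a `ListenerArn` and `Priority`.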

NLB

  • NLBs are L4 devices, so they respond to TCP, TLS, UDP, TCP_UDP etc.
  • NLBs can't handle any of the HTTP concepts like headers, cookies etc.
  • Really fast, i.e. millions of requests per second, and have 25% of ALB latency
  • NLBs can be allocated static IPs
  • They can forward TCP to instances. Hence one can get unbroken encryption as connections are not terminated at the LB
  • Used with PrivateLink to provide services to other VPCs