Elastic Load Balancing
Elastic Load Balancing (ELB) spreads incoming traffic across registered targets (EC2 instances, containers, IP addresses and, for ALB, Lambda functions), health-checks them, and removes unhealthy ones from rotation automatically. Depending on the type it also terminates TLS with ACM certificates, supports sticky sessions, integrates with AWS WAF (ALB only), and publishes CloudWatch metrics per load balancer and target group.
ELB comes in four flavors for four problems. For new work the rule is simple: ALB for HTTP/HTTPS, NLB for TCP/UDP and extreme throughput, GWLB for inline appliances, and never the legacy Classic Load Balancer.
The Four Types
Application Load Balancer (ALB) is Layer 7 (HTTP/HTTPS) with rich routing on path, host, header, method, and query string — the default for web apps, microservices, and APIs. Network Load Balancer (NLB) is Layer 4 (TCP/UDP/TLS) for very high throughput, low latency, static IPs per AZ, and non-HTTP protocols.
Gateway Load Balancer (GWLB) inserts third-party firewalls and inspection appliances into VPC traffic at Layer 3, encapsulating each packet in GENEVE (UDP 6081) so the appliance sees the original flow unchanged. Classic Load Balancer (CLB) is legacy; keep it only where an existing workload already depends on it, and migrate when you can.
ALB and NLB Details
ALB listeners on 80/443 (HTTPS terminating TLS with an ACM certificate) carry priority-ordered rules that route to target groups, each with its own health check; ALB also supports WebSocket, HTTP/2 and gRPC to clients, and built-in Cognito/OIDC authentication actions. NLB preserves the client source IP for instance targets by default (for IP targets check the target group's client IP preservation attribute, or enable Proxy Protocol v2 so the backend still learns the real client address), offers static IPs per AZ that clients can whitelist, and supports TLS termination or passthrough as well as UDP.
Slow start (ALB) ramps traffic to newly healthy targets so they can warm caches before taking full load.
Cross-Zone Load Balancing
Cross-zone load balancing decides whether each load-balancer node sends to targets in all AZs or only its own. For ALB it is on by default (it can be turned off per target group) and the cross-AZ traffic is not billed; for NLB and GWLB it is off by default, and turning it on evens the load out across all targets but adds cross-AZ data-transfer charges.
The practical trap: DNS hands each AZ node an equal share of clients, so with uneven target counts (5 in one AZ, 1 in another) and cross-zone off, the lone target gets the same total share as all five combined, five times the load of each of its peers. Spread targets evenly across AZs or accept the cross-AZ bill.
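The 5-versus-1 arithmetic above, generalised to any AZ layout, as an added example (not AWS code). The model assumes DNS returns one node per AZ that has healthy targets with equal weight, and that a node spreads its share evenly over the targets it may reach; AZ names and counts are constructed for the example.

```python
"""Per-target traffic share with cross-zone load balancing on versus off.

Added worked example, not AWS code. Model assumptions:
  * Route 53 answers with one load-balancer node per AZ that has at least one
    healthy target, all with equal weight, so each node gets 1/N of clients.
  * A node spreads its share evenly over the targets it may send to: only its
    own AZ with cross-zone off, every AZ with cross-zone on.
AZ names and target counts are constructed for the example.
"""
from fractions import Fraction


def per_target_share(targets_per_az: dict[str, int], cross_zone: bool) -> dict[str, Fraction]:
    """Fraction of total traffic that each individual target in an AZ receives."""
    active = {az: n for az, n in targets_per_az.items() if n > 0}
    if not active:
        raise ValueError("no AZ has a healthy target")
    if cross_zone:
        # Every node reaches every target, so each target simply gets 1/total.
        total = sum(active.values())
        return {az: Fraction(1, total) for az in active}
    # Each node reaches only its own AZ: that AZ's 1/N is split among its targets.
    node_share = Fraction(1, len(active))
    return {az: node_share / n for az, n in active.items()}


def imbalance(targets_per_az: dict[str, int], cross_zone: bool) -> Fraction:
    """Busiest target's share divided by the least busy target's; 1 means even."""
    shares = per_target_share(targets_per_az, cross_zone)
    return max(shares.values()) / min(shares.values())


if __name__ == "__main__":
    fleet = {"us-east-1a": 5, "us-east-1b": 1}  # constructed: the page's 5-vs-1 case
    for cz in (False, True):
        shares = {az: str(s) for az, s in per_target_share(fleet, cz).items()}
        print(f"cross-zone={cz}: {shares}, imbalance {imbalance(fleet, cz)}x")
```

With cross-zone off the lone target carries 1/2 of all traffic against 1/10 for each of its five peers (imbalance 5x); turning it on gives every target 1/6. On an NLB the switch is the `load_balancing.cross_zone.enabled` load balancer attribute, settable with `aws elbv2 modify-load-balancer-attributes`.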
Key Terms
ALB — Layer-7 HTTP/HTTPS with content-based routing and authentication. The default for web apps and APIs.
NLB — Layer-4 TCP/UDP for extreme throughput, low latency, static IPs, and source-IP preservation.
GWLB — Layer-3 insertion of third-party firewall/inspection appliances into the traffic path.
Common Mistakes
- Forgetting that NLB and GWLB cross-zone load balancing is off by default, leaving one AZ doing most of the work.
- Choosing a Classic Load Balancer for new work instead of ALB or NLB.
- Using an ALB for a non-HTTP TCP/UDP protocol that needs an NLB, or vice versa.
- Serving production traffic over plain HTTP instead of an HTTPS listener with an ACM certificate.
- Setting health-check thresholds too aggressively (a low unhealthy threshold with a short interval), so a single slow response pulls a target out of rotation and it flaps in and out.
- Putting an ALB in front of every microservice inside one cluster instead of using service-mesh or native service discovery.
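The health-check flapping point above, simulated as an added example (not AWS code). It applies the documented ELB rule: a healthy target is marked unhealthy after `unhealthy_threshold` consecutive failed probes and recovers after `healthy_threshold` consecutive successes, one probe per interval. The probe sequences and the "aggressive" settings are constructed for the example; the default values are the ALB HTTP health-check defaults.

```python
"""Simulate ELB target health transitions under different health-check thresholds.

Added worked example, not AWS code. A target starts healthy, is marked
unhealthy after `unhealthy_threshold` consecutive failed probes, and is
marked healthy again after `healthy_threshold` consecutive successes.
The probe sequences below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HealthCheck:
    healthy_threshold: int = 5    # ALB defaults: 5 successes to recover,
    unhealthy_threshold: int = 2  # 2 failures to be pulled, probed every 30 s
    interval_s: int = 30


def simulate(probes: list[bool], hc: HealthCheck) -> tuple[int, int]:
    """Run probes (True = passed) against a target that starts healthy.

    Returns (state transitions, seconds spent out of rotation). Each
    transition is a deregister/re-register event; a burst of them on a
    target that never really failed is flapping.
    """
    healthy = True
    run_ok = run_fail = 0
    transitions = 0
    probes_out = 0
    for ok in probes:
        if ok:
            run_ok, run_fail = run_ok + 1, 0
        else:
            run_ok, run_fail = 0, run_fail + 1
        if healthy and run_fail >= hc.unhealthy_threshold:
            healthy, transitions = False, transitions + 1
        elif not healthy and run_ok >= hc.healthy_threshold:
            healthy, transitions = True, transitions + 1
        if not healthy:
            probes_out += 1
    return transitions, probes_out * hc.interval_s


# Constructed scenario 1: a target whose GC pause makes one probe in ten time
# out; it is serving fine and should stay in rotation.
GC_PAUSES = [i % 10 != 9 for i in range(55)]
# Constructed scenario 2: a genuine 10-probe outage; it must be pulled and return.
OUTAGE = [True] * 5 + [False] * 10 + [True] * 20

AGGRESSIVE = HealthCheck(healthy_threshold=2, unhealthy_threshold=1, interval_s=10)
DEFAULT = HealthCheck()


def compare(probes: list[bool]) -> dict[str, tuple[int, int]]:
    """Side-by-side result for the two configurations."""
    return {"aggressive": simulate(probes, AGGRESSIVE), "default": simulate(probes, DEFAULT)}


if __name__ == "__main__":
    for name, probes in (("gc_pauses", GC_PAUSES), ("outage", OUTAGE)):
        print(name, compare(probes))
```

The isolated timeouts make the aggressive configuration flap ten times and drop the target for 100 s of a 55-probe window, while the defaults never touch it. The price of the defaults shows on the real outage: both configurations pull the target exactly once, but the defaults take longer to notice and longer to readmit it, which is the trade-off to tune rather than eliminate.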
Best Practices
- Pick the load balancer by protocol: ALB for HTTP, NLB for TCP/UDP, GWLB for inline appliances.
- Spread targets evenly across AZs; enable cross-zone on NLB only when you accept the data-transfer cost.
- Always use HTTPS listeners with an ACM certificate and a TLS 1.2-or-later security policy, and redirect HTTP to HTTPS with a listener redirect action (HTTP 301).
- Set conservative health-check thresholds so a single slow probe does not pull a target out of rotation; the ALB defaults (2 consecutive failures to mark unhealthy, 5 successes to recover) are a sane starting point.
- Enable access logging to S3 for every production load balancer; it is off by default.
- For DDoS resilience, put CloudFront in front of the ALB and attach WAF at the distribution rather than relying on WAF on the ALB alone, so the edge absorbs volumetric traffic before it reaches the VPC; Shield Standard covers both.
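An audit for the HTTPS-listener practice above, as an added example (not AWS code). It walks a structure shaped like the response of boto3 `elbv2.describe_listeners()` and flags plain-HTTP listeners whose default action is not a 301 redirect to HTTPS, HTTPS/TLS listeners with no certificate, and listeners on a security policy that still negotiates TLS 1.0/1.1. The listener records and ARNs are constructed so the audit runs offline, and the legacy-policy list is an assumption to verify against the current AWS policy table.

```python
"""Audit ELBv2 listeners for clear-text defaults and weak TLS policies.

Added worked example, not AWS code. It consumes a dict shaped like the
response of boto3 `elbv2.describe_listeners()`; SAMPLE is constructed
(made-up ARNs) so the audit runs offline.
"""

# Predefined ELB security policies that still negotiate TLS 1.0/1.1.
# Assumption: verify this list against the current AWS policy table.
LEGACY_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}


def redirects_to_https(action: dict) -> bool:
    """True for an ALB redirect action that permanently sends clients to HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("StatusCode") == "HTTP_301")


def audit_listeners(describe_output: dict) -> list[tuple[str, str]]:
    """Return (listener ARN, problem) pairs for listeners that need fixing."""
    findings = []
    for lst in describe_output.get("Listeners", []):
        arn, proto = lst["ListenerArn"], lst["Protocol"]
        if proto == "HTTP":
            if not any(redirects_to_https(a) for a in lst.get("DefaultActions", [])):
                findings.append((arn, f"port {lst['Port']} serves clear-text HTTP; default action must 301 to HTTPS"))
        elif proto in ("HTTPS", "TLS"):
            if not lst.get("Certificates"):
                findings.append((arn, "no certificate attached"))
            if lst.get("SslPolicy") in LEGACY_TLS_POLICIES:
                findings.append((arn, f"SslPolicy {lst['SslPolicy']} still permits TLS 1.0/1.1"))
    return findings


def https_redirect_params(listener_arn: str) -> dict:
    """Keyword arguments for boto3 `elbv2.modify_listener(**params)` that turn an HTTP listener into a 301 to HTTPS."""
    return {
        "ListenerArn": listener_arn,
        "DefaultActions": [{
            "Type": "redirect",
            "RedirectConfig": {
                "Protocol": "HTTPS", "Port": "443",
                "Host": "#{host}", "Path": "/#{path}", "Query": "#{query}",
                "StatusCode": "HTTP_301",
            },
        }],
    }


# Constructed sample: one clear-text listener, one HTTPS listener on an old
# policy, and one HTTP listener that already redirects correctly.
ACCOUNT = "arn:aws:elasticloadbalancing:us-east-1:111122223333"
HTTP_ARN = f"{ACCOUNT}:listener/app/web/0123456789abcdef/aaaa"
HTTPS_ARN = f"{ACCOUNT}:listener/app/web/0123456789abcdef/bbbb"
REDIRECT_ARN = f"{ACCOUNT}:listener/app/web/0123456789abcdef/cccc"
TG = f"{ACCOUNT}:targetgroup/web/1111"
SAMPLE = {"Listeners": [
    {"ListenerArn": HTTP_ARN, "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
    {"ListenerArn": HTTPS_ARN, "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/2222"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG}]},
    {"ListenerArn": REDIRECT_ARN, "Port": 8080, "Protocol": "HTTP",
     "DefaultActions": https_redirect_params(REDIRECT_ARN)["DefaultActions"]},
]}


if __name__ == "__main__":
    for arn, problem in audit_listeners(SAMPLE):
        print(arn, problem)
```

Against live infrastructure, replace SAMPLE with the output of `describe_listeners()` for each load balancer and apply the fix for each clear-text finding with `elbv2.modify_listener(**https_redirect_params(arn))`; the redirect action is an ALB feature, so an NLB TCP listener on port 80 has to be replaced with a TLS listener instead.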
Knowledge Check
Which load balancer fits a high-throughput TCP service that needs a static IP clients can whitelist?
- Network Load Balancer (NLB) — Layer 4, high throughput, static IP per AZ
- Application Load Balancer (ALB) — Layer 7 HTTP with one static IP per AZ
- Gateway Load Balancer (GWLB) — Layer 3 with a whitelistable IP
- Classic Load Balancer (CLB) — the high-throughput TCP choice
What is the default state of cross-zone load balancing for an NLB?
- Off — each node serves only its own AZ unless you enable it and accept cross-AZ charges
- On and free by default, spreading every node's traffic evenly across all AZs like the ALB does
- On, but only when the listener is configured to use the encrypted HTTPS protocol
- Off, and there is no way to ever enable it
Which load balancer offers content-based routing on path and host header plus built-in Cognito authentication?
- Application Load Balancer (ALB) at Layer 7
- Network Load Balancer (NLB) at Layer 4
- Gateway Load Balancer (GWLB) at Layer 3
- Classic Load Balancer (CLB)
What is Gateway Load Balancer used for?
- Inserting third-party firewall and IDS appliances inline in the VPC traffic path
- Serving HTTP web applications with host-header and URL path-based routing rules
- Terminating TLS for static websites at the edge before forwarding on to the origin
- Round-robin DNS resolution across multiple Regions