Elastic Load Balancing
Managed load balancers — ALB, NLB, and GWLB covering target groups, listeners, sticky sessions, cross-zone balancing, and health checks.
Overview
Elastic Load Balancing (ELB) automatically distributes incoming traffic across multiple targets — EC2 instances, containers, IP addresses, or Lambda functions — across one or more Availability Zones for high availability and fault tolerance.
AWS offers three load balancer types: Application Load Balancer (ALB) for HTTP/HTTPS, Network Load Balancer (NLB) for TCP/UDP/TLS at ultra-low latency, and Gateway Load Balancer (GWLB) for inline third-party virtual appliances.
Core Concepts
| Concept | Description |
|---|---|
| Load Balancer | The entry point that receives and distributes traffic to registered targets |
| Listener | Checks for connection requests on a configured protocol and port; routes to target groups |
| Target Group | A set of registered targets (instances, IPs, Lambda) with health check configuration |
| Target | An individual destination (EC2 instance, IP address, Lambda function, or ALB) |
| Health Check | Periodic probes to determine if a target is healthy and eligible to receive traffic |
| Availability Zone | ELB distributes traffic across all enabled AZs |
| Cross-Zone Load Balancing | Distributes traffic evenly across all targets in all AZs, not just within each AZ |
| Sticky Sessions | Binds a user's session to a specific target using cookies (application or duration-based) |
ALB vs NLB vs GWLB
| Feature | ALB (Application) | NLB (Network) | GWLB (Gateway) |
|---|---|---|---|
| OSI Layer | Layer 7 (HTTP/HTTPS) | Layer 4 (TCP/UDP/TLS) | Layer 3 (IP) + Layer 4 |
| Protocol | HTTP, HTTPS, gRPC, WebSocket | TCP, UDP, TLS | GENEVE encapsulation |
| Performance | Good; processes HTTP headers | Ultra-low latency; millions of req/sec | Transparent inline inspection |
| Static IP | No (use Global Accelerator for static) | Yes — one static IP per AZ | No |
| SSL/TLS termination | Yes (ACM integration) | Yes (TLS listener) | N/A |
| Routing | Path, host, header, query string, source IP | Port-based only | N/A (transparent pass-through) |
| Target types | Instance, IP, Lambda | Instance, IP, ALB | Instance, IP |
| Use case | Web apps, microservices, APIs | Gaming, IoT, financial, static IP needs | Firewalls, IDS/IPS, deep packet inspection |
SAA/SAP Tip: Choose ALB for HTTP/HTTPS workloads that need path-based or host-based routing. Choose NLB when the question mentions "ultra-low latency," "millions of requests," "static IP," or non-HTTP protocols like TCP/UDP.
ALB Routing Rules
ALB supports advanced content-based routing via listener rules:
| Condition Type | Routes Based On | Example |
|---|---|---|
| Path | URL path | /api/* → API target group |
| Host header | Domain name in Host header | api.example.com → API TG |
| HTTP header | Custom header value | X-Custom: mobile → Mobile TG |
| HTTP method | GET, POST, etc. | POST → Write TG |
| Query string | Query parameter key/value | ?platform=mobile → Mobile TG |
| Source IP | Client IP CIDR, evaluated on the connection's source address (X-Forwarded-For is not consulted, so behind CloudFront or another proxy this is the proxy's IP) | 10.0.0.0/8 → Internal TG |
Rules are evaluated in priority order (lowest number first); multiple values within one condition are ORed, while separate conditions in the same rule are ANDed. Actions: Forward, Redirect (301/302), Fixed Response (e.g., 503 maintenance page), Authenticate (Cognito/OIDC). Authenticate actions require an HTTPS listener; after authentication the ALB forwards the user's claims to targets in x-amzn-oidc-* headers, so targets should verify the x-amzn-oidc-data signature and accept traffic only from the ALB's security group so those headers cannot be injected directly.
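The rule evaluation described above, as an added example (not AWS code): a small evaluator with the same priority ordering and AND/OR semantics as ALB listener rules. The `Rule`/`Request` classes, the sample rule set and the requests in `demo()` are constructed for illustration; it also shows why a spoofed X-Forwarded-For cannot satisfy a source-ip condition and why path patterns are case-sensitive while host and header values are not.

```python
# Added example (not AWS code): ALB-style listener rule evaluation.
# Rule/Request names and the sample rule set are assumptions for illustration.
import ipaddress
import re
from dataclasses import dataclass, field


def _glob(pattern: str, ignore_case: bool) -> re.Pattern:
    """ALB wildcard semantics: '*' = zero or more characters, '?' = exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


@dataclass
class Request:
    method: str
    host: str
    path: str
    source_ip: str                      # TCP peer address, never X-Forwarded-For
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class Rule:
    priority: int
    action: tuple                       # ("forward", tg) | ("redirect", url) | ("fixed-response", status)
    path_patterns: list = field(default_factory=list)     # case-sensitive
    host_headers: list = field(default_factory=list)      # case-insensitive
    http_methods: list = field(default_factory=list)      # exact, upper-case
    http_headers: dict = field(default_factory=dict)      # name -> [value patterns]
    query_strings: list = field(default_factory=list)     # [(key, value pattern)]
    source_ips: list = field(default_factory=list)        # CIDRs

    def matches(self, req: Request) -> bool:
        # Values inside one condition are OR'd; the conditions themselves are AND'd.
        checks = []
        if self.path_patterns:
            checks.append(any(_glob(p, False).match(req.path) for p in self.path_patterns))
        if self.host_headers:
            checks.append(any(_glob(h, True).match(req.host) for h in self.host_headers))
        if self.http_methods:
            checks.append(req.method in self.http_methods)
        lowered = {k.lower(): v for k, v in req.headers.items()}
        for name, patterns in self.http_headers.items():
            value = lowered.get(name.lower(), "")
            checks.append(any(_glob(p, True).match(value) for p in patterns))
        if self.query_strings:
            checks.append(any(k in req.query and _glob(v, True).match(req.query[k])
                              for k, v in self.query_strings))
        if self.source_ips:
            peer = ipaddress.ip_address(req.source_ip)   # the connection's address only
            checks.append(any(peer in ipaddress.ip_network(c) for c in self.source_ips))
        return all(checks)


def route(rules, default_action, req):
    """Lowest priority value wins; the listener's default action applies if nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.action
    return default_action


# Constructed rule set: admin paths only from the corporate range, the rest per the table above.
RULES = [
    Rule(10, ("forward", "internal-tg"), path_patterns=["/admin/*"], source_ips=["10.0.0.0/8"]),
    Rule(20, ("fixed-response", 403), path_patterns=["/admin/*"]),
    Rule(30, ("forward", "api-tg"), host_headers=["api.example.com"], path_patterns=["/api/*"]),
    Rule(40, ("forward", "mobile-tg"), http_headers={"X-Custom": ["mobile"]}),
    Rule(50, ("forward", "write-tg"), http_methods=["POST", "PUT"]),
]
DEFAULT = ("forward", "frontend-tg")


def demo():
    """Returns the action chosen for a few constructed requests."""
    return {
        "admin_from_corp": route(RULES, DEFAULT,
            Request("GET", "www.example.com", "/admin/users", "10.1.2.3")),
        # A spoofed X-Forwarded-For does not satisfy the source-ip condition.
        "admin_spoofed_xff": route(RULES, DEFAULT,
            Request("GET", "www.example.com", "/admin/users", "203.0.113.5",
                    headers={"X-Forwarded-For": "10.1.2.3"})),
        "api_host_any_case": route(RULES, DEFAULT,
            Request("GET", "API.Example.com", "/api/v1/users", "198.51.100.7")),
        # Path patterns are case-sensitive, so /API/... falls through to the default action.
        "api_path_wrong_case": route(RULES, DEFAULT,
            Request("GET", "api.example.com", "/API/v1/users", "198.51.100.7")),
        "mobile_header": route(RULES, DEFAULT,
            Request("GET", "www.example.com", "/", "198.51.100.7", headers={"x-custom": "MOBILE"})),
        "post_root": route(RULES, DEFAULT,
            Request("POST", "www.example.com", "/", "198.51.100.7")),
    }
```

The order of the two `/admin/*` rules matters: the allow rule with the source-ip condition must carry the lower priority number, otherwise the 403 rule would win for every client.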
Health Checks
| Setting | ALB | NLB |
|---|---|---|
| Protocol | HTTP, HTTPS | TCP, HTTP, HTTPS |
| Path | Configurable (e.g., /health) | Configurable for HTTP/HTTPS checks |
| Interval | 5–300 seconds | 5–300 seconds (older documentation lists only 10 or 30) |
| Healthy threshold | 2–10 consecutive successes | 2–10 |
| Unhealthy threshold | 2–10 consecutive failures | 2–10 |
Exam Trap: NLB health checks can use TCP (connection only) or HTTP/HTTPS. If targets serve HTTP but the health check is TCP, a process that still accepts connections yet answers every request with an error will keep appearing "healthy." Use HTTP/HTTPS health checks (with a matcher such as 200) to verify application-level health, and have the health endpoint exercise the dependencies the application actually needs.
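The trap above, as an added example (not AWS code): a local test target that accepts TCP connections but returns 500 to every request, probed with a TCP-style check and an HTTP-style check, and fed into a simplified initial/healthy/unhealthy state machine driven by consecutive-result thresholds. The `BrokenApp` server, the probe functions and `TargetHealth` are constructed for this example; the state machine ignores ELB's draining/unused states.

```python
# Added example (not AWS code): TCP vs HTTP health checks against a constructed target.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class BrokenApp(BaseHTTPRequestHandler):
    """Constructed target: the socket accepts connections, but the app answers 500."""
    def do_GET(self):
        self.send_response(500)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the example quiet
        pass


def start_target():
    """Starts BrokenApp on a random loopback port and returns that port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BrokenApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def probe_tcp(host, port, timeout=2.0):
    """TCP health check: success means the three-way handshake completed, nothing more."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_http(host, port, path="/health", matcher=range(200, 400), timeout=2.0):
    """HTTP health check: success means the status code is inside the matcher range."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status in matcher
    except (OSError, http.client.HTTPException):
        return False


class TargetHealth:
    """Simplified target state: thresholds count consecutive results, as in a target group."""
    def __init__(self, healthy_threshold=2, unhealthy_threshold=2):
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self.state = "initial"
        self._streak = 0
        self._last = None

    def record(self, passed):
        self._streak = self._streak + 1 if passed == self._last else 1
        self._last = passed
        if passed and self._streak >= self.healthy_threshold:
            self.state = "healthy"
        elif not passed and self._streak >= self.unhealthy_threshold:
            self.state = "unhealthy"
        return self.state


def run_checks(port, probe, rounds=3, **thresholds):
    """Runs `rounds` probes against 127.0.0.1:port and returns the resulting target state."""
    health = TargetHealth(**thresholds)
    for _ in range(rounds):
        health.record(probe("127.0.0.1", port))
    return health.state


def demo():
    port = start_target()
    return {"tcp": run_checks(port, probe_tcp), "http": run_checks(port, probe_http)}


if __name__ == "__main__":
    print(demo())   # the TCP check reports healthy, the HTTP check reports unhealthy
```

The same target is "healthy" or "unhealthy" depending only on the check protocol; that is the whole point of the trap, and it is also why a health endpoint that merely returns 200 without touching the database or downstream services gives little more assurance than a TCP check.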
Sticky Sessions (Session Affinity)
Cookie-based stickiness is an ALB feature. NLB offers only source-IP affinity (no cookies), which breaks behind NAT or proxies where many clients share one address.
| Cookie Type | Generated By | Duration | Use Case |
|---|---|---|---|
| Duration-based | Load balancer (AWSALB cookie) | 1 s – 7 days | Simple session pinning |
| Application-based | Application sets a named cookie; ALB mirrors it in an encrypted AWSALBAPP cookie | 1 s – 7 days, configured on the target group | Application-managed sessions |
Exam Trap: Sticky sessions can cause uneven load distribution. If one target accumulates long-lived sessions, it may become overloaded while others are idle. For stateless architectures, store session data in ElastiCache or DynamoDB instead. The stickiness cookies are encrypted and opaque to the client, but they are not an authentication mechanism; the application must still keep its own session cookie.
Cross-Zone Load Balancing
| Load Balancer | Default | Cost |
|---|---|---|
| ALB | Enabled | Free |
| NLB | Disabled | Charged per inter-AZ GB transferred |
| GWLB | Disabled | Charged per inter-AZ GB transferred |
Without cross-zone balancing, each load balancer node distributes only among the targets in its own AZ, so AZs with fewer targets see a heavier per-target load when DNS spreads clients evenly across the nodes.
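The imbalance described above, worked through as an added example (not AWS code). It assumes one load balancer node per enabled AZ, DNS spreading clients evenly across those nodes, and every listed target healthy; the function and the two-AZ layout are constructed for illustration.

```python
# Added example (not AWS code): per-target traffic share with cross-zone balancing off vs on.
# Assumes one node per enabled AZ, an even DNS split across nodes, and all targets healthy.
def per_target_share(targets_per_az: dict, cross_zone: bool) -> dict:
    """Map AZ -> fraction of all requests that one target in that AZ receives."""
    if not targets_per_az or any(n <= 0 for n in targets_per_az.values()):
        raise ValueError("every enabled AZ needs at least one healthy target for this model")
    node_share = 1 / len(targets_per_az)          # each AZ's node gets an equal slice from DNS
    total = sum(targets_per_az.values())
    shares = {}
    for az, n in targets_per_az.items():
        # Off: a node spreads its slice only over the targets in its own AZ.
        # On: every node spreads its slice over all targets, so each gets 1/total.
        shares[az] = (1 / total) if cross_zone else node_share / n
    return shares


def imbalance(targets_per_az: dict, cross_zone: bool) -> float:
    """Ratio between the busiest and the least-busy target (1.0 means perfectly even)."""
    s = per_target_share(targets_per_az, cross_zone)
    return max(s.values()) / min(s.values())


if __name__ == "__main__":
    layout = {"us-east-1a": 2, "us-east-1b": 8}   # constructed: uneven Auto Scaling placement
    for mode in (False, True):
        print("cross-zone", "on" if mode else "off",
              per_target_share(layout, mode), "imbalance", imbalance(layout, mode))
```

With 2 targets in one AZ and 8 in the other, each target in the small AZ carries four times the load of a target in the large AZ until cross-zone balancing is enabled; the same model explains why an unbalanced scale-in can overload one AZ even though total capacity looks fine.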
Connection Draining (Deregistration Delay)
When a target is deregistered or becomes unhealthy, ELB allows in-flight requests to complete before removing it.
- Default: 300 seconds (configurable from 0 to 3600)
- Set to 0 for instant deregistration (useful for short-lived tasks)
- Critical for graceful shutdowns during deployments and scale-in
Common Use Cases
- Multi-tier web applications — ALB routes /api/* to backend services and /* to frontend servers.
- Microservices — ALB host-based routing directs auth.example.com and orders.example.com to different target groups.
- TCP/UDP services — NLB for gaming servers, IoT endpoints, or financial trading platforms requiring static IPs.
- Hybrid targets — NLB with IP-based targets to route to on-premises servers via Direct Connect.
- Inline security appliances — GWLB transparently routes traffic through firewalls or IDS/IPS before reaching targets.
- SSL offloading — ALB terminates TLS, reducing certificate management and compute on backend instances. If traffic inside the VPC must stay encrypted, use an HTTPS target group to re-encrypt to targets; note that ALB does not validate the target's certificate, so the target security group should admit only the ALB.
SAA/SAP Exam Tips
SAA/SAP Tip: When a question requires a static IP address for a load balancer, the answer is NLB (one Elastic IP per AZ) or NLB fronting an ALB. ALB does not support static IPs natively.
Exam Trap: ALB targets can include Lambda functions — a single ALB can serve both container-based and serverless targets using different target groups and routing rules.
SAA/SAP Tip: GWLB appears in security-focused questions: "inspect all traffic with a third-party firewall" or "inline IDS/IPS." It uses GENEVE encapsulation and is transparent to the application.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | Elastic Load Balancing | Baseline |
| Azure | Azure Application Gateway (L7) / Azure Load Balancer (L4) | Separate services for L4 and L7 |
| GCP | Google Cloud Load Balancing | Global by default; supports L4 and L7 |
| On-Premises | NGINX, HAProxy, F5 BIG-IP | Software or hardware load balancers |
Pricing Model
| Dimension | ALB | NLB |
|---|---|---|
| Fixed hourly charge | ~$0.0225/hr | ~$0.0225/hr |
| Usage metric | LCU (Load Balancer Capacity Unit) | NLCU (Network LCU) |
| LCU/NLCU includes | New connections, active connections, processed bytes, rule evaluations | New connections/flows, active connections/flows, processed bytes |
| Data processing | Included in LCU | Included in NLCU |
GWLB is billed per hour plus GLCU usage, and each Gateway Load Balancer Endpoint (GWLBE) in consuming VPCs adds its own hourly charge plus a per-GB data processing charge.
Related Services / See Also
- Amazon EC2 — common target for load balancers
- AWS Auto Scaling — scales targets behind load balancers
- Amazon Route 53 — DNS Alias records pointing to ALB/NLB
- Amazon CloudFront — CDN that can use ALB as an origin
- AWS WAF and Shield — WAF rules attached to ALB for L7 protection
- AWS Certificate Manager — free TLS certificates for ALB/NLB listeners