
Hi to everyone,

I recently crafted an article on Network Load Balancers, which now support security groups, and I thought I would take the time to also talk about the different types of load balancers that AWS provides and the key use cases for each. I will ignore the Classic Load Balancer since the general recommendation is not to use it.

Types of Load Balancers

AWS provides three different types of load balancer. These are:

  • Application Load Balancer (ALB) – Layer 7 HTTP/HTTPS load balancer
  • Network Load Balancer (NLB) – Layer 4 TCP/UDP load balancer
  • Gateway Load Balancer (GWLB) – GENEVE protocol compatible load balancer

Application Load Balancer (ALB)

The Application Load Balancer operates at Layer 7 of the OSI stack, the application layer. Because it operates at this level it is designed to use the HTTP headers to determine how it handles traffic. As it is a Layer 7 load balancer it only handles HTTP/HTTPS traffic. That does NOT limit it to the standard HTTP and HTTPS ports (80 and 443 respectively), but it is designed to handle this type of traffic and not other traffic (such as VoIP traffic over UDP).

Capabilities

Application Load Balancers have some nice key features that I wanted to mention (plus many others worth looking into):

  • Web Application Firewall support is available, as WAF is a Layer 7 security mechanism.
  • Redirecting requests to another URL is a handy feature if you are migrating services to a new domain/URL, as well as for cases where you want to perform an HTTP to HTTPS redirect.
  • Support for the X-Forwarded-For and X-Forwarded-Proto HTTP headers, which pass the client's address and original protocol through to the targets.
  • Sticky sessions, which help with user session handling.
  • Path-based routing support, which allows different paths (e.g. /server or /server2) to be directed to different target groups.
  • Access logs can be captured and stored in S3, which helps with troubleshooting and security investigations.

The Application Load Balancer is most commonly used as the front end load balancer for a web application. For security you would add a Web Application Firewall, TLS certificates and an appropriate security policy (it is generally recommended to use the latest security policy and keep it up to date, as this ensures that weaker ciphers and older TLS versions are not accepted).

Back end targets can be IP based, EC2 based (including attaching an Auto Scaling Group), etc. Application Load Balancers can also be used in containerised architectures.

You can associate an Application Load Balancer as a Route 53 Target through an Alias Resource and use a TLS Certificate provisioned by AWS Certificate Manager to provide for a relatively low cost managed front end solution.
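The following Terraform configuration is an added example, not code from the original post or from AWS, showing how the ALB features above fit together: an HTTP listener that only redirects to HTTPS, an HTTPS listener pinned to a current TLS policy and an ACM certificate, path-based routing, sticky sessions, access logs to S3 and a WAF web ACL association. The variable names, the "example-*" resource names, and the assumption that the security group, log bucket, certificate and web ACL already exist are mine.

```hcl
# Added example (not from the original post). Variable names, "example-*"
# resource names and the pre-existing security group, S3 bucket, ACM
# certificate and WAFv2 web ACL (passed in as variables) are assumptions.
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "alb_sg_id"         { type = string }
variable "log_bucket"        { type = string } # must grant the ELB log-delivery bucket policy
variable "certificate_arn"   { type = string } # issued by AWS Certificate Manager
variable "web_acl_arn"       { type = string } # AWS WAFv2 web ACL with REGIONAL scope

resource "aws_lb" "web" {
  name                       = "example-web-alb"
  load_balancer_type         = "application"
  internal                   = false
  security_groups            = [var.alb_sg_id]
  subnets                    = var.public_subnet_ids
  drop_invalid_header_fields = true # discard malformed HTTP headers at the edge

  # Access logs to S3 for troubleshooting and security investigations.
  access_logs {
    bucket  = var.log_bucket
    prefix  = "alb"
    enabled = true
  }
}

# Port 80 exists only to send clients to HTTPS.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# HTTPS listener pinned to a TLS 1.3/1.2-only policy so older protocol
# versions and weaker ciphers are never negotiated.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Path-based routing: /api/* goes to its own target group.
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
  condition {
    path_pattern { values = ["/api/*"] }
  }
}

resource "aws_lb_target_group" "web" {
  name     = "example-web-tg"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  # Sticky sessions using the ALB-managed cookie.
  stickiness {
    type            = "lb_cookie"
    enabled         = true
    cookie_duration = 3600
  }
  health_check { path = "/healthz" }
}

resource "aws_lb_target_group" "api" {
  name     = "example-api-tg"
  port     = 9090
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check { path = "/healthz" }
}

# Attach the WAF web ACL to the Layer 7 load balancer.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = var.web_acl_arn
}
```

A Route 53 alias for the ALB is an `aws_route53_record` of type A with an `alias` block that references `aws_lb.web.dns_name` and `aws_lb.web.zone_id`. Two points worth checking after `terraform apply`: the security group passed in as `alb_sg_id` should only admit 80 and 443 from the internet, and the target security groups should only admit their port from that ALB security group, so nothing can bypass the WAF and TLS policy by hitting the instances directly.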

Considerations

The main thing to be aware of is that ALBs don't support Elastic IPs. This is a feature of Network Load Balancers, and if it is required (which is rare) you can put a Network Load Balancer in front of the Application Load Balancer.


Network Load Balancer (NLB)

Network Load Balancers operate at Layer 4 (the transport layer) of the OSI stack. Because it operates at this level it has no support for Web Application Firewalls, but it can be protected by network firewalls as part of a secure architecture. Unlike ALBs, which use information in the HTTP packets to decide how to forward traffic, the NLB forwards primarily on IP-level information.

Capabilities

Network Load Balancers have some nice key features that I wanted to mention (plus many others worth looking into):

  • Static IP support for external facing NLBs, which can help if you have clients who need to whitelist IP addresses for their services.
  • Global Accelerator integration allows for performance improvements of traffic, particularly for clients further away.
  • Support for TCP/UDP is a main differentiator between the NLB and the ALB. ALBs only function with HTTP/HTTPS, which means they only support TCP ports, as web applications only operate over TCP.
  • Security group support (NEW) allows you to protect NLBs with security group rules instead of relying only on firewalls, NACLs, etc.

Network Load Balancers can be considered faster than Application Load Balancers because they need less time to make a forwarding decision (they don't read HTTP headers or other application-level information).

Back end targets can be IP based, EC2 based (including attaching an Auto Scaling Group), etc. Network Load Balancers can also be used in a container architecture or as part of a PrivateLink endpoint service.

A Network Load Balancer can also be a target for an AWS Route 53 DNS Record (Alias Record).

Considerations

Unlike Application Load Balancers, where cross-zone load balancing is enabled by default, it is off by default for a Network Load Balancer and has to be enabled. Because it is optionally turned on, there are network traffic charges that may apply if you balance from a load balancer in one availability zone to a target in another availability zone.
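The Terraform below is an added example, not the post's or AWS's own code, covering the NLB capabilities and consideration above: one Elastic IP per availability zone so clients have fixed addresses to whitelist, a security group attached to the NLB itself, a target security group that admits traffic only from the NLB's security group, and cross-zone load balancing left at its off default. The variable names and the "example-*" resource names are assumptions, and security groups on NLBs require a 5.x or newer AWS provider.

```hcl
# Added example (not from the original post). Variable names and "example-*"
# names are assumptions; NLB security groups need AWS provider 5.x or newer.
variable "vpc_id"               { type = string }
variable "public_subnet_ids"    { type = list(string) }
variable "allowed_client_cidrs" { type = list(string) } # partners that whitelist our addresses

# One Elastic IP per subnet/AZ so the NLB presents fixed public addresses.
resource "aws_eip" "nlb" {
  for_each = toset(var.public_subnet_ids)
  domain   = "vpc"
}

# Security group on the NLB: only the service port, only from known clients.
resource "aws_security_group" "nlb" {
  name   = "example-nlb-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 5000
    to_port     = 5000
    protocol    = "tcp"
    cidr_blocks = var.allowed_client_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "tcp" {
  name               = "example-tcp-nlb"
  load_balancer_type = "network"
  internal           = false
  security_groups    = [aws_security_group.nlb.id]

  # Off by default on NLBs. Leaving it off avoids cross-AZ data charges, at
  # the cost of uneven distribution if one AZ has fewer healthy targets.
  enable_cross_zone_load_balancing = false

  # Bind each static IP to its subnet.
  dynamic "subnet_mapping" {
    for_each = toset(var.public_subnet_ids)
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.nlb[subnet_mapping.value].id
    }
  }
}

resource "aws_lb_target_group" "tcp" {
  name        = "example-tcp-tg"
  port        = 5000
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check { protocol = "TCP" }
}

resource "aws_lb_listener" "tcp" {
  load_balancer_arn = aws_lb.tcp.arn
  port              = 5000
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tcp.arn
  }
}

# Targets admit the service port only from the NLB's security group, rather
# than from the client CIDRs or the whole subnet, so the NLB cannot be bypassed.
resource "aws_security_group" "targets" {
  name   = "example-tcp-targets-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [aws_security_group.nlb.id]
  }
}
```

For a UDP service the listener and target group would use `protocol = "UDP"` (or `"TCP_UDP"` for both on one port) and the security group rules would use `protocol = "udp"`; everything else stays the same. Before security groups existed on NLBs, the only way to restrict who could reach the listener was NACLs or rules on the targets themselves, which is why the new feature matters for this design.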

Gateway Load Balancer

A Gateway Load Balancer is a nifty (but niche) type of load balancer that can be used with firewall architectures. An example reference architecture that benefits from a Gateway Load Balancer is when you want to direct all VPC traffic via centralised firewalls (AWS Network Firewall or a third party appliance) in a network VPC. You would support this by adding a Gateway Load Balancer with a connection to each VPC and routing 0.0.0.0/0 via that load balancer, so traffic passes through a firewall before it is allowed on.
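The Terraform below is an added example, not code from the original post or from AWS, of the centralised inspection architecture just described: a Gateway Load Balancer in an inspection VPC with firewall appliances registered over GENEVE, published as an endpoint service, attached from one spoke VPC through a Gateway Load Balancer endpoint, and the spoke's 0.0.0.0/0 route pointed at that endpoint. The variable names, the "example-*" resource names and the placeholder account principal are assumptions; a real deployment repeats the endpoint and route per availability zone.

```hcl
# Added example (not from the original post). Variable names, "example-*"
# names and the placeholder principal ARN are assumptions.
variable "inspection_vpc_id"        { type = string }
variable "inspection_subnet_ids"    { type = list(string) }
variable "spoke_vpc_id"             { type = string }
variable "spoke_endpoint_subnet_id" { type = string }
variable "spoke_app_route_table_id" { type = string } # route table of the spoke workload subnets
variable "spoke_account_principal"  { type = string } # e.g. arn:aws:iam::<ACCOUNT-ID>:root (placeholder)

resource "aws_lb" "gwlb" {
  name                             = "example-gwlb"
  load_balancer_type               = "gateway"
  subnets                          = var.inspection_subnet_ids
  enable_cross_zone_load_balancing = true # keep inspecting if one AZ loses its appliances
}

# Firewall appliances register here. GENEVE always runs on UDP 6081.
resource "aws_lb_target_group" "firewalls" {
  name        = "example-firewall-tg"
  port        = 6081
  protocol    = "GENEVE"
  target_type = "instance"
  vpc_id      = var.inspection_vpc_id

  # Health check hits the appliance's own HTTP endpoint (port and path assumed).
  health_check {
    port     = "80"
    protocol = "HTTP"
    path     = "/healthz"
  }
}

# A GWLB listener has no port or protocol: every flow is forwarded to the appliances.
resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.firewalls.arn
  }
}

# Publish the GWLB as an endpoint service so spoke VPCs (possibly in other
# accounts) can attach to it without peering or transit routing.
resource "aws_vpc_endpoint_service" "inspection" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
  allowed_principals         = [var.spoke_account_principal]
}

# Gateway Load Balancer endpoint inside the spoke VPC.
resource "aws_vpc_endpoint" "spoke" {
  vpc_id            = var.spoke_vpc_id
  service_name      = aws_vpc_endpoint_service.inspection.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.spoke_endpoint_subnet_id]
}

# The spoke workload subnets' default route targets the endpoint, so every
# packet leaving them is inspected by a firewall before it can go anywhere.
resource "aws_route" "spoke_default_via_firewall" {
  route_table_id         = var.spoke_app_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.spoke.id
}
```

The route shown covers the outbound leg only. The endpoint subnet needs its own route table with 0.0.0.0/0 to the internet gateway, and the internet gateway needs an edge association that sends return traffic for the workload subnets back to the endpoint; otherwise replies skip inspection. The appliances themselves must return the GENEVE-encapsulated packet to the GWLB unchanged in its flow identifiers, which is what the vendor integrations mentioned below take care of.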

Capabilities

Gateway Load Balancers have some nice key features that I wanted to mention (plus many others worth looking into):

  • Scalability, which allows it to handle higher traffic flow as needed, in combination with appropriate appliance capacity for traffic inspection.
  • GENEVE protocol support allows it to work with many firewall appliance vendors such as Palo Alto, Fortinet, etc.


Considerations

This load balancer is used primarily for traffic inspection and centralised traffic flow via security appliances. It is not used for direct application configuration.


Wrap Up

Load balancers are an important architectural component, and the three modern load balancer types supported by AWS have really good capabilities and scalable pricing. From a pricing point of view there is a small hourly charge for the load balancer itself, and then costs scale based on how much traffic it needs to process.