Skip to content

Load Balancers

This lesson explores AWS Elastic Load Balancers and their configuration for high availability, auto-scaling, and fault tolerance in cloud environments.

In this lesson, you'll explore AWS Elastic Load Balancers (ELB) and learn how to configure them for high availability, auto-scaling, and fault tolerance in your cloud environments.

Why Load Balancers?

Imagine hosting your web application on a single EC2 instance at public IP 1.1.1.1. If that instance fails, your site goes offline. To add redundancy, you deploy instances across multiple Availability Zones:

  • EC2 A: 1.1.1.1
  • EC2 B: 2.2.2.2
  • EC2 C: 3.3.3.3

Which IP address should your users access? Manually switching between IPs is cumbersome and exposes internal details. A load balancer provides a single, stable endpoint that intelligently distributes requests to healthy backends.

The image illustrates an Elastic Load Balancer (ELB) in AWS, showing a user querying which IP to send data to, with three availability zones each having a different IP address.

Once deployed, the ELB abstracts individual instance IPs and automatically routes traffic:

The image illustrates an Elastic Load Balancer (ELB) setup in AWS Cloud, showing how traffic is distributed from a single IP address to multiple availability zones with different IPs.

Types of AWS Load Balancers

AWS provides three managed load-balancing options to suit different workloads:

Load Balancer Type OSI Layer Protocols SSL Termination Use Case
Classic Load Balancer (CLB) 4 & 7 HTTP, HTTPS, TCP, SSL Yes (one certificate) Legacy workloads
Application Load Balancer (ALB) 7 HTTP, HTTPS, WebSockets Yes (multiple) URL/path-based routing
Network Load Balancer (NLB) 4 TCP, UDP No Ultra-low latency transport load

1. Classic Load Balancer (CLB)

The original AWS load balancer supports HTTP, HTTPS, TCP, and SSL but lacks modern features like multiple certificates and advanced routing.

Classic Load Balancer is considered legacy. AWS recommends using Application Load Balancer (ALB) or Network Load Balancer (NLB) for new deployments.

The image is an illustration of the Classic Load Balancer (CLB) by AWS, noting it was the first load balancer introduced by AWS and is not recommended for use. It includes a simple diagram showing the CLB distributing traffic to two applications.

2. Application Load Balancer (ALB)

ALBs operate at the application layer (Layer 7) and excel at HTTP, HTTPS, and WebSocket traffic. They provide content-based routing and host/path-based rules:

  • URL path and host header conditions
  • HTTP methods, headers, query strings, source IP
  • HTTP redirects and custom responses
  • Application-level health checks

The image is an infographic about Application Load Balancer (ALB), highlighting its support for HTTP/HTTPS/WebSockets, functioning at the application layer (layer 7), and request forwarding based on URL path conditions, host domain, and HTTP fields.

The image is an infographic about Application Load Balancer (ALB), highlighting its support for HTTP/HTTPS/WebSockets, functioning at the application layer, request forwarding based on specific conditions, and performing application-specific health checks.

ALB Traffic Flow and SSL Termination

Application Load Balancers terminate SSL/TLS connections, decrypting traffic at the edge. Your SSL certificates reside on the ALB, and you can choose to forward decrypted traffic to backends over HTTP or re-encrypt using HTTPS.

Ensure your backend instances are configured to handle re-encrypted HTTPS if you require end-to-end encryption.

The image illustrates the flow of data through an Application Load Balancer (ALB), showing SSL/TLS termination at the ALB and the transition from encrypted to unencrypted data.

3. Network Load Balancer (NLB)

Operating at the transport layer (Layer 4), NLBs handle millions of requests per second with ultra-low latency. They forward TCP/UDP connections directly to targets without TLS termination.

  • High throughput and low latency
  • Static IP support and Elastic IP attachment
  • Basic transport-level health checks (TCP)

The image is an informational graphic about Network Load Balancers (NLB), highlighting features such as load balancing traffic based on TCP/UDP, suitability for non-HTTP/HTTPS applications, speed, basic health checks, and TCP connection forwarding.

ELB Architecture in a VPC

When you create an ELB, AWS launches a load-balancer node in each selected subnet (one per AZ). Clients resolve the ELB’s DNS name, and AWS distributes traffic across all nodes, which in turn forward requests to registered targets.

The image illustrates the architecture of Elastic Load Balancers within a Virtual Private Cloud (VPC), showing public and private subnets across two availability zones. It includes a DNS record creation for the ELB and load balancer nodes in each public subnet.

Cross-Zone Load Balancing

By default, each ELB node only routes traffic to targets in its own Availability Zone, which can cause uneven distribution if instance counts differ. Enabling cross-zone load balancing ensures each node spreads requests across all zones evenly.

Cross-zone load balancing can improve utilization but may incur additional inter-AZ data transfer charges.

The image illustrates a cross-zone load balancing setup within a Virtual Private Cloud (VPC), showing traffic distribution between two availability zones, each with load balancing nodes and instances.

Public vs. Private Load Balancers

When deploying an ELB, you specify subnets:

  • Public Load Balancer: Internet-facing on public subnets
  • Private Load Balancer: Internal-only on private subnets

The image compares public and private load balancers, highlighting that public load balancers are deployed on public subnets for internet access, while private load balancers are deployed on private subnets for access within an organization's AWS network.

The image illustrates the difference between private and public subnets in AWS Cloud, showing that a private load balancer is not accessible from the internet, while a public subnet is.

Example: Multi-Tier Application

Consider a two-tier application in a VPC across two Availability Zones:

  1. API Layer
  2. EC2 instances hosting your public API

  3. Internet-facing public ALB distributes incoming user traffic

  4. Database Layer

  5. EC2 instances running database or business logic
  6. Internal private ALB restricts access to only the API servers

This setup exposes your frontend securely while keeping your backend protected.

The image illustrates an ELB (Elastic Load Balancer) architecture within a Virtual Private Cloud (VPC), showing how load balancers in public subnets forward requests to resources in private subnets.

Listeners and Target Groups

Listeners and target groups define how ELBs receive and route traffic:

  • Listeners: Check for incoming connections on a specific protocol and port. ALB listeners support content-based rules (host, path, headers).
  • Target Groups: Logical groups of endpoints (EC2 instances, IPs, ECS tasks, Lambda functions). Each listener rule forwards traffic to one or more target groups, with configurable health checks.

The image illustrates a network architecture with listeners and target groups, showing how load balancers forward requests to resources like ECS and Lambda functions.

Summary

  • ELBs distribute traffic across multiple targets and AZs automatically.
  • Supports EC2 instances, IP addresses, containers (ECS), and Lambda functions.
  • Classic (CLB): Legacy; limited features, one SSL cert.
  • Application (ALB): Layer 7 routing with advanced rules and TLS termination.
  • Network (NLB): Layer 4 transport load balancing with ultra-low latency.
  • Cross-zone load balancing for even traffic distribution across AZs.
  • Listeners parse connections; target groups manage backend health and routing.

The image is a summary slide about Elastic Load Balancing (ELB), highlighting its traffic distribution capabilities, types, and a note on outdated CLBs.

The image is a summary slide comparing Application Load Balancers (ALBs) and Network Load Balancers (NLBs), highlighting their functions and differences in handling HTTP/HTTPS traffic.

References

  • ELB auto-distributes incoming traffic accros multiple targets in multiple Availabitiliy Zones
  • Distributes traffic to EC2 instances, IPs, and Lambda functions
  • Three types of ELB: Classic, Application, Network
  • CLBs are outdated and should be avoided
  • ALB functions on application layer and forwards HTTP/HTTPS traffic
  • NLB can forward non-HTTP/HTTPS traffic
  • NLBs are faster than ALBs
  • HTTP/HTTPS is always terminated on ALB and not NLB
  • Cross-Zone Load Balancing equally distributes traffic across aall instances in all AZs
  • A listener matches traffic based on rules and handles connection requests
  • Target groups route requests to registered EC2 instances based on specified protocol and port

This hands-on tutorial guides setting up an AWS Application Load Balancer to distribute HTTP requests across two EC2 web servers running Nginx.

In this hands-on tutorial, you’ll set up an AWS Application Load Balancer (ALB) to distribute HTTP requests across two EC2 web servers running Nginx, each in a different Availability Zone. By the end, you’ll have a resilient, internet-facing load balancer serving content from both servers.

Prerequisites

Make sure you already have:

  • Two t2.micro EC2 instances (web-server-1, web-server-2) with Nginx and distinct landing pages.
  • A VPC configured with an Internet Gateway.
  • Two public subnets in us-east-1a and us-east-1b.
Resource Description Details
EC2 Instances Web servers web-server-1 (us-east-1a), web-server-2 (us-east-1b)
VPC Virtual Private Cloud Includes an Internet Gateway and public subnets
Public Subnets Hosts web servers 10.0.201.0/24 (AZ a), 10.0.202.0/24 (AZ b)

EC2 Instances

Our EC2 console shows both instances running:

The image shows an AWS EC2 Management Console with two running instances, "web-server1" and "web-server2," both of type t2.micro. The details of "web-server2" are displayed, including its instance ID, public IP address, and status checks.

Visiting web-server-1 confirms Nginx is up:

The image shows a web page with a message indicating that "server1" is running, confirming the successful installation of the Nginx web server. It includes links for online documentation and support.

And web-server-2 is similarly healthy:

The image shows an AWS EC2 Management Console with two running instances, "web-server1" and "web-server2," both of type t2.micro, with status checks passed and no alarms. Monitoring graphs for CPU utilization and network activity are displayed below.

Network Layout

Your VPC’s public subnets:

The image shows an AWS Management Console screen displaying the subnets section of a VPC dashboard, listing two subnets with their details such as VPC ID, IPv4 CIDR, and availability zones.

  • web-us-east-1a: 10.0.201.0/24
  • web-us-east-1b: 10.0.202.0/24

These subnets host your web servers and route traffic through the Internet Gateway.

Step 1: Create Dedicated Subnets for the Load Balancer

Add two new public subnets—one in each AZ—for the ALB:

  1. In the VPC console, click Create Subnet.
  2. Configure:
  3. LB-us-east-1a: us-east-1a, 10.0.101.0/24
  4. LB-us-east-1b: us-east-1b, 10.0.102.0/24

The image shows a screenshot of the AWS Management Console, specifically the VPC (Virtual Private Cloud) setup page, where subnet settings are being configured. It includes fields for VPC ID, associated CIDRs, subnet name, availability zone, and IPv4 CIDR block.

After creation, verify you have four public subnets:

The image shows the AWS Management Console displaying the VPC dashboard with a list of subnets. A notification at the top indicates that a new subnet has been successfully created.

Step 2: Verify Public Subnet Configuration

Confirm each new subnet’s route table includes a default route (0.0.0.0/0) to the Internet Gateway—this makes the ALB internet-facing.

Select LB-us-east-1a (and LB-us-east-1b) to inspect its Route Table:

The image shows an AWS VPC Management Console displaying a list of subnets, with details of a selected subnet including its ID, state, and availability zone.

Step 3: Create the Application Load Balancer

  1. In the EC2 console, go to Load BalancersCreate Load BalancerApplication Load Balancer.
  2. Set:
  3. Name: web-lb
  4. Scheme: Internet-facing
  5. IP address type: IPv4
  6. VPC: demo
  7. Select subnets LB-us-east-1a and LB-us-east-1b.

The image shows a comparison of three types of AWS load balancers: Application Load Balancer, Network Load Balancer, and Gateway Load Balancer, each with a brief description and a "Create" button.

Configure the ALB network mapping:

The image shows a configuration page for creating an application load balancer in the AWS Management Console, with options for naming, scheme selection, IP address type, and network mapping.

Attach a security group allowing HTTP (80) and HTTPS (443):

The image shows a screenshot of the AWS Management Console, specifically the section for configuring security groups for a load balancer. It includes options to select or create security groups and displays a dropdown list of available groups.

Step 4: Configure Listener and Target Group

Listener

Add an HTTP listener on port 80:

The image shows an AWS Management Console interface for configuring a load balancer, including settings for security groups and listener routing with HTTP protocol on port 80.

Target Group

  1. Create a new target group:
  2. Target type: Instances
  3. Name: web-targets
  4. Protocol: HTTP
  5. Port: 80
  6. VPC: demo
  7. Health check path: /

The image shows a screenshot of the AWS Management Console, specifically the section for creating a target group for a load balancer. It includes options for setting the target group name, protocol, port, VPC, and protocol version.

  1. Register web-server-1 and web-server-2 on port 80:

The image shows an AWS Management Console interface, specifically the section for creating a target group for load balancing, with two instances listed as targets.

  1. Back in the ALB wizard, set web-targets as the default action for the HTTP listener:

The image shows an AWS Management Console interface for configuring listeners and routing for a load balancer, with options for HTTP and HTTPS protocols. It includes settings for ports, default actions, and listener tags.

  1. Review and create the ALB:

The image shows an AWS Management Console screen for configuring a load balancer, displaying sections for basic configuration, security groups, network mapping, and listeners and routing.

Step 5: Test the Load Balancer

Wait until the ALB status is active, then copy its DNS name:

The image shows an AWS EC2 Management Console displaying details of a load balancer named "web-lb," which is active and internet-facing, with information about its VPC, availability zones, and other settings.

From your terminal or browser:

bash theme={null} curl http://<load-balancer-dns-name>

Refreshing the request should alternate responses between server1 and server2, confirming traffic distribution.

Best Practice: Secure Your Web Servers

Currently, both web servers have public IPs:

The image shows an AWS EC2 Management Console with a list of instances, some running and some terminated. The user is searching for instances with the state "running."

To harden your architecture:

  1. Move web servers into private subnets.
  2. Keep the ALB in public subnets.
  3. Configure the web servers’ security group to accept traffic only from the ALB’s security group.

This ensures all external requests pass through the ALB, improving security and isolation.