Elastic Load Balancer Documentation

Overview

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. Elastic Load Balancing offers four types of load balancers: Application Load Balancer, Network Load Balancer, Gateway Load Balancer, and Classic Load Balancer.

Application Load Balancer

Application Load Balancer operates at the request level (layer 7), routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request. Application Load Balancer helps to simplify and improve the security of your application using the latest SSL/TLS ciphers and protocols.
Layer-7 Load Balancing
You can load balance HTTP/HTTPS traffic to targets (Amazon EC2 instances, microservices, and containers) based on request attributes (such as X-Forwarded-For headers).
Security

When using Amazon Virtual Private Cloud (VPC), you can create and manage security groups associated with Elastic Load Balancing to provide additional networking and security options. You can configure an Application Load Balancer to be Internet facing or create a load balancer without public IP addresses to serve as an internal (non-internet-facing) load balancer.

 
Application Load Balancer supports Desync protections based on the http_desync_guardian library. With this feature, customers can improve the security of their applications against HTTP vulnerabilities. Customers can choose their level of tolerance to suspicious requests based on their application architecture.
Outposts Support
Application Load Balancer supports AWS Outposts. Customers can provision Application Load Balancers on supported instance types and the Application Load Balancer will auto scale up to the capacity available on the rack to meet varying levels of application load without manual intervention. Customers can also get notifications to help them navigate their load balancing related capacity needs. Customers can use the same AWS Console, APIs, and CLI to provision and manage Application Load Balancers on Outposts as they do today with Application Load Balancers in the Region.
HTTPS Support
An Application Load Balancer supports HTTPS termination between the clients and the load balancer. Application Load Balancers also offer management of SSL certificates through AWS Identity and Access Management (IAM) and AWS Certificate Manager for pre-defined security policies.
HTTP/2 and gRPC Support

HTTP/2 is a new version of the HyperText Transfer Protocol (HTTP) that uses a single, multiplexed connection to allow multiple requests to be sent on the same connection. It also compresses header data before sending it out in binary format and supports SSL connections to clients.

Application Load Balancer can route and load balance gRPC traffic between microservices or between gRPC enabled clients and services. This allows for the introduction of gRPC traffic management in the architectures without changing any of the underlying infrastructure on the customers’ clients or services. gRPC uses HTTP/2 for transport. It has features like binary serialization and support for numerous languages.
TLS Offloading
You can create an HTTPS listener, which uses encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions. Application Load Balancer supports client TLS session termination. This enables you to offload TLS termination tasks to the load balancer, while preserving the source IP address for your back-end applications. You can choose from predefined security policies for your TLS listeners to assist you in meeting certain compliance and security standards. AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) can be used to manage your server certificates.
 
You can use SNI to serve multiple secure websites using a single TLS listener. If the hostname provided by the client matches multiple certificates, the load balancer selects the certificate to use based on a smart selection algorithm.
Sticky Sessions
Sticky sessions are a mechanism to route requests from the same client to the same target. Application Load Balancers support both duration-based cookies and application-based cookies. Sticky sessions are enabled at the target group level. You can use a combination of duration-based stickiness, application-based stickiness, and no stickiness across all of your target groups.
Native IPv6 Support
Application Load Balancers support native Internet Protocol version 6 (IPv6) in a VPC. This will allow clients to connect to the Application Load Balancer via IPv4 or IPv6.
Request Tracing
The Application Load Balancer injects a new custom identifier “X-Amzn-Trace-Id” HTTP header on all requests coming into the load balancer. Request tracing allows you to track a request by its unique ID as it makes its way across various services that make up the bulk of traffic for your websites and distributed applications. You can use the unique trace identifier to help uncover performance or timing issues in your application stack at the granularity of an individual request.
Redirects
Application Load Balancer can redirect an incoming request from one URL to another URL. This includes the capability to redirect HTTP requests to HTTPS requests, which enables you to improve browsing security, while being able to achieve improved search ranking and SSL/TLS score for your site. You can also use redirects to send users to a different web site; for example, redirecting from an old version of an application to a new version.
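The Desync tolerance level, the predefined TLS security policies and the HTTP-to-HTTPS redirect described above can be checked together from exported settings. The following is an added example, not AWS code: the input dictionaries are constructed samples shaped like the output of the elbv2 describe-load-balancer-attributes and describe-listeners calls, and the set of policies treated as legacy is an assumption of this example. Only listener default actions are inspected, not per-rule actions.

```python
# Added example: offline audit of ALB settings (all sample data is constructed).
DESYNC_KEY = "routing.http.desync_mitigation_mode"
# Assumption: predefined policies treated as too weak because they allow TLS 1.0/1.1.
LEGACY_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}

def audit_desync(attributes):
    """Return findings for the desync tolerance level of one load balancer."""
    # "defensive" is the mode in effect when the attribute is absent.
    mode = {a["Key"]: a["Value"] for a in attributes}.get(DESYNC_KEY, "defensive")
    if mode == "monitor":
        return [f"{DESYNC_KEY}=monitor: suspicious requests are classified but still forwarded"]
    if mode not in ("defensive", "strictest"):
        return [f"{DESYNC_KEY}={mode}: unrecognised value"]
    return []

def redirects_to_https(listener):
    """True if a default action of the listener is a redirect to HTTPS."""
    return any(
        act.get("Type") == "redirect"
        and act.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for act in listener.get("DefaultActions", [])
    )

def audit_listeners(listeners):
    """Check default actions and TLS policies; per-rule actions are out of scope."""
    findings = []
    for lsn in listeners:
        port, proto = lsn["Port"], lsn["Protocol"]
        if proto == "HTTP" and not redirects_to_https(lsn):
            findings.append(f"listener {port}: HTTP default action does not redirect to HTTPS")
        if proto == "HTTPS" and lsn.get("SslPolicy") in LEGACY_TLS_POLICIES:
            findings.append(f"listener {port}: policy {lsn['SslPolicy']} allows TLS 1.0/1.1")
    return findings

def audit(attributes, listeners):
    """Combine load balancer attribute findings and listener findings."""
    return audit_desync(attributes) + audit_listeners(listeners)

# Constructed inputs: a weak configuration beside a hardened one.
WEAK_ATTRS = [{"Key": DESYNC_KEY, "Value": "monitor"}]
WEAK_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "forward"}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward"}]},
]
HARDENED_ATTRS = [{"Key": DESYNC_KEY, "Value": "strictest"}]
HARDENED_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{
        "Type": "redirect",
        "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward"}]},
]

if __name__ == "__main__":
    for finding in audit(WEAK_ATTRS, WEAK_LISTENERS):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED_ATTRS, HARDENED_LISTENERS))
```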
Fixed Response
Application Load Balancer can control which client requests are served by your applications. This enables you to respond to incoming requests with HTTP error response codes and custom error messages from the load balancer itself, without forwarding the request to the application.
WebSockets Support
WebSockets allows a server to exchange real-time messages with end-users without the end users having to request (or poll) the server for an update. The WebSockets protocol provides bi-directional communication channels between a client and a server over a long-running TCP connection.
Server Name Indication (SNI)
Server Name Indication (SNI) is an extension to the TLS protocol by which a client indicates the hostname to connect to at the start of the TLS handshake. The load balancer can present multiple certificates through the same listener, which enables it to support multiple websites using a single listener. Application Load Balancers also support a smart certificate selection algorithm with SNI. If the hostname indicated by a client matches multiple certificates, the load balancer determines the certificate to use based on multiple factors including the capabilities of the client.
IP addresses as Targets
You can load balance applications hosted in AWS or on-premises using IP addresses of the application backends as targets. This allows load balancing to an application backend hosted on an IP address or interface on an instance. Each application hosted on the same instance can have an associated security group and use the same port. You can also use IP addresses as targets to load balance applications hosted in on-premises locations (over a Direct Connect or VPN connection), peered VPCs and EC2-Classic (using ClassicLink). The ability to load balance across AWS and on-premises resources helps you migrate-to-cloud, burst-to-cloud or failover-to-cloud.
Lambda functions as Targets

Application Load Balancers support invoking Lambda functions to serve HTTP(S) requests enabling users to access serverless applications from HTTP clients, including web browsers. You can register Lambda functions as targets for a load balancer and leverage the support for content-based routing rules to route requests to different Lambda functions. You can use an Application Load Balancer as a common HTTP endpoint for applications that use servers and serverless computing.

Content-based Routing

If your application is composed of several individual services, an Application Load Balancer can route a request to a service based on the content of the request such as Host field, Path URL, HTTP header, HTTP method, Query string or Source IP address.

Host-based Routing: You can route a client request based on the Host field of the HTTP header allowing you to route to multiple domains from the same load balancer.

Path-based Routing: You can route a client request based on the URL path of the HTTP header.

HTTP header-based routing: You can route a client request based on the value of a standard or custom HTTP header.

HTTP method-based routing: You can route a client request based on a standard or custom HTTP method.

Query string parameter-based routing: You can route a client request based on a query string or query parameters.

Source IP address CIDR-based routing: You can route a client request based on the source IP address CIDR from where the request originates.

Containerized Application Support

Application Load Balancer provides container support by load balancing across multiple ports on a single Amazon EC2 instance. ECS allows you to specify a dynamic port in the ECS task definition, giving the container an unused port when it is scheduled on the EC2 instance. The ECS scheduler adds the task to the load balancer using this port.

Web Application Firewall
You can use AWS WAF to protect your web applications on your Application Load Balancers. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Slow Start Mode with Load-Balancing Algorithm
Application Load Balancer supports a round-robin load-balancing algorithm. Additionally, Application Load Balancer supports a slow start mode with the round-robin algorithm that allows you to add new targets without overwhelming them with a flood of requests. With the slow start mode, targets warm up before accepting their fair share of requests based on a ramp-up period that you specify. Slow start is useful for applications that depend on cache and need a warm-up period before being able to respond to requests with optimal performance.
User Authentication

You can offload the authentication functionality from your apps into Application Load Balancer. Application Load Balancer will authenticate users as they access cloud applications. Application Load Balancer is integrated with Amazon Cognito, which allows end users to authenticate through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory via SAML or any OpenID Connect-compliant identity provider (IdP). If you have a custom IdP solution that is OpenID Connect-compatible, Application Load Balancer can also authenticate enterprise users by directly connecting with your identity provider.

Network Load Balancer

Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Network Load Balancer is capable of handling millions of requests per second while maintaining low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).
Connection-based Layer 4 Load Balancing
You can load balance both TCP and UDP traffic, routing connections to targets (Amazon EC2 instances, microservices, and containers).
TLS Offloading
Network Load Balancer supports client TLS session termination. This enables you to offload TLS termination tasks to the load balancer, while preserving the source IP address for your back-end applications. You can choose from predefined security policies for your TLS listeners to assist you in meeting certain compliance and security standards. AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) can be used to manage your server certificates.
 
You can use SNI to serve multiple websites using a single TLS listener. If the hostname provided by the client matches multiple certificates, the load balancer selects the certificate to use based on a smart selection algorithm.
Sticky Sessions
Sticky sessions (source IP affinity) are a mechanism to route requests from the same client to the same target. Stickiness is defined at the target group level.
Low Latency
Network Load Balancer offers low latencies for latency-sensitive applications.
Preserve source IP address
Network Load Balancer preserves the client side source IP allowing the back-end to see the IP address of the client. This can then be used by applications for further processing.
Static IP support
Network Load Balancer automatically provides a static IP per Availability Zone (subnet) that can be used by applications as the front-end IP of the load balancer.
Elastic IP support
Network Load Balancer also allows you the option to assign an Elastic IP per Availability Zone (subnet) thereby providing your own fixed IP.
DNS Fail-over
If there are no healthy targets registered with the Network Load Balancer or if the Network Load Balancer nodes in a given zone are unhealthy, then Amazon Route 53 will direct traffic to load balancer nodes in other Availability Zones.
Integration with Amazon Route 53
In the event that your Network Load Balancer is unresponsive, integration with Route 53 will remove the unavailable load balancer IP address from service and direct traffic to an alternate Network Load Balancer in another region.
Integration with AWS Services
Network Load Balancer is integrated with other AWS services such as Auto Scaling, Elastic Container Service (ECS), CloudFormation, Elastic BeanStalk, CloudWatch, Config, CloudTrail, CodeDeploy, and AWS Certificate Manager (ACM).
Long-lived TCP Connections
Network Load Balancer supports long-lived TCP connections.
Central API Support

Network Load Balancer uses the same API as Application Load Balancer. This will enable you to work with target groups, health checks, and load balance across multiple ports on the same Amazon EC2 instance to support containerized applications.

Zonal Isolation
The Network Load Balancer is designed for application architectures in a single zone. If something in the Availability Zone fails, Network Load Balancer will fail-over to other healthy Availability Zones. While we recommend customers configure the load balancer and targets in multiple AZs for achieving high availability, Network Load Balancer can be enabled in a single Availability Zone to support architectures that require zonal isolation.

Gateway Load Balancer

Gateway Load Balancer helps you to deploy, scale, and manage your third-party virtual appliances. It gives you one gateway for distributing traffic across multiple virtual appliances, while scaling them up, or down, based on demand. This helps to remove potential points of failure in your network and increases availability.

You can find, test, and buy virtual appliances from third-party vendors directly in AWS Marketplace. This integrated experience assists you in the deployment process.

 
Scale your virtual appliance instances automatically
 
Gateway Load Balancer works with AWS Auto Scaling groups and lets you set target utilization levels for your virtual appliance instances. This helps you set the optimal amount of resources for your use case. When traffic increases, additional instances are created and connected to the Gateway Load Balancer. When traffic returns to normal levels, those instances are terminated.
 
Bring higher-availability to your third-party virtual appliances
 
Gateway Load Balancer helps improve availability and reliability by routing traffic flows through healthy virtual appliances, and rerouting flows when a virtual appliance becomes unhealthy. Gateway Load Balancer runs health checks on each virtual appliance instance on a configurable cadence. If the number of consecutive failed tests exceeds a set threshold, the appliance will be declared unhealthy and traffic will no longer be routed to that instance.
 
Monitor continuous health and performance metrics
 
You can monitor your Gateway Load Balancer using CloudWatch per Availability Zone metrics. These include the total number of ENIs/interfaces, IP addresses of ENIs/interfaces, number of packets in/out, number of bytes in/out, packet errors, and packet drops, load balancer metrics (such as the number of target appliance instances, target health status, healthy/unhealthy target count, current number of active flows, max flows, and processed bytes), and VPC Endpoint metrics (such as the number of Gateway Load Balancer Endpoint mappings).
 
Simplify deployment with AWS Marketplace
 
Deploying a new virtual appliance can be as simple as selecting it in AWS Marketplace. This further simplifies deployment.
 
Ensure private connectivity over the AWS network using Gateway Load Balancer Endpoints
 
Used by Gateway Load Balancer to connect to sources and destinations of network traffic, Gateway Load Balancer Endpoints are a new type of VPC endpoint. Powered by PrivateLink technology, it connects Internet Gateways, VPCs, and other network resources over a private connection.

Classic Load Balancer

Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that are built within the EC2-Classic network.
Layer 4 or Layer 7 Load Balancing
You can load balance HTTP/HTTPS applications and use Layer 7-specific features, such as X-Forwarded and sticky sessions. You can also use strict Layer 4 load balancing for applications that rely purely on the TCP protocol.
SSL Offloading
Classic Load Balancer supports SSL termination, including offloading SSL decryption from application instances, centralized management of SSL certificates, and encryption to back-end instances with optional public key authentication. Flexible cipher support allows you to control the ciphers and protocols the load balancer presents to clients.
IPv6 Support
Classic Load Balancer supports the use of both the Internet Protocol version 4 and 6 (IPv4 and IPv6) for EC2-Classic networks.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.