AWS Application Load Balancer (ALB) introduction


Application Load Balancer

This type of load balancer operates at Layer 7 (the application layer) of the OSI model. It is called an application load balancer because it can evaluate complex routing logic based on the contents of the HTTP request, rather than just network-level metadata such as IP addresses and ports.

How does ALB work?

After receiving a request, the load balancer evaluates the configured listener rules (a list of rules in priority order) and determines which rule to apply. It then selects a target from the target group named in that rule's action.

The default routing algorithm is round-robin.

Routing requests to different target groups

ALB is a great fit for microservices and container-based applications (Docker, Amazon ECS).

It has a port mapping feature to redirect HTTP requests to a dynamic port in ECS.

It focuses on application-level traffic, so it supports application-specific use cases like WebSockets, HTTP/2, path-based, and host-based routing, which are essential for modern applications.

The ALB is responsible for routing traffic based on URL paths to 2 independent microservices

Target groups

The ALB can route to target groups made up of the following target types:

  • EC2 instances
  • ECS tasks
  • Lambda functions
  • IP addresses (private IP)

ALB can route to multiple target groups, and the health checks are at the target group level.

An example of routing based on the query string

More information

ALB has a fixed hostname (xxx.region.elb.amazonaws.com)

The application servers can get the IP of the client via the X-Forwarded-For header.

We can also get the port (X-Forwarded-Port) and the protocol (X-Forwarded-Proto).
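The following added example (not part of the original article) shows how an application behind a single ALB can read these headers without trusting values supplied by the caller. It assumes the ALB is in its default mode, where it appends the connecting client's address to any X-Forwarded-For value already present, so only the rightmost entry is reliable; the function names and sample header values are constructed for illustration.

```python
import ipaddress

def client_ip_from_xff(header_value, trusted_hops=1):
    """Return the client address recorded by the outermost trusted proxy.

    trusted_hops: number of proxies you operate that append to the header
    (assumption: 1, a single ALB in append mode). Entries further left were
    supplied by the caller and can hold anything.
    """
    if not header_value or trusted_hops < 1:
        return None
    entries = [e.strip() for e in header_value.split(",")]
    if len(entries) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(entries[-trusted_hops]))
    except ValueError:
        return None  # not a bare IP address: refuse to guess

def forwarded_context(headers, trusted_hops=1):
    """Validate the three X-Forwarded-* headers (names assumed in this exact case)."""
    proto = headers.get("X-Forwarded-Proto", "").lower()
    port = headers.get("X-Forwarded-Port", "")
    valid_port = port.isascii() and port.isdigit() and 0 < int(port) < 65536
    return {
        "client_ip": client_ip_from_xff(headers.get("X-Forwarded-For"), trusted_hops),
        "proto": proto if proto in ("http", "https") else None,
        "port": int(port) if valid_port else None,
    }

# Constructed sample: the caller sent "X-Forwarded-For: 10.0.0.1" and
# connected from 203.0.113.7, which the ALB appended.
SAMPLE = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.7",
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Port": "80",
}

if __name__ == "__main__":
    print(forwarded_context(SAMPLE))
```

The rightmost entry is only trustworthy when the instances accept traffic solely from the load balancer, which is what the security group change in the advanced practice below enforces.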

Practice

Launch 2 EC2 instances

Both instances must use the same security group, which allows HTTP and SSH traffic from any IP (for learning purposes; not recommended in production).

In Advanced Details -> User data, paste the following script:

#!/bin/bash
# Install and start Apache, and enable it at boot
sudo yum update -y
sudo yum install -y httpd
sudo systemctl start httpd
sudo systemctl enable httpd
# Serve a page that shows which instance answered the request
echo "<h1> Hello world $(hostname -f)</h1>" | sudo tee /var/www/html/index.html

Launch the two instances.

Access them via their public IP in your browser, for example (in my case): http://54.206.90.12

You can see the "Hello world" text. If your browser keeps loading, check whether your security group was set up properly. If you cannot see the "Hello world" text, connect to these instances using EC2 Instance Connect and run the User data script manually.


Now we want to use a single URL to reach these instances and balance the load between them.

Create a load balancer

Choose Create Application Load Balancer

Choose the default VPC and select all the AZs

Create a new security group for the load balancer

Allow all HTTP traffic in both the inbound and outbound rules, and then create the security group.

Now in the Create ALB screen, choose the recently created security group

In Listeners and routing, choose Create target group to create a target group.

In the Specify group details step, I will leave all options at their defaults.

In step 2, register two EC2 instances that we recently created

Back on the Create ALB screen, select the recently created target group

Then create the load balancer.

Wait for its state to change to active.

Then copy the DNS name, and paste it into the browser.

As you can see, we can connect to our EC2 instance through the ALB DNS name.

If we refresh a few more times, we can see the IP change, indicating that the traffic is load-balanced across our two EC2 instances.


We can check whether the target group is healthy or not by going to EC2 -> Target Group

If I stop an instance, the health status of that instance will no longer be healthy, and the response comes only from the healthy instance.

Advanced practice with ALB

Set up a security group for the EC2 instances to allow only traffic from the ALB.

Now we want our two EC2 instances to be accessible only from the load balancer. How do we do that?

Change the security group inbound rules of these instances

In the security group of the EC2 instances, choose the ALB security group as the source of the inbound rule. Now I cannot access the instances directly anymore.

However, if I use the ALB URL, I can still get the response from the EC2 instances.
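One way to confirm the result of this change, as an added example that is not part of the original article: the function below lists every source that can still reach port 80 on the instances without going through the ALB. It takes one security group in the shape returned by the EC2 DescribeSecurityGroups API; the group IDs and the BEFORE/AFTER rule sets are constructed sample data.

```python
def non_alb_sources(instance_sg, alb_sg_id, port=80):
    """List every source allowed to reach `port` that is not the ALB security group.

    instance_sg is one entry of the "SecurityGroups" list from
    DescribeSecurityGroups. An empty result means the port is reachable
    only through the load balancer.
    """
    sources = []
    for perm in instance_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers = True  # "-1" means all protocols and all ports
        elif proto == "tcp":
            covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            covers = False
        if not covers:
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        sources += [g.get("GroupId") for g in perm.get("UserIdGroupPairs", [])
                    if g.get("GroupId") != alb_sg_id]
    return sources

ALB_SG = "sg-alb-placeholder"  # constructed ID, not a real group

def _rule(port, cidrs=(), groups=()):
    # Helper that builds one constructed IpPermissions entry for a TCP port
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed: the learning setup (HTTP and SSH open to any IP) ...
BEFORE = {"GroupId": "sg-instances-placeholder",
          "IpPermissions": [_rule(80, cidrs=["0.0.0.0/0"]), _rule(22, cidrs=["0.0.0.0/0"])]}
# ... and the same group after HTTP is restricted to the ALB security group.
AFTER = {"GroupId": "sg-instances-placeholder",
         "IpPermissions": [_rule(80, groups=[ALB_SG]), _rule(22, cidrs=["0.0.0.0/0"])]}

if __name__ == "__main__":
    print("before:", non_alb_sources(BEFORE, ALB_SG))
    print("after: ", non_alb_sources(AFTER, ALB_SG))
```

Calling it with `port=22` on the AFTER sample still reports `0.0.0.0/0`, because the constructed sample leaves the SSH rule from the learning setup in place.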

Set up listener rules

Go to the ALB info -> listener info -> Add rule

In step 2, I will create a new Path condition with the value '/ec2instances'

In step 3, choose redirect to URL and enter the YouTube URL in the Full URL field

In step 4, I will set the priority to 1; a lower number means a higher priority.

And then create the rule.

After creating the rule, put the /youtube path after the ALB URL in the browser address bar, and we will automatically be redirected to the YouTube home page.
