AWS Elastic Load Balancer

Introduction

• Are servers that forward traffic to multiple servers.
• Is managed service
• Can integrate with many AWS services: EC2, ASG, ECS, ACM, CloudWatch, Route 53, WAF, Global Accelerator

Heath check

? Health Checks are crucial for Load Balancers

? They enable the load balancer to know if the instances it forwards traffic to are available to reply to requests

? The health check is done on a port and a route (health is common)

? If the response is not 200 (OK), then the instance is unhealthy

Types

• Clasic Load balancer: support HTTP, HTTPS, TCP, SSL
• Application Load Balancer: HTTP, HTTPS, Websocket.
• Network Load Balancer: TCP, TLS, UDP
• Gateway Load Balancer: Operate at layer 3 (Network Layer)

=> Recommend using newer generation LB as they provide more features.

• Some LBs can be set up as internal or external ELBs.

Application Load Balancer

• Layer 7 (HTTP)
• Load balancing to multiple HTTP applications across machines (target groups)
• Load balancing to multiple applications on the same machine (containers)
• Support HTTP/2 and Websocket.
• Support redirects (from HTTP to HTTPS)

Type of routing

• Path-based routing
• Host-based routing
• Routing based on query string and headers
• Has port mapping feature to direct to dynamic port in ECS

Target group types:

• EC2 instances
• ECS tasks
• Lambda functions - HTTP request is translated into JSON event.
• IP addresses - must be private
• ALB can route to multiple target groups
• Health checks are at the target group level.

Point to know

• Fixed hostname
• The application servers don't see the IP of the client directly
• The true IP of the client is inserted in the header X-Forwarded-For
• We can also get the Port by X-Forwarded-Port and proto X-Forwarded-Proto

Network Load Balancer

• Network load balancers (Layer 4) allow to forward TCP & UDP traffic to your instance.
• Handle millions of requests per second.
• Less latency ~100 ms (~400 ms for ALB)
• NLB has one static IP per AZ and supports assigning EIP (helpful for whitelisting specific IP).
• NLB is used for extreme performance, TCP or UDP traffic.
• Not included in AWS Free Tier

Price is based on:

• $0.0225 per Load Balancer hour (or partial hour)
• $0.006 per NLCU-hour (or partial hour)
• $0.006 per NAT Gateway hour (or partial hour)
• $0.01 per Elastic IP address associated with a Network Load Balancer per hour (or partial hour)

Target groups

• EC2 instances
• IP Addresses must be private IPs
• Application Load Balancers

Gateway Load Balancer

• Operate at layer 3 (Network Layer)
• Deploy and manage a fleet of 3rd party network virtual appliances in AWS
• Examples: Firewalls, Intrusion Detection Systems, Deep Packet Inspection systems, payload

Target groups

• EC2 instances
• IP addresses must be private IPs

Sticky sessions

• The same client is always redirected to the same instance behind a load balancer.
• This works for Classic Load Balancers and Application Load Balancers, and Network Load Balancers.
• The "cookie" is used to track the instance that has an expiration date to control.

Application-based cookies

• Custom cookie
• Application generates cookies
• It can include any custom attribute required by the application.
• The cookie name must be specified for each target group
• Don't use AWSALB, AWSALBAPP, or AWSALBTG they are reserved and used by ELB.
• Application cookie
• Generated by the load balancer.
• Cookie name is AWSALBAPP

Duration-based cookies

• The cookie is generated by the load balancer.
• Cookie name is AWSALB for ALB, AWSELB for ELB

To enable a sticky session, we need to enable it in the target group.

The steps are as follows:

1. Create a target group
2. Edit the target group
3. Select Action on the target group then Edit attributes
4. Enable the sticky session

Cross-zone Load Balancing

• By default, the load balancer will distribute traffic evenly across all registered instances in all AZs.
• It is possible to enable or disable cross-zone load balancing.
• This is done at the target group level.

Application Load Balancer

• This feature is enabled by default. This can enabled at ALB or target group level.
• No charges for inter-AZ data. By default, you will be charged for data transfer between AZs.

Network Load Balancer & Gateway Load Balancer

• This feature is disabled by default. This can be enabled at the target group level.
• You pay charges for inter-AZ data transfer.

Classic Load Balancer

• Disabled by default
• No charges for inter AZ data if enabled.

SSL/TLS

• Allows traffic between your clients and your LB to be encrypted in transit(in-flight).
• SSL refers to Secure Socket Layer, used to secure the connection between the client and the server.
• TLS refers to Transport Layer Security, the successor of SSL.
• Nowadays, TLS certificates are used for encryption. but people still refer as SSL.
• Public SSL certificates are issued by Certificate Authorities (CA) like Let's Encrypt, Digicert, GoDaddy, etc.
• SSL certificates have an expiration date and must be renewed.

• The load balancer uses X.509 certificate
• You can manage certificatte using ACM (AWS Certificate Manager)

HTTP listener:

• You must specify a default certificate
• You can add an optional list of certs to support multiple domains.
• Clients can use SNI to specify the hostname they reach.

SNI - Server Name Indication

• SNI solves the problem of loading multiple SSL certificates onto one webserver(serve multiple websites)
• It's a new protocol that allows the client to specify the hostname it's trying to connect to at the start of the handshake process.
• The server can then determine which certificate to use for the connection.
• SNI is an extension to the TLS protocol.
• SNI is now widely supported by web browsers and servers.
• ALB, NLB supports multiple listeners with multiple SSL certificates. Use SNI to make it works
• CLB supports one certificate.

Connection Draining

• The connection drain is rename to Deregistration Delay
• Connection draining ensures that the load balancer will complete in-flight requests made to instances that are deregistering or unhealthy.
• Time to complete the in-flight request before deregistering the instance.
• Stops sending new requests to the instance.
• The duration can be set between 1 and 3600 seconds. Default is 300 seconds.
• You can set this value to 0 to disable it.