Load Balancers — The Four ELBs
Distributing traffic across backends, taking dead servers out of rotation, and managing certificates in one place are needs of nearly every web service. AWS's answer is ELB (Elastic Load Balancing), which has grown four flavors over the years.
1. About the four ELBs
| Type | Released | Layer | Place |
|---|---|---|---|
| Classic LB (CLB) | 2009 | L4 + L7 (mixed) | Old standard. Not recommended for new builds. |
| Application LB (ALB) | 2016 | L7 (HTTP · gRPC · WebSocket) | HTTP-based workloads. |
| Network LB (NLB) | 2017 | L4 (TCP · UDP · TLS) | Very high throughput · static IP · non-HTTP. |
| Gateway LB (GWLB) | 2020 | L3 (IP packets) | Network appliances (firewalls · IDS). |
For new work, choose ALB or NLB.
2. L7 vs L4
L7 (Application Layer) — Parses and routes HTTP messages.
- Path-based routing (`/api/*` → A, `/static/*` → B).
- Host header-based routing.
- Cookies · query parameters.
- HTTPS termination (TLS termination).
- HTTP header handling (`X-Forwarded-For` · `X-Forwarded-Proto` · `X-Forwarded-Port` are added for the backend).
ALB sits here. Response time is generally a bit longer than L4 due to parsing.
L4 (Transport Layer) — Sees only TCP/UDP connections. No payload parsing.
- Very low latency · high throughput.
- Static IP (Elastic IP attachable).
- Client IP preservation (on by default; when it is off, PROXY protocol v2 can carry the client address inside the TCP stream instead).
- TLS termination is also possible (NLB's TLS listener, with an ACM certificate).
NLB sits here. Game servers · MQTT · gRPC direct exposure · socket servers.
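When an NLB is configured to send PROXY protocol v2, the backend has to strip and parse a binary header before it reads application data. The block below is an added example (not code from the original page or from AWS) that implements the v2 wire format: the 12-byte signature, version/command byte, address family, IPv4 or IPv6 address block, and the TLVs that follow, including the AWS vendor TLV (type 0xEA, subtype 0x01) that carries a PrivateLink VPC endpoint ID. The security-relevant part is `client_address`, which honours the header only when the TCP peer is one of the load balancer's own addresses; anyone else who can reach the port could otherwise forge a source address. `build_proxy_v2` exists only to construct sample input, and the NLB subnet `10.0.0.0/16` and the IPs used are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte magic that opens every v2 header
PP2_TYPE_AWS = 0xEA                       # vendor TLV emitted by NLB
PP2_SUBTYPE_AWS_VPCE_ID = 0x01            # subtype carrying the PrivateLink VPC endpoint ID


@dataclass
class ProxyHeader:
    command: str                   # "PROXY" (real connection) or "LOCAL" (proxy's own probe)
    src_ip: Optional[str] = None   # original client address as the NLB saw it
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    tlvs: Dict = field(default_factory=dict)
    header_len: int = 0            # bytes consumed; application data starts at this offset


def parse_proxy_v2(buf: bytes) -> ProxyHeader:
    """Parse a binary PROXY protocol v2 header from the start of buf."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    command = {0x0: "LOCAL", 0x1: "PROXY"}.get(ver_cmd & 0x0F)
    if command is None:
        raise ValueError("unknown command nibble")
    end = 16 + length
    if len(buf) < end:
        raise ValueError("truncated PROXY header")     # caller should read more first
    hdr = ProxyHeader(command=command, header_len=end)
    if command == "LOCAL":
        return hdr                                     # no address block is meaningful
    body = buf[16:end]
    family = fam_proto >> 4
    if family == 0x1:                                  # AF_INET: 4 + 4 + 2 + 2 bytes
        addr_len, fmt, cls = 12, "!4s4sHH", ipaddress.IPv4Address
    elif family == 0x2:                                # AF_INET6: 16 + 16 + 2 + 2 bytes
        addr_len, fmt, cls = 36, "!16s16sHH", ipaddress.IPv6Address
    else:
        raise ValueError("unsupported address family %d" % family)
    if len(body) < addr_len:
        raise ValueError("address block shorter than the declared family needs")
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    hdr.src_ip, hdr.dst_ip = str(cls(src)), str(cls(dst))
    hdr.src_port, hdr.dst_port = sport, dport
    pos = addr_len                                     # TLVs: type(1) length(2) value(length)
    while pos + 3 <= len(body):
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            hdr.tlvs["vpce_id"] = value[1:].decode("ascii")
        else:
            hdr.tlvs[tlv_type] = value
        pos += 3 + tlv_len
    return hdr


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                   vpce_id: Optional[str] = None) -> bytes:
    """Encode a v2 header; used here only to construct sample input (a real NLB sends it)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("mixed address families")
    fam_proto = 0x11 if src.version == 4 else 0x21     # INET / INET6, STREAM
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


def client_address(peer_ip: str, data: bytes,
                   trusted_proxy_nets: Iterable[str]) -> Tuple[str, Optional[int], bytes]:
    """Return (client_ip, client_port, payload).

    The PROXY header is honoured only when the TCP peer is one of the NLB's own addresses
    (assumed here to live in the trusted nets); for any other peer the bytes are plain data.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(n) for n in trusted_proxy_nets) and data.startswith(PP2_SIGNATURE):
        hdr = parse_proxy_v2(data)
        payload = data[hdr.header_len:]
        if hdr.command == "PROXY":
            return hdr.src_ip, hdr.src_port, payload
        return peer_ip, None, payload                  # LOCAL: the proxy itself is talking
    return peer_ip, None, data
```

In a real server the first `recv()` may return fewer than `header_len` bytes; the `truncated PROXY header` error is the signal to read more before retrying, not a reason to fall back to plain data.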
L3 (Network Layer) — Forwards IP packets unchanged so security appliances (firewalls · IDS · DPI) can inspect them. GWLB sits here. Uses Geneve tunneling.
3. Target Group
The bundle of backends behind an LB. Instances, IPs, or Lambdas in the same Target Group share a health check rule.
| Target type | Notes |
|---|---|
| EC2 instance | By EC2 ID |
| IP | Private IPs routable from the VPC (peered VPCs and on-prem over VPN/Direct Connect too). An RDS instance's IP changes on failover, so registering a database by IP is fragile. |
| Lambda | ALB only, registered by function ARN |
| ALB | NLB targeting an ALB (since 2021) |
ALB can hold multiple Target Groups under one LB and route via listener rules.
4. Health Check · Sticky Session
Health Check — Periodic checks against a path/port. Traffic only goes to healthy targets.
- HTTP: `/health` returns 200 (ALB's default matcher; widen it only if you mean to).
- TCP connection check (NLB default).
- Healthy after a threshold of consecutive successes; unhealthy after a threshold of consecutive failures.
The endpoint itself should be lightweight. Heavy health checks unintentionally create load.
Sticky Session — Sends the same client's follow-up requests to the same backend:
- ALB — Load-balancer-generated cookie (`AWSALB`) or application-based stickiness keyed on your own cookie.
- CLB — `AWSELB` cookie.
Only meaningful when session state lives in instance memory. With an external session store (Redis), stickiness is unnecessary.
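The health-check advice above (keep `/health` light, split deep checks out) as an added example, not code from the original page: a service that answers `/health` from in-process state only and exposes a separate `/health/deep` that really probes a dependency but caches the verdict, so several load balancer nodes probing every few seconds cannot turn into database load. The `deep_probe` callable, the 10-second cache TTL and the `ready` flag (cleared on shutdown so the LB drains the instance) are assumptions; the injectable clock is there so the caching can be exercised without sleeping.

```python
import threading
import time
from typing import Callable, Optional, Tuple


class HealthChecks:
    """/health answers from process state only (cheap; safe as the LB health-check path).
    /health/deep probes a dependency but caches the verdict for cache_ttl seconds."""

    def __init__(self, deep_probe: Callable[[], bool], cache_ttl: float = 10.0,
                 clock: Callable[[], float] = time.monotonic):
        self._probe = deep_probe        # hypothetical dependency check, e.g. SELECT 1 with a timeout
        self._ttl = cache_ttl
        self._clock = clock             # injectable for tests
        self._lock = threading.Lock()
        self._cached: Optional[Tuple[float, bool]] = None
        self.ready = True               # set False on SIGTERM so the LB drains the instance
        self.probe_calls = 0            # how often the dependency was really touched

    def handle(self, path: str) -> Tuple[int, str]:
        if path == "/health":
            return (200, "ok") if self.ready else (503, "draining")
        if path == "/health/deep":
            return (200, "ok") if self._deep_ok() else (503, "dependency failed")
        return (404, "not found")

    def _deep_ok(self) -> bool:
        now = self._clock()
        with self._lock:
            if self._cached is not None and now - self._cached[0] < self._ttl:
                return self._cached[1]            # recent verdict: do not touch the dependency
            try:
                ok = bool(self._probe())
            except Exception:                     # a failing probe is a failed check, not a crash
                ok = False
            self.probe_calls += 1
            self._cached = (now, ok)
            return ok


def serve(checks: HealthChecks, port: int = 8080) -> None:
    """Expose the checks over HTTP with the stdlib server (enough for a health port)."""
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = checks.handle(self.path)
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body.encode())

        def log_message(self, *args):             # keep probes out of the access log
            pass

    HTTPServer(("0.0.0.0", port), Handler).serve_forever()


if __name__ == "__main__":
    serve(HealthChecks(deep_probe=lambda: True))  # replace the lambda with a real dependency probe
```

Point the target group's health check at `/health`; `/health/deep` is for operators and alerting, where a cached answer a few seconds old is acceptable.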
5. X-Forwarded-For and client IP
ALB terminates the client connection (TLS or plain) and opens its own TCP connection to the backend, so the backend sees ALB's private IP as the source. ALB appends the client IP to `X-Forwarded-For` (its default `append` mode), which means the rightmost entry is the one ALB wrote; anything further left arrived from the client and can be forged. Read the entry by counting from the right by the number of proxies you trust, and trust the header at all only if the request could not have bypassed ALB (backend SG allows only ALB's SG). `X-Forwarded-Proto` tells the backend whether the client used HTTPS.
NLB preserves the client source IP by default, so the backend's security group must allow the client ranges rather than the NLB's addresses. Since 2023 an NLB can carry its own SG, and a backend SG can then reference it.
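How a backend should read those headers, as an added example that is not from the original page: `client_ip_from_xff` takes the entry `trusted_hops` from the right (ALB alone: 1; CloudFront in front of ALB: 2, since both append), and `resolve_client` consults forwarding headers only when the TCP peer is one of the load balancer's addresses, so a request that reached the instance directly is attributed to its peer address whatever it claims. The header names, the ALB subnet `10.0.0.0/16` and the sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def client_ip_from_xff(xff: Optional[str], trusted_hops: int = 1) -> Optional[str]:
    """Client IP as recorded by the first trusted proxy.

    ALB appends the address it accepted the connection from, so its entry is the rightmost.
    With N appending proxies in the chain the client is the N-th entry from the right;
    everything left of that was sent by the client and is untrusted.
    """
    if not xff or trusted_hops < 1:
        return None
    parts = [p.strip() for p in xff.split(",")]
    if len(parts) < trusted_hops:
        return None                       # fewer entries than our chain writes: not built by it
    try:
        return str(ipaddress.ip_address(parts[-trusted_hops]))
    except ValueError:
        return None                       # a proxy in our chain never writes junk here


def _from_trusted_peer(peer_ip: str, trusted_peer_nets: Iterable[str]) -> bool:
    """True when the TCP peer is one of the load balancer's addresses (assumed subnets)."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(n) for n in trusted_peer_nets)


def resolve_client(peer_ip: str, headers: Dict[str, str], trusted_peer_nets: Iterable[str],
                   trusted_hops: int = 1) -> str:
    """Address to use for logging, rate limiting and allow-lists.

    Forwarding headers count only when the request came through the load balancer; a request
    that reached the instance directly gets its peer address, whatever X-Forwarded-For says.
    """
    if not _from_trusted_peer(peer_ip, trusted_peer_nets):
        return peer_ip
    return client_ip_from_xff(headers.get("X-Forwarded-For"), trusted_hops) or peer_ip


def request_is_https(peer_ip: str, headers: Dict[str, str], trusted_peer_nets: Iterable[str]) -> bool:
    """X-Forwarded-Proto is meaningful only for requests that came through the load balancer."""
    if not _from_trusted_peer(peer_ip, trusted_peer_nets):
        return False
    return headers.get("X-Forwarded-Proto", "").lower() == "https"
```

If a CDN sits in front of the ALB, set `trusted_hops=2` and also lock the ALB down to the CDN's address ranges; otherwise an attacker who reaches the ALB directly controls the second entry from the right as well.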
6. ACM · TLS termination
aws acm request-certificate \
--domain-name example.com \
--subject-alternative-names www.example.com \
--validation-method DNS
Attach the certificate to an ALB (HTTPS listener) or an NLB (TLS listener) and let the backend speak plain HTTP. To encrypt the internal hop as well, give the backend its own certificate and either pass TLS through untouched (NLB TCP listener, so the backend terminates) or re-encrypt (ALB with an HTTPS target group). ALB does not validate the backend's certificate, so re-encryption protects the hop against eavesdropping but does not authenticate the backend; when end-to-end certificate validation matters, passthrough is the option.
7. Comparison with other LBs and proxies
| Tool | Category | Notes |
|---|---|---|
| HAProxy (2001) | LB | Very fast L4/L7. Self-hosted standard. |
| nginx (2004) | Reverse proxy + LB | Rich modules. Strong static files · cache. |
| traefik (2015) | Reverse proxy | Container-label-based dynamic config. |
| Caddy (2015) | Reverse proxy | Automatic HTTPS standard. |
| Envoy (2016) | Proxy | Service-mesh foundation. xDS API. |
| ALB · NLB · GWLB | Managed | AWS integration. Low operational burden. |
Decision factors:
- Operational burden — managed (ELB) vs self-hosted (HAProxy · nginx).
- Auto HTTPS — Caddy.
- Service mesh — Envoy + Istio · Linkerd.
- Container-label routing — traefik · Caddy + Docker.
8. ALB + Auto Scaling
Route 53 (Alias) → ALB → Target Group (Auto Scaling Group)
↓
N EC2 instances (with health checks)
When the ASG adds instances, they auto-register with the Target Group. Unhealthy ones get replaced.
NLB + static IP — When a firewall whitelists by static IP. ALB has variable IPs, so the same flow is hard (use Global Accelerator or NLB → ALB pattern).
ALB routing rule examples:
- Host: `api.example.com` AND Path: `/v1/*` → API Target Group
- Host: `web.example.com` → Web Target Group
- Path: `/admin/*` AND Cognito auth passes → Admin Target Group
Rules evaluate in ascending priority (priorities are unique) and the first match wins: its actions run, so when a matched rule's authenticate action fails the request is sent to the IdP rather than falling through to a later rule. Put the `/admin/*` rule ahead of the catch-all host rule or it never fires. The listener's default action handles everything unmatched.
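The priority semantics in working form, as an added example (not from the original page): a small evaluator with ALB's wildcard rules (`*` zero or more characters, `?` exactly one; hosts compared case-insensitively, paths case-sensitively), unique priorities, first match wins, an authenticate step modelled as an action that does not fall through, and a default action. The three rules come from the text; the priorities, target group names and the Cognito stand-in flag are assumptions, and `Listener` here is a model of the behaviour, not the AWS API.

```python
import re
from dataclasses import dataclass, field
from typing import List


def _pattern(glob: str, ignore_case: bool):
    """ALB wildcard semantics: '*' matches zero or more characters, '?' exactly one."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in glob]
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE if ignore_case else 0)


@dataclass
class Rule:
    priority: int                   # unique; rules are evaluated in ascending priority
    target_group: str               # forward target when the rule matches
    hosts: List[str] = field(default_factory=list)   # host-header condition (any may match)
    paths: List[str] = field(default_factory=list)   # path-pattern condition (any may match)
    require_auth: bool = False      # stand-in for an authenticate-cognito action before forward

    def matches(self, host: str, path: str) -> bool:
        if self.hosts and not any(_pattern(h, True).match(host) for h in self.hosts):
            return False            # host names compare case-insensitively
        if self.paths and not any(_pattern(p, False).match(path) for p in self.paths):
            return False            # path patterns are case-sensitive
        return True


class Listener:
    def __init__(self, rules: List[Rule], default_target_group: str):
        priorities = [r.priority for r in rules]
        if len(set(priorities)) != len(priorities):
            raise ValueError("rule priorities must be unique")
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default_target_group

    def route(self, host: str, path: str, authenticated: bool = False) -> str:
        host = re.sub(r":\d+$", "", host)          # Host may carry a port; match the name only
        for rule in self.rules:
            if rule.matches(host, path):
                if rule.require_auth and not authenticated:
                    return "authenticate-cognito"  # sent to the IdP; no fall-through to later rules
                return rule.target_group
        return self.default                        # listener default action


RULES = [   # the three rules from the text; priorities and target group names are assumptions
    Rule(priority=10, target_group="tg-admin", paths=["/admin/*"], require_auth=True),
    Rule(priority=20, target_group="tg-api", hosts=["api.example.com"], paths=["/v1/*"]),
    Rule(priority=30, target_group="tg-web", hosts=["web.example.com"]),
]
LISTENER = Listener(RULES, default_target_group="tg-default")

if __name__ == "__main__":
    print(LISTENER.route("web.example.com", "/admin/users", authenticated=True))
```

Two details worth checking against your own rules: `/v1/*` does not match `/v1` (the `*` needs the trailing slash to be present), and an admin rule placed after the catch-all host rule is silently shadowed.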
9. Common pitfalls
Idle timeout mismatch — ALB's idle timeout defaults to 60 seconds. If the backend's keep-alive timeout is shorter, the backend closes an idle connection that ALB still considers reusable, and the next request sent on it fails (typically surfacing as a 502). Set the backend's keep-alive timeout longer than ALB's idle timeout.
Heavy health-check paths — Health checks that probe down to the DB unintentionally drive cost. Keep /health light and split deep checks separately.
NLB without SG (older behavior) — Pre-2023 NLBs had no SG; 2023 added the SG option.
WebSocket idle timeout — Long quiet periods drop the connection. Add heartbeats or extend timeouts.
Backend HTTPS certificate — ALB does not validate the backend's certificate (self-signed or expired certificates are accepted), so a bad certificate is not why an HTTPS target fails; check for a protocol mismatch instead (HTTPS target group pointed at a plain-HTTP port, or a health check using the wrong protocol). The flip side is that re-encrypt gives confidentiality on the hop, not backend authentication.
ALB Host header — ALB forwards the client's Host header unchanged, so backend virtual hosts work as-is. If a CDN or another proxy in front of ALB rewrites Host to the origin's name, the backend's virtual host no longer matches; have that proxy carry the original name in a header (X-Forwarded-Host is the usual one) and make the backend read it.
Lingering CLB — Old CLB infrastructure misses new features. Migrate gradually to ALB.
Closing thoughts
90% of the time, the answer for an LB is ALB or self-hosted Caddy/nginx. NLB earns its place when there is a clear reason — static IP, very high throughput, or non-HTTP. CLB is no longer adopted in new infrastructure.
Next
- ecs-fargate
- localstack-and-ministack
References: ELB user guide · ALB routing rules · ACM · HAProxy · nginx · Envoy · traefik · PROXY protocol v2.