# Elastic Load Balancing (ELB)
## What Is Elastic Load Balancing (ELB)?
Elastic Load Balancing (ELB) is AWS’s managed traffic distribution service.
It distributes traffic across multiple targets to improve:
- availability
- scalability
- resilience
- fault tolerance
ELB routes traffic to:
- EC2
- containers
- IP targets
- Lambda
Think of ELB as:
Intelligent traffic distribution and application entry point.
## Why It Matters for Security
ELB helps organizations:
- reduce single points of failure
- centralize ingress
- terminate TLS
- protect backend systems
- improve availability
Security teams use ELB for:
- secure application publishing
- traffic control
- DDoS resilience
- controlled exposure
## Core Concepts
- load balancing
- target groups
- health checks
- traffic distribution
- TLS termination
- application availability
## Important Integrations
### Amazon EC2
Common target for:
- applications
- backend services
### Auto Scaling
Pattern:
ELB
↓
Auto Scaling
↓
Elastic Capacity
Very important architecture pattern.
### AWS WAF
Supported with:
- ALB
Provides:
- Layer 7 protection
### AWS Shield
Provides:
- DDoS protection
Shield Standard included.
### AWS Certificate Manager (ACM)
Provides:
- TLS certificates
### Amazon ECS / EKS
Supports:
- container ingress
### AWS Global Accelerator
Supports:
- global acceleration
### Amazon Cognito / OIDC
Supports:
- ALB native authentication
Very important modernization capability.
## ELB Types
### Application Load Balancer (ALB)
Layer:
Layer 7
Protocols:
- HTTP
- HTTPS
- WebSockets
- gRPC
Features:
- host routing
- path routing
- WAF integration
- Lambda targets
- native authentication
Use for:
- applications
- APIs
### Network Load Balancer (NLB)
Layer:
Layer 4
Protocols:
- TCP
- UDP
- TLS
Features:
- static IP
- source IP preservation
- ultra-low latency
- Security Groups
Use for:
- high performance
- non-HTTP workloads
### Gateway Load Balancer (GWLB)
Layer:
Layer 3–4
Features:
- transparent inspection
- appliance scaling
- GENEVE encapsulation
Use for:
- IDS
- IPS
- firewalls
Very important Security Specialty topic.
### Classic Load Balancer (CLB)
Legacy.
Rarely recommended.
## Security Features
### Health Checks
ELB monitors:
- targets
- availability
Traffic goes only to:
- healthy targets
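To make the routing rule concrete, here is an added simulation (my own code, not AWS's) of how a target group gates traffic on health-check results: a target is admitted only after a run of consecutive passing checks, dropped after a run of consecutive failures, and, when no target is healthy at all, the load balancer fails open and spreads requests across every registered target. The threshold values and the check log are constructed for the demo.

```python
"""Added example (not AWS code): how ELB health checks gate routing.

Models the documented behaviour of a target group: a target receives
traffic only after `healthy_threshold` consecutive passing checks, is
taken out of rotation after `unhealthy_threshold` consecutive failures,
and if no target is healthy the load balancer fails open and routes to
all registered targets. Thresholds here are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Target:
    target_id: str
    status: str = "initial"      # initial -> healthy / unhealthy
    consecutive_ok: int = 0
    consecutive_fail: int = 0


@dataclass
class TargetGroup:
    healthy_threshold: int = 3
    unhealthy_threshold: int = 2
    targets: dict = field(default_factory=dict)
    rr_index: int = 0

    def register(self, target_id: str) -> None:
        self.targets[target_id] = Target(target_id)

    def record_check(self, target_id: str, passed: bool) -> str:
        """Apply one health-check result and return the target's new status."""
        t = self.targets[target_id]
        if passed:
            t.consecutive_ok += 1
            t.consecutive_fail = 0
            if t.consecutive_ok >= self.healthy_threshold:
                t.status = "healthy"
        else:
            t.consecutive_fail += 1
            t.consecutive_ok = 0
            if t.consecutive_fail >= self.unhealthy_threshold:
                t.status = "unhealthy"
        return t.status

    def routable(self) -> list:
        """Targets that may receive traffic right now."""
        healthy = [tid for tid, t in self.targets.items() if t.status == "healthy"]
        if healthy:
            return healthy
        # Fail-open: with no healthy target, ELB spreads requests over all targets
        return list(self.targets)

    def select(self) -> str:
        """Round-robin over the routable set."""
        pool = self.routable()
        chosen = pool[self.rr_index % len(pool)]
        self.rr_index += 1
        return chosen


def simulate(check_log) -> list:
    """Replay a constructed list of (target_id, passed) results; return final routable set."""
    tg = TargetGroup(healthy_threshold=3, unhealthy_threshold=2)
    for target_id, passed in check_log:
        if target_id not in tg.targets:
            tg.register(target_id)
        tg.record_check(target_id, passed)
    return sorted(tg.routable())


if __name__ == "__main__":
    # Constructed log: i-a passes 3 checks, i-b passes 3 then fails twice
    log = [("i-a", True), ("i-b", True)] * 3 + [("i-b", False), ("i-b", False)]
    print(simulate(log))   # ['i-a']
```

The fail-open branch is the part worth remembering for incident response: a misconfigured health check that fails everywhere does not black-hole traffic, it sends it to every target, including the ones that are genuinely broken.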
### TLS Termination
Pattern:
User
↓ HTTPS
ELB
↓ HTTP/HTTPS
Backend
Benefits:
- centralized certificates
- simplified operations
### Internal vs Internet-Facing
Internet:
Internet
↓
ELB
↓
Application
Internal:
Internal
↓
ELB
↓
Backend
Very important distinction.
### Target Groups
Routes traffic using:
→ Target Groups
Supports:
- EC2
- IP
- Lambda
Very important identity.
## Advanced Security and Operational Concepts
### NLB Security Groups (Modern Trap)
Historically:
No Security Groups
Modern capability:
NLB
↓
Security Groups Supported
Traffic filtering can occur at:
- NLB
- backend SG
- NACL
Very important modernization.
### Native Authentication on ALB
ALB supports:
- Amazon Cognito
- OIDC
Pattern:
User
↓
Authenticate
↓
ALB
↓
Application
Useful for:
- legacy apps
- centralized auth
Very important architecture capability.
### Server Name Indication (SNI)
Supports:
- ALB
- NLB
Allows:
Single Listener
↓
Multiple Certificates
↓
Multiple Domains
Examples:
app1.example.com
app2.example.com
Very important TLS optimization.
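As an added example (my own code, not AWS's), the function below models which certificate an SNI-capable listener hands to a client: an exact hostname match wins, a wildcard certificate (one label, leftmost position only) matches next, and a client that sends no SNI or an unmatched name gets the listener's default certificate. The certificate list, the convention that its first entry is the default, and the hostnames are constructed for the demo.

```python
"""Added example (not AWS code): which certificate an SNI listener serves.

Rule modelled: exact SAN match beats wildcard; a wildcard covers exactly one
leftmost label; no SNI or no match falls back to the default certificate.
The convention that listener_certs[0] is the default is an assumption of
this model, as are the certificate ids and names.
"""
from typing import Optional


def matches(san: str, hostname: str) -> bool:
    """True if a certificate SAN covers the hostname (exact or single-label wildcard)."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(sep) and head != "" and tail == san[2:]
    return False


def select_certificate(listener_certs: list, sni_hostname: Optional[str]) -> str:
    """listener_certs: [(cert_id, [san, ...]), ...]; entry 0 is the default."""
    default_cert = listener_certs[0][0]
    if not sni_hostname:
        return default_cert             # client without SNI: default certificate
    wildcard_hit = None
    for cert_id, names in listener_certs:
        for name in names:
            if not matches(name, sni_hostname):
                continue
            if not name.startswith("*."):
                return cert_id          # exact match wins immediately
            wildcard_hit = wildcard_hit or cert_id
    return wildcard_hit or default_cert


# Constructed certificate list for the two hostnames used on this page
LISTENER_CERTS = [
    ("cert-default", ["default.example.net"]),
    ("cert-app1", ["app1.example.com"]),
    ("cert-wild", ["*.example.com"]),
]

if __name__ == "__main__":
    for host in ["app1.example.com", "app2.example.com", "deep.app2.example.com", None]:
        print(host, "->", select_certificate(LISTENER_CERTS, host))
```

The default-certificate fallback is the case to audit: a client that offers no SNI (old tooling, some scanners) is served the default certificate, so the default should be the one you are happy to present to anyone.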
### Cross-Zone Load Balancing
#### ALB
Default:
Enabled
Managed automatically.
#### NLB
Default:
Disabled
Must enable.
#### GWLB
Default:
Disabled
Tradeoff:
| Cross-zone enabled | Cross-zone disabled |
|---|---|
| balanced across all targets in all AZs | cheaper |
| cross-AZ data transfer | traffic stays in its AZ, reduced transfer |
Very important operational nuance.
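The tradeoff is easiest to see with numbers, so here is an added calculation (my own code, not AWS's). It assumes the documented model: DNS spreads client traffic evenly across the load balancer's AZ nodes, a node forwards only within its own AZ when cross-zone is disabled, and across every registered target when it is enabled. The AZ layout (2 targets in one AZ, 8 in another) is constructed.

```python
"""Added example (not AWS code): per-target traffic share with and without
cross-zone load balancing, and how much traffic crosses an AZ boundary.

Model assumed: each AZ node gets an equal share of requests; with cross-zone
disabled a node only uses targets in its AZ; with it enabled every
registered target gets an equal share regardless of AZ.
"""


def per_target_share(targets_per_az: dict, cross_zone: bool) -> dict:
    """Fraction of total traffic each target receives, keyed 'az-index'."""
    shares = {}
    total = sum(targets_per_az.values())
    node_share = 1.0 / len(targets_per_az)          # equal traffic per AZ node
    for az, count in targets_per_az.items():
        for i in range(count):
            if cross_zone:
                shares[f"{az}-{i}"] = 1.0 / total   # every target equal
            else:
                shares[f"{az}-{i}"] = node_share / count
    return shares


def cross_az_fraction(targets_per_az: dict, cross_zone: bool) -> float:
    """Fraction of requests that leave the AZ they entered (the transfer cost)."""
    if not cross_zone:
        return 0.0
    total = sum(targets_per_az.values())
    node_share = 1.0 / len(targets_per_az)
    # A node sends (1 - own_targets/total) of its traffic to other AZs
    return sum(node_share * (1 - n / total) for n in targets_per_az.values())


def imbalance(shares: dict) -> float:
    """Busiest target load divided by least-busy target load; 1.0 is perfect."""
    return max(shares.values()) / min(shares.values())


# Constructed layout: a small AZ and a large AZ behind the same load balancer
LAYOUT = {"az-a": 2, "az-b": 8}

if __name__ == "__main__":
    for enabled in (False, True):
        shares = per_target_share(LAYOUT, enabled)
        print(f"cross_zone={enabled}: imbalance={imbalance(shares):.2f} "
              f"cross_az={cross_az_fraction(LAYOUT, enabled):.0%}")
```

With cross-zone disabled each target in the small AZ carries four times the load of a target in the large AZ; enabling it evens that out at the price of half of all requests crossing an AZ boundary, which is the transfer the table's "cheaper" column refers to.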
### Sticky Sessions
Supports:
- session affinity
Useful for:
- legacy applications
### Deregistration Delay
Pattern:
Remove Target
↓
Drain Connections
↓
Terminate
Useful for:
- deployments
- Auto Scaling
### Preserve Client Identity
ALB:
X-Forwarded-For
NLB:
Original Source IP
Very important investigations topic.
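For the investigations angle, here is an added example (my own code, not AWS's) of reading the client address correctly on the backend. An ALB appends the IP of the peer that connected to it to X-Forwarded-For, so the rightmost entry is the only one the ALB wrote; everything to its left came from the client or from upstream proxies and can be forged. Behind an NLB the TCP peer address is the client itself. The `trusted_hops` parameter is an assumption for the deployment (the number of known proxies, such as a CDN, in front of the ALB); the header values are constructed.

```python
"""Added example (not AWS code): recovering the real client IP behind an ALB.

ALB appends the connecting peer's IP to X-Forwarded-For, so only the
rightmost entry is trustworthy. Entries to its left are attacker-controlled
input. `trusted_hops` (assumed per deployment) says how many known proxies
sit between the client and the ALB.
"""
import ipaddress
from typing import Optional


def client_ip_from_xff(xff: Optional[str], trusted_hops: int = 0) -> Optional[str]:
    """Pick the client IP out of X-Forwarded-For as seen by the backend.

    trusted_hops=0: ALB spoke to the client directly -> rightmost entry.
    trusted_hops=1: one trusted proxy in front of the ALB -> next entry left.
    Returns None if the header is missing, too short, or not a valid IP.
    """
    if not xff:
        return None
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    index = len(hops) - 1 - trusted_hops
    if index < 0:
        return None   # fewer hops than trusted proxies: tampering or misconfiguration
    try:
        return str(ipaddress.ip_address(hops[index]))
    except ValueError:
        return None   # garbage in the header; never log it as an IP


def source_for_logging(headers: dict, peer_ip: str, lb_type: str,
                       trusted_hops: int = 0) -> str:
    """The address an investigator should treat as the client, per LB type.

    NLB preserves the source IP, so the TCP peer is the client; ALB replaces
    it with its own address and records the client in X-Forwarded-For.
    """
    if lb_type == "NLB":
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    ip = client_ip_from_xff(lowered.get("x-forwarded-for"), trusted_hops)
    return ip if ip else "unknown"


if __name__ == "__main__":
    # Constructed header: client injected a fake first hop, ALB appended the real peer
    forged = {"X-Forwarded-For": "10.0.0.1, 198.51.100.9"}
    print(source_for_logging(forged, "10.1.2.3", "ALB"))      # 198.51.100.9
    print(source_for_logging({}, "198.51.100.9", "NLB"))      # 198.51.100.9
```

The leftmost-entry mistake is the common one: code that takes `hops[0]` lets a client choose what address ends up in the audit log.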
### TLS End-to-End Encryption
Need compliance?
User
↓ HTTPS
ELB
↓ HTTPS
Backend
Very common exam requirement.
### GWLB and GENEVE
GWLB uses:
GENEVE
Port 6081
Purpose:
- encapsulation
- transparent inspection
- appliance scaling
Pattern:
Traffic
↓
GWLB
↓
GENEVE
↓
Firewall
Very important Security Specialty keyword.
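To show what "GENEVE on port 6081" actually carries, here is an added decoder (my own code, not AWS's) for the header a GWLB puts in front of every packet it hands to an appliance. The base header layout follows RFC 8926. The AWS option class 0x0108 and the meaning of its types (1: GWLBE ENI id, 2: attachment id, 3: flow cookie) are as published in the GWLB documentation but should be treated as an assumption to re-check against the current docs. The sample packet is constructed with the encoder in the same block.

```python
"""Added example (not AWS code): decode the GENEVE (RFC 8926) header that a
GWLB prepends to traffic sent to an appliance on UDP port 6081.

Base header: ver(2) optlen(6) | O C rsvd(6) | protocol(16) | VNI(24) rsvd(8).
Each option: class(16) | type(8, high bit = critical) | rsvd(3) len(5) | data.
AWS option class 0x0108 and its type names are an assumption taken from the
GWLB docs; verify against the current documentation.
"""
import struct

GENEVE_PORT = 6081
AWS_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}


def parse_geneve(pkt: bytes) -> dict:
    """Parse a GENEVE header; return fields, options and the inner-packet offset."""
    if len(pkt) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_word = struct.unpack("!BBHI", pkt[:8])
    version = b0 >> 6
    opt_len = (b0 & 0x3F) * 4                # option length is in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    end = 8 + opt_len
    if len(pkt) < end:
        raise ValueError("truncated GENEVE options")
    options, pos = [], 8
    while pos < end:
        cls, typ, lenbyte = struct.unpack("!HBB", pkt[pos:pos + 4])
        data_len = (lenbyte & 0x1F) * 4
        value = pkt[pos + 4:pos + 4 + data_len]
        if len(value) != data_len or pos + 4 + data_len > end:
            raise ValueError("truncated GENEVE option")
        opt_type = typ & 0x7F
        options.append({
            "class": cls,
            "type": opt_type,
            "critical": bool(typ & 0x80),
            "name": AWS_OPTION_NAMES.get(opt_type, "unknown") if cls == AWS_OPTION_CLASS else "unknown",
            "value": value,
        })
        pos += 4 + data_len
    return {
        "version": version,
        "oam": bool(b1 & 0x80),
        "critical_present": bool(b1 & 0x40),
        "protocol": proto,                    # 0x0800 IPv4, 0x86DD IPv6
        "vni": vni_word >> 8,
        "options": options,
        "payload_offset": end,                # where the inner IP packet starts
    }


def flow_cookie(pkt: bytes):
    """Return the AWS flow cookie as an int if present, else None."""
    for opt in parse_geneve(pkt)["options"]:
        if opt["class"] == AWS_OPTION_CLASS and opt["type"] == 3 and len(opt["value"]) == 4:
            return struct.unpack("!I", opt["value"])[0]
    return None


def build_geneve(options: list, payload: bytes, proto: int = 0x0800, vni: int = 0) -> bytes:
    """Encode a header; used here only to construct the sample packet."""
    body = b""
    for cls, typ, value in options:
        if len(value) % 4:
            raise ValueError("option data must be a multiple of 4 bytes")
        body += struct.pack("!HBB", cls, typ, len(value) // 4) + value
    flags = 0x40 if any(typ & 0x80 for _, typ, _ in options) else 0
    return struct.pack("!BBHI", len(body) // 4, flags, proto, vni << 8) + body + payload


def appliance_return(pkt: bytes, allow: bool):
    """A transparent appliance returns the packet with its GENEVE header intact so
    GWLB can map it back to the flow; a drop verdict returns nothing."""
    return pkt if allow else None


# Constructed sample: two AWS options and a stub inner IPv4 header
SAMPLE = build_geneve(
    [(AWS_OPTION_CLASS, 1, b"\x00\x00\x00\x00\xde\xad\xbe\xef"),
     (AWS_OPTION_CLASS, 3, b"\x12\x34\x56\x78")],
    payload=b"\x45" + b"\x00" * 19,
)

if __name__ == "__main__":
    hdr = parse_geneve(SAMPLE)
    print([(o["name"], o["value"].hex()) for o in hdr["options"]], hdr["payload_offset"])
```

The decoder is what a detection engineer would reach for when a packet capture on an appliance shows only UDP/6081: the inner packet begins at `payload_offset`, and the flow cookie is the key that ties request and return packets to one flow.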
## Architecture Example
### Secure Authenticated Application
```mermaid
flowchart LR
USER[Users]
ALB[Application Load Balancer]
AUTH[Cognito / OIDC]
WAF[AWS WAF]
ASG[Auto Scaling]
APP1[EC2]
APP2[EC2]
USER --> ALB
ALB --> AUTH
AUTH --> WAF
WAF --> ASG
ASG --> APP1
ASG --> APP2
classDef edge fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
class USER,ALB edge;
class AUTH,WAF,ASG,APP1,APP2 security;
```
Use case: secure authenticated application delivery.
### Traffic Distribution Workflow
```mermaid
sequenceDiagram
autonumber
participant USER
participant ELB
participant TG
participant TARGET
USER->>ELB: Request
ELB->>TG: Select target
TG->>TARGET: Forward
TARGET-->>USER: Response
```
### Health Check Workflow
```mermaid
sequenceDiagram
autonumber
participant ELB
participant TARGET
ELB->>TARGET: Health check
alt Healthy
TARGET-->>ELB: Healthy
else Failed
ELB-->>TARGET: Remove
end
```
### Authentication Workflow
```mermaid
sequenceDiagram
autonumber
participant USER
participant ALB
participant IDP
participant APP
USER->>ALB: Request
ALB->>IDP: Authenticate
IDP-->>ALB: Token
ALB->>APP: Forward
APP-->>USER: Response
```
## ALB vs NLB vs GWLB
| Service | Layer | Best For |
|---|---|---|
| ALB | 7 | HTTP |
| NLB | 4 | TCP/UDP |
| GWLB | 3–4 | Appliances |
## ELB vs API Gateway
| ELB | API Gateway |
|---|---|
| balancing | API management |
## ELB vs CloudFront
| ELB | CloudFront |
|---|---|
| regional | global |
| routing | CDN |
## Common Exam Traps
### Trap 1 — WAF Uses ALB
Need WAF?
→ ALB
### Trap 2 — NLB Preserves Source IP
Need client identity?
→ NLB
### Trap 3 — GWLB Means GENEVE
GENEVE:
→ GWLB
### Trap 4 — NLB Supports Security Groups
Modern capability.
### Trap 5 — Need Authentication Without Code
→ ALB + Cognito
### Trap 6 — TLS Termination ≠ End-to-End Encryption
Need backend TLS.
### Trap 7 — Health Checks Control Routing
Only healthy targets receive traffic.
### Trap 8 — Cross-Zone Defaults
ALB:
→ Enabled
NLB/GWLB:
→ Disabled
## 5-Second Recall
### Identity
ELB = intelligent traffic distribution
### Keywords
If the scenario mentions:
- load balancing
- target groups
- health checks
- TLS termination
Answer:
→ Elastic Load Balancing
### Need HTTP Routing?
→ ALB
### Need Static IP?
→ NLB
### Need Security Appliances?
→ GWLB
### Need Authentication?
→ ALB + Cognito
### Need Multiple Certificates?
→ SNI
## Quick Revision Notes
- load balancing
- target groups
- health checks
- ALB
- NLB
- GWLB
- WAF
- SNI
- GENEVE
- Cognito auth
- sticky sessions
- preserve source IP
- TLS termination
- cross-zone balancing