Elastic Load Balancer

TLDR

AWS family of load balancers, used to spread and control traffic to a vertically scaled infrastructure.

Features

  • Server which forwards traffic to other services (e.g., EC2).
  • Spread load.
  • Exposes a single DNS name for the whole clustered application.
  • Seamlessly handles failures.
  • Health checks.
  • Provides HTTPS to instances.
  • Enforces stickiness with cookies.
  • Highly available across zones.
  • Separates public traffic from private traffic.
  • Can be set up as internal (private) or external (public).

General

  • Managed by AWS.

Compatible services

Health checks

  • port and route

Classic Load Balancer (Deprecated)

  • HTTP, HTTPS (layer 7), TCP (layer 4), SSL
  • deprecated
  • health checks TCP or HTTP based
  • fixed hostname

Application Load Balancer (ALB)

  • HTTP, HTTPS, WebSocket (layer 7).
  • Needs target groups.
  • Can be used to target different containers on the same machine.
  • Good for ECS and Docker.
  • port mapping feature
  • fixed hostname
  • App servers don't see the client IP directly:
    • It is forwarded in the "X-Forwarded-For" header.
    • "X-Forwarded-Port": original port.
    • "X-Forwarded-Proto": original client protocol.
  • Cannot attach an Elastic IP.
  • Cross-AZ load balancing enabled by default.
  • Supports redirects (e.g., from HTTP to HTTPS).
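Added example (not from the original notes) of how a target behind an ALB should recover the client address from the X-Forwarded-* headers: the ALB appends the connecting IP as the right-most X-Forwarded-For entry, so any entries further left were supplied by the client and must not be trusted. The header values are constructed, and `trusted_hops` is a hypothetical parameter for the number of proxies you control in front of the target (1 for an ALB alone, 2 with CloudFront in front of the ALB).

```python
from ipaddress import ip_address
from typing import Optional

# Constructed headers as a target might receive them from an ALB. The
# left-most X-Forwarded-For entry was sent by the client itself; the ALB
# appended the address it actually saw (198.51.100.7) on the right.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.9, 198.51.100.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}


def client_ip_from_alb(headers: dict, trusted_hops: int = 1) -> Optional[str]:
    """Return the client IP as observed by the trusted proxy chain.

    trusted_hops (hypothetical parameter) is the number of proxies under
    your control that each append one entry (1 = ALB only, 2 = CloudFront
    then ALB). Count that many entries from the right; everything further
    left is client-controlled and is ignored.
    """
    raw = headers.get("X-Forwarded-For", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if trusted_hops < 1 or len(entries) < trusted_hops:
        return None
    candidate = entries[-trusted_hops]
    try:
        return str(ip_address(candidate))  # rejects garbage, normalises the form
    except ValueError:
        return None


def original_request_origin(headers: dict) -> Optional[str]:
    """Rebuild '<proto>://<client-ip>:<port>' from the X-Forwarded-* headers."""
    ip = client_ip_from_alb(headers)
    proto = headers.get("X-Forwarded-Proto", "").lower()
    port = headers.get("X-Forwarded-Port", "")
    if ip is None or proto not in ("http", "https") or not port.isdigit():
        return None
    return f"{proto}://{ip}:{port}"
```
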

Target groups

  • EC2 Instances
  • ECS Tasks
  • Lambda functions
  • Private IP Addresses

Routing

  • based on path
  • based on hostname
  • based on query


Network Load Balancer (NLB)

  • TCP, TLS, UDP (Layer 4).
  • High performance, millions of requests per second.
  • Lower latency: 100 ms vs. 400 ms for ALB.
  • One static IP per AZ.
  • Supports Elastic IP.
  • Health checks with TCP, HTTP or HTTPS.
  • Cross AZ load balancing is disabled by default.

Target Groups

  • EC2 Instances
  • Private IP Addresses
  • Application Load Balancer (ALB)

Gateway Load Balancer (GLB)

  • IP Protocol (layer 3, network).
  • Support only TCP & UDP.
  • Locked to single region.
  • Deploy, scale and manage a fleet of 3rd-party network virtual appliances.
    • Examples: firewalls, intrusion detection, deep packet inspection, payload manipulation.
  • GENEVE protocol on port 6081.

Functions

  • Transparent network gateway: single entry/exit point for all traffic.
  • Load balancer: distributes traffic to your appliance (inspection) machines.

Target Groups

  • EC2 Instances
  • Private IPs

Security

Sticky Session

  • By default, requests are spread across targets.
  • Can cause unpredictable behavior when the traffic pattern shifts very quickly.
  • Can be enabled for ELB (CLB and ALB).
  • Controlled via a cookie set by the ELB.
  • Might bring imbalance to the nodes.
  • Duration between 1 second and 7 days.

Application Based Cookies

Custom cookie

  • Generated by the target.
  • Can include any custom attributes.
  • Cookie name is set in the target group.
  • Don't use the following names; they are reserved for use by ELB:
    • AWSALB
    • AWSALBAPP
    • AWSALBTG

Application cookie

  • Generated by ELB.
  • Cookie name is AWSALBAPP.

Duration Based Cookies

  • Generated by ELB.
  • Name AWSALB, or AWSELB for CLB.

Cross AZ Load Balancing

  • Enabled: distributes evenly across all instances in all AZs.
  • Not enabled: distributes evenly across AZs, not across instances (each AZ gets an equal share regardless of how many instances it has).
  • ALB: always enabled, no extra cost.
  • NLB & GLB: disabled by default, costs extra when enabled.
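Added example (not from the original notes) that works out what the cross-AZ setting does to per-instance load for an uneven fleet. The fleet sizes are constructed; with the setting off, an AZ holding few instances ends up with each of them carrying several times the load of instances in a larger AZ.

```python
def per_instance_share(instances_per_az: dict, cross_az_enabled: bool) -> dict:
    """Fraction of total traffic a single instance in each AZ receives.

    Cross-AZ on: every registered instance gets an equal share of all traffic.
    Cross-AZ off: each AZ first gets an equal share, and that share is then
    split among the instances inside that AZ.
    """
    total_instances = sum(instances_per_az.values())
    az_count = len(instances_per_az)
    shares = {}
    for az, count in instances_per_az.items():
        if count == 0:
            shares[az] = 0.0                      # nothing to route to in this AZ
        elif cross_az_enabled:
            shares[az] = 1.0 / total_instances
        else:
            shares[az] = (1.0 / az_count) / count
    return shares


def imbalance_ratio(shares: dict) -> float:
    """Load of the busiest instance divided by the least busy one (1.0 = balanced)."""
    nonzero = [s for s in shares.values() if s > 0]
    return max(nonzero) / min(nonzero)


# Constructed fleet: 2 instances in AZ "a", 8 in AZ "b".
FLEET = {"a": 2, "b": 8}

if __name__ == "__main__":
    for enabled in (True, False):
        shares = per_instance_share(FLEET, enabled)
        print(f"cross-AZ {'on ' if enabled else 'off'}: {shares} "
              f"imbalance x{imbalance_ratio(shares):.2f}")
```
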

SSL/ TLS

  • ELB uses X.509 certificates.
  • SSL allows traffic between clients and load balancers to be encrypted in transit (in-flight encryption).
  • Can use AWS Certificate Manager (utils/ACM).
  • Can upload own certificates.
  • Required for an HTTPS listener.
  • Can add multiple certificates to support multiple domains.
  • Can modify the security policy to support older versions of SSL.

SNI (Server Name Indication)

  • Clients use this to specify the hostname they want to reach.
  • Allows loading multiple certificates on one web server, so multiple HTTPS websites can be served from one server.
  • Client indicates the hostname of the target server in the initial handshake.
  • Only for ALB, NLB or AWS CloudFront.

CLB

  • only one SSL cert.
  • Must use multiple CLB if multiple domains via HTTPS.

ALB

  • multiple listeners with multi SSL certs
  • SNI.

NLB

  • multiple listeners, multi certs.
  • SNI.
  • Used for routing TCP traffic (e.g., SSH)

Connection Draining/ Deregistration Delay

  • Time given to complete in-flight requests while an instance is being de-registered from the ELB.
  • Between 0 and 3,600 seconds; default is 300 (5 minutes). Acts as a graceful shutdown period.
  • Use a low value if requests are short.


Launch Template

  • AMI
  • Instance Type
  • EC2 User Data
  • Security Group
  • SSH Key Pair
  • IAM Roles for the EC2
  • Network and Subnets information
  • ELB Information
  • Min/max size
  • Scaling policies

CloudWatch Alarms

  • Monitor a metric and scale out or in.

Scaling Policies

Cooldown period

  • After a scaling activity, no other scaling can be done for a period.
  • Default 300 seconds (5 minutes).
  • Allows metrics to stabilize.
  • Use pre-built AMIs to launch instances faster and use a shorter cooldown period.

Good Metrics To Check

  • CPU Utilization
  • Request Count per Target
  • Average network I/O
  • Any custom metric via CloudWatch

Dynamic Scaling

Target Tracking

  • e.g., "I want CPU to stay around 50%".
  • No cooldown period.

Simple / Step Scaling

  • e.g., when CPU > 70% add 2 units; when CPU < 10% remove 2 units.

Scheduled Actions

  • Based on time.
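Added example (not from the original notes) that simulates the step policy above together with the cooldown period and the min/max size from the launch template: it shows why an instance that is still booting during cooldown does not trigger a second scale-out. The class and function names are hypothetical and the thresholds, cooldown and size bounds are the page's own numbers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScalingState:
    desired: int
    min_size: int
    max_size: int
    cooldown_s: int = 300               # default cooldown from the notes
    last_scale_at: Optional[float] = None


def evaluate_step_policy(state: ScalingState, cpu_percent: float, now_s: float) -> int:
    """Apply the step policy 'CPU > 70% -> +2, CPU < 10% -> -2'.

    Returns the (possibly unchanged) desired capacity. The result is clamped
    to [min_size, max_size], and while the cooldown is active the alarm is
    ignored so that metrics from the last change can stabilise.
    """
    if cpu_percent > 70:
        delta = 2
    elif cpu_percent < 10:
        delta = -2
    else:
        return state.desired            # inside the neutral band: no action

    if state.last_scale_at is not None and now_s - state.last_scale_at < state.cooldown_s:
        return state.desired            # cooldown active: wait for metrics to settle

    target = max(state.min_size, min(state.max_size, state.desired + delta))
    if target != state.desired:
        state.desired = target
        state.last_scale_at = now_s     # cooldown starts only on an actual change
    return state.desired


if __name__ == "__main__":
    asg = ScalingState(desired=4, min_size=2, max_size=6)
    for t, cpu in [(0, 85), (100, 90), (400, 5), (500, 5), (800, 5), (1200, 3)]:
        print(f"t={t:>4}s cpu={cpu:>2}% -> desired={evaluate_step_policy(asg, cpu, t)}")
```
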

Predictive Scaling

  • Analyzes historical load.
  • Uses ML.
  • Hands-off approach.