Load Balancers — The Four ELBs

Published 2026-04-28 · Updated 2026-05-18


Distributing traffic across backends, removing dead servers, and managing certificates from a single place are needs shared by nearly every web service. AWS's answer is ELB (Elastic Load Balancing), which has appeared in four flavors released at different times.

1. About the four ELBs

Type                  Released  Layer                         Use
Classic LB (CLB)      2009      L4 + L7 (mixed)               Old standard. Not recommended for new builds.
Application LB (ALB)  2016      L7 (HTTP · gRPC · WebSocket)  HTTP-based workloads.
Network LB (NLB)      2017      L4 (TCP · UDP · TLS)          Very high throughput · static IP · non-HTTP.
Gateway LB (GWLB)     2020      L3 (IP packets)               Network appliances (firewalls · IDS).

For new work, choose ALB or NLB.

2. L7 vs L4

L7 (Application Layer) — Parses and routes HTTP messages.

  • Path-based routing (/api/* → A, /static/* → B).
  • Host header-based.
  • Cookies · query parameters.
  • HTTPS termination (TLS termination).
  • HTTP header transforms (X-Forwarded-For · X-Forwarded-Proto).

ALB sits here. Response time is generally a bit longer than L4 due to parsing.

L4 (Transport Layer) — Sees only TCP/UDP connections. No payload parsing.

  • Very low latency · high throughput.
  • Static IP (Elastic IP attachable).
  • Client IP preservation (with the Proxy Protocol option).
  • TLS termination is also possible (NLB's TLS listener).

NLB sits here. Typical workloads: game servers · MQTT · gRPC exposed directly · socket servers.
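The L4 item "Client IP preservation (with the Proxy Protocol option)" depends on the backend parsing the PROXY protocol v2 header that the NLB prepends to each TCP stream. The following is an added example (my own code, not from this post or from AWS) that parses that binary header for IPv4 and IPv6 and refuses any stream that does not start with it; the sample endpoints and the build_pp2_header helper used to construct input are assumptions for the demonstration. The point a defender should take from it: enable PROXY protocol parsing only on a listener that is reachable solely from the NLB, because any peer that can open a raw TCP connection to the port can write a header of its own.

```python
import ipaddress
import struct

# PROXY protocol v2 fixed 12-byte signature (from the HAProxy specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_pp2_header(src_ip, dst_ip, src_port, dst_port):
    """Construct a v2 PROXY header for TCP, as a load balancer would emit it.
    Used here only to build sample input; in production the NLB writes it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    fam_proto = 0x11 if src.version == 4 else 0x21  # INET+STREAM / INET6+STREAM
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(addrs)) + addrs


def parse_pp2_header(data):
    """Parse the PROXY v2 header that must lead the TCP stream.

    Returns (info, remaining_bytes). info is None for a LOCAL command (the
    proxy's own health-check connection) and otherwise a dict with the original
    client and destination endpoints. Anything malformed raises ValueError so
    the caller drops the connection instead of guessing at the client address.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    (length,) = struct.unpack("!H", data[14:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0x0:  # LOCAL: connection originated by the proxy itself
        return None, rest
    if command != 0x1:  # PROXY
        raise ValueError("unknown PROXY v2 command")
    family = fam_proto >> 4
    if family == 0x1:  # AF_INET: two 4-byte addresses, two 16-bit ports
        if len(body) < 12:
            raise ValueError("short IPv4 address block")
        src_ip = str(ipaddress.IPv4Address(body[0:4]))
        dst_ip = str(ipaddress.IPv4Address(body[4:8]))
        src_port, dst_port = struct.unpack("!HH", body[8:12])
        tlvs = body[12:]
    elif family == 0x2:  # AF_INET6: two 16-byte addresses, two 16-bit ports
        if len(body) < 36:
            raise ValueError("short IPv6 address block")
        src_ip = str(ipaddress.IPv6Address(body[0:16]))
        dst_ip = str(ipaddress.IPv6Address(body[16:32]))
        src_port, dst_port = struct.unpack("!HH", body[32:36])
        tlvs = body[36:]
    else:
        raise ValueError("unsupported address family")
    # NLB appends vendor TLVs (such as the VPC endpoint ID) after the addresses;
    # this example only reports how many bytes of TLVs followed.
    info = {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "tlv_bytes": len(tlvs)}
    return info, rest


def has_valid_pp2(data):
    """True if the stream starts with a parseable PROXY v2 header."""
    try:
        parse_pp2_header(data)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample: client 203.0.113.7 reaching backend 10.0.1.5:443."""
    stream = build_pp2_header("203.0.113.7", "10.0.1.5", 51234, 443) + b"GET / HTTP/1.1\r\n"
    return parse_pp2_header(stream)


if __name__ == "__main__":
    print(demo())
```

The parser deliberately fails closed: a stream without the signature is rejected rather than treated as a plain connection, which is what you want on a port that only the NLB should reach.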

L3 (Network Layer) — Forwards IP packets unchanged so security appliances (firewalls · IDS · DPI) can inspect them. GWLB sits here. Uses Geneve tunneling.

3. Target Group

The bundle of backends behind an LB. Instances, IPs, or Lambdas in the same Target Group share a health check rule.

Target type   Notes
EC2 instance  Registered by instance ID
IP            Any IP in the VPC (RDS too)
Lambda        ALB only, registered by function ARN
ALB           NLB targeting an ALB (since 2021)

ALB can hold multiple Target Groups under one LB and route via listener rules.

4. Health Check · Sticky Session

Health Check — Periodic checks against a path/port. Traffic only goes to healthy targets.

  • Verify HTTP /health returns 200.
  • TCP connection check (NLB default).
  • Healthy after a threshold of consecutive successes.

The endpoint itself should be lightweight. Heavy health checks unintentionally create load.
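To make the threshold rule concrete, here is an added example (mine, not the post's) that models a target's health state the way a target group does, then shows which targets still receive traffic. The threshold defaults of 5 and 2 are ALB's documented defaults; the class and function names and the probe sequence are constructed for this demonstration.

```python
from typing import List, Optional


class TargetHealth:
    """Tracks one target the way an ELB target group does.

    A target becomes 'healthy' only after healthy_threshold consecutive passes
    and 'unhealthy' only after unhealthy_threshold consecutive failures, so a
    single blip in either direction does not flap traffic. It starts in
    'initial', meaning it has not yet been routed to.
    """

    def __init__(self, name: str, healthy_threshold: int = 5, unhealthy_threshold: int = 2):
        self.name = name
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self.state = "initial"
        self._streak = 0                   # length of the current run of identical results
        self._last: Optional[bool] = None  # result that the current run consists of

    def record(self, passed: bool) -> str:
        """Feed one probe result and return the resulting state."""
        if passed == self._last:
            self._streak += 1
        else:
            self._streak, self._last = 1, passed
        if passed and self._streak >= self.healthy_threshold:
            self.state = "healthy"
        elif not passed and self._streak >= self.unhealthy_threshold:
            self.state = "unhealthy"
        return self.state


def simulate(results: List[bool], healthy_threshold: int = 3, unhealthy_threshold: int = 2) -> List[str]:
    """Replay a constructed sequence of probe results; return the state after each."""
    target = TargetHealth("i-example", healthy_threshold, unhealthy_threshold)
    return [target.record(r) for r in results]


def routable_targets(targets: List[TargetHealth]) -> List[str]:
    """Names the LB would send traffic to.

    ALB 'fails open': if no registered target is healthy it routes to all of
    them, so a broken health check quietly turns into 'send everything to every
    box'. Targets still in 'initial' are treated as not healthy here."""
    healthy = [t.name for t in targets if t.state == "healthy"]
    return healthy or [t.name for t in targets]


def demo_fail_open():
    """Two targets with thresholds 3/2: first only 'a' is healthy, then both fail."""
    a, b = TargetHealth("a", 3, 2), TargetHealth("b", 3, 2)
    for _ in range(3):
        a.record(True)
        b.record(False)
    only_a = routable_targets([a, b])
    for _ in range(2):
        a.record(False)
    everyone = routable_targets([a, b])
    return only_a, everyone


if __name__ == "__main__":
    print(simulate([True, True, False, True, True, True, False, False]))
    print(demo_fail_open())
```

The fail-open case is the one to watch in monitoring: an alarm on "all targets unhealthy" matters more than one on any single target, because the LB will keep forwarding regardless.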

Sticky Session — Sends the same client's follow-up requests to the same backend:

  • ALB — Self-issued cookie (AWSALB) or application cookie.
  • CLB — AWSELB cookie.

Only meaningful when session state lives in instance memory. With an external session store (Redis), stickiness is unnecessary.

5. X-Forwarded-For and client IP

ALB terminates TLS and creates a new TCP connection to the backend. From the backend's perspective, the source IP is ALB's. The client IP is added in X-Forwarded-For.

NLB preserves the source IP by default, so the backend's security group rules are now evaluated against the client IP directly (NLB gained its own SG option in 2023).
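The security-relevant part of X-Forwarded-For is that the client controls everything it sends in that header; only the address the ALB appends on the right is trustworthy. The following added example (not from the post) recovers the client IP by walking the header from the right and skipping the proxies you operate. The trusted CIDR, peer addresses and header values are constructed sample input. It also covers the NLB preserved-source-IP case, where the peer itself is the client and the header must be ignored.

```python
import ipaddress


def client_ip_from_xff(xff_header, peer_ip, trusted_proxies):
    """Recover the client IP from X-Forwarded-For without trusting the client.

    Each proxy appends the address it saw, so the header reads
    'client, proxy1, proxy2'. The leftmost entries arrive from the client and
    can say anything; only entries appended by proxies we operate are reliable.
    So: require the TCP peer to be a trusted proxy, then walk the list from the
    right, skipping trusted hops, and return the first hop that is not ours.
    Returns None when no client address can be established.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # The connection did not arrive through our LB (e.g. NLB preserving the
        # source IP): the header is hearsay, the peer is what we observed.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # a slot written by our proxy must be a valid address
        if not is_trusted(ip):
            return str(ip)
    return None  # every hop was one of our proxies (e.g. an internal caller)


if __name__ == "__main__":
    # Constructed: ALB in 10.0.0.0/16 forwards a request with a spoofed left entry.
    print(client_ip_from_xff("1.2.3.4, 203.0.113.9", "10.0.0.12", ["10.0.0.0/16"]))
```

Use the result for rate limiting, audit logs and allowlists; never the leftmost entry, which is the one a naive `split(",")[0]` returns.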

6. ACM · TLS termination

aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names www.example.com \
  --validation-method DNS

Attach a certificate to ALB · NLB (TLS listener) and let the backend speak plain text or use its own certificate. To encrypt internal traffic too, give the backend a certificate and use SSL passthrough (NLB) or re-encrypt (ALB).

7. Comparison with other LBs and proxies

Tool              Category            Notes
HAProxy (2001)    LB                  Very fast L4/L7. Self-hosted standard.
nginx (2004)      Reverse proxy + LB  Rich modules. Strong static files · cache.
traefik (2015)    Reverse proxy       Container-label-based dynamic config.
Caddy (2015)      Reverse proxy       Automatic HTTPS standard.
Envoy (2016)      Proxy               Service-mesh foundation. xDS API.
ALB · NLB · GWLB  Managed             AWS integration. Low operational burden.

Decision factors:

  • Operational burden — managed (ELB) vs self-hosted (HAProxy · nginx).
  • Auto HTTPS — Caddy.
  • Service mesh — Envoy + Istio · Linkerd.
  • Container-label routing — traefik · Caddy + Docker.

8. ALB + Auto Scaling

Route 53 (Alias) → ALB → Target Group (Auto Scaling Group)
                          ↓
                     N EC2 instances (with health checks)

When the ASG adds instances, they auto-register with the Target Group. Unhealthy ones get replaced.

NLB + static IP — Used when a peer's firewall allowlists by static IP. ALB addresses change, so the same flow is hard with ALB (use Global Accelerator or the NLB → ALB pattern).

ALB routing rule examples:

  • Host: api.example.com AND Path: /v1/* → API Target Group
  • Host: web.example.com → Web Target Group
  • Path: /admin/* AND Cognito auth passes → Admin Target Group

Rules evaluate by priority. The first match wins.
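An added example (my code, not AWS's rule engine) that evaluates rules like the three above in priority order with first-match-wins semantics, using ALB's wildcard rules for host and path conditions. The rule table, target group names, and the modelling of Cognito authentication as an action that redirects when no session exists are assumptions for the demonstration. It also shows a common ordering mistake: because the host-only rule for web.example.com sits above the /admin/* rule, /admin/ paths on that host never reach the Cognito check.

```python
import re

# Constructed rule table mirroring the three examples above. Lower priority
# number is evaluated first; conditions within a rule are ANDed; actions run
# in order once the conditions match.
RULES = [
    {"priority": 10, "host": "api.example.com", "path": "/v1/*",
     "actions": ["forward:api-tg"]},
    {"priority": 20, "host": "web.example.com", "path": None,
     "actions": ["forward:web-tg"]},
    {"priority": 30, "host": None, "path": "/admin/*",
     "actions": ["authenticate-cognito", "forward:admin-tg"]},
]
DEFAULT_ACTION = "fixed-response:404"


def _glob(pattern):
    """ALB-style wildcard: '*' matches zero or more characters, '?' exactly one."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def route(request, rules=RULES, default=DEFAULT_ACTION):
    """Decide what the listener does with a request.

    Returns the target group name, 'redirect:cognito-login' when an
    authenticate action finds no session, or the listener's default action.
    request = {"host": ..., "path": ..., "authenticated_by": None | "cognito"}.
    Host matching is case-insensitive (hostnames are); path matching is not.
    """
    host = request["host"].lower()
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["host"] and not _glob(rule["host"].lower()).match(host):
            continue
        if rule["path"] and not _glob(rule["path"]).match(request["path"]):
            continue
        # First rule whose conditions all hold wins; run its actions in order.
        for action in rule["actions"]:
            if action == "authenticate-cognito":
                if request.get("authenticated_by") != "cognito":
                    return "redirect:cognito-login"
            elif action.startswith("forward:"):
                return action.split(":", 1)[1]
        return default
    return default


if __name__ == "__main__":
    print(route({"host": "web.example.com", "path": "/admin/users"}))  # web-tg, not admin-tg
```

When auditing a listener, sort the rules by priority and ask, for every protected path, whether a broader rule above it can match first; the ALB console shows rules in exactly that order.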

9. Common pitfalls

Idle timeout mismatch — ALB's default idle timeout is 60 seconds. If the backend's keep-alive timeout is shorter, the backend may close a connection that ALB is about to reuse, producing sporadic errors. Make the backend keep-alive longer than ALB's idle timeout.

Heavy health-check paths — Health checks that probe down to the DB unintentionally drive cost. Keep /health light and split deep checks separately.

NLB without SG (older behavior) — Pre-2023 NLBs had no SG; 2023 added the SG option.

WebSocket idle timeout — Long quiet periods drop the connection. Add heartbeats or extend timeouts.

Backend HTTPS certificate validation — Self-signed certs on the backend cause ALB validation failures.

ALB Host header — If the backend uses virtual hosts, verify X-Forwarded-Host or correct Host forwarding.

Lingering CLB — Old CLB infrastructure misses new features. Migrate gradually to ALB.

Closing thoughts

90% of the time, the answer for an LB is ALB or self-hosted Caddy/nginx. NLB earns its place when there is a clear reason — static IP, very high throughput, or non-HTTP. CLB is no longer adopted in new infrastructure.

For reference: ELB user guide · ALB routing rules · ACM · HAProxy · nginx · Envoy · traefik · PROXY protocol v2.
