Network Load Balancer (NLB)
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed how to enable access logs in ALB.
In this blog post, we will start with Network Load Balancer.
What is Network Load Balancer?
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.
For TCP traffic, the load balancer selects a target using a flow hash algorithm based on the protocol, source IP address, source port, destination IP address, destination port, and TCP sequence number. The TCP connections from a client have different source ports and sequence numbers, and can be routed to different targets. Each individual TCP connection is routed to a single target for the life of the connection.
For UDP traffic, the load balancer selects a target using a flow hash algorithm based on the protocol, source IP address, source port, destination IP address, and destination port. A UDP flow has the same source and destination, so it is consistently routed to a single target throughout its lifetime. Different UDP flows have different source IP addresses and ports, so they can be routed to different targets.
Elastic Load Balancing creates a network interface for each Availability Zone you enable. Each load balancer node in the Availability Zone uses this network interface to get a static IP address. When you create an Internet-facing load balancer, you can optionally associate one Elastic IP address per subnet.
Network Load Balancer Components:
- Listener: A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.
- Target Groups: Each target group routes requests to one or more registered targets, such as EC2 instances, using the TCP protocol and the port number that you specify. You can register a target with multiple target groups. You can configure health checks on a per target group basis. Health checks are performed on all targets registered to a target group that is specified in a listener rule for your load balancer.
Network Load Balancer Features:
Network Load Balancer operates at the connection level (Layer 4), routing connections to targets – Amazon EC2 instances, microservices, and containers – within Amazon Virtual Private Cloud (Amazon VPC) based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation and AWS Certificate Manager (ACM).
- Connection-based Load Balancing: You can load balance both TCP and UDP traffic, routing connections to targets – Amazon EC2 instances, microservices, and containers.
- High Availability: Network Load Balancer is highly available. It accepts incoming traffic from clients and distributes this traffic across the targets within the same Availability Zone. The load balancer also monitors the health of its registered targets and ensures that it routes traffic only to healthy targets. When the load balancer detects an unhealthy target, it stops routing traffic to that target and reroutes traffic to remaining healthy targets. If all of your targets in one Availability Zone are unhealthy, and you have set up targets in another Availability Zone, Network Load Balancer will automatically fail-over to route traffic to your healthy targets in the other Availability Zones.
- High Throughput: Network Load Balancer is designed to handle traffic as it grows and can load balance millions of requests/sec. It can also handle sudden volatile traffic patterns.
- Low Latency: Network Load Balancer offers extremely low latencies for latency-sensitive applications.
- Preserve source IP address: Network Load Balancer preserves the client side source IP allowing the back-end to see the IP address of the client. This can then be used by applications for further processing.
- Static IP support: Network Load Balancer automatically provides a static IP per Availability Zone (subnet) that can be used by applications as the front-end IP of the load balancer.
- Elastic IP support: Network Load Balancer also allows you the option to assign an Elastic IP per Availability Zone (subnet) thereby providing your own fixed IP.
- TLS Offloading: Network Load Balancer supports client TLS session termination. This enables you to offload TLS termination tasks to the load balancer, while preserving the source IP address for your back-end applications. You can choose from predefined security policies for your TLS listeners in order to meet compliance and security standards. AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) can be used to manage your server certificates. You can use SNI to serve multiple secure websites using a single TLS listener. If the hostname in the client matches multiple certificates, the load balancer selects the best certificate to use based on a smart selection algorithm.
- Health Checks: Network Load Balancer supports both network and application target health checks. Network-level health is based on the overall response of your target to normal traffic. If the target becomes unable, or too slow, to respond to new connections then the load balancer will mark the target as unavailable. Application-level health checks can also be used to go deeper. By periodically probing a specific URL on a given target, it can integrate the health of the actual application. For quick diagnosis and powerful debugging, full visibility into health checks and why they may be failing is also available through ‘reason codes’ in the Network Load Balancer API, and the Amazon CloudWatch metrics attached to target health checks.
- DNS Fail-over: If there are no healthy targets registered with the Network Load Balancer or if the Network Load Balancer nodes in a given zone are unhealthy, then Amazon Route 53 will direct traffic to load balancer nodes in other Availability Zones.
- Integration with Amazon Route 53: In the event that your Network Load Balancer is unresponsive, integration with Route 53 will remove the unavailable load balancer IP address from service and direct traffic to an alternate Network Load Balancer in another region.
- Integration with AWS Services: Network Load Balancer is integrated with other AWS services such as Auto Scaling, Elastic Container Service (ECS), CloudFormation, Elastic BeanStalk, CloudWatch, Config, CloudTrail, CodeDeploy, and AWS Certificate Manager (ACM).
- Long-lived TCP Connections: Network Load Balancer supports long-lived TCP connections that are ideal for WebSocket type of applications.
- Central API Support: Network Load Balancer uses the same API as Application Load Balancer. This will enable you to work with target groups, health checks, and load balance across multiple ports on the same Amazon EC2 instance to support containerized applications.
- Robust Monitoring and Auditing: Amazon CloudWatch reports Network Load Balancer metrics. CloudWatch provides metrics such as Active Flow count, Healthy Host Count, New Flow Count, Processed bytes, and more. Network Load Balancer is also integrated with AWS CloudTrail. CloudTrail tracks API calls to the Network Load Balancer.
- Enhanced Logging: You can use the Flow Logs feature to record all requests sent to your load balancer. Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs.
- Access Logging: When TLS listeners are added to your Network Load Balancer, you can choose to enable Access Logs, which will be sent to an S3 bucket of your choice. Access Logs capture information about every TLS connection that your listener receives, providing visibility into both successful and failed TLS handshakes.
- Zonal Isolation: The Network Load Balancer is designed for application architectures in a single zone. If something in the Availability Zone fails, we will automatically fail-over to other healthy Availability Zones. While we recommend customers configure the load balancer and targets in multiple AZs for achieving high availability, Network Load Balancer can be enabled in a single Availability Zone to support architectures that require zonal isolation.
Hope you have enjoyed this article, In the next blog post, we will create our 1st Network Load Balancer.
To get more details on AWS ELB, please refer below AWS documentation