AWS: ELB
Created: September 27, 2020
- ELBs always connect to the private addresses of nodes.
- To communicate with nodes in private subnets, an ELB must be in a public subnet in the same AZ.
- Health Check can
- Target groups are created or attached when creating an ELB.
ALB
- Layer 7.
- HTTP/HTTPS.
- Can terminate SSL connections.
- Can route conditionally based on the contents of HTTP headers.
- The load balancer itself is addressed using DNS only.
Targets and target groups
- EC2 instances via instance ID.
- IP addresses. (Includes on-prem servers.)
- Lambda functions.
- Containers (indirectly).
Routing
- Path-based routing.
  - Matches the URL path of the HTTP request.
  - Route to different targets for different URLs.
- Host-based routing.
  - Matches the Host header of the HTTP request.
  - Serve multiple domains from the same load balancer.
- Query string parameter-based routing.
  - A query string is the part of a URL used to pass parameters.
- Source IP address-based routing.
  - Matches the CIDR of the originating device.
- HTTP header-based routing.
  - Any standard or custom HTTP header field.
- HTTP method-based routing.
  - Any standard or custom HTTP method.
NLB
- Layer 4.
- TCP, TLS, UDP, or TCP_UDP between the client and NLB.
- TCP or TCP_UDP between the NLB and targets.
- Can terminate SSL connections (more efficiently than an ALB).
- Higher performance and lower latency than an ALB.
- Can have an elastic IP address. One IP per AZ with nodes.
Targets
- EC2 instances via instance ID.
- IP addresses.
- Microservices (indirectly).
- Containers (indirectly).
Health Checks
- Health checks are configurable per target group.
- Routing only occurs to healthy targets.
- If all targets are unhealthy, an ELB routes to all targets.
Status Checks
| Value | Description |
|---|---|
| initial | Target is being registered or initial health checks are occurring. |
| healthy | Self-explanatory. |
| unhealthy | Did not respond, or the health check failed. |
| unused | Not registered with a target group, no listener rule, in an AZ that is not enabled, or stopped/terminated. |
| draining | Deregistering and connection draining. |
| unavailable | Health checks are disabled for the target group. |
Sticky Sessions
- ALB only.
- Configured in target groups.
- Achieved via setting a cookie with name “AWSALB”.
- If an instance is unhealthy, the stickiness is overridden.
- The stickiness duration is configurable.
Security groups and ELBs
- ELBs require correctly configured security groups.
- Use the principle of least privilege.
CloudWatch
- CloudWatch metrics for your Application Load Balancer.
- CloudWatch metrics for your Network Load Balancer.
- ELBs send metrics to CloudWatch every minute. Metrics are only sent when there are active requests.
Most notable metrics
- BackendConnectionErrors
- HealthyHostCount / UnhealthyHostCount
- HTTPCode_Backend_2XX: successful request
- HTTPCode_Backend_3XX: redirected request
- HTTPCode_ELB_4XX: client error
- HTTPCode_ELB_5XX: server error (generated by the ELB)
- Latency
- RequestCount
- SurgeQueueLength: the total number of requests (HTTP listener) or connections (TCP listener) that are pending routing to a healthy instance
- SpilloverCount: the total number of requests that were rejected because the surge queue is full
Complete lists are available in the “CloudWatch metrics for your *** Load Balancer” links above.
Access logs
- Access logs are not enabled by default.
- When enabled, they give information about:
  - The time of a request.
  - The IP address of the client.
  - Latency.
  - Request paths.
  - Server responses.
  - Trace IDs.
- Access logs can optionally be stored in S3 for persistence.
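As an added example (not part of these notes), a small parser that pulls the items listed above out of ALB access log lines and runs two checks a defender would want: responses the ELB generated itself (what the HTTPCode_ELB_4XX/5XX metrics count) and 4XX responses per client IP. The log lines, IPs, account id and ARNs are constructed placeholders, not real traffic.

```python
import shlex
from collections import Counter
from urllib.parse import urlsplit

# ALB access log fields in the order AWS writes them (space separated; some quoted).
FIELDS = ("type time elb client_port target_port request_processing_time "
          "target_processing_time response_processing_time elb_status_code "
          "target_status_code received_bytes sent_bytes request user_agent ssl_cipher "
          "ssl_protocol target_group_arn trace_id domain_name chosen_cert_arn "
          "matched_rule_priority request_creation_time actions_executed redirect_url "
          "error_reason").split()

# Constructed sample lines (not real traffic); account id, IPs and ARNs are placeholders.
TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abc123"
CERT = "arn:aws:acm:us-east-1:123456789012:certificate/placeholder"
SAMPLE_LOG = [
    f'http 2020-09-27T10:00:00.123456Z app/notes-alb/0123456789abcdef 198.51.100.7:43210 10.0.1.20:80 0.001 0.012 0.000 200 200 120 2048 "GET http://app.example.com:80/index.html HTTP/1.1" "curl/7.68.0" - - {TG} "Root=1-5f704b40-aaaaaaaaaaaaaaaaaaaaaaaa" "-" "-" 1 2020-09-27T10:00:00.110000Z "forward" "-" "-"',
    f'http 2020-09-27T10:00:05.000000Z app/notes-alb/0123456789abcdef 198.51.100.7:43211 - -1 -1 -1 503 - 100 0 "GET http://app.example.com:80/api/orders HTTP/1.1" "curl/7.68.0" - - {TG} "Root=1-5f704b45-bbbbbbbbbbbbbbbbbbbbbbbb" "-" "-" 1 2020-09-27T10:00:04.990000Z "forward" "-" "-"',
    f'https 2020-09-27T10:00:09.000000Z app/notes-alb/0123456789abcdef 203.0.113.9:50001 10.0.1.20:80 0.000 0.004 0.000 401 401 300 150 "POST https://app.example.com:443/login HTTP/1.1" "python-requests/2.24" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-5f704b49-cccccccccccccccccccccccc" "app.example.com" "{CERT}" 1 2020-09-27T10:00:08.990000Z "forward" "-" "-"',
    f'https 2020-09-27T10:00:10.000000Z app/notes-alb/0123456789abcdef 203.0.113.9:50002 10.0.1.20:80 0.000 0.004 0.000 401 401 300 150 "POST https://app.example.com:443/login HTTP/1.1" "python-requests/2.24" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-5f704b4a-dddddddddddddddddddddddd" "app.example.com" "{CERT}" 1 2020-09-27T10:00:09.990000Z "forward" "-" "-"',
]

def parse_alb_line(line):
    """Reduce one ALB access log line to the items the notes above list."""
    rec = dict(zip(FIELDS, shlex.split(line)))  # shlex keeps quoted fields whole
    method, url, _version = rec["request"].split(" ", 2)
    # Processing times are -1 when the request never reached a target; skip those.
    times = (float(rec[k]) for k in ("request_processing_time",
             "target_processing_time", "response_processing_time"))
    return {
        "time": rec["time"],
        "client_ip": rec["client_port"].rsplit(":", 1)[0],
        "latency": round(sum(t for t in times if t >= 0), 6),
        "method": method,
        "path": urlsplit(url).path,
        "elb_status": int(rec["elb_status_code"]),
        "target_status": rec["target_status_code"],  # "-" when the ELB answered itself
        "trace_id": rec["trace_id"],
    }

def elb_generated_errors(records):
    """Errors the load balancer produced itself (no target status), e.g. 503 with no healthy target."""
    return [r for r in records if r["target_status"] == "-" and r["elb_status"] >= 400]

def client_error_counts(records):
    """4XX responses per client IP; a spike on one IP is worth a look."""
    return Counter(r["client_ip"] for r in records if 400 <= r["elb_status"] < 500)

if __name__ == "__main__":
    recs = [parse_alb_line(line) for line in SAMPLE_LOG]
    print(elb_generated_errors(recs), client_error_counts(recs))
```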
CloudTrail and ELBs
- CloudTrail can capture API calls to the ELB.
- The logs from CloudTrail can be stored in an S3 bucket.