Pablo Rodriguez

Load Balancers High Availability

Using Load Balancers to Create Highly Available Environments


When you design and build production-scale solutions, you should avoid single points of failure. For example, having one database and one application instance will cause application failure if either the database or instance fails.

A highly available system is one that can withstand some measure of degradation while remaining available:

  • Downtime is minimized as much as possible
  • Minimal human intervention is required to bring the system back to normal operating levels
  • A highly available system enables resiliency in a reactive architecture
  • A resilient workload can automatically recover when it’s stressed by load, attacks, or component failure
Percentage of uptime   Maximum downtime per year   Equivalent downtime per day
90%                    36.5 days                   2.4 hours
99%                    3.65 days                   14 minutes
99.9%                  8.76 hours                  86 seconds
99.99%                 52.6 minutes                8.6 seconds
99.999%                5.25 minutes                0.86 seconds
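The table above is the per-component view; what decides the availability of a whole design is how components are combined. The following added example (my own illustration, not code from the original page) reproduces the table from the availability percentage and then shows the two composition rules behind the single-point-of-failure advice: components in a chain multiply their availabilities (the chain is always worse than its weakest link), while redundant copies behind a load balancer are down only when every copy is down at once. The 99.9% figures used in the demo are assumed values.

```python
"""Availability ("nines") arithmetic for sizing a highly available design.

Added example; not code from the original page or from AWS.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def downtime(availability: float) -> dict[str, float]:
    """Maximum downtime per year and per day, in seconds, for a fractional
    availability such as 0.999."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    unavailable = 1.0 - availability
    return {
        "per_year_s": unavailable * SECONDS_PER_YEAR,
        "per_day_s": unavailable * SECONDS_PER_DAY,
    }


def serial(*components: float) -> float:
    """Availability of a chain in which every component must be up (one load
    balancer -> one instance -> one database).  Each extra dependency
    multiplies in another factor below 1."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel(component: float, replicas: int) -> float:
    """Availability of `replicas` independent copies of a component where any
    one of them can serve (instances behind a load balancer across AZs).
    The set is unavailable only when all replicas fail at the same time."""
    if replicas < 1:
        raise ValueError("need at least one replica")
    return 1.0 - (1.0 - component) ** replicas


def fmt_duration(seconds: float) -> str:
    """Human-readable duration for printing the table."""
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.2f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.2f} hours"
    if seconds >= 60:
        return f"{seconds / 60:.1f} minutes"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pct in (90, 99, 99.9, 99.99, 99.999):
        d = downtime(pct / 100)
        print(f"{pct:>7}%  {fmt_duration(d['per_year_s']):>14}/year  "
              f"{fmt_duration(d['per_day_s']):>14}/day")
    # Assumed figures: one web instance in front of one database, each 99.9%.
    print(f"single path  : {serial(0.999, 0.999):.6f}")
    # Two web instances in different AZs (either can serve), same single DB.
    print(f"redundant web: {serial(parallel(0.999, 2), 0.999):.6f}")
```

The second printed line shows why redundancy at only one tier has limited effect: with two web instances the web tier reaches six nines, but the single database still caps the whole path just below 99.9%.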
Key Component

Elastic Load Balancing (ELB) removes the single point of failure in front of targets such as EC2 instances and containers. It is a key component of a highly available architecture.

  • Distributes traffic across multiple targets in one or more Availability Zones
  • Can receive public or private traffic - load balancers can be external facing and distribute inbound public traffic, or internal facing and distribute private traffic
  • Monitors the health of registered targets with health checks
  • Routes traffic to only healthy targets
  • Scales based on incoming traffic - the ELB service scales your load balancer as your incoming traffic changes over time

To discover the availability of your EC2 instances, the load balancer periodically sends pings, attempts connections, or sends requests to test the EC2 instances. These tests are called health checks:

  • Each registered target must answer the health check request, within the configured timeout, with a status code that the target group's matcher accepts (HTTP 200 by default) to be counted as healthy; for TCP health checks, completing the connection is enough
  • If a target fails the configured number of consecutive health checks, the load balancer marks it unhealthy and stops routing requests to it; when the Amazon EC2 Auto Scaling group is configured to use ELB health checks, it also treats the instance as unhealthy and replaces it with a new one
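The threshold behaviour described above is easiest to understand by stepping through it. The following added example (my own model, not AWS code) simulates the target health evaluation: it parses a matcher such as "200,301-302", treats connection failures, timeouts and wrong status codes as failed probes, and only flips a target after the configured number of consecutive failures or passes. The parameter names mirror the elbv2 target group settings (HealthCheckIntervalSeconds, HealthCheckTimeoutSeconds, HealthyThresholdCount, UnhealthyThresholdCount, Matcher.HttpCode) and the reason strings reuse the API's target health reason codes; the evaluation loop itself is a simplified model, and the target IDs and probe results are constructed.

```python
"""Simulation of how a load balancer evaluates target health.

Added example, not AWS code.  Parameter names mirror the elbv2 target group
health check settings and the reason strings reuse the API's target health
reason codes, but the evaluation loop is a simplified model of the service.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_matcher(http_code: str) -> set[int]:
    """Expand a matcher such as "200" or "200,301-302" into the set of
    status codes that count as a passing check (ALB allows 200-499)."""
    codes: set[int] = set()
    for part in http_code.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        elif part:
            codes.add(int(part))
    if not codes or any(c < 200 or c > 499 for c in codes):
        raise ValueError("matcher codes must be in the 200-499 range")
    return codes


@dataclass
class HealthCheckConfig:
    interval_seconds: int = 30     # HealthCheckIntervalSeconds (probe cadence)
    timeout_seconds: int = 5       # HealthCheckTimeoutSeconds
    healthy_threshold: int = 5     # HealthyThresholdCount
    unhealthy_threshold: int = 2   # UnhealthyThresholdCount
    matcher: str = "200"           # Matcher.HttpCode
    path: str = "/health"          # HealthCheckPath


@dataclass
class TargetState:
    """Per-target bookkeeping: state plus consecutive pass/fail counters."""
    state: str = "initial"         # initial | healthy | unhealthy
    consecutive_ok: int = 0
    consecutive_fail: int = 0
    reason: str = ""


class HealthChecker:
    def __init__(self, config: HealthCheckConfig) -> None:
        self.config = config
        self.passing = parse_matcher(config.matcher)
        self.targets: dict[str, TargetState] = {}

    def probe(self, target: str, status: Optional[int], elapsed: float) -> str:
        """Apply one probe result and return the target's resulting state.

        `status` is the HTTP status the target answered with (None when the
        connection failed); `elapsed` is how long the probe took in seconds.
        A single bad probe never flips a healthy target: it takes
        unhealthy_threshold consecutive failures, and healthy_threshold
        consecutive passes to come back, which is what damps flapping.
        """
        st = self.targets.setdefault(target, TargetState())
        cfg = self.config
        if status is None:
            ok, reason = False, "Target.FailedHealthChecks"
        elif elapsed > cfg.timeout_seconds:
            ok, reason = False, "Target.Timeout"
        elif status not in self.passing:
            ok, reason = False, f"Target.ResponseCodeMismatch ({status})"
        else:
            ok, reason = True, ""

        if ok:
            st.consecutive_ok += 1
            st.consecutive_fail = 0
            if st.consecutive_ok >= cfg.healthy_threshold:
                st.state, st.reason = "healthy", ""
        else:
            st.consecutive_fail += 1
            st.consecutive_ok = 0
            st.reason = reason
            if st.consecutive_fail >= cfg.unhealthy_threshold:
                st.state = "unhealthy"
        return st.state

    def healthy_targets(self) -> list[str]:
        """Targets the load balancer would currently route to."""
        return sorted(t for t, s in self.targets.items() if s.state == "healthy")


if __name__ == "__main__":
    hc = HealthChecker(HealthCheckConfig(healthy_threshold=2, unhealthy_threshold=2))
    # Constructed probe sequence: two passes, one 503 blip, then a connection failure.
    for status, elapsed in [(200, 0.1), (200, 0.2), (503, 0.1), (None, 5.0)]:
        print(status, hc.probe("i-0123456789abcdef0", status, elapsed),
              hc.targets["i-0123456789abcdef0"].reason)
```

Practical consequence: detection time is roughly interval × unhealthy threshold (60 seconds with the defaults above), and a health check path that only returns 200 when its dependencies are reachable turns the load balancer into a dependency monitor; keep the endpoint cheap and unauthenticated-but-harmless, since it is hit constantly.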

ELB offers four types of load balancer; each load balancer receives a default DNS name:

Application Load Balancer

Layer 7 (Application Layer)

  • Used for HTTP and HTTPS traffic
  • Used for application architectures
  • Routes traffic based on content of the request
  • Supports Automatic Target Weights (ATW)

Network Load Balancer

Layer 4 (Transport Layer)

  • Used for TLS offloading, UDP, and static IP addresses
  • Handles millions of requests per second at ultra-low latency
  • Optimized to handle sudden and volatile network traffic patterns

Gateway Load Balancer

Layer 3 (Network Layer)

  • Used for third-party virtual appliance fleet using GENEVE protocol
  • Used to improve security, compliance, and policy controls
  • Deploy, scale, and manage virtual appliances like firewalls and intrusion detection systems

Classic Load Balancer

Layers 4 and 7 (Transport and Application)

  • Used for the previous-generation EC2-Classic network (now retired)
  • Used if upgrading to other load balancers is not feasible
  • Older implementation - AWS recommends using dedicated ALB or NLB when possible

A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones.

A listener checks for connection requests from clients by using the protocol and port that you configure:

  • The rules that you define for a listener determine how the load balancer routes requests to its registered targets
  • Each rule consists of a priority, one or more actions, and one or more conditions
  • You must define a default rule for each listener, and you can optionally define additional rules

Some listeners such as HTTPS and TLS listeners require TLS server certificates on your load balancer to ensure that traffic is protected in transit:

  • AWS Certificate Manager (ACM) is a service that you can use to provision, manage, and deploy public and private SSL/TLS certificates for use on AWS services such as load balancers
  • The load balancer uses the server certificate to terminate the frontend connection and decrypt requests from clients before sending them to the targets
  • An Application Load Balancer always terminates TLS; to keep the hop to the targets encrypted, use a target group with the HTTPS protocol, which makes the load balancer open a new TLS connection to each target (it does not validate the target's certificate, so self-signed certificates work there)
  • If you need to pass encrypted traffic to targets without the load balancer decrypting it, use a Network Load Balancer or Classic Load Balancer with a TCP listener

Each target group routes requests to one or more registered targets, such as EC2 instances, by using the protocol and port number that you specify:

  • You can register a target with multiple target groups
  • You can configure health checks for each target group
  • Health checks are performed on all targets registered to a target group that is specified in a listener rule for your load balancer

High Availability with Application Load Balancer and Amazon RDS Multi-AZ


An Application Load Balancer functions at the application layer, the seventh layer of the OSI model. After the load balancer receives a request, it evaluates the listener rules in order of priority to determine which rule to apply and then selects a target from the target group for the rule action.

  • You can configure listener rules to route requests to different target groups based on the content of the application traffic
  • Routing is performed independently for each target group even when a target is registered with multiple target groups
  • The default routing algorithm is round robin which routes each request to the next target in the group
  • Alternatively, you can select the least outstanding requests algorithm, which sends each new request to the healthy target with the fewest in-flight requests
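The listener and target group model from the previous section and the rule evaluation described just above fit together in one small simulation. The following added example (my own illustration, not AWS code) evaluates listener rules in priority order with host-header and path-pattern conditions, falls back to the default action, and then picks a target by round robin or least outstanding requests among healthy targets only. The vocabulary follows the elbv2 API, but the matching and selection logic is a simplified reimplementation; the target IDs, hostnames and rules in build_example are made up.

```python
"""Model of Application Load Balancer listener rules and target selection.

Added example, not AWS code.  The vocabulary (priority, host-header and
path-pattern conditions, forward and fixed-response actions, default rule,
round robin vs least outstanding requests) follows the elbv2 API; the logic
is a simplified reimplementation for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class Target:
    target_id: str
    healthy: bool = True
    in_flight: int = 0       # outstanding requests, used by LOR selection


@dataclass
class TargetGroup:
    name: str
    targets: list[Target]
    algorithm: str = "round_robin"   # or "least_outstanding_requests"
    _rr_index: int = 0

    def select(self) -> Optional[Target]:
        """Pick a healthy target; None means the balancer answers 503 itself."""
        healthy = [t for t in self.targets if t.healthy]
        if not healthy:
            return None
        if self.algorithm == "least_outstanding_requests":
            return min(healthy, key=lambda t: t.in_flight)   # ties: first registered
        chosen = healthy[self._rr_index % len(healthy)]
        self._rr_index += 1
        return chosen


@dataclass
class Rule:
    priority: int                        # lower numbers are evaluated first
    conditions: dict[str, list[str]]     # e.g. {"path-pattern": ["/api/*"]}
    action: dict                         # {"type": "forward", "target_group": tg}

    def matches(self, request: dict) -> bool:
        """Every condition must match; within a condition any listed value may."""
        for name, values in self.conditions.items():
            if name == "host-header":
                subject = request["host"].lower()
            elif name == "path-pattern":
                subject = request["path"]
            else:
                raise ValueError(f"unsupported condition {name}")
            if not any(fnmatch.fnmatchcase(subject, v) for v in values):
                return False
        return True


class Listener:
    def __init__(self, default_action: dict, rules: list[Rule]) -> None:
        self.default_action = default_action
        self.rules = sorted(rules, key=lambda r: r.priority)

    def route(self, request: dict) -> dict:
        """First matching rule in priority order wins; otherwise the default."""
        for rule in self.rules:
            if rule.matches(request):
                return self._apply(rule.action)
        return self._apply(self.default_action)

    @staticmethod
    def _apply(action: dict) -> dict:
        if action["type"] == "fixed-response":
            return {"status": action["status"], "body": action.get("body", "")}
        tg: TargetGroup = action["target_group"]
        target = tg.select()
        if target is None:
            return {"status": 503, "body": "no healthy targets"}
        target.in_flight += 1     # the request is now outstanding on that target
        return {"status": 200, "target_group": tg.name, "target": target.target_id}


def build_example() -> tuple[Listener, TargetGroup, TargetGroup]:
    """Hypothetical listener: /api/* to an LOR group, an admin block rule with
    a lower priority number (evaluated first), everything else to web."""
    web = TargetGroup("web", [Target("i-web1"), Target("i-web2")])
    api = TargetGroup("api", [Target("i-api1", in_flight=3), Target("i-api2", in_flight=1)],
                      algorithm="least_outstanding_requests")
    listener = Listener(
        default_action={"type": "forward", "target_group": web},
        rules=[
            Rule(10, {"path-pattern": ["/api/*"]}, {"type": "forward", "target_group": api}),
            Rule(5, {"host-header": ["admin.example.com"], "path-pattern": ["/api/*"]},
                 {"type": "fixed-response", "status": 403, "body": "forbidden"}),
        ],
    )
    return listener, web, api


if __name__ == "__main__":
    listener, _, _ = build_example()
    for host, path in [("admin.example.com", "/api/users"), ("www.example.com", "/api/users"),
                       ("www.example.com", "/"), ("www.example.com", "/")]:
        print(host, path, "->", listener.route({"host": host, "path": path}))
```

Two points worth noticing when reviewing real rule sets: a deny rule only protects if its priority number is lower than the forward rule it is meant to override (swap the 5 and 10 above and the admin block never fires), and routing to an empty healthy set yields a 503 from the load balancer itself, which is the symptom to look for when a deployment breaks every target's health check at once.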

In a highly available architecture using Application Load Balancer:

Application Load Balancer 1

  • External facing, receives public HTTP and HTTPS traffic
  • Distributes traffic to Web tier target group
  • Fleet of EC2 instances in Auto Scaling group across AZ1 and AZ2
  • If an instance fails its health checks, the load balancer stops sending it traffic and the Auto Scaling group replaces it

High Availability with Network Load Balancer


Network Load Balancers can be used to expose a centralized service and function at the fourth layer of the OSI model. They can handle millions of requests per second.

  • Support connections from clients over VPC peering, VPC endpoints, AWS managed VPN, AWS Direct Connect, and third-party VPN solutions
  • After receiving a connection request, it selects a target from the target group for the default rule
  • Attempts to open a TCP connection to the selected target on the port specified in the listener configuration

Each Network Load Balancer receives a default DNS name with the following syntax: name-id.elb.region.amazonaws.com

  • Example: my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com
  • If you'd prefer a DNS name that is easier to remember, create a custom domain name and point it at the load balancer's DNS name (a Route 53 alias record or a CNAME record)

You can create a target group with a single Application Load Balancer as the target and configure your Network Load Balancer to forward traffic to it:

  • The Application Load Balancer takes over the load balancing decision as soon as traffic reaches it
  • This configuration combines the features of both load balancers
  • You can use the layer 7 request-based routing feature of the Application Load Balancer in combination with features that the Network Load Balancer supports, such as endpoint services and static IP addresses

Security Service with Gateway Load Balancer

Security Solution

The Gateway Load Balancer is built for inserting fleets of virtual security appliances that inspect incoming and outgoing traffic.

A Gateway Load Balancer operates at the third layer of the OSI model, the network layer:

  • It listens for all IP packets across all ports and forwards traffic to the target group that’s specified in the listener rule
  • It maintains stickiness of flows to a specific target appliance by using 5-tuple (for TCP/UDP flows) or 3-tuple (for non-TCP/UDP flows)
  • The Gateway Load Balancer and its registered virtual appliance instances exchange application traffic by using the GENEVE protocol on port 6081

In a centralized inspection deployment with an application VPC (VPC 1) and a security VPC (VPC 2) that hosts the appliance fleet:

  1. All traffic entering VPC 1 through the internet gateway is first routed to the Gateway Load Balancer endpoint in VPC 1

  2. The traffic is then routed to the Gateway Load Balancer in VPC 2. The Gateway Load Balancer distributes the traffic to the Amazon EC2 security appliance for inspection. The security appliance responds to the Gateway Load Balancer, which returns the inspected traffic to the Gateway Load Balancer endpoint

  3. The Gateway Load Balancer endpoint sends the traffic to the EC2 application instance

Similarly, all traffic leaving the EC2 application instance follows the same path as incoming traffic.
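The flow stickiness mentioned above is what makes the symmetric path described in the steps work: the reply packets of a connection must reach the same appliance that saw the request, or a stateful firewall would drop them. The following added example (my own illustration, not AWS code) models that behaviour: TCP/UDP flows are keyed on the 5-tuple, other IP protocols on the 3-tuple, the key is built so that both directions of a flow hash identically, and a flow whose appliance becomes unhealthy is re-hashed onto a healthy one. The hash function, appliance names and packets are assumptions; the re-hash on failure corresponds to the rebalance option of the target group's target_failover.on_unhealthy attribute, not to the default, which leaves existing flows on the failed appliance.

```python
"""Flow-based appliance selection in the style of a Gateway Load Balancer.

Added example, not AWS code.  It models the documented behaviour (5-tuple
stickiness for TCP/UDP, 3-tuple for other IP protocols, both directions of a
flow on one appliance); the hash and appliance list are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int] = None   # None for protocols without ports
    dst_port: Optional[int] = None


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent flow identifier.

    TCP/UDP flows are keyed on the 5-tuple, everything else on the 3-tuple.
    Endpoints are sorted so the reply packet (src/dst swapped) yields the same
    key, which keeps both halves of a connection on one appliance.
    """
    if pkt.protocol in (PROTO_TCP, PROTO_UDP):
        if pkt.src_port is None or pkt.dst_port is None:
            raise ValueError("TCP/UDP packets need ports")
        a = (pkt.src_ip, pkt.src_port)
        b = (pkt.dst_ip, pkt.dst_port)
        return (pkt.protocol,) + tuple(sorted([a, b]))
    return (pkt.protocol,) + tuple(sorted([pkt.src_ip, pkt.dst_ip]))


class GatewayLoadBalancer:
    def __init__(self, appliances: list[str]) -> None:
        if not appliances:
            raise ValueError("need at least one appliance")
        self.healthy = set(appliances)
        self.flow_table: dict[tuple, str] = {}   # sticky mapping flow -> appliance

    def mark_unhealthy(self, appliance: str) -> None:
        self.healthy.discard(appliance)

    def select(self, pkt: Packet) -> str:
        """Appliance that receives this packet (and every packet of its flow)."""
        key = flow_key(pkt)
        chosen = self.flow_table.get(key)
        if chosen is None or chosen not in self.healthy:
            # New flow, or its appliance failed: hash the key over healthy
            # appliances (models target_failover.on_unhealthy = rebalance).
            candidates = sorted(self.healthy)
            if not candidates:
                raise RuntimeError("no healthy appliances; traffic would be dropped")
            digest = hashlib.sha256(repr(key).encode()).digest()
            chosen = candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
            self.flow_table[key] = chosen
        return chosen


if __name__ == "__main__":
    glb = GatewayLoadBalancer(["fw-a", "fw-b", "fw-c"])   # assumed appliance fleet
    # Constructed packets: a client request and the server's reply.
    req = Packet("10.0.1.10", "203.0.113.5", PROTO_TCP, 51000, 443)
    rep = Packet("203.0.113.5", "10.0.1.10", PROTO_TCP, 443, 51000)
    print("request ->", glb.select(req), " reply ->", glb.select(rep))
    glb.mark_unhealthy(glb.select(req))
    print("after appliance failure ->", glb.select(req))
```

Note that an appliance rebuilt from a failed one has no state for the flows that land on it, so long-lived connections may still be reset after failover; the stickiness only guarantees that both directions meet the same appliance while it is healthy.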

ELB distributes traffic across multiple targets in one or more Availability Zones and monitors the health of registered targets with health checks. An Application Load Balancer is used for application architectures and operates at the OSI model application layer (layer 7), while a Network Load Balancer is used for millions of concurrent, ultra-low latency requests and operates at the OSI model transport layer (layer 4). A Gateway Load Balancer is used to improve security, compliance, and policy controls and operates at the OSI model network layer (layer 3).