How_to_choose_the_right_load_balancer_for_your_AWS_workloads_NET202.pdf

How to choose the right
load balancer for your
AWS workloads
James Wenzel
N E T 2 0 2
Sr. Solutions Architect, ELB Team
AWS

Take a look at available load balancing tech on AWS
Break down what makes each unique
and where they fit in your workloads
Tie it all together
Agenda

What load balancing choices do we have?
Classic Load
Balancer
(CLB)
Layer 4/7
Targets
EC2-Classic
Protocols
TCP, SSL/TLS,
HTTP, HTTPS
Application Load
Balancer
(ALB)
Layer 7
Targets
IP, instances,
AWS Lambda,
containers
Protocols
HTTP, HTTPS, gRPC
Network Load
Balancer
(NLB)
Layer 4
Targets
IP, instances, ALB,
containers
Protocols
TCP, UDP, TLS
Gateway Load
Balancer
(GWLB)
Layer 3 gateway/
4 load balancer
Targets
IP, instances
Protocols
IP
AWS Global
Accelerator
TCP/UDP
Targets
IP, ALB, NLB
Protocols
TCP, UDP

Elastic Load Balancing Global Accelerator
Application Load
Balancer
(ALB)
Classic Load
Balancer
(CLB)
Network Load
Balancer
(NLB)
Gateway Load
Balancer
(GWLB)
AWS Global
Accelerator
Elastic Load Balancing (ELB) is a managed
regional service that leverages auto scaling
compute (CLB, ALB) or runs on the
AWS Hyperplane (NLB, GWLB) across
Availability Zones for resiliency

Elastic Load Balancing Global Accelerator
Application Load
Balancer
(ALB)
Network Load
Balancer
(NLB)
Gateway Load
Balancer
(GWLB)
AWS Global
Accelerator
Elastic Load Balancing (ELB) is a managed
regional service that leverages auto scaling
compute (CLB, ALB) or runs on the
AWS Hyperplane (NLB, GWLB) across
Availability Zones for resiliency
AWS Global Accelerator is a managed global
service that leverages globally distributed
points of presence (POPs) to bring your
customer traffic onto the AWS backbone
as quickly as possible

Lets take a closer
look at each type
of load balancer

Which load balancing technology
should we use?
Application
Load Balancer
AWS Lambda
Authentication
Layer 7 routing
Redirects, web sockets
HTTP2/gRPC
Web application firewall, AWS Outposts/AWS Local Zones
Containers
Targets Requires
Instances
IP
Cookie stickiness, HTTP Desync mitigation
Fixed response
Best option for the AWS Load Balancer Controller for containers

What are some workloads that
are the best fit for ALB?

Advertising technology
- Use cases: Ad repositories, ad exchange, bidding, A/B testing
- Recommended LB: ALB (Layer 7)
- Relevant features:
• ALB with path-based routing
• Weighted target groups (A/B testing)
• Least outstanding requests
• SSL termination, including SNI support
• Improved performance with connection pooling

Media and entertainment
- Use cases: control plane
- Recommended LB: ALB (layer 7)
- Relevant Features:
• Supports high number of concurrent
connections
• TLS and authentication offloading
• Advanced request routing

Application
Load Balancer
Availability Zone 2
Availability Zone 1
Private subnet Private subnet
Public subnet Public subnet
VPC CIDR 10.1.0.0/16
10.1.2.11/24 10.1.3.11/24
+ Expand + IPv6
IGW
ALB
10.1.0.11 10.1.1.11
The
internet

Application Load
Balancer and Lambda
Availability Zone 2
Availability Zone 1
VPC CIDR 10.1.0.0/16
10.1.2.11/24 10.1.3.11/24
+ Expand + IPv6
IGW
ALB
10.1.0.11 10.1.1.11
The
internet
AWS Lambda AWS Lambda
10.1.0.12 10.1.1.12

Application Load
Balancer, Lambda,
and containers
Availability Zone 2
Availability Zone 1
VPC CIDR 10.1.0.0/16 + Expand + IPv6
IGW
ALB
The
internet
Containers
Containers
10.1.0.11 10.1.1.11
10.1.0.12 10.1.1.12

Application Load
Balancer, Lambda,
containers & instances
Availability Zone 2
Availability Zone 1
IGW
ALB
The
internet
Containers
Containers
10.1.2.11/24 10.1.3.11/24
10.1.0.11 10.1.1.11
10.1.0.12 10.1.1.12
10.1.1.13
10.1.0.13

ALB: Recently launched features in 2021
Security and compliance
• Desync mitigation mode
• Non-CBC security policy
• Additional cert types via ACM
− RSA 3072, RSA 4096, and ECDSA
• Send TLS version and cipher suite to
backend targets
Protocols
• gRPC
• XFF header for source port
• IPv6
– IPv6 front end
– IPv6 targets from internet-facing ALBs
Routing
• AWS WAF fail open
• Application cookie stickiness
Additional capabilities
• Kubernetes integration (AWS
Load Balancer Controller)
• ALB as a target of NLB
− Static IP
− AWS PrivateLink integration
• ALB on the edge
– AWS Outposts

Let’s add ALB
to a workload

ALBs in a workload
Availability Zone 2
Availability Zone 1
ALB
10.1.0.11 10.1.1.11
IGW
10.1.2.11/24 10.1.3.11/24
Instance C Instance D
Availability Zone 2
Availability Zone 1
ALB
10.2.2.11/24 10.2.3.11/24
Availability Zone 2
Availability Zone 1
ALB
10.3.2.11/24 10.3.3.11/24
The
internet
Front end DB layer
API layer
On premises

should we use?
Connection-based
Layer 4 load balancing
PrivateLink support
Elastic IP support
Long-lived TCP connections
Low latency
Zonal isolation
Network
Load Balancer
Hybrid architecture support
Targets Requires
Containers
Instances
IP
ALB
AWS Fargate support direct to K8s pod

What are some workloads
that are the best fit for NLB?

Games
- Use cases: control channel, chat sessions,
game connectivity
- Recommended LB: NLB (Layer 4)
- Relevant Features:
• Static IP
• Long-lived UDP/TCP connection
• Low latency
• High connection rate

Data ingestion
- Use cases: data ingestion, data warehouse
• Single IP and port
• High throughput
• Instant scaling
• TLS termination
• PrivateLink instead of peering
• Long-lived connections

Internet of Things
- Use cases: IoT service front door – Telemetry,
logging/reporting, data polling
• Static IP for embedded devices
• Long-lived UDP/TCP connection
• Large number of concurrent connections

Media and entertainment
- Use cases: data plane
• Supports high number of concurrent
connections
• High throughput
• Scaling of nonstandard Layer 7 protocol
• Low latency

NLB
Availability Zone 2
Availability Zone 1
VPC CIDR 10.1.0.0/16
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
+ Expand + IPv6
IGW
EIP - 10.1.0.11 : xx.xx.xxx.xxx EIP - 10.1.1.11 : x.xxx.xx.xxx
NLB
10.1.0.11 10.1.1.11
The
internet

NLB and PrivateLink
AWS Region
Availability Zone 2
Private subnet
VPC CIDR 10.1.0.0/16
10.2.2..0/24
+ Expand + IPv6
Availability Zone 1
Private subnet
10.1.2..0/24
Availability Zone 1
Private subnet
VPC CIDR 10.1.0.0/16
10.2.2..0/24
+ Expand + IPv6
Availability Zone 1
Private subnet
10.1.2..0/24

What about hybrid
workloads and NLB?

Hybrid Architecture – Access from On-premises
10.1.3..0/24
VPC CIDR 10.1.0.0/16
10.1.2..0/24
VPC CIDR 10.1.0.0/16
10.1.2..0/24
Interface endpoint
Interface endpoint
AWS Region
VPC
Availability Zone 1
Availability Zone 2
Private subnet
Private subnet
Private subnet
Availability Zone 2
Availability Zone 1
Private subnet
VPC
On-premises
data center
On-premises
applications
AWS Direct Connect
(Private VIF)
VPN
Route 53
DNS
10.1.3..0/24

Private subnet
Private subnet
ALB as an NLB target with PrivateLink
10.1.2..0/24
VPC CIDR 10.1.0.0/16
10.1..3..0/24
AWS Region
VPC
Availability Zone 1
Availability Zone 2
Interface
endpoint
VPC
Availability Zone 1
Private subnet
VPC CIDR 10.1.0.0/16

Security and compliance
• ALPN support
• Non-CBC security policy
• TLS 1.3
Protocols
• UDP for IP targets
• IPv6 dual stack
Routing
• IP session affinity
• Terminate connections to
deregistered targets
Additional capabilities
• Kubernetes integration (AWS Load
Balancer Controller)
• Source IP preservation for IP targets
NLB: Recently launched features in 2021

Let’s add NLB
to our workloads

Add NLB
Availability Zone 2
Availability Zone 1
ALB
10.1.0.11 10.1.1.11
IGW
10.1.2.11/24 10.1.3.11/24
Availability Zone 2
Availability Zone 1
ALB
10.2.2.11/24 10.2.3.11/24
The
internet
Front end DB layer
API layer
On premises
Private subnet
172.16.0.10
ISV Server
Private subnet
172.16.1.10
ISV Server
PrivateLink ISV VPC
Availability Zone 1
VPC CIDR 172.16.0.1/16 +
Expand
Availability Zone 2
NLB VPCE
Availability Zone 2
Availability Zone 1
NLB
10.3.2.11/24 10.3.3.11/24

Did you notice the packets
with the red outline?
We will get to that!

should we use?
Gateway
Load Balancer
Bump in the wire
Packet preservation for inspection
PrivateLink GWLB endpoint
Multi-port to same instance
Route table entry
Auto scaling for packet processing
devices (firewall, IdP)
Targets Requires
Instances
IP

What are some workloads
that are the best fit for GWLB?

Metrics and inspection
- Use cases: metrics gathering
- Recommended LB: GWLB (Layer 3 GW, Layer 4 LB)
• Bump-in-the-wire functionality
• High throughput
• GENEVE headers
• Auto scaling of IDP devices

Security
- Use cases: packet inspection
- Recommended LB: GWLB (Layer 3 GW, Layer 4 LB)
• Auto scaling of security devices
• Total packet encapsulation
• Bump-in-the-wire functionality
• Low latency

What makes
GWLB different?

GWLB under the hood with GENEVE
VPC CIDR 10.1.0.0/16
54.239.17.6
Public subnet
10.1.0.11
Availability Zone 1
IGW
GWLB Availability Zone
Auto Scaling group
Auto Scaling group
GWLB
VPC CIDR 192.168.0/24
10.1.0.0/24 Local
0.00.0/0 GWLBE
Destination GW
Src IP=
10.0.11
Dst IP=
54.239.17.6
Payload
Outer Src IP =
192.168.1.10
Outer Dst IP =
FW IP Address
Metadata
Src IP=10.1.0.11 Dst IP=54.239.17.6
Payload
192.168.1.10
Outer Src IP =
FW IP Address
Outer Dst IP =
192.168.1.10
Metadata
Src IP=10.1.0.11 Dst IP=54.239.17.6
Payload
GWLB subnet
10.2.0.0/24 Local
0.0.0.0/0 IGW
Destination GW
Src IP=
10.1.0.11
Dst IP=
54.239.17.6
Payload
The
internet
Source
Instance
GWLBe

GWLB
Outer Src IP =
192.168.1.10
Outer Dst IP =
FW IP Address
Metadata
Src IP=10.1.0.11 Dst IP=54.239.17.6
Payload
Tunnel IPv4 Header:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live |Protocol=17 UDP| Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel Source IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel Destination IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UDP Source Port (undefined) | UDP Destination Port = 6081 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UDP length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Geneve Tunnel Header (for IPv4 payload):
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=0|Opt Len = 7|O|C| Rsvd. | Protocol Type = 0x0800 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Virtual Network Identifier (VNI) = 0 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Geneve Tunnel Options:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Class = 0x0108 | Type = 1 |R|R|R| Len = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64-bit GWLBE ENI id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64-bit Attachment ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 32-bit Flow Cookie |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Original IPv4 Packet follows …
40 Octets
28 Octets
Traffic between GWLB and Appliances is
encapsulated in GENEVE packet

GWLB simple input
VPC CIDR 10.1.0.0/16
InstanceA
10.1.2.11/24
InstanceB
10.1.3.11/24
10.1.0.11 10.1.1.11
Availability Zone 1 Availability Zone 2
IGW
Auto Scaling group
Auto Scaling group
GWLB
GWLBE 1 GWLBE 2
The
internet
TLS inspection
happens on the
security devices
ALB

Lets add GWLB
to our workloads

Availability Zone 2
Availability Zone 1
ALB
10.1.0.11 10.1.1.11
IGW
10.1.2.11/24 10.1.3.11/24
Availability Zone 2
Availability Zone 1
ALB
10.2.2.11/24 10.2.3.11/24
The
internet
Front end DB layer
API layer
On premises
Services VPC
Availability Zone 1
VPC CIDR 192.168.0/24
Availability Zone 2
Auto Scaling group Auto Scaling group
GWLB
Private subnet
Private subnet
GWLBE 1
GWLBE 2
Availability
Zone
3
Private
subnet
TGWE
Add GWLB
Private subnet
172.16.0.10
ISV Server
Private subnet
172.16.1.10
ISV Server
PrivateLink ISV VPC
Availability Zone 1
VPC CIDR 172.16.0.1/16 +
Expand
Availability Zone 2
NLB VPCE
Availability Zone 2
Availability Zone 1
NLB
10.3.2.11/24 10.3.3.11/24

should we use?
AWS Global
Accelerator
Accelerate latency-
sensitive applications
Improve resiliency and
availability on a global scale
Simplified global
traffic management
Global set of anycast static
IP addresses
Targets Requires
IP
ALB
NLB

Why does Global
Accelerator matter?

Because we are on the internet, it’s accessible
from everywhere!
Not all of our customers will have the same experience
We need to replicate
our workload in
multiple regions for a
better customer
experience, while
maintaining control of
the traffic.

Easy traffic control –
Optimal endpoint selection
Optimal Region
Hash (5 tuple)
Region : us-west-1
Region : us-west-1
Src Port: 32759
Src IP: 1.2.3.4
Protocol: UDP/TCP
5 Tuple
Dest IP: 5.6.7.8
Dest Port: 80

Easy traffic control – Regional traffic dials
Region : us-east-1
Region : us-west-1
Dial values: min: 0%, max: 100%, default: 100%
ELB

Easy traffic control – Endpoint weights
Region : us-east-1
Region : us-west-1
Weights values: min: 0, max: 255, default: 128
ELB

Hash (2 tuple)
Easy traffic control – Client affinity
ELB
Optimal Region
Region : us-west-1
Region : us-west-1
Src Port: 32759
Src IP: 1.2.3.4
Protocol: UDP/TCP
2 Tuple
Dest IP: 5.6.7.8
Dest Port: 80

Let’s add Global Accelerator
to our workloads

Availab
ility
Zone 2
Availab
ility
Zone 1
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
VPC CIDR
10.2.0.0/16
+ Expand
+ IPv6
ALB
10.2.2.11/24 10.2.3.11/24
Availab
ility
Zone 2
Availab
ility
Zone 1
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
VPC CIDR
10.3.0.0/16
+ Expand
+ IPv6
ALB
10.3.2.11/24 10.3.3.11/24
Availabi
lity
Zone 2
Availabi
lity
Zone 1
Pri
vat
e
sub
net
Pri
vat
e
sub
net
Pu
blic
sub
net
Pu
blic
sub
net
VPC CIDR
10.1.0.0/16
+ Expand
+ IPv6
NLB
10.1.0.11 10.1.1.11
IGW
10.1.2.11/24 10.1.3.11/24
Availab
ility
Zone 2
Availab
ility
Zone 1
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
VPC CIDR
10.2.0.0/16
+ Expand
+ IPv6
ALB
10.2.2.11/24 10.2.3.11/24
Availab
ility
Zone 2
Availab
ility
Zone 1
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
Pri
vat
e
su
bn
et
VPC CIDR
10.3.0.0/16
+ Expand
+ IPv6
ALB
10.3.2.11/24 10.3.3.11/24
Availabi
lity
Zone 2
Availabi
lity
Zone 1
Pri
vat
e
sub
net
Pri
vat
e
sub
net
Pu
blic
sub
net
Pu
blic
sub
net
VPC CIDR
10.1.0.0/16
+ Expand
+ IPv6
NLB
10.1.0.11 10.1.1.11
IGW
10.1.2.11/24 10.1.3.11/24
3.10.3.125
3.10.3.125

A note about
infrastructure as code

A note about infrastructure as code

Thank you!

How_to_choose_the_right_load_balancer_for_your_AWS_workloads_NET202.pdf

Recommended

Recommended

More Related Content

Similar to How_to_choose_the_right_load_balancer_for_your_AWS_workloads_NET202.pdf

Similar to How_to_choose_the_right_load_balancer_for_your_AWS_workloads_NET202.pdf (20)

Recently uploaded

Recently uploaded (20)

How_to_choose_the_right_load_balancer_for_your_AWS_workloads_NET202.pdf