Load balancer basics (ALB and NLB)
Topic: Cloud aws core
Summary
Use an Application Load Balancer (ALB) or Network Load Balancer (NLB) to distribute traffic to EC2 instances or other targets. ALB is layer 7 (HTTP/HTTPS); NLB is layer 4 (TCP/UDP, with optional TLS listeners). Use a load balancer when exposing a multi-instance service, or when you need TLS termination or path- and host-based routing in front of the instances.
Intent: How-to
Quick answer
- ALB: HTTP/HTTPS; path-based and host-based routing; TLS termination; HTTP health checks; use for web apps and APIs. NLB: TCP/UDP (TLS listeners also supported); low latency; preserves the client source IP; one static or Elastic IP per AZ; use for non-HTTP protocols or when you need static IPs or very high throughput.
- Create the load balancer in a VPC across at least two subnets in different AZs. Create a target group (target type instance or ip) and register targets, or attach an Auto Scaling group. Add a listener (e.g. HTTPS 443 with an ACM certificate) whose default action forwards to the target group. Configure the health check path, interval and healthy/unhealthy thresholds.
- Security: the security group on the ALB/NLB allows only the listener ports from the sources that need them; the target security group allows the target port only from the load balancer's security group (a security-group reference, not a CIDR). Caveat: an NLB can only be given a security group when it is created, not afterwards, and an NLB without one passes the client IP straight through, so its targets then have to allow the clients themselves.
Prerequisites
- A VPC with at least two subnets in different AZs (public subnets for an internet-facing load balancer).
- Target instances running and listening on the target port.
- For HTTPS listeners, a certificate in ACM in the same region as the load balancer.
Steps
- Create load balancer: EC2 -> Load Balancers -> Create. Choose ALB or NLB; select the VPC and at least two subnets in different AZs. Assign a security group that opens only the listener ports (e.g. 443, plus 80 if you add a redirect listener) from 0.0.0.0/0, or only from CloudFront by using the managed prefix list com.amazonaws.global.cloudfront.origin-facing as the source. For an NLB, assign the security group now; it cannot be added to an existing NLB.
- Create target group: Target groups -> Create; target type Instances (or IP for containers and non-EC2 targets); protocol and port (e.g. HTTP 80). Register instances, or let an Auto Scaling group attach them. Configure the health check: path, port (normally the traffic port), interval, healthy and unhealthy thresholds, and the expected status code.
- Add listener: e.g. HTTPS 443, default action forward to the target group. Attach the ACM certificate and pick a current TLS security policy. If you also add an HTTP 80 listener, make its default action a redirect to HTTPS rather than a forward. Optionally add rules (e.g. path /api/* -> a different target group).
- Secure targets: the target instances' security group allows the target port only from the load balancer's security group, so only the load balancer can reach the instances and nothing on the internet can bypass it. For an NLB without a security group, the target sees the client's source IP (client IP preservation), so it must either allow those client ranges or have preservation disabled and allow the NLB's private node addresses instead.
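The four steps above as one Terraform configuration for the ALB case. This is an added example, not code from the original page or from AWS; the variables (vpc_id, public_subnet_ids, web_instance_ids, certificate_arn), the health-check paths and all resource names are hypothetical. It opens only 443 on the ALB, lets the ALB reach targets only on port 80, and makes the target security group reference the ALB's security group instead of a CIDR.

```hcl
# Added example, not code from the original page. Hypothetical inputs: var.vpc_id,
# var.public_subnet_ids (at least two subnets in different AZs), var.web_instance_ids,
# and var.certificate_arn (an ACM certificate in the same region as the ALB).
variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "web_instance_ids" { type = list(string) }
variable "certificate_arn" { type = string }

# Step 1: the ALB and its security group. Inbound is only what the listener serves (443);
# outbound is only port 80 to the target security group, which also covers health checks.
resource "aws_security_group" "alb" {
  name   = "web-alb"
  vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "alb_https_in" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0" # or prefix_list_id of com.amazonaws.global.cloudfront.origin-facing
}
resource "aws_vpc_security_group_egress_rule" "alb_to_targets" {
  security_group_id            = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.targets.id
}
resource "aws_lb" "web" {
  name                       = "web-alb"
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.alb.id]
  subnets                    = var.public_subnet_ids
  drop_invalid_header_fields = true
}

# Step 2: one target group per backend, each with its own HTTP health check.
# Only the web group gets instances here; the api group is assumed to be filled by Auto Scaling.
locals { health_paths = { web = "/healthz", api = "/api/healthz" } }
resource "aws_lb_target_group" "tg" {
  for_each    = local.health_paths
  name        = "${each.key}-tg"
  vpc_id      = var.vpc_id
  target_type = "instance"
  protocol    = "HTTP"
  port        = 80
  health_check {
    path     = each.value
    port     = "traffic-port"
    interval = 30
    matcher  = "200"
  }
}
resource "aws_lb_target_group_attachment" "web" {
  for_each         = toset(var.web_instance_ids)
  target_group_arn = aws_lb_target_group.tg["web"].arn
  target_id        = each.value
  port             = 80
}

# Step 3: HTTPS listener with the ACM certificate and a current TLS policy; /api/* is routed by path.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg["web"].arn
  }
}
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  condition {
    path_pattern { values = ["/api/*"] }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg["api"].arn
  }
}

# Step 4: instances accept port 80 only from the ALB's security group. The weak form is
# cidr_ipv4 = "0.0.0.0/0" here, which lets clients reach instances directly and bypass the ALB.
resource "aws_security_group" "targets" {
  name   = "web-targets"
  vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "targets_from_alb" {
  security_group_id            = aws_security_group.targets.id
  ip_protocol                  = "tcp"
  from_port                    = 80
  to_port                      = 80
  referenced_security_group_id = aws_security_group.alb.id
}
```

Because the ALB security group has no port-80 ingress, there is no HTTP listener; if you add one, open 80 and give that listener a redirect default action rather than a forward. Terraform removes the default allow-all egress from a managed security group, which is why the explicit egress rule to the target group is needed for health checks to pass. For an NLB, set load_balancer_type = "network" and use a TCP or TLS listener and target group; the security group must be present in that first apply, since it cannot be added to an existing NLB.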
Verification
- The load balancer state is active and every registered target shows healthy (EC2 console or aws elbv2 describe-target-health); requests to the load balancer's DNS name reach the application over HTTPS; a request to an instance's own address on the target port from outside the load balancer's security group is refused or times out, proving the targets are not directly exposed.
Troubleshooting
- Unhealthy targets: check that the health check path returns the expected status code on the configured port, that the target security group allows that port from the load balancer's security group, and that the service listens on all interfaces rather than only on 127.0.0.1. The reason code in describe-target-health says which of these failed.
- 502 Bad Gateway (ALB): the target closed the connection, returned a malformed response, or the target group protocol does not match what the backend speaks (e.g. HTTPS target group in front of a plain-HTTP service); check the target's logs and the listener and target group configuration.
- 503 Service Unavailable (ALB): the target group has no registered targets; 504 Gateway Timeout: the target did not answer within the ALB idle timeout (60 seconds by default). Enable access logs on the load balancer if you need per-request detail.