Skip to Content

Load Balancing: ALB & NLB

When to use

Distribute traffic across healthy instances, terminate TLS, and run health checks.

Analogy

ALB is a hotel concierge who seats guests at the first available clean table; NLB is a high-speed sorting machine that sprays packets to a fixed shelf.

Data-flow diagram

  Client --HTTPS--> ALB (Layer 7 HTTP)
                      1. parse path
                      2. select Target Group
                      3. health-check instances
                      4. forward to healthy instance
                      5. return response

Deep explanation

ALB routes by HTTP path/host/headers (Layer 7, ideal for microservices). NLB is TCP/UDP (Layer 4, super fast, preserves source IP). CLB is legacy - migrate. ALB supports sticky sessions, WAF integration, redirect actions, weighted target groups (canary/blue-green), and Lambda targets. Target Group backends: EC2, ECS tasks, EKS pods (via IP), or Lambda. Health checks (HTTP path + threshold) determine which targets receive traffic.

Examples

Example 1

aws elbv2 create-load-balancer --name myalb --type application \
  --subnets subnet-1a subnet-1b subnet-1c \
  --security-groups sg-alb

creates internet-facing ALB spanning 3 AZs (Multi-AZ is critical).

Example 2

aws elbv2 create-target-group --name mytg --protocol HTTP --port 8080 \
  --vpc-id vpc-... --health-check-path /healthz \
  --health-check-interval-seconds 30 --healthy-threshold-count 2

registers target group; /healthz every 30s; 2 consecutive successes = healthy.

Example 3

aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:... \
  --protocol HTTP --port 80 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...

adds HTTP:80 listener forwarding to the target group; use ACM for TLS.

Common mistake

Single-AZ load balancer; health-check path that always returns 200 (e.g. /) so unhealthy instances stay in rotation; missing idle timeout for long polling.

Key takeaway

ALB for HTTP, NLB for raw TCP/UDP; always span multiple AZs; configure health-check paths to a deep endpoint; enable access logs to S3; ACM for TLS; WAF for SQLi/XSS.

Production Failure Playbook

Failure scenario 1: all-instances-unhealthy-after-deploy

Failure scenario 2: stuck-on-classic-load-balancer