Bharathi Batthula
Jun 18, 2020


AWS: Network Load Balancer (NLB)

NLB Features

The TCP connections from a client have different source ports and sequence numbers, and can be routed to different targets.

  • Each individual TCP connection is routed to a single target for the life of the connection.

A Network Load Balancer operates at the Transport layer (Layer 4) only of the OSI model.

Supports TCP and TLS listeners for the client request.

NLB has higher connection rates per second than the other ELB types; it can handle millions of requests per second.

  • Provides much lower latencies than the other ELB types.

NLB Features and how it works

After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.

As with any of the ELB types, Elastic Load Balancing creates an ENI for each enabled AZ.

The NLB can have targets referenced as EC2 Instance IDs or by IP address.

  • Targets referenced by IP address can be outside the VPC.
  • You can have all targets referenced by EC2 instance ID or all by IP address, but not a mix of the two in the same NLB.

NLB Static IP support per AZ

Support for static IP addresses for the load balancer.

  • The load balancer node in each AZ will then use this ENI to get a static IP.
  • When you create an Internet-facing Network Load Balancer (NLB), you can optionally associate one Elastic IP address per NLB-enabled subnet, as a static IPv4 address for the NLB node in that subnet.
  • Any connection requests sent to the NLB’s IP address will spread traffic across the instances in all the VPC subnets in the AZ.
  • You can also specify an existing Elastic IP for each AZ for even greater control.

With full control over the NLB's addresses, it can be used in situations where:

  • IP addresses need to be hard coded into DNS records.
  • Customer firewall rules or similar needs.
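The two use cases above (hard-coded DNS records and customer firewall rules) both start from the per-AZ addresses of the load balancer. The following is an added example, not code from the original post: it reads a describe-load-balancers style response, lists each AZ's address, reports whether that address is an Elastic IP the account controls (an AllocationId is present), and emits the allow-list lines a firewall would hard-code. The field names follow the ELBv2 API; the load balancer, subnets, addresses and the allow-list line format are constructed for the example.

```python
# Added example (not from the original post): derive firewall allow-list entries
# from the static per-AZ addresses of an internet-facing NLB.
# SAMPLE_NLB is constructed data shaped like one entry of describe-load-balancers;
# the names (AvailabilityZones, ZoneName, SubnetId, LoadBalancerAddresses,
# IpAddress, AllocationId) are ELBv2 API fields, the values are made up.
import ipaddress
from typing import Dict, List

SAMPLE_NLB = {  # constructed sample
    "LoadBalancerName": "example-nlb",
    "Scheme": "internet-facing",
    "AvailabilityZones": [
        {"ZoneName": "us-east-1a", "SubnetId": "subnet-0aaaaaaaaaaaaaaaa",
         "LoadBalancerAddresses": [{"IpAddress": "203.0.113.10",
                                    "AllocationId": "eipalloc-0aaaaaaaaaaaaaaaa"}]},
        {"ZoneName": "us-east-1b", "SubnetId": "subnet-0bbbbbbbbbbbbbbbb",
         "LoadBalancerAddresses": [{"IpAddress": "203.0.113.11",
                                    "AllocationId": "eipalloc-0bbbbbbbbbbbbbbbb"}]},
        # Third AZ enabled without an Elastic IP: the address is not one the
        # account allocated, so it should not be hard-coded anywhere.
        {"ZoneName": "us-east-1c", "SubnetId": "subnet-0ccccccccccccccccc",
         "LoadBalancerAddresses": [{"IpAddress": "203.0.113.12"}]},
    ],
}


def static_addresses(lb: Dict) -> List[Dict[str, object]]:
    """One entry per AZ address: zone, address, and whether it is an Elastic IP
    the account controls (AllocationId present in the API response)."""
    entries: List[Dict[str, object]] = []
    for az in lb.get("AvailabilityZones", []):
        for addr in az.get("LoadBalancerAddresses", []):
            ip = ipaddress.ip_address(addr["IpAddress"])  # rejects malformed literals
            entries.append({
                "zone": az["ZoneName"],
                "ip": str(ip),
                "elastic": "AllocationId" in addr,
            })
    return entries


def allow_list(lb: Dict, port: int = 443) -> List[str]:
    """Allow-list lines (constructed format '<ip>/32 tcp/<port>') for every
    EIP-backed address. Only addresses the account controls are emitted, since
    anything else could change underneath a hard-coded rule."""
    return [f"{e['ip']}/32 tcp/{port}"
            for e in static_addresses(lb) if e["elastic"]]


def zones_without_eip(lb: Dict) -> List[str]:
    """Enabled AZs whose address is not an Elastic IP; these need an EIP
    associated before the NLB's addresses can be treated as fixed."""
    return [str(e["zone"]) for e in static_addresses(lb) if not e["elastic"]]


if __name__ == "__main__":
    for line in allow_list(SAMPLE_NLB):
        print(line)
    print("AZs without an Elastic IP:", zones_without_eip(SAMPLE_NLB))
```

Run against the constructed sample, the allow-list contains the two EIP-backed addresses and the third AZ is reported as lacking an Elastic IP; in practice the input would be the parsed output of `aws elbv2 describe-load-balancers`.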

NLB Features and how it works

As in other ELB types, NLB only supports TCP.

Support for routing requests to multiple applications on a single EC2 instance.

  • You can register each instance or IP address with the same target group using multiple ports.

NLB supports load balancing to ECS containers.

  • If you deploy multiple ECS services on an ECS instance, each listening on a different port, you can, as with ALB, register the instance with the target group multiple times, each time with a different one of the ports used by the ECS services on the instance.

NLB supports monitoring the health of each service independently:

  • Health checks are defined at the target group level.
  • Many CloudWatch metrics are also supported and reported at the target group level.

NLB can be used with Auto Scaling to achieve dynamic scaling of target services.

  • This works only when targets are registered by instance ID, not by IP address.

Network Load Balancers support connections from clients over:

  • VPC peering
  • AWS VPN and
  • Third-party VPN solutions

You enable one or more Availability Zones for your load balancer when you create it.

You cannot enable or disable Availability Zones for a Network Load Balancer after you create it.

Access logs, deletion protection and cross-zone load balancing are disabled by default on an NLB.

TLS Listeners

If the listener protocol is TLS, you must deploy exactly one SSL server certificate on the listener.

  • The certificate can be issued by ACM, or uploaded to ACM or IAM.

You can use WebSockets with your listeners.

When you create a listener, you specify a rule for routing requests. This rule forwards requests to the specified target group.
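Two of the points above are easy to check mechanically: the three settings that are off by default (access logs, deletion protection, cross-zone load balancing) and the rule that a TLS listener carries exactly one server certificate. The following is an added example, not code from the original post: it audits an NLB's attributes and listeners against those rules. The attribute keys are the real ELBv2 attribute names; the input records are constructed to mirror the shapes of describe-load-balancer-attributes and describe-listeners, and the certificate ARN and account number are placeholders.

```python
# Added example (not from the original post): audit an NLB for settings that the
# post says are disabled by default, and for TLS listeners without a certificate.
# Attribute keys are real ELBv2 attribute names; every value below is constructed.
from typing import Dict, List

SAMPLE_ATTRIBUTES = [  # constructed, shaped like describe-load-balancer-attributes
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": "load_balancing.cross_zone.enabled", "Value": "false"},
]

SAMPLE_LISTENERS = [  # constructed, shaped like describe-listeners
    {"Port": 443, "Protocol": "TLS",
     "Certificates": [{"CertificateArn":
                       "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"}]},
    {"Port": 8443, "Protocol": "TLS", "Certificates": []},   # misconfigured
    {"Port": 80, "Protocol": "TCP"},                          # no certificate needed
]

# Baseline for this example: each default-off attribute and what leaving it off costs.
BASELINE: Dict[str, str] = {
    "access_logs.s3.enabled":
        "access logs off: no connection-level record for investigations",
    "deletion_protection.enabled":
        "deletion protection off: the load balancer can be deleted by mistake "
        "or by a compromised principal",
    "load_balancing.cross_zone.enabled":
        "cross-zone off: each node only sends traffic to targets in its own AZ",
}


def audit_attributes(attributes: List[Dict[str, str]]) -> List[str]:
    """One finding per baseline attribute that is not set to 'true'.
    A missing key is treated as the default ('false'), matching the post."""
    values = {a["Key"]: a["Value"].strip().lower() for a in attributes}
    return [f"{key}: {why}" for key, why in BASELINE.items()
            if values.get(key, "false") != "true"]


def audit_listeners(listeners: List[Dict]) -> List[str]:
    """A TLS listener must carry exactly one server certificate; TCP listeners
    are skipped because they terminate nothing."""
    findings: List[str] = []
    for listener in listeners:
        if listener.get("Protocol") != "TLS":
            continue
        count = len(listener.get("Certificates", []))
        if count != 1:
            findings.append(
                f"listener {listener['Port']}/TLS has {count} certificates, "
                f"expected exactly 1")
    return findings


if __name__ == "__main__":
    for finding in audit_attributes(SAMPLE_ATTRIBUTES) + audit_listeners(SAMPLE_LISTENERS):
        print("FINDING:", finding)
```

On the constructed sample all three attribute findings fire and the 8443 listener is flagged; an NLB that has been hardened after creation returns empty lists from both functions.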

Target Types

NLB supports the following target types:

Instances : The targets are specified by instance ID.

IP: The targets are specified by IP address.

The supported CIDR blocks enable the registration of the following with a target group:

  • ClassicLink instances,
  • AWS resources that are addressable by IP address and port and
  • On-premises resources linked to AWS through AWS Direct Connect or a software VPN connection.

For IP target types:

  • The NLB can support 55,000 simultaneous connections, or
  • about 55,000 connections per minute, to each unique target.
  • Port allocation errors may happen beyond this limit.

Unlike ALB, NLBs do not support the Lambda target type.

Instances in a peered VPC must be registered using the IP address target type, not by instance ID.

Request routing for Target group: Instance ID

As in ALB,

For targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance.

If you specify targets using IP addresses,

  • You can route traffic to an instance using any private IP address from one or more network interfaces.
  • Since each IP address is different, this enables multiple applications on an instance to use the same port.
  • Each network interface can have its own security group.
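The registration rules spread across the sections above (a target group is all instance IDs or all IP addresses, the same target may be registered on several ports, Lambda targets are not supported, and an instance in a peered VPC must be registered by IP) can be enforced before any registration call is made. The following is an added example, not code from the original post: it validates a batch of (target, port) registrations for one target group. The instance-ID pattern, the `peered_vpc_instances` set (assumed to be supplied by the caller, who knows which instances live in a peered VPC) and all sample identifiers are constructed for the example.

```python
# Added example (not from the original post): validate NLB target registrations
# against the rules the post states. Identifiers and the peered-VPC set are
# constructed; the 'instance' / 'ip' values match the ELBv2 TargetType names.
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# EC2 instance IDs are 'i-' followed by 8 or 17 hex characters (assumed pattern).
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8}([0-9a-f]{9})?$")


def classify(target_id: str) -> str:
    """Map a target identifier to 'instance', 'ip', 'lambda' or 'unknown'."""
    if INSTANCE_ID.match(target_id):
        return "instance"
    if target_id.startswith("arn:aws:lambda:"):
        return "lambda"
    try:
        ipaddress.ip_address(target_id)
        return "ip"
    except ValueError:
        return "unknown"


def validate_registration(target_type: str,
                          targets: Iterable[Tuple[str, int]],
                          peered_vpc_instances: Set[str] = frozenset()) -> List[str]:
    """Check (target, port) pairs against one target group whose TargetType is
    'instance' or 'ip'. Returns the list of problems; an empty list means the
    batch is consistent with the rules described in the post."""
    if target_type not in ("instance", "ip"):
        return [f"target type {target_type!r} is not supported by NLB "
                f"(only 'instance' and 'ip')"]
    problems: List[str] = []
    seen: Set[Tuple[str, int]] = set()
    for target_id, port in targets:
        kind = classify(target_id)
        if kind == "lambda":
            problems.append(f"{target_id}: Lambda targets are not supported by NLB")
            continue
        if kind == "instance" and target_id in peered_vpc_instances:
            problems.append(f"{target_id}: lives in a peered VPC and must be "
                            f"registered by IP address, not instance ID")
            continue
        if kind != target_type:
            problems.append(f"{target_id}: {kind} target in a target group of type "
                            f"{target_type!r}; a group cannot mix instance IDs "
                            f"and IP addresses")
            continue
        if not 1 <= port <= 65535:
            problems.append(f"{target_id}: port {port} is out of range")
            continue
        # The same target on a different port is legitimate (several services on
        # one instance); the same target on the same port twice is a mistake.
        if (target_id, port) in seen:
            problems.append(f"{target_id}:{port} is registered twice")
            continue
        seen.add((target_id, port))
    return problems


if __name__ == "__main__":
    # Constructed sample: one instance hosting two services on different ports.
    print(validate_registration("instance",
                                [("i-0123456789abcdef0", 8080),
                                 ("i-0123456789abcdef0", 8081)]))
    print(validate_registration("instance",
                                [("i-0123456789abcdef0", 80), ("10.0.1.25", 80)]))
```

The first call returns no problems (multi-port registration of one instance is allowed); the second reports the IP address that was mixed into an instance-ID target group.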

In my next blog, I will continue the concept of NLB. Stay connected.

Thank you,

Bharathi.




Bharathi is a self-driven and purpose-oriented person. The main mission is to create profound change in her career. Contact her at bharathi.batthula6@gmail.com.