Application Load Balancers – Network Design – ANS-C01 Study Guide

Application Load Balancers

The AWS Application Load Balancer (ALB) is at the high end of the ELB family of load balancers. As the name indicates, it operates at the application layer, or layer 7, of the OSI stack and has a long list of features, as outlined in Figure 1.12. The listener supports unencrypted HTTP or encrypted HTTPS (SSL/TLS) traffic. On the back end, targets can include microservices such as Lambda functions, containers such as Kubernetes or Docker, EC2 virtual servers, IP addresses, and both local and remote services inside and outside the AWS cloud. The ALB is supported in all AWS regions and on Outposts, the on-premises AWS racks.

FIGURE 1.12 ALB features

Layer 7 application load balancing allows us to make connection decisions based on many different data points such as the URL, headers, cookies, or any other request attribute.

ALBs can be either internal, configured with a private VPC IP address, or external, facing the Internet with a public IP address. Security groups and network access control lists can be configured in your VPC to restrict access to the load balancer. When the ALB is external facing, AWS services such as Shield and Shield Advanced protect your deployment from exploits originating on the Internet.

ALB supports the latest SSL/TLS security features and current protocols such as HTTP/2, which can multiplex up to 256 sessions over a single client connection. Inter-service microservice communications can leverage the gRPC support now available in the Application Load Balancer, which runs over HTTP/2.

HTTPS support is integrated with AWS Certificate Manager and IAM. SSL/TLS offload allows the load balancer to perform all encryption and decryption operations on the platform, removing the burden normally carried by the target servers. Predefined security policies can be used to simplify the security configuration process.

For sites that host multiple domains and secure websites behind a single IP address, SNI support allows multiple SSL/TLS certificates on one listener. As we discussed previously, sticky session support is part of the ALB. Inside a VPC, both IPv4 and IPv6 are supported.

Application support includes request tracing by using the x-Amzn-Trace-Id HTTP header, which allows us to trace data through the AWS site for troubleshooting and monitoring at the request level. Redirects from one URL to another are included and are often used to redirect unencrypted HTTP port 80 traffic to an HTTPS port 443 listener, forcing clients to use SSL/TLS encryption, or to redirect from an old site to a new website under the same URL.

WebSocket, as we covered, is supported. IP addresses can be assigned as targets to route connections to on-site data center web targets or to specific interfaces on a large server that may have many IP addresses and interfaces. Lambda function invocation by the ALB allows Lambda services to be spun up based on the content of the incoming request. The load balancer can connect to the various microservices and change IP addresses and port numbers dynamically, allowing completely serverless application deployments.

Content-based routing directs incoming requests to the desired backend locations by switching based on the host field, URL path, HTTP header, HTTP method, source IP address, or query string.
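The HTTP-to-HTTPS redirect and the content-based routing described in the two passages above can be modelled in a few dozen lines. The following is an added example written for this guide, not AWS code and not an AWS API: it simulates how a port 80 listener with a redirect default action and a port 443 listener with priority-ordered rules pick an action for a request. The condition names (host-header, path-pattern, http-header, http-request-method, source-ip, query-string) are the ALB condition kinds named in the text; the `Request`, `Rule`, target-group names, rule priorities and the request samples are all constructed for this example.

```python
"""Illustrative model of ALB listener rule evaluation (added example, not AWS code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    host: str
    path: str
    method: str = "GET"
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    source_ip: str = "0.0.0.0"
    port: int = 443            # which listener the client connected to


@dataclass
class Rule:
    priority: int              # lower number is evaluated first
    conditions: list           # (field, value) pairs; all must match
    action: tuple              # ("forward", target_group) or ("redirect", settings)


def _match(field_name, value, req):
    """Evaluate one ALB-style condition against the request."""
    if field_name == "host-header":
        return fnmatchcase(req.host.lower(), value.lower())
    if field_name == "path-pattern":
        return fnmatchcase(req.path, value)      # * and ? wildcards, like ALB
    if field_name == "http-header":
        name, pattern = value
        # header names are case-insensitive on the wire
        actual = {k.lower(): v for k, v in req.headers.items()}.get(name.lower(), "")
        return fnmatchcase(actual, pattern)
    if field_name == "http-request-method":
        return req.method.upper() == value.upper()
    if field_name == "source-ip":
        return ip_address(req.source_ip) in ip_network(value, strict=False)
    if field_name == "query-string":
        key, pattern = value
        return fnmatchcase(req.query.get(key, ""), pattern)
    raise ValueError(f"unknown condition field {field_name!r}")


def evaluate(rules, default_action, req):
    """Return the action of the first rule, by priority, whose conditions all match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(_match(f, v, req) for f, v in rule.conditions):
            return rule.action
    return default_action


# Constructed port 80 listener: no rules, default action redirects to HTTPS.
HTTP_RULES = []
HTTP_DEFAULT = ("redirect", {"protocol": "https", "port": 443, "status": 301})

# Constructed port 443 listener with content-based forward rules.
HTTPS_RULES = [
    Rule(10, [("host-header", "api.example.com"), ("path-pattern", "/v2/*")], ("forward", "tg-api-v2")),
    Rule(20, [("http-header", ("X-Canary", "true"))], ("forward", "tg-canary")),
    Rule(30, [("source-ip", "10.0.0.0/8"), ("http-request-method", "POST")], ("forward", "tg-internal-writes")),
    Rule(40, [("query-string", ("lang", "fr*"))], ("forward", "tg-fr")),
]
HTTPS_DEFAULT = ("forward", "tg-default")


def route(req):
    """Select the listener by port, evaluate its rules, and render any redirect URL."""
    if req.port == 80:
        kind, value = evaluate(HTTP_RULES, HTTP_DEFAULT, req)
    else:
        kind, value = evaluate(HTTPS_RULES, HTTPS_DEFAULT, req)
    if kind == "redirect":
        qs = "&".join(f"{k}={v}" for k, v in req.query.items())
        url = f"{value['protocol']}://{req.host}:{value['port']}{req.path}"
        return kind, url + (f"?{qs}" if qs else "")
    return kind, value


if __name__ == "__main__":
    print(route(Request("www.example.com", "/login", port=80)))
    print(route(Request("api.example.com", "/v2/orders")))
    print(route(Request("www.example.com", "/", method="POST", source_ip="10.20.30.40")))
```

Two points worth noticing when running it: rule priority decides ties (a request that matches both the priority 10 and priority 20 rules is forwarded to `tg-api-v2`), and the port 80 listener never forwards to a target at all, so no unencrypted request reaches a backend.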

Container support includes load balancing across many ports on the same EC2 instance. ALB is integrated with the Elastic Container Service (ECS), which is completely managed by AWS. The ECS scheduler automatically registers the dynamic port assigned in a container task definition.

A WAF can be placed in front of the ALB to protect web applications from common exploits. Connections are distributed round-robin, with slow start support so that web servers just coming online are not overwhelmed by a flood of new connection requests.
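To show what slow start changes about round-robin distribution, here is an added example written for this guide; it is an illustrative model, not AWS code, and the exact curve AWS uses is not stated on this page. It assumes a linear ramp: a newly registered target's share of new connections grows from zero at registration to its full share at the end of the slow-start window, and requests are then spread with a deterministic smooth weighted round-robin. The target names, registration times, the 60-second window and the request counts are constructed.

```python
"""Illustrative model of round-robin with slow start (added example, not AWS code)."""
from dataclasses import dataclass


@dataclass
class Target:
    name: str
    registered_at: float       # seconds since some epoch (constructed)


def slow_start_weight(target, now, slow_start_seconds):
    """Linear ramp: 0.0 at registration, 1.0 once the window has elapsed.
    A window of 0 means slow start is disabled and the target gets full weight."""
    if slow_start_seconds <= 0:
        return 1.0
    elapsed = now - target.registered_at
    return max(0.0, min(1.0, elapsed / slow_start_seconds))


def distribute(targets, now, slow_start_seconds, n_requests):
    """Assign n_requests across targets in proportion to their slow-start weights.

    Uses smooth weighted round-robin so the result is deterministic: each step
    adds every target's weight to its running score, picks the highest score,
    and subtracts the total weight from the winner.
    """
    weights = {t.name: slow_start_weight(t, now, slow_start_seconds) for t in targets}
    counts = {t.name: 0 for t in targets}
    total = sum(weights.values())
    if total == 0:
        return counts                       # nothing is eligible yet
    score = {t.name: 0.0 for t in targets}
    for _ in range(n_requests):
        for t in targets:
            score[t.name] += weights[t.name]
        winner = max(targets, key=lambda t: score[t.name]).name
        score[winner] -= total
        counts[winner] += 1
    return counts


# Constructed fleet: two warm targets and one that registered 30 s ago.
FLEET = [Target("web-a", 0.0), Target("web-b", 0.0), Target("web-c", 1000.0)]

if __name__ == "__main__":
    for now in (1000.0, 1030.0, 1060.0):
        print(now, distribute(FLEET, now, slow_start_seconds=60, n_requests=100))
```

Running it shows the new target receiving none of the first 100 requests at registration, a quarter of them halfway through the window, and an equal share once the window has passed; with slow start disabled it would take an equal share immediately.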

User authentication on the load balancer offloads the operation from the individual target servers and centralizes administration from many servers onto a single load balancer. Social identities from Facebook, Google, and Amazon are supported through Cognito, as are enterprise identity providers such as Auth and Microsoft Active Directory using SAML and OpenID connectors.

ALB pricing is based on the hours (or partial hour) that the load balancer is operational and the number of capacity units used per hour.