When connecting to an AWS load balancer, I know each one has different protocols, e.g. a Network LB is TCP and UDP and an Application LB is HTTP/S, but is it written into the application code somewhere which protocol the app should connect with?
I'm in DevOps and trying to better understand how these connections work, as I'm looking to move away from Classic LB.
And so if I wanted to know whether I should create an NLB or an ALB, should I be asking developers which protocol the application uses to connect to the internet?
Network Load Balancers (NLB) are Layer 4 load balancers, meaning that they can route TCP and UDP traffic. Since HTTP/HTTPS goes over TCP, NLBs can be used for HTTP/HTTPS traffic as well.
Application Load Balancers (ALB) are layer 7 load balancers; they can route HTTP/HTTPS traffic only (no bare TCP traffic, no UDP).
Although both ALB and NLB can route HTTP/HTTPS traffic, the difference between them is that an ALB understands the HTTP protocol, meaning that we can have routing rules based on HTTP headers, path variables, query params, etc. This is not possible if we are using NLBs; network load balancers route based on source/destination IP and ports.
As a rule of thumb, use ALBs if you have mainly web applications and you need all the features that an L7 load balancer can provide. Use NLBs for anything else.
With this flow:
external world --> AWS API Gateway ---> VPC Link ---> Network Load Balancer ---> my single EC2 instance
How can I configure the AWS Network Load Balancer such that:
Requests to https://myapp.com are routed to port 80 of my EC2 instance.
Requests to https://myapp.com/api/* are routed to port 3000 of my EC2 instance.
?
Currently I have only configured one listener on the NLB that listens on port 80, and all traffic from the API Gateway is routed to port 80 of my EC2 instance.
I have found that in Application Load Balancer, you can configure "Rules" that map path to different ports: Path based routing in AWS ALB to single host with multiple ports
Is this available with NLB?
This is not possible with the Network Load Balancer, because it operates on a level of the network stack that has no concept of Paths.
The NLB operates on Layer 4 and supports the protocols TCP and UDP. These essentially create a connection between ports on two machines that allow data to flow between them.
Paths as in HTTP(S) Paths are a Layer 5+ concept and belong to the HTTP Protocol. They're not available to the NLB because it can only work based on data that's guaranteed to be available there.
You can use an Application Load Balancer as the target for your Network Load Balancer and then configure the Path-based rules there, because the ALB is a layer 5+ load balancer and understands the Layer 5 protocol HTTP.
Here is a blog detailing this: Application Load Balancer-type Target Group for Network Load Balancer
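The NLB-in-front-of-ALB setup from the answer above, written out as Terraform. This is an added example and not code from the original answer or from AWS; the resource names are placeholders, and it assumes var.vpc_id, var.private_subnet_ids, var.instance_id and an ALB security group aws_security_group.alb (allowing TCP/80 from inside the VPC) already exist. The API Gateway VPC Link keeps pointing at the NLB; only what sits behind the NLB changes.

```hcl
# Added example, not part of the original answer. Assumes var.vpc_id,
# var.private_subnet_ids, var.instance_id and an ALB security group
# aws_security_group.alb (allowing TCP/80 from inside the VPC) already exist.

locals {
  ports = { web = 80, api = 3000 } # the two ports on the single EC2 instance
}

# NLB: this is what the API Gateway VPC Link points at.
resource "aws_lb" "nlb" {
  name               = "myapp-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# Internal ALB that does the path routing; it only ever needs to be
# reachable through the NLB, so it stays internal.
resource "aws_lb" "alb" {
  name               = "myapp-alb"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

# Target group of type "alb": the NLB forwards the raw TCP stream to the ALB.
resource "aws_lb_target_group" "to_alb" {
  name        = "myapp-to-alb-tg"
  target_type = "alb"
  protocol    = "TCP"
  port        = 80
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "to_alb" {
  target_group_arn = aws_lb_target_group.to_alb.arn
  target_id        = aws_lb.alb.arn
  port             = 80
}

resource "aws_lb_listener" "nlb_80" {
  load_balancer_arn = aws_lb.nlb.arn
  protocol          = "TCP"
  port              = 80
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_alb.arn
  }
}

# Two instance target groups: same EC2 instance, different ports.
resource "aws_lb_target_group" "svc" {
  for_each = local.ports
  name     = "myapp-${each.key}-tg"
  protocol = "HTTP"
  port     = each.value
  vpc_id   = var.vpc_id
}

resource "aws_lb_target_group_attachment" "svc" {
  for_each         = local.ports
  target_group_arn = aws_lb_target_group.svc[each.key].arn
  target_id        = var.instance_id
  port             = each.value
}

# ALB listener: everything goes to :80 unless a rule says otherwise.
resource "aws_lb_listener" "alb_80" {
  load_balancer_arn = aws_lb.alb.arn
  protocol          = "HTTP"
  port              = 80
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc["web"].arn
  }
}

# The path rule an NLB cannot express: /api/* -> :3000.
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.alb_80.arn
  priority     = 10
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc["api"].arn
  }
  condition {
    path_pattern {
      values = ["/api/*"]
    }
  }
}
```

Two things to check after applying this: the EC2 instance's own security group has to allow TCP 80 and 3000 from aws_security_group.alb (not from the NLB, which is not in the path to the instance any more), and the NLB listener, the ALB-type target group and the ALB listener all have to use the same port (80 here), otherwise the ALB target never becomes healthy.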
I would like to understand what the difference is between a WAF, a Security Group, and a routing table.
Let's say I have a VPC with 2 subnets (one of them private) and I want to deploy a web application (UI, backend service and a database (RDS)). In this scenario, where do the WAF and security groups come into the picture?
Can someone help me to understand a use case?
HTTP protocol is built on top of the TCP protocol.
WAF inspects the HTTP traffic before it reaches your web application in order to block malicious web traffic.
In order to implement WAF in front of a containerized application (running on ECS for example) or in front of an application running on EC2 you should use an Application Load Balancer in front of the application servers and associate the WAF with that load balancer.
If your application runs on Lambda you can do the same but using API Gateway.
A Security Group accepts or blocks networking protocols such as TCP, UDP, ICMP - based on ports. Open up port 443 and 80 if you want to expose your web application.
Routing tables should be associated with your subnets so that the network traffic (TCP) knows where to go.
Best practice is to put your application servers and databases in private subnets (with routing tables that do not route traffic from the Internet) and then put e.g. an Application Load Balancer in the public subnets in order to accept traffic from the Internet and route it to your private subnets.
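The three pieces from the answer above (routing tables, security groups, WAF) for a public ALB in front of an app tier and RDS in private subnets, as Terraform. This is an added example, not code from the original answer or from AWS. It assumes var.vpc_id, var.igw_id, var.nat_gateway_id and the ALB (aws_lb.alb) already exist, and that the public and private subnets are associated with the two route tables via aws_route_table_association (not shown); the app port 8080 and the database port 5432 are placeholders.

```hcl
# Added example, not from the original answer. Assumes var.vpc_id, var.igw_id,
# var.nat_gateway_id and the ALB (aws_lb.alb) exist, and that each subnet is
# associated with the right table via aws_route_table_association (not shown).

# Route tables: public subnets route 0.0.0.0/0 to the Internet Gateway; private
# subnets only get an outbound route via NAT, so nothing on the Internet has a
# route to the app servers or RDS.
resource "aws_route_table" "public" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = var.nat_gateway_id
  }
}

# Security groups, one per tier; each tier admits only the tier in front of it.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "app", "db"])
  name     = "web-${each.key}-sg"
  vpc_id   = var.vpc_id
}
# Internet -> ALB on 443 only (add 80 only if the listener redirects it to HTTPS).
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.tier["alb"].id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
# ALB -> app (8080 is a placeholder). Referencing the ALB's security group
# instead of a CIDR means nothing else in the VPC can reach the app port.
resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.tier["app"].id
  referenced_security_group_id = aws_security_group.tier["alb"].id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}
# app -> RDS (5432 shown for PostgreSQL; use your engine's port).
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.tier["db"].id
  referenced_security_group_id = aws_security_group.tier["app"].id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}
# Terraform removes the implicit allow-all egress from aws_security_group, so
# re-add outbound access for the tiers that need it (RDS initiates nothing).
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = toset(["alb", "app"])
  security_group_id = aws_security_group.tier[each.key].id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# WAF: regional web ACL with the AWS managed Common Rule Set, associated with
# the ALB so requests are inspected before they reach the app tier.
resource "aws_wafv2_web_acl" "web" {
  name  = "web-acl"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "aws-common"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.alb.arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

The order matters for a request: the route table decides whether a packet from the Internet can even reach a subnet, the security group decides whether the instance accepts the TCP connection on that port, and only then does the WAF look at the HTTP request on the ALB. The WAF is attached to the ALB (the only public entry point), which is why the app and database tiers never need a WAF of their own.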
We have one app deployed on an EC2 instance that can communicate inbound/outbound using HTTP, TCP, and UDP protocols.
One option could be to have an ALB for HTTP traffic and an NLB for TCP, UDP traffic.
The challenge is that the application allows the configuration of a single target FQDN so we can't target both the NLB and ALB based on the protocol.
As we don't want to go to classic ELB I'm wondering how others implemented a solution for similar challenges. Would AWS Global Accelerator help in such a case?
Even after a lot of googling, I could not find a simple answer to this question. All I could find was that it's a layer 4 load balancer that can handle millions of requests per second, with support for static/elastic IPs. Could someone please give me an example where network load balancers are used in real life? A simple use case. When should I pick a network load balancer over an application load balancer?
When compared to an Application Load Balancer a simple explanation goes like this: Network Load Balancer is used anywhere where the application behind the balancer doesn't work over HTTP(S), but uses some other protocol. Including, but not limited to:
Legacy applications that implement a custom protocol.
NTP servers.
SMTP servers.
Database servers.
MQTT brokers.
High performance queue servers (ActiveMQ, RabbitMQ, ZeroMQ etc.).
Message processing applications (think Kafka and Co.).
I would like to complement @Sergey's list with a few more scenarios where an NLB is useful:
NLB provides static IP address, ALB does not. So use it when you require a static IP for your LB. Similarly, it is the only balancer that can use Elastic IP addresses.
Use NLB when you require end-to-end SSL encryption. ALB will always terminate SSL connection, which may be not desired due to strict security requirements.
NLB is the only balancer type that can be used for API Gateway VpcLink or VPC PrivateLink technologies.
NLB does not have Security Groups.
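Two of the scenarios listed above (fixed Elastic IPs and end-to-end TLS) in one Terraform fragment, as an added example that is not code from the original answer or from AWS. It assumes var.vpc_id and var.public_subnet_ids (one subnet per AZ) exist; names are placeholders.

```hcl
# Added example, not part of the original answer. Assumes var.vpc_id and
# var.public_subnet_ids (one subnet per AZ) exist; names are placeholders.

# One Elastic IP per AZ, so the NLB's addresses never change and can be
# allow-listed by clients or partner firewalls.
resource "aws_eip" "nlb" {
  for_each = toset(var.public_subnet_ids)
  domain   = "vpc"
}

resource "aws_lb" "nlb" {
  name               = "edge-nlb"
  load_balancer_type = "network"
  dynamic "subnet_mapping" {
    for_each = toset(var.public_subnet_ids)
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.nlb[subnet_mapping.value].id
    }
  }
}

# TCP (not TLS) listener on 443: the encrypted stream is forwarded untouched,
# so the certificate and private key live only on the backend.
resource "aws_lb_target_group" "backend_tls" {
  name        = "edge-backend-tls-tg"
  protocol    = "TCP"
  port        = 443
  target_type = "instance"
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "passthrough" {
  load_balancer_arn = aws_lb.nlb.arn
  protocol          = "TCP"
  port              = 443
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_tls.arn
  }
}
```

The trade-off of the TCP listener is that the load balancer never sees HTTP: no path rules, no WAF, and no per-request access logs at the balancer, so the backend has to do that itself. If you instead use a TLS listener on the NLB, it terminates TLS like an ALB would, so pick TCP deliberately when the requirement really is end-to-end encryption.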
I am trying to set up an Elasticsearch container in AWS ECS while also listening on UDP.
Basically I want to route UDP traffic to an ECS service through the Network Load Balancer.
Is this possible with ECS?
According to the documentation, Network Load Balancers in EC2 support UDP, TCP and TLS, whereas Application Load Balancers are for HTTP and HTTPS.
If you want both HTTP and UDP to be routed to the same instance, I think you could set up two load balancers (one Application and one Network), or, since HTTP uses TCP, you could probably just use the Network Load Balancer and route both TCP and UDP traffic to that instance.
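The single-NLB option from the answer above (one UDP listener and one TCP listener, both pointing at the same ECS service) as Terraform. This is an added example and not code from the original answer, from AWS or from the asker's project. It assumes var.vpc_id, var.vpc_cidr, var.public_subnet_ids, var.private_subnet_ids, var.cluster_id, var.task_definition_arn and var.client_cidr exist, and that the task definition uses awsvpc networking with a container named "app" listening on UDP 5140 and TCP 9200 (both placeholders; use whatever your container actually listens on).

```hcl
# Added example, not from the original answer. Container name "app" and the
# two ports are placeholders; var.* values are assumed to exist already.
locals {
  ports = { udp = 5140, tcp = 9200 }
}

resource "aws_lb" "nlb" {
  name               = "app-nlb"
  load_balancer_type = "network"
  subnets            = var.public_subnet_ids
}

# One target group per protocol. "ip" targets are required for awsvpc tasks.
# A UDP target group cannot be health-checked over UDP, so both groups probe
# the TCP port.
resource "aws_lb_target_group" "svc" {
  for_each    = local.ports
  name        = "app-${each.key}-tg"
  protocol    = upper(each.key)
  port        = each.value
  target_type = "ip"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "TCP"
    port     = local.ports.tcp
  }
}

resource "aws_lb_listener" "svc" {
  for_each          = local.ports
  load_balancer_arn = aws_lb.nlb.arn
  protocol          = upper(each.key)
  port              = each.value
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc[each.key].arn
  }
}

# Task security group. An NLB preserves the client's source IP for UDP (and,
# by default, for TCP with ip targets), so these rules must admit the real
# client range rather than the NLB's own addresses.
resource "aws_security_group" "task" {
  name   = "app-task-sg"
  vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "client" {
  for_each          = local.ports
  security_group_id = aws_security_group.task.id
  cidr_ipv4         = var.client_cidr
  ip_protocol       = each.key
  from_port         = each.value
  to_port           = each.value
}
# Health checks come from the NLB nodes inside the VPC, so allow those too.
resource "aws_vpc_security_group_ingress_rule" "health" {
  security_group_id = aws_security_group.task.id
  cidr_ipv4         = var.vpc_cidr
  ip_protocol       = "tcp"
  from_port         = local.ports.tcp
  to_port           = local.ports.tcp
}

resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = var.cluster_id
  task_definition = var.task_definition_arn
  desired_count   = 1
  launch_type     = "FARGATE"
  network_configuration {
    subnets         = var.private_subnet_ids
    security_groups = [aws_security_group.task.id]
  }
  # One load_balancer block per target group, same container, different ports.
  dynamic "load_balancer" {
    for_each = local.ports
    content {
      target_group_arn = aws_lb_target_group.svc[load_balancer.key].arn
      container_name   = "app"
      container_port   = load_balancer.value
    }
  }
}
```

If var.client_cidr is 0.0.0.0/0 the UDP port is open to the whole Internet, because the NLB forwards every datagram it receives; unlike an ALB there is nothing at the balancer that can filter the payload, so restrict the client range (or put the NLB in private subnets) if the UDP service is not meant to be public.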