Amazon ELB

Amazon Elastic Load Balancing (ELB)

Amazon ELB sits in front of your services to spread traffic, terminate protocols, and keep things healthy. It’s powerful—but costs can jump with Load Balancer Capacity Units (LCUs/NLCUs/GLCUs), cross-AZ data transfer, and sprawling rule sets. This page blends Grok’s outline with a pragmatic, FinOps-oriented playbook: what you’re using, what you’re paying for, what to change, and which native tools help you do it quickly.

🚀 What is ELB?

Amazon Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets (EC2, IPs, containers, and even Lambda for ALB) in one or more Availability Zones, improving scalability and resilience.

Features

Automatic scaling to handle variable load
Health checks; routes only to healthy targets
Tight Auto Scaling integration (scale out/in behind the LB)
TLS termination and offloading, modern TLS policies
Real-time metrics, access logs, and WAF/Shield integrations

Load balancer types

Application Load Balancer (ALB) — Layer 7 HTTP/HTTPS (incl. HTTP/2 & gRPC), rich routing
Network Load Balancer (NLB) — Layer 4 TCP/UDP/TLS, ultra-low latency, static IPs & client IP preservation
Gateway Load Balancer (GWLB) — Layer 3 appliance insertion via GENEVE (firewalls, IDS/IPS)

Classic Load Balancer (CLB) is legacy—plan migrations to ALB/NLB.

⚙️ Load balancer types — pick the right one

Type

Best for

Highlights

Watch-outs

ALB

Web/apps & APIs (HTTP/HTTPS/gRPC)

Host/path/header rules, Lambda targets, WAF, stickiness

LCUs bill on the max of new conns, active conns, bytes, and rule evaluations (big rule sets can spike cost).

NLB

High-throughput TCP/UDP/TLS, IoT, gaming

Static IPs, preserves client IP (instance targets), TLS termination

NLCUs bill on flows/connections/bytes; cross-zone adds inter-AZ transfer when enabled—use intentionally.

GWLB

Inline network appliances

Transparent insertion via GENEVE 6081; scale appliances across AZs

GLCUs + Gateway LB Endpoints are billed; account for encapsulation overhead (MTU).

Rule of thumb: HTTP features → ALB. Raw L4 performance or static IPs → NLB. Inline inspection → GWLB.

🧬 Capacity & protocol support (how you’re billed)

Unit

What it measures (simplified)

Practical guidance

LCU (ALB)

Max of new connections/sec, active connections, bytes processed, rule evaluations

Keep rule sets lean; enable HTTP/2 to reduce front-end connections; cache/compress to cut bytes.

NLCU (NLB)

Max of new flows/sec, active flows, bytes (varies by TCP/UDP/TLS)

Avoid unnecessary cross-zone; prefer zonal client↔target paths; test TLS only where needed.

GLCU (GWLB)

Max of connections and bytes through the appliance service

Scope inspection to the traffic that truly needs it; model endpoint (GWLBE) costs too.

Capacity is metered on peaks—optimize for the hottest dimension in your workload.

🏛️ Deployment options

Mode

When to use

Notes

Internet-facing

Public sites/APIs

Public DNS name; ACM certs for HTTPS.

Internal

Private services in VPC

No public DNS; use with PrivateLink, peering, TGW, or CloudFront (origin in VPC).

Cross-zone LB

Need even AZ spread under uneven target counts

On ALB it’s effectively always distributing; on NLB/GWLB it’s optional—turn on only with justification due to inter-AZ costs.

Integrate with Route 53 (weighted/latency/health-check routing) for global failover patterns.

🧠 ELB optimization strategy (FinOps + reliability)

Pick the right type

HTTP features (routing, WAF, Lambda targets, gRPC) → ALB
Raw TCP/UDP/TLS & static IPs → NLB
Inline inspection → GWLB (plan MTU with GENEVE)

Tame ALB LCUs

Consolidate rules; prefer a small set of host/path predicates over many overlapping rules.
Order rules from most-hit to least-hit; avoid “evaluate everything” patterns.
Enable HTTP/2 (and gRPC where appropriate) to lower front-end connection churn.

Control NLB costs

Keep cross-zone off unless you need it; align clients and targets by AZ.
Use TLS termination only where required (TLS has different NLCU thresholds than TCP/UDP).

Right-size targets & health

Target groups per service; scale with ASG; tune deregistration delay and health checks.
Enable stickiness only where you’ve proven it’s needed.

Data transfer discipline

Put compute and data in the same AZ; leverage CloudFront for internet clients to reduce origin bytes.

Review monthly

Inspect peaks in LCUs/NLCUs/GLCUs, RuleEvaluations, bytes, and cross-AZ transfer; prune rules and rebalance topology.

💸 Pricing model & common gotchas

Pay-as-you-go: per-hour balancer charge plus usage (LCU/NLCU/GLCU), plus standard data transfer.
No Savings Plans/RIs for ELB: cost control = right type + fewer rule evals/flows + less cross-AZ.
Cross-AZ data transfer still applies (especially with NLB when cross-zone is enabled).
Access logs & real-time logging add S3/Kinesis costs—scope them to what you’ll actually analyze.

Avoid hard-coding prices in docs—use your Region’s pricing pages or AWS Pricing Calculator.

⏱️ Automation patterns

Scale targets, not just LBs: Auto Scaling policies tied to target metrics (RPS, latency, CPU).
Blue/green & canaries: weight traffic across target groups or ALB rules; promote on health.
CI/CD cache-busting: immutable asset names → fewer invalidations and cleaner cache behavior (when fronted by CloudFront).
IaC (CloudFormation/Terraform/CDK): version listeners, rules, target groups; enforce rule-count guardrails.

🔒 Security & compliance

TLS with ACM; enforce modern policies; optionally mutual TLS.
AWS WAF on ALB for L7 protections; Shield for DDoS.
Private origins: ALB internal behind CloudFront + OAC to S3 or PrivateLink to services.
Access logs to S3 (lifecycle them); consider sensitive-field redaction upstream.

📊 Monitoring & tools

CloudWatch:
- ALB — RequestCount, RuleEvaluations, ActiveConnectionCount, TargetResponseTime
- NLB — ProcessedBytes, TCP/UDP_HealthyHostCount, connection/flow metrics
- GWLB — ProcessedBytes, endpoint metrics
Access logs: analyze top paths, rule hits, status spikes (Athena/OpenSearch).
Cost Explorer/CUR: break down hours vs LCU/NLCU/GLCU; watch DataTransfer-Regional-Bytes.

🧪 Practical selection cheat-sheet

Modern web/API: ALB + WAF; host/path routing; HTTP/2; gRPC where suitable; CloudFront in front.
High-perf L4: NLB (TCP/UDP/TLS) with static IPs; align clients/targets per AZ; enable cross-zone only if you must.
Security inspection: GWLB + appliances; share via Gateway LB Endpoints; validate MTU.
Legacy CLB: migrate to ALB/NLB.

✅ Checklist

Confirm the right ELB type for each workload.
Keep ALB rules lean; measure RuleEvaluations.
Co-locate clients & targets in-AZ; enable NLB cross-zone only with justification.
Turn on HTTP/2 (and gRPC where appropriate).
Tune health checks & deregistration delay; use stickiness only if required.
Scope access logging and set S3 lifecycle policies.
Review monthly: LCU/NLCU/GLCU peaks, bytes, and inter-AZ transfer.
Plan & execute CLB migrations.

References (add your org’s canonical links)

ELB pricing & calculator (LCU/NLCU/GLCU, data transfer)
ALB listeners/rules/target groups; HTTP/2 & gRPC; Lambda targets
NLB target groups; cross-zone behavior & regional data transfer considerations
GWLB + GENEVE design & Gateway LB Endpoints
WAF/Shield integrations; access log analytics runbooks; Curated CloudWatch dashboards

PreviousAmazon VPC NextAmazon Elasticache

Last updated 12 days ago