Ashish Patel

Summary

The AWS Application Load Balancer (ALB) is a Layer-7 load balancer that provides advanced request routing, SSL/TLS offloading, and robust security features for web applications and microservices.

Abstract

The AWS Application Load Balancer (ALB) operates at the application layer of the OSI model, offering sophisticated load balancing capabilities for HTTP and HTTPS traffic. It supports features such as Layer-7 routing, security groups, AWS WAF integration, HTTPS support with SSL/TLS offloading, sticky sessions, IPv6, HTTP/2, WebSockets, gRPC, redirects, fixed responses, SNI, and support for Lambda functions and content-based routing. ALB enhances application security by ensuring the use of the latest SSL/TLS ciphers and protocols and provides additional functionalities like user authentication and request tracing. It is designed to handle modern application architectures, including microservices and containerized applications, and is suitable for scenarios requiring advanced routing and SSL offloading.

Opinions

  • The ALB is considered beneficial for ensuring the use of the latest security ciphers and protocols, thus simplifying and improving the security of applications.
  • The use of AWS WAF with ALB is recommended for protecting web applications against common web exploits.
  • ALB's support for HTTP/2 and gRPC is seen as advantageous for modern application development, particularly for microservices architectures.
  • The native IPv6 support and ability to handle both HTTP and HTTPS traffic are viewed as essential features for current web standards and security practices.
  • The ALB's ability to serve multiple secure websites using a single TLS listener through SNI is appreciated for its efficiency and smart selection algorithm.
  • The integration with Amazon Cognito for user authentication is highlighted as a valuable feature for offloading authentication responsibilities from the application.
  • The content-based routing capabilities of ALB are praised for their flexibility in routing requests to different services or Lambda functions based on various attributes of the request.
  • The slow start mode is seen as a thoughtful feature to prevent overwhelming new targets with traffic spikes.
  • The use of ALB in AWS Outposts is noted as a significant advantage for providing a consistent hybrid experience across different environments.
  • The article suggests that ALB is typically used for web applications that require advanced load balancing and routing capabilities, especially for microservices and container-based applications.

AWS — Application Load Balancer (ALB) Overview

Introduction to AWS Application Load Balancer — What is ALB?

AWS Application Load Balancer (ALB)

TL;DR

Application Load Balancer (ALB) works at the Layer-7 (Application layer - Request level) of the OSI model. ALB supports load balancing of applications using HTTP and HTTPS protocols.

ALB simplifies and improves the security of your application, by ensuring that the latest SSL/TLS ciphers and protocols are used at all times.

Read about Elastic Load Balancer (ELB) Overview.

Features

  • Layer-7 Load Balancing — You can load balance HTTP/HTTPS traffic to targets (EC2 instances, microservices, and containers) based on request attributes.
  • Security Features — You can associate security groups with ALB to provide additional security options.
  • Web Application Firewall — You can use AWS WAF to protect your web applications on your ALB.
  • HTTPS Support — ALB supports HTTPS termination between the clients and the load balancer.
  • SSL/TLS Offloading — You can create an HTTPS listener, which uses encrypted connections (SSL offload). ALB supports client TLS session termination. AWS Certificate Manager (ACM) or IAM can be used to manage your server certificates. You can choose from predefined security policies for your TLS listeners in order to meet compliance and security standards.
  • Sticky Sessions — Sticky sessions are a mechanism to route requests from the same client to the same target. ALB supports both duration-based cookies and application-based cookies. Sticky sessions are enabled at the target group level.
  • Native IPv6 Support — ALB supports native IPv6 in a VPC. This allows clients to connect to the ALB via IPv4 or IPv6.
  • HTTP/2 Support — HTTP/2 support is enabled natively on an ALB. Clients that support HTTP/2 can connect to ALB over TLS.
  • WebSockets Support — WebSockets and Secure WebSockets support is available natively and ready for use on ALB. It allows a server to exchange real-time messages with end-users without the end users having to request (or poll) the server for an update.
  • gRPC Support — ALB can route and load balance gRPC traffic between microservices or between gRPC enabled clients and services. gRPC uses HTTP/2 for transport and is becoming the protocol of choice for inter-service communications in microservices architectures.
  • Redirects — ALB can redirect an incoming request from one URL to another URL. For example, redirecting from HTTP to HTTPS and redirecting from an old version of an application to a new version.
  • Fixed Response — ALB can control which client requests are served by your applications. This enables you to respond to incoming requests with HTTP error response codes and custom error messages from the load balancer itself, without forwarding the request to the application.
  • Server Name Indication (SNI) — You can use SNI to serve multiple secure websites using a single TLS listener. That is, you can associate multiple certificates with the same secure listener. If the hostname sent by the client matches multiple certificates, the load balancer selects the best certificate to use based on a smart selection algorithm.
  • IP addresses as Targets — You can load balance any application hosted in AWS (Single VPC, Peered VPCs and EC2-Classic) or on-premises (over a Direct Connect or VPN connection) using IP addresses of the application backends as targets.
  • Lambda functions as Targets — You can register Lambda functions as targets for a load balancer and leverage the support for content-based routing rules to route requests to different Lambda functions over both HTTP and HTTPS protocol.
  • Content-based Routing — If your application is composed of several individual services, an ALB can route a request to a service based on the content of the request, such as the Host field, URL path, HTTP header, HTTP method, query string or source IP address.
      • Host-based Routing — Route a client request based on the Host field of the HTTP header, allowing you to serve multiple domains from the same load balancer.
      • Path-based Routing — Route a client request based on the URL path of the HTTP request.
      • HTTP header-based Routing — Route a client request based on the value of any standard or custom HTTP header.
      • HTTP method-based Routing — Route a client request based on any standard or custom HTTP method.
      • Query string parameter-based Routing — Route a client request based on the query string or individual query parameters.
      • Source IP address CIDR-based Routing — Route a client request based on the source IP address CIDR from which the request originates.
  • Containerized Application Support — ALB provides enhanced container support by load balancing across multiple ports on a single Amazon EC2 instance. ALB also integrates deeply with the Amazon EC2 Container Service (ECS).
  • Slow Start Mode with Load-Balancing Algorithm — ALB supports a slow start mode with the round-robin algorithm that allows you to add new targets without overwhelming them with a flood of requests. With the slow start mode, targets warm up before accepting their fair share of requests based on a ramp-up period that you specify.
  • User Authentication — You can offload the authentication functionality from your apps into ALB. ALB will securely authenticate users as they access cloud applications. Application Load Balancer is seamlessly integrated with Amazon Cognito.
  • Request Tracing — ALB injects a custom identifier in the “X-Amzn-Trace-Id” HTTP header on all requests coming into the load balancer. Request tracing allows you to track a request by its unique ID.
  • Outposts Support — ALB supports AWS Outposts, a fully managed service that extends AWS infrastructure, services, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.
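The forward, redirect, fixed-response and content-based routing features listed above all come down to one mechanism: a listener walks its rules in priority order and applies the action of the first rule whose conditions all match, falling back to the default action. The following is an added example, written for this page and not AWS's own code, that models that evaluation over constructed requests. Rule semantics are simplified (header and query values are matched exactly, wildcards use `fnmatch`, and the `#{path}` placeholder is assumed to expand to the path without its leading slash, which is why the default path template reads `/#{path}`); target group names, hostnames and the `10.0.0.0/8` range are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import parse_qs


@dataclass
class Request:
    """One inbound request as the listener sees it (constructed sample shape)."""
    method: str
    host: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    source_ip: str = "198.51.100.1"   # connection source address, not X-Forwarded-For
    protocol: str = "HTTPS"
    port: int = 443


@dataclass
class Rule:
    """Listener rule: every present condition must match (AND); within one condition
    any listed value is enough (OR). Host and path patterns take '*' and '?' wildcards."""
    priority: int
    action: dict
    hosts: Optional[list] = None
    paths: Optional[list] = None
    methods: Optional[list] = None
    headers: Optional[dict] = None        # header name -> accepted values (exact match here)
    query: Optional[dict] = None          # query key -> accepted values
    source_cidrs: Optional[list] = None

    def matches(self, req: Request) -> bool:
        if self.hosts and not any(fnmatchcase(req.host.lower(), h.lower()) for h in self.hosts):
            return False
        if self.paths and not any(fnmatchcase(req.path, p) for p in self.paths):
            return False
        if self.methods and req.method.upper() not in {m.upper() for m in self.methods}:
            return False
        got = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
        if self.headers and any(got.get(n.lower()) not in v for n, v in self.headers.items()):
            return False
        params = parse_qs(req.query)
        if self.query and any(not set(params.get(k, [])) & set(v) for k, v in self.query.items()):
            return False
        if self.source_cidrs and not any(ip_address(req.source_ip) in ip_network(c)
                                         for c in self.source_cidrs):
            return False
        return True


def expand_redirect(req: Request, spec: dict) -> str:
    """Expand #{protocol} #{host} #{port} #{path} #{query} placeholders (assumption:
    #{path} has no leading '/', and default ports are dropped from the Location URL)."""
    subs = {"#{protocol}": req.protocol, "#{host}": req.host, "#{port}": str(req.port),
            "#{path}": req.path.lstrip("/"), "#{query}": req.query}

    def fill(template: str) -> str:
        for key, val in subs.items():
            template = template.replace(key, val)
        return template

    protocol = fill(spec.get("protocol", "#{protocol}")).lower()
    host, port = fill(spec.get("host", "#{host}")), fill(spec.get("port", "#{port}"))
    path, query = fill(spec.get("path", "/#{path}")), fill(spec.get("query", "#{query}"))
    authority = host if port == {"http": "80", "https": "443"}.get(protocol) else f"{host}:{port}"
    return f"{protocol}://{authority}{path}" + (f"?{query}" if query else "")


def apply_action(action: dict, req: Request) -> dict:
    kind = action["type"]
    if kind == "forward":
        return {"action": "forward", "target_group": action["target_group"]}
    if kind == "redirect":
        return {"action": "redirect", "status": action.get("status_code", 301),
                "location": expand_redirect(req, action)}
    if kind == "fixed-response":   # answered by the load balancer; never reaches a target
        return {"action": "fixed-response", "status": action["status_code"],
                "body": action.get("body", "")}
    raise ValueError(f"unknown action type: {kind}")


def evaluate(rules: list, default_action: dict, req: Request) -> dict:
    """First matching rule in ascending priority order wins, else the default action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return apply_action(rule.action, req)
    return apply_action(default_action, req)


# Constructed sample listeners. Ordering trap: the admin allow-list (10) must sit
# above the admin deny (20); swap the two priorities and the deny shadows the allow.
HTTPS_RULES = [
    Rule(10, {"type": "forward", "target_group": "tg-admin"},
         paths=["/admin/*"], source_cidrs=["10.0.0.0/8"]),
    Rule(20, {"type": "fixed-response", "status_code": 403, "body": "Forbidden"},
         paths=["/admin/*"]),
    Rule(30, {"type": "forward", "target_group": "tg-api-v2"},
         hosts=["api.example.com"], methods=["POST", "PUT"], headers={"X-Api-Version": ["2"]}),
    Rule(40, {"type": "forward", "target_group": "tg-api-v1"}, hosts=["api.example.com"]),
]
HTTPS_DEFAULT = {"type": "forward", "target_group": "tg-web"}
HTTP_DEFAULT = {"type": "redirect", "protocol": "HTTPS", "port": "443", "status_code": 301}


def route_https(req: Request) -> dict:
    return evaluate(HTTPS_RULES, HTTPS_DEFAULT, req)


def route_http(req: Request) -> dict:
    """Plain-HTTP listener with no rules: its default action redirects everything to HTTPS."""
    return evaluate([], HTTP_DEFAULT, req)
```

Two points worth noticing when reviewing a real listener: the source-IP condition is evaluated on the connection's source address, so it cannot be spoofed through X-Forwarded-For, and a fixed-response rule is the cheapest way to keep unwanted requests away from the targets entirely, but only if its priority places it after any more specific allow rule.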

Key Points

  1. ALB operates at the request level.
  2. You must specify two subnets from at least two Availability Zones to increase the availability of the ALB.
  3. You can specify only one subnet per Availability Zone.
  4. You can perform load balancing for the TCP ports: 1–65535.
  5. Cross-zone load balancing is already enabled by default on ALB.
  6. Request tracing is enabled by default on ALB.
  7. You can use AWS CloudTrail to get a history of ALB API calls made on your account.
  8. You are charged for each hour or partial hour that an ALB is running and the number of Load Balancer Capacity Units (LCU) used per hour.
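Request tracing (feature list above, key point 6) only helps if the application behind the load balancer reads the X-Amzn-Trace-Id value and carries it into its own logs. The following is an added example, not AWS code, of the consumer side: it parses the header, checks that the Root field has the documented `1-<8 hex epoch seconds>-<24 hex>` shape, and mints a replacement in the same shape when the header is missing or malformed (for instance a request that reached the target without passing through the ALB). The 24-hour timestamp sanity window and the `CalledFrom` field name in the sample are assumptions; the sample header values are constructed.

```python
import re
import secrets
import time

# Documented shape of the Root field: version 1, 8 hex chars of epoch seconds,
# then 24 hex chars of random id. Anything else is treated as untrusted input.
TRACE_ID_RE = re.compile(r"^1-([0-9a-f]{8})-([0-9a-f]{24})$")
MAX_SKEW_SECONDS = 24 * 3600   # assumed sanity window for the embedded timestamp


def mint_trace_id(now=None):
    """Build our own id in the same shape the load balancer uses."""
    ts = int(time.time() if now is None else now)
    return f"1-{ts & 0xFFFFFFFF:08x}-{secrets.token_hex(12)}"


def parse_trace_header(value):
    """'Root=...;Self=...;CalledFrom=svc' -> dict; malformed fragments are dropped."""
    fields = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep and name.strip():
            fields[name.strip()] = val.strip()
    return fields


def valid_trace_id(trace_id, now=None):
    """True only for a well-formed id whose timestamp is plausibly recent."""
    m = TRACE_ID_RE.match(trace_id or "")
    if not m:
        return False
    ts = int(m.group(1), 16)
    now = int(time.time() if now is None else now)
    return abs(now - ts) <= MAX_SKEW_SECONDS


def correlation_id(headers, now=None):
    """Return (root_id, well_formed). well_formed=False means the inbound header was
    missing or malformed and a locally minted id is being used instead."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-amzn-trace-id")
    root = parse_trace_header(raw).get("Root") if raw else None
    if root and valid_trace_id(root, now):
        return root, True
    return mint_trace_id(now), False
```

Because the regex restricts the value to hex digits and dashes, the returned id is safe to write straight into structured logs (no log-injection surface), and the `well_formed` flag is itself worth logging: a burst of requests arriving without a valid Root is a signal that something is reaching the targets around the load balancer. Treat the id as a correlation key only; it is a client-visible header, never evidence of who sent the request.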

Use Cases

  • Typically used for web applications, for advanced load balancing of HTTP and HTTPS traffic.
  • When you need advanced routing capabilities (e.g. host-based, path-based routing) targeted at delivery of modern application architectures, including Microservices and container-based applications.
  • When you need SSL offloading at load balancer level.


Happy Clouding!!!

Reference: AWS ALB
