Elastic Load Balancer Flashcards
How many types of load balancers are available in AWS, and what are they called?
Three:
Classic Load Balancer (CLB)
Application Load Balancer (ALB)
Network Load Balancer (NLB)
When is a v1 load balancer recommended?
Trick question - they are not recommended. They should be avoided and/or migrated to v2.
What is the main difference between ALB and NLB?
The ALB is a true layer-7 load balancer which understands HTTP, HTTPS, WebSocket etc. The NLB is not a layer-7 device and only understands TCP, UDP and TLS.
When would you choose an ALB over an NLB?
If your application used HTTP, HTTPS, etc you would use an ALB.
What’s the difference between an Internet-facing and an Internal LB?
The internet-facing LB assigns public and private IP addresses to the nodes. The internal LB only assigns private IP addresses to the nodes.
True or False: an internal load balancer has private IPs, whereas an Internet-facing load balancer has public IPs.
False. An Internet-facing load balancer has public AND private IPs.
What happens if a load balancer node in a subnet fails?
The service will automatically recover by spinning up another node.
True or False: there can only be one LB node per subnet.
False.
There can be multiple nodes per subnet, because the service automatically scales out according to demand.
True or False: the DNS A-record for an ELB points to the ELB front-end interface.
False. The DNS A-record resolves to the IP addresses of all nodes.
What is the function of listeners?
A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.
Whereabouts in the ELB configuration are Rules defined?
In the Listener.
What is the function of a target group?
A target group routes requests to one or more registered targets, using the protocol and the port number that you specify.
True or False: You can have one or more listeners on a v2 Elastic Load Balancer
True.
True or False: You can register a target with multiple target groups.
True.
True or False: Health checks are configured on a per Target Group basis.
True.
Health checks are performed on all targets registered to a target group.
How many rules per listener can be configured on a Network Load Balancer?
One.
Each listener has one rule.
On an Application Load Balancer, how many rules per listener can be configured?
A minimum of one - the default rule - must be configured for each listener. Additional rules can also be configured.
True or False: Internet-facing LB nodes can only access public instances.
False. Internet-facing LB nodes can distribute requests across public and private instances.
True or False: ELBs can load-balance all sorts of AWS services, not just EC2 instances.
True.
When deploying an ELB into subnets, what’s the minimum number of free IP addresses that must be available in each subnet?
Eight.
What is the AWS recommended minimum subnet size for ELBs?
/27
True or False: a /28 is sufficient for deploying an ELB.
True. But remember that the official AWS recommended minimum is /27. If the exam question has both /27 and /28 as possible answers, then choose /27. If /27 is not a possible answer, then /28 is probably the right answer.
What is the typical use for an internal LB?
They are placed between application tiers, allowing scaling between application tiers.
What problem did the introduction of cross-zone load balancing solve, and how?
Originally, a LB node in an AZ could only distribute requests across the registered instances in that AZ. This could result in uneven load distribution, particularly if an AZ had fewer instances.
Cross-zone LB allows LB nodes to distribute requests across all registered instances in ALL availability zones.
What is cross-zone load balancing?
The ability to load balance across availability zones.
True or False: For ALBs, is cross-zone load balancing enabled by default?
Yes
True or False: For NLBs, is cross-zone load balancing enabled by default?
No
With NLBs there are two places where cross-zone load balancing can be configured. What are they?
- At the load-balancer level.
- At the target group level.
What is an ELB feature that can help with uneven distribution of load?
Cross-zone load balancing.
Can an internet facing LB distribute requests to private instances?
Yes
True or False: an internet facing LB cannot distribute requests to both private and public instances at the same time.
False. An internet facing LB can distribute requests to private or public instances. Instances do not have to be public in order to work with an internet-facing LB.
What does SNI mean and what does it do?
SNI = Server Name Identification.
It is an extension to the TLS protocol that allows a server to present multiple SSL/TLS certificates on the same IP address and port number.
True or False: NLBs can terminate TLS connections.
True.
The NLB can decrypt requests from clients before forwarding them to targets.
What two settings are required in order for an NLB to terminate TLS connections?
- An SSL certificate must be specified.
- Select TLS as the protocol.
True or False: to allow unbroken client-server encryption on an NLB, you need to create a TLS listener.
False. For unbroken encryption you should create a TCP listener.
Selecting TLS would result in the NLB terminating the encrypted connection, decrypting the client request then forwarding it to the server.
What protocols does an ALB not support?
It does not support any other protocols than HTTP and HTTPS.
Which type of load balancer supports connection draining?
Classic Load Balancer.
On an ALB, where is Deregistration Delay configured?
On the Target group.
When working with gRPC, which load balancer(s) can be used?
An ALB or NLB can be used, as gRPC uses HTTP as the underlying transport.
What do ELB security policies govern, and what part of ELB do they apply to?
They govern which protocols and ciphers are acceptable. They apply to the Listener.
With security policies, who controls the policy between the client and LB?
You do (as opposed to AWS)
With security policies, who controls the policy between the LB and Targets?
AWS controls this.
What is the 1 upside and 1 downside of newer security policies?
Upside: they are more secure.
Downside: they are less compatible.
Why might you want to choose an older ELB security policy?
In order to ensure compatibility, e.g. with older web browsers.
True or False: an ALB can be configured with TCP/UDP/TLS listeners.
False.
True or False: an NLB can be configured with TCP/UDP/TLS/TCP_UDP listeners.
True.
True or False: ALBs have higher performance than NLBs.
False. Because ALBs are layer 7 load-balancers, there’s more processing involved, and so they have higher latency.
True or False: NLBs have higher performance than ALBs.
True.
NLBs are layer 4 load-balancers and therefore do not do as much processing, resulting in higher performance compared to ALBs.
True or False: on an ALB, all incoming connections are terminated on the LB.
True.
What is the best load-balancer type for end-to-end encryption?
Network Load Balancer, because ALBs don’t support unbroken encryption.
How do you enable SSL pass-through mode on an ALB?
There is no such thing. ALBs do not support unbroken SSL/TLS between client and server.
What is required on an ALB if HTTPS is used?
An SSL certificate.
What order are ALB rules processed in?
Priority order.
What layer 7 protocols does an NLB support?
None. The NLB is a layer 4 load-balancer.
What protocols do NLB target groups support?
TCP, UDP, TLS, and TCP_UDP
What NLB setting enables rules for headers, cookies and session persistence?
No such thing - NLBs are not aware of these HTTP/S features as they are layer 4 load-balancers.
NLBs are faster than ALBs. NLBs typically have a latency that is what percentage of an ALB’s latency?
25% of an ALB’s latency.
What health check (protocols) does an NLB support?
HTTP, HTTPS and TCP
Why would you want to configure a static IP on an NLB?
For IP whitelisting purposes.
True or False: NLBs support unbroken encryption.
True.
What can be used with NLBs to provide services to other VPCs?
Private Link.
If your situation requires or uses ANY of these five things, you should choose an NLB over an ALB.
- Unbroken encryption.
- Static IP for whitelisting.
- Fastest possible performance.
- Non HTTP or HTTPS based protocol.
- Private Link to other VPCs.
True or False: Connection Draining is supported on all LB types.
False.
Connection Draining is only supported on the Classic Load Balancer.
What does Connection Draining do?
It gracefully removes connections when an instance is going out of service.
How does Connection Draining ensure that all connections are eventually terminated?
It prevents new connections from being established, whilst waiting for in-flight connections to complete. After a configurable timeout period (default = 300 sec) connections are terminated.
What is the ALB/NLB/GWLB equivalent of Connection Draining called?
De-registration Delay.
What are the minimum, maximum and default values of de-registration Delay?
0-3600 seconds, default = 300.
What does a de-registration delay of zero do?
It disables timed de-registration delay, preventing in-flight connections from being timed out.
What is X-Forwarded-For, and what is its purpose?
It’s an HTTP header used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer.
What would multiple IP addresses in an X-Forwarded-For header mean?
It would signify that the HTTP packet has passed through multiple proxies and/or load balancers.
In an X-Forwarded-For header how can you tell which IP address belongs to the originating host?
It is the left-most IP address in the list.
Which ELB types is X-Forwarded-For supported on?
ALB and CLB.
Which ELB types support the PROXY protocol?
CLB and NLB.
Which versions of the PROXY protocol are supported by which ELBs?
CLB supports v1 (human readable).
NLB supports v2 (binary encoded).
What does PROXY protocol do?
It is a way for a proxy server to communicate the original client IP address when forwarding connections to a server.
What layer does PROXY protocol operate on?
The transport layer.
True or false: The PROXY protocol is supported on all ELB types.
False. It is only supported on CLB and NLB.
Is PROXY protocol typically used with TCP, UDP or both?
TCP.
What does the Gateway Load Balancer (GWLB) do?
It distributes network traffic to ensure high availability and scalability for virtual appliances (eg. firewalls).
What protocol does the GWLB use to encapsulate traffic to the NVAs?
The GENEVE protocol.
Why does the GWLB use the GENEVE protocol to encapsulate traffic to the NVAs?
So that the traffic is completely unaltered, allowing it to be inspected in its original state.
Which VPC is the GWLB deployed into?
The same VPC as the security appliances.
