Elastic Load Balancer

Question 1

How many types of load balancers are available in AWS, and what are they called?

Answer 1

Three:
Classic Load Balancer (CLB)
Application Load Balancer (ALB)
Network Load Balancer (NLB)

Question 2

When is a v1 load balancer recommended?

Answer 2

Trick question - they are not recommended. They should be avoided and/or migrated to v2.

Question 3

What is the main difference between ALB and NLB?

Answer 3

The ALB is a true layer-7 load balancer which understands HTTP, HTTPS, WebSocket etc. The NLB is not a layer-7 device and only understands TCP, UDP and TLS.

Question 4

When would you choose an ALB over an NLB?

Answer 4

If your application used HTTP, HTTPS, etc you would use an ALB.

Question 5

What’s the difference between an Internet-facing and an Internal LB?

Answer 5

The internet-facing LB assigns public and private IP addresses to the nodes. The internal LB only assigns private IP addresses to the nodes.

Question 6

True or False: an internal load balancer has private IPs, whereas an Internet-facing load balancer has public IPs.

Answer 6

False. An Internet-facing load balancer has public AND private IPs.

Question 7

What happens if a load balancer node in a subnet fails?

Answer 7

The service will automatically recover by spinning up another node.

Question 8

True or False: there can only be one LB node per subnet.

Answer 8

False.
There can be multiple nodes per subnet, because the service automatically scales out according to demand.

Question 9

True or False: the DNS A-record for an ELB points to the ELB front-end interface.

Answer 9

False. The DNS A-record resolves to the IP addresses of all nodes.

Question 10

What is the function of listeners?

Answer 10

A listener checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.

Question 11

Whereabouts in the ELB configuration are Rules defined?

Answer 11

In the Listener.

Question 12

What is the function of a target group?

Answer 12

A target group routes requests to one or more registered targets, using the protocol and the port number that you specify.

Question 13

True or False: You can have one or more listeners on a v2 Elastic Load Balancer

Answer 13

True.

Question 14

True or False: You can register a target with multiple target groups.

Answer 14

True.

Question 15

True or False: Health checks are configured on a per Target Group basis.

Answer 15

True.
Health checks are performed on all targets registered to a target group.

Question 16

How many rules per listener can be configured on a Network Load Balancer?

Answer 16

One.
Each listener has one rule.

Question 17

On an Application Load Balancer, how many rules per listener can be configured?

Answer 17

A minimum of one - the default rule - must be configured for each listener. Additional rules can also be configured.

Question 18

True or False: Internet-facing LB nodes can only access public instances.

Answer 18

False. Internet-facing LB nodes can distribute requests across public and private instances.

Question 19

True or False: ELBs can load-balance all sorts of AWS services, not just EC2 instances.

Answer 19

True.

Question 20

When deploying an ELB into subnets, what’s the minimum number of free IP addresses that must be available in each subnet?

Answer 20

Eight.

Question 21

What is the AWS recommended minimum subnet size for ELBs?

Answer 21

/27

Question 22

True or False: a /28 is sufficient for deploying an ELB.

Answer 22

True. But remember that the official AWS recommended minimum is /27. If the exam question has both /27 and /28 as possible answers, then choose /27. If /27 is not a possible answer, then /28 is probably the right answer.

Question 23

What is the typical use for an internal LB?

Answer 23

They are placed between application tiers, allowing scaling between application tiers.

Question 24

What problem did the introduction of cross-zone load balancing solve, and how?

Answer 24

Originally, a LB node in an AZ could only distribute requests across the registered instances in that AZ. This could result in uneven load distribution, particularly if an AZ had fewer instances.
Cross-zone LB allows LB nodes to distribute requests across all registered instances in ALL availability zones.

Question 25

What is cross-zone load balancing?

Answer 25

The ability to load balance across availability zones.

Question 26

True or False: For ALBs, is cross-zone load balancing enabled by default?

Answer 26

Yes

Question 27

True or False: For NLBs, is cross-zone load balancing enabled by default?

Answer 27

No

Question 28

With NLBs there are two places where cross-zone load balancing can be configured. What are they?

Answer 28

1. At the load-balancer level.
2. At the target group level.

Question 29

What is an ELB feature that can help with uneven distribution of load?

Answer 29

Cross-zone load balancing.

Question 30

Can an internet facing LB distribute requests to private instances?

Answer 30

Yes

Question 31

True or False: an internet facing LB cannot distribute requests to both private and public instances at the same time.

Answer 31

False. An internet facing LB can distribute requests to private or public instances. Instances do not have to be public in order to work with an internet-facing LB.

Question 32

What does SNI mean and what does it do?

Answer 32

SNI = Server Name Identification.
It is an extension to the TLS protocol that allows a server to present multiple SSL/TLS certificates on the same IP address and port number.

Question 33

True or False: NLBs can terminate TLS connections.

Answer 33

True.
The NLB can decrypt requests from clients before forwarding them to targets.

Question 34

What two settings are required in order for an NLB to terminate TLS connections?

Answer 34

1. An SSL certificate must be specified.
2. Select TLS as the protocol.

Question 35

True or False: to allow unbroken client-server encryption on an NLB, you need to create a TLS listener.

Answer 35

False. For unbroken encryption you should create a TCP listener.

Selecting TLS would result in the NLB terminating the encrypted connection, decrypting the client request then forwarding it to the server.

Question 36

What protocols does an ALB not support?

Answer 36

It does not support any other protocols than HTTP and HTTPS.

Question 37

Which type of load balancer supports connection draining?

Answer 37

Classic Load Balancer.

Question 38

On an ALB, where is Deregistration Delay configured?

Answer 38

On the Target group.

Question 39

When working with gRPC, which load balancer(s) can be used?

Answer 39

An ALB or NLB can be used, as gRPC uses HTTP as the underlying transport.

Question 40

What do ELB security policies govern, and what part of ELB do they apply to?

Answer 40

They govern which protocols and ciphers are acceptable. They apply to the Listener.

Question 41

With security policies, who controls the policy between the client and LB?

Answer 41

You do (as opposed to AWS)

Question 42

With security policies, who controls the policy between the LB and Targets?

Answer 42

AWS controls this.

Question 43

What is the 1 upside and 1 downside of newer security policies?

Answer 43

Upside: they are more secure.
Downside: they are less compatible.

Question 44

Why might you want to choose an older ELB security policy?

Answer 44

In order to ensure compatibility, e.g. with older web browsers.

Question 45

True or False: an ALB can be configured with TCP/UDP/TLS listeners.

Answer 45

False.

Question 46

True or False: an NLB can be configured with TCP/UDP/TLS/TCP_UDP listeners.

Answer 46

True.

Question 47

True or False: ALBs have higher performance than NLBs.

Answer 47

False. Because ALBs are layer 7 load-balancers, there’s more processing involved, and so they have higher latency.

Question 48

True or False: NLBs have higher performance than ALBs.

Answer 48

True.

NLBs are layer 4 load-balancers and therefore do not do as much processing, resulting in higher performance compared to ALBs.

Question 49

True or False: on an ALB, all incoming connections are terminated on the LB.

Answer 49

True.

Question 50

What is the best load-balancer type for end-to-end encryption?

Answer 50

Network Load Balancer, because ALBs don’t support unbroken encryption.

Question 51

How do you enable SSL pass-through mode on an ALB?

Answer 51

There is no such thing. ALBs do not support unbroken SSL/TLS between client and server.

Question 52

What is required on an ALB if HTTPS is used?

Answer 52

An SSL certificate.

Question 53

What order are ALB rules processed in?

Answer 53

Priority order.

Question 54

What layer 7 protocols does an NLB support?

Answer 54

None. The NLB is a layer 4 load-balancer.

Question 55

What protocols do NLB target groups support?

Answer 55

TCP, UDP, TLS, and TCP_UDP

Question 56

What NLB setting enables rules for headers, cookies and session persistence?

Answer 56

No such thing - NLBs are not aware of these HTTP/S features as they are layer 4 load-balancers.

Question 57

NLBs are faster than ALBs. NLBs typically have a latency that is what percentage of an ALB’s latency?

Answer 57

25% of an ALB’s latency.

Question 58

What health check (protocols) does an NLB support?

Answer 58

HTTP, HTTPS and TCP

Question 59

Why would you want to configure a static IP on an NLB?

Answer 59

For IP whitelisting purposes.

Question 60

True or False: NLBs support unbroken encryption.

Answer 60

True.

Question 61

What can be used with NLBs to provide services to other VPCs?

Answer 61

Private Link.

Question 62

If your situation requires or uses ANY of these five things, you should choose an NLB over an ALB.

Answer 62

1. Unbroken encryption.
2. Static IP for whitelisting.
3. Fastest possible performance.
4. Non HTTP or HTTPS based protocol.
5. Private Link to other VPCs.

Question 63

True or False: Connection Draining is supported on all LB types.

Answer 63

False.

Connection Draining is only supported on the Classic Load Balancer.

Question 64

What does Connection Draining do?

Answer 64

It gracefully removes connections when an instance is going out of service.

Question 65

How does Connection Draining ensure that all connections are eventually terminated?

Answer 65

It prevents new connections from being established, whilst waiting for in-flight connections to complete. After a configurable timeout period (default = 300 sec) connections are terminated.

Question 66

What is the ALB/NLB/GWLB equivalent of Connection Draining called?

Answer 66

De-registration Delay.

Question 67

What are the minimum, maximum and default values of de-registration Delay?

Answer 67

0-3600 seconds, default = 300.

Question 68

What does a de-registration delay of zero do?

Answer 68

It disables timed de-registration delay, preventing in-flight connections from being timed out.

Question 69

What is X-Forwarded-For, and what is its purpose?

Answer 69

It’s an HTTP header used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Question 70

What would multiple IP addresses in an X-Forwarded-For header mean?

Answer 70

It would signify that the HTTP packet has passed through multiple proxies and/or load balancers.

Question 71

In an X-Forwarded-For header how can you tell which IP address belongs to the originating host?

Answer 71

It is the left-most IP address in the list.

Question 72

Which ELB types is X-Forwarded-For supported on?

Answer 72

ALB and CLB.

Question 73

Which ELB types support the PROXY protocol?

Answer 73

CLB and NLB.

Question 74

Which versions of the PROXY protocol are supported by which ELBs?

Answer 74

CLB supports v1 (human readable).
NLB supports v2 (binary encoded).

Question 75

What does PROXY protocol do?

Answer 75

It is a way for a proxy server to communicate the original client IP address when forwarding connections to a server.

Question 76

What layer does PROXY protocol operate on?

Answer 76

The transport layer.

Question 77

True or false: The PROXY protocol is supported on all ELB types.

Answer 77

False. It is only supported on CLB and NLB.

Question 78

Is PROXY protocol typically used with TCP, UDP or both?

Answer 78

TCP.

Question 79

What does the Gateway Load Balancer (GWLB) do?

Answer 79

It distributes network traffic to ensure high availability and scalability for virtual appliances (eg. firewalls).

Question 80

What protocol does the GWLB use to encapsulate traffic to the NVAs?

Answer 80

The GENEVE protocol.

Question 81

Why does the GWLB use the GENEVE protocol to encapsulate traffic to the NVAs?

Answer 81

So that the traffic is completely unaltered, allowing it to be inspected in its original state.

Question 82

Which VPC is the GWLB deployed into?

Answer 82

The same VPC as the security appliances.