ELB Flashcards

This deck aims to help retain concepts related to the AWS ELB service.

1
Q

Which AWS service automatically distributes incoming application traffic across multiple targets and virtual appliances, both in AWS and on-premises environments?

A

The Elastic Load Balancer (ELB) abstracts customer traffic from infrastructure, allowing each tier to scale independently

2
Q

What are the different types of Elastic Load Balancers offered by AWS?

A
  • Application Load Balancer (ALB)
  • Network Load Balancer (NLB)
  • Gateway Load Balancer (GLB)
  • Classic Load Balancer (CLB) (deprecated)
3
Q

What are the primary considerations when configuring an ELB in AWS?

A
  • Configured to operate in 2 or more AZs
  • 1 or more ELB nodes are placed into a subnet in each AZ, and scale with load
  • Given a DNS name (an A record) that resolves to the ELB nodes

4
Q

How many IP addresses does an ELB require to operate?

A

ELB requires at least 8 free IP addresses to function and allow for scaling (/28 subnet is sufficient, but /27 or larger is preferred)

5
Q

What is the difference between a public-facing and an internal ELB?

A
  • Internet-facing ELB: receives traffic from the internet and can route it to public or private targets (EC2 instances); its ELB nodes have both public and private IP addresses
  • Internal ELB: receives traffic from internal services and is generally used to separate application tiers; its ELB nodes have private IP addresses only

6
Q

Which component of an ELB requires configuration to accept traffic on a specific port/protocol and communicate with targets on a port/protocol?

A

Listeners

7
Q

What key feature of an ELB ensures that incoming requests are evenly distributed across all registered instances in multiple AZs, enhancing fault tolerance and overall application responsiveness?

A

Cross-zone load balancing: each ELB node in every AZ can distribute traffic evenly to targets in other AZs, not only to targets in its own AZ

8
Q

Why is the Classic Load Balancer (CLB) not recommended for use?

A

Classic Load Balancers do not support Server Name Indication (SNI), so a separate CLB is required for each unique HTTPS name. In contrast, both ALB and NLB support rules, target groups, and host-based rules using SNI

9
Q

Does ALB support an unbroken connection from the customer to the application instance?

A

No. SSL/TLS is always terminated at the ALB, so there is no unbroken SSL connection from the client to the application instance; a new SSL connection is established between the ALB and the application instance

10
Q

What are the primary features of an ALB?

A
  • Layer 7 load balancer
  • Supports HTTP/HTTPS protocols and can inspect content types, cookies, custom headers, user location, and application behavior
  • Does not support other Layer 7 protocols like SMTP, FTP, etc.
  • Does not support TCP/UDP/TLS listeners
  • Can evaluate application health
  • Requires an SSL certificate for HTTPS
  • Slower due to additional layers in the networking stack
11
Q

Which component of an ALB is responsible for handling connection requests using a specific protocol and port?

A

The Listener, where direct connections are received

12
Q

Which ALB component consists of a priority, one or more actions, and one or more conditions?

A

The Listener Rule, processed in sequence, with the default rule (catch-all) processed last

13
Q

What conditions can be set in a Listener Rule?

A

Conditions can include: host-header, http-header, http-request-method, path-patterns, query-strings, source-IP, and others

14
Q

What actions can a Listener Rule perform?

A

Actions can include: forward, redirect, fixed-response, authenticate-oidc, and authenticate-cognito

14
Q

What are the primary features of NLB?

A
  • A Layer 4 load balancer (TCP/UDP/TLS/TCP_UDP)
  • No visibility into or understanding of HTTP/HTTPS; does not support headers, cookies, or session stickiness
  • Cannot evaluate application health; only performs ICMP checks and basic TCP handshakes
  • Can use static IPs, useful for whitelisting
  • Can forward TCP listeners to application instances, providing an unbroken SSL connection (end-to-end encryption)
  • Extremely fast, handling millions of requests per second with 25% of the latency of an ALB

15
Q

When should an NLB be preferred over other types of load balancers?

A
  • When end-to-end encryption (unbroken SSL connection) is required
  • When static IPs for whitelisting are necessary
  • When maximum performance is needed
  • When HTTP or HTTPS is not required
  • When using PrivateLink to provide services to other VPCs
For all other scenarios, use an ALB

16
Q

What options does ELB offer for handling secure connections?

A

  • SSL Bridging (ALB)
  • SSL Pass-Through (NLB)
  • SSL Offload/Termination (ALB)

16
Q

What approach does ELB use for handling secure connections when traffic is decrypted, inspected, and then re-encrypted?

A

SSL Bridging (ALB)

17
Q

What approach does ELB use for handling secure connections when encrypted traffic is passed directly without decryption?

A

SSL Pass-Through (NLB)

18
Q

What approach does ELB use for handling secure connections when traffic is decrypted and then forwarded in plain HTTP without encryption?

A

SSL Offload/Termination (ALB)

19
Q

What are the primary features of SSL Bridging?

A
  • One or more clients make connections to the load balancer
  • The listener is configured for HTTPS
  • The connection is terminated on the load balancer, which requires an SSL certificate for the domain name
  • The load balancer initiates a new SSL connection to the backend instances
  • Instances require SSL certificates and compute resources for cryptographic operations
  • The load balancer needs the certificate so it can remove the secure layer, inspect the HTTP traffic, and make decisions based on its content before creating a new encrypted SSL session with the backend instances
  • Negatives: the certificate is stored on the load balancer itself (a risk), and the EC2 instances also need a copy of it, which adds administrative overhead and requires compute resources for cryptographic operations
20
Q

What are the primary features of SSL Pass-Through?

A
  • The listener is configured for TCP
  • No encryption or decryption occurs on the load balancer
  • The connection is passed directly to the backend instances
  • Each instance must have the appropriate SSL certificate installed
  • There is no exposure of certificates to AWS, as encrypted traffic is passed through the load balancer to the backend instances without intervention
21
Q

What are the primary features of SSL Offload/Termination?

A
  • The listener is configured for HTTPS
  • Connections are terminated on the load balancer, which requires an SSL certificate for the domain name
  • The load balancer initiates non-secure connections to the backend instances using HTTP
  • Traffic from the ELB to the backend instance is never encrypted again
  • Instances do not require an SSL certificate or perform cryptographic operations
22
Q

Which ELB feature enables a load balancer to route requests from a specific client to the same instance for the duration of a user’s session?

A

Sticky Sessions (also known as session affinity or session persistence)

23
Q

What is a good use case for the ELB Sticky Sessions feature?

A

Sticky Sessions are crucial for stateful servers; however, if user state is stored externally (not on the server), stickiness is not required

24
Q

How does ELB determine which instance to route traffic to when Sticky Sessions are enabled?

A

Sticky Sessions generate an AWSELB cookie, which locks the client to a single backend instance for a specified duration (from 1 second to 7 days). Once the cookie expires, the user is allocated a new cookie and a new backend instance

25
Q

What is the primary function of the GWLB?

A

It helps run and scale third-party appliances such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), data analysis tools, and inbound/outbound transparent traffic inspection/protection

26
Q

What type of Load Balancer enables you to deploy, scale, and manage virtual appliances like firewalls, intrusion detection and prevention systems, and deep packet inspection systems?

A

Gateway Load Balancer (GWLB)

27
Q

Which GWLB component operates within a VPC where traffic you want to monitor originates or is destined to, similar to a normal VPC interface endpoint but with the added capability to be included in the route table as the next hop?

A

GWLB Endpoint

28
Q

What are the primary features of the GWLB?

A
  • It load balances packets across multiple backend instances running security software without altering them
  • It uses the GENEVE protocol to create a tunnel between the GWLB and backend instances
  • It manages flow stickiness, ensuring that one flow always uses one appliance
  • It provides an abstraction to enhance resiliency and allows appliances to scale horizontally
29
Q

What might a traffic flow representation look like when using GWLB?

A
  1. Client ->
  2. Internet Gateway (traffic via route table directs the next hop to the GWLB endpoint) ->
  3. GWLB Endpoint ->
  4. GW Load Balancer (balances the load to a range of appliances through the GENEVE tunnel) ->
  5. Security Network Appliance instance ->
  6. GW Load Balancer ->
  7. GWLB Endpoint ->
  8. Application Load Balancer ->
  9. Application instance ->
  10. Application Load Balancer ->
  11. GWLB Endpoint ->
  12. GW Load Balancer ->
  13. GWLB Endpoint ->
  14. Internet Gateway ->
  15. Client