ELB Flashcards
This deck aims to help retain concepts related to the AWS ELB service.
Which AWS service automatically distributes incoming application traffic across multiple targets and virtual appliances, both in AWS and on-premises environments?
The Elastic Load Balancer (ELB) abstracts customer traffic from infrastructure, allowing each tier to scale independently
What are the different types of Elastic Load Balancers offered by AWS?
- Application Load Balancer (ALB)
- Network Load Balancer (NLB)
- Gateway Load Balancer (GWLB)
- Classic Load Balancer (CLB) (previous generation, deprecated)
What are the primary considerations when configuring an ELB in AWS?
- Configured to operate in 2 or more AZs
- 1 or more ELB nodes are placed into a subnet in each AZ, and scale with load
- Given a DNS name whose A records resolve to the IP addresses of the ELB nodes (clients must use the name, not a node IP, because nodes are added and replaced as the ELB scales)
How many IP addresses does an ELB require to operate?
AWS requires each load balancer subnet to have at least a /27 CIDR block and at least 8 free IP addresses so that the ELB nodes can scale out; a /28 leaves only 11 usable addresses after AWS reserves 5 per subnet, so use /27 or larger
What is the difference between a public-facing and an internal ELB?
- Internet-facing ELB:
- receives traffic from the internet
- can route traffic to public and private targets (EC2 instances)
- ELB nodes have both public and private IP addresses
- Internal ELB:
- receives traffic from internal services
- generally used to separate different application tiers allowing independent scaling
- ELB nodes have private IP addresses only
Which component of an ELB requires configuration to accept traffic on a specific port/protocol and communicate with targets on a port/protocol?
Listeners
What key feature of an ELB ensures that incoming requests are evenly distributed across all registered instances in multiple AZs, enhancing fault tolerance and overall application responsiveness?
Cross-zone Load Balancing
With it enabled, each ELB node distributes traffic across registered targets in all enabled AZs rather than only in its own AZ (on by default for ALB, off by default for NLB and GWLB)
Why is the Classic Load Balancer (CLB) not recommended for use?
Classic Load Balancers do not support Server Name Indication (SNI), requiring a separate CLB for each unique HTTPS name
In contrast, ALB supports listener rules (host- and path-based routing) and target groups, and both ALB and NLB can serve multiple certificates from one listener by selecting the right one via SNI
Does ALB support an unbroken connection from the customer to the application instance?
No, TLS is always terminated at the ALB
There is no unbroken TLS session from the client to the application instance: the ALB decrypts the request, inspects it, and then opens a separate connection to the instance (a new TLS session if the target group protocol is HTTPS, plain HTTP otherwise)
What are the primary features of an ALB?
- Layer 7 load balancer
- Supports HTTP/HTTPS and can route on request content: host, path, headers, cookies, query strings, HTTP method and source IP
- Does not support other Layer 7 protocols like SMTP, FTP, etc.
- Does not support TCP/UDP/TLS listeners
- Can evaluate application health
- Requires an SSL certificate for HTTPS
- Higher latency than an NLB because every request is terminated and parsed at Layer 7
Which ALB component handles incoming connection requests based on a specific protocol and port?
Listener, which processes and routes incoming requests
Which ALB component consists of a priority, one or more actions, and one or more conditions?
Listener Rule, evaluated in ascending priority order (lowest number first); the first rule whose conditions all match wins, and the default rule (catch-all) has no priority and is evaluated last
What conditions can be set in a Listener Rule?
- host-header
- http-header
- http-request-method
- path-patterns
- query-strings
- source-IP, and others
What actions can a Listener Rule perform?
- forward
- redirect
- fixed-response
- authenticate-oidc
- authenticate-cognito
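The rule evaluation described above, as an added example that is not part of the original deck or AWS code: a toy evaluator that walks listener rules in priority order, ANDs the conditions inside each rule, and falls back to the default rule. The rule set, target-group names and CIDRs are constructed; it also shows why ordering matters, since swapping two priorities lets a 403 catch-all shadow an allow rule.

```python
# Added example, not AWS code: a toy evaluator that mimics how an ALB listener
# walks its rules. Rule shapes, target-group names and CIDRs are constructed.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _glob(value, patterns):
    # ALB wildcards: '*' matches zero or more characters, '?' exactly one
    return any(fnmatchcase(value, p) for p in patterns)


def condition_matches(cond, req):
    field = cond["field"]
    if field == "host-header":          # host matching is case-insensitive
        return _glob(req["host"].lower(), [v.lower() for v in cond["values"]])
    if field == "path-pattern":         # path matching is case-sensitive, path only
        return _glob(req["path"], cond["values"])
    if field == "http-request-method":
        return req["method"] in cond["values"]
    if field == "http-header":          # cond["name"] is the header to inspect
        return _glob(req["headers"].get(cond["name"].lower(), ""), cond["values"])
    if field == "query-string":         # values are (key, value) pairs; key None = any key
        return any((k is None or _glob(qk, [k])) and _glob(qv, [v])
                   for k, v in cond["values"] for qk, qv in req["query"])
    if field == "source-ip":
        return any(ip_address(req["source_ip"]) in ip_network(c) for c in cond["values"])
    raise ValueError(f"unsupported condition field: {field}")


def evaluate(rules, default_actions, req):
    """Conditions within a rule are ANDed; rules are tried in ascending priority
    and the first full match wins. If nothing matches, the default rule fires."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, req) for c in rule["conditions"]):
            return rule["priority"], rule["actions"]
    return "default", default_actions


def make_request(path, source_ip, host="www.example.com", method="GET",
                 headers=None, query=()):
    return {"path": path, "source_ip": source_ip, "host": host, "method": method,
            "headers": {k.lower(): v for k, v in (headers or {}).items()},
            "query": list(query)}


# Constructed rule set: /admin/* is allowed only from the office CIDR; a
# lower-priority (higher number) catch-all for /admin/* returns 403.
OFFICE_CIDR = "203.0.113.0/24"
RULES = [
    {"priority": 10,
     "conditions": [{"field": "path-pattern", "values": ["/admin/*"]},
                    {"field": "source-ip", "values": [OFFICE_CIDR]}],
     "actions": [{"type": "forward", "target_group": "tg-admin"}]},
    {"priority": 20,
     "conditions": [{"field": "path-pattern", "values": ["/admin/*"]}],
     "actions": [{"type": "fixed-response", "status": 403}]},
    {"priority": 30,
     "conditions": [{"field": "host-header", "values": ["*.example.com"]}],
     "actions": [{"type": "forward", "target_group": "tg-web"}]},
]
DEFAULT_ACTIONS = [{"type": "fixed-response", "status": 404}]


def swap_priorities(rules, a, b):
    """Return a copy of the rules with priorities a and b exchanged, to show that
    ordering alone decides whether the allow rule is reachable."""
    swap = {a: b, b: a}
    return [dict(r, priority=swap.get(r["priority"], r["priority"])) for r in rules]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, evaluate(RULES, DEFAULT_ACTIONS, make_request("/admin/users", ip)))
    # With 10 and 20 swapped the 403 rule shadows the allow rule for everyone.
    print("swapped", evaluate(swap_priorities(RULES, 10, 20), DEFAULT_ACTIONS,
                              make_request("/admin/users", "203.0.113.7")))
```

Because ALB conditions cannot be negated, "allow from X, deny everyone else" is expressed as two rules whose relative priority carries the whole policy; a review of listener rules should check that every specific allow rule has a lower number than the broader deny that follows it.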
What are the primary features of NLB?
- A Layer 4 load balancer (TCP/UDP/TLS/TCP_UDP)
- No visibility into HTTP/HTTPS: cannot route on headers or cookies and has no cookie-based session stickiness (only source-IP affinity)
- Health checks are TCP, HTTP or HTTPS probes of a port; it cannot make routing decisions on application content
- Can use static IPs (one Elastic IP per AZ), useful for allowlisting
- Can forward TCP listeners to application instances, providing an unbroken SSL connection (end-to-end encryption)
- Extremely fast, handling millions of requests per second with 25% of the latency of an ALB
When should an NLB be preferred over other types of load balancers?
- When end-to-end encryption (unbroken SSL connection) is required
- When static IPs for allowlisting are necessary
- When maximum performance is needed
- When HTTP or HTTPS is not required
- When using PrivateLink to provide services to other VPCs
For all other scenarios, use an ALB
What options does ELB offer for handling secure connections?
- SSL Bridging (ALB)
- SSL Pass-Through (NLB)
- SSL Offload/Termination (ALB)
What approach does ELB use for handling secure connections when traffic is decrypted, inspected, and then re-encrypted?
SSL Bridging (ALB)
What approach does ELB use for handling secure connections when encrypted traffic is passed directly without decryption?
SSL Pass-Through (NLB)
What approach does ELB use for handling secure connections when traffic is decrypted and then forwarded in plain HTTP without encryption?
SSL Offload/Termination (ALB)
What are the primary features of SSL Bridging?
- One or more clients make connections to the load balancer
- The listener is configured for HTTPS
- The connection is terminated on the load balancer, which requires an SSL certificate for the domain name
- The load balancer initiates a new SSL connection to the backend instances
- Instances require SSL certificates and compute resources for cryptographic operations
- The load balancer requires an SSL certificate to remove the secure layer, access HTTP traffic, and make decisions based on its content before creating a new encrypted SSL session with the backend instances
Negatives: The certificate is stored on the load balancer itself (posing a risk), and EC2 instances also need a copy of the certificate, introducing administrative overhead and the need for compute resources to perform cryptographic operations
What are the primary features of SSL Pass-Through?
- The listener is configured for TCP
- No encryption or decryption occurs on the load balancer
- The connection is passed directly to the backend instances
- Each instance must have the appropriate SSL certificate installed
- There is no exposure of certificates to AWS, as encrypted traffic is passed through the load balancer to the backend instances without intervention
What are the primary features of SSL Offload/Termination?
- The listener is configured for HTTPS
- Connections are terminated on the load balancer, which requires an SSL certificate for the domain name
- The load balancer initiates non-secure connections to the backend instances using HTTP
- Traffic from the ELB to the backend instance is never encrypted again
- Instances do not require an SSL certificate or perform cryptographic operations
Which ELB feature enables a load balancer to route requests from a specific client to the same instance for the duration of a user’s session?
Sticky Sessions (also known as session affinity or session persistence)
What is a good use case for the ELB Sticky Sessions feature?
Sticky Sessions matter for stateful servers that keep session state in memory; if user state is stored externally (for example in a database or cache), stickiness is not required and only makes load distribution less even
How does ELB determine which instance to route traffic to when Sticky Sessions are enabled?
- Sticky Sessions issue an AWSALB cookie (AWSELB on a Classic Load Balancer) that pins the client to a single backend target for a configured duration (from 1 second to 7 days)
- Once the cookie expires, the client receives a new cookie and may be routed to a different target; if the pinned target becomes unhealthy, the client is routed to a healthy one instead
What is the primary function of the GWLB?
It helps run and scale third-party appliances such as:
- firewalls
- intrusion detection systems (IDS)
- intrusion prevention systems (IPS)
- data analysis tools
- inbound/outbound transparent traffic inspection/protection tools
What type of Load Balancer enables you to deploy, scale, and manage virtual appliances like firewalls, intrusion detection and prevention systems, and deep packet inspection systems?
Gateway Load Balancer (GWLB)
Which GWLB component operates within a VPC where traffic you want to monitor originates or is destined to, similar to a normal VPC interface endpoint but with the added capability to be included in the route table as the next hop?
GWLB Endpoint
What are the primary features of the GWLB?
- Load balances packets across multiple backend instances running security software without altering them
- Uses the GENEVE protocol to create a tunnel between the GWLB and backend instances
- Manages flow stickiness, ensuring that one flow always uses one appliance
- Provides an abstraction to enhance resiliency and allows appliances to scale horizontally
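The GENEVE tunnel between the GWLB and an appliance, as an added example that is not part of the original deck or any AWS or vendor code: a bounds-checked parser for the GENEVE header (RFC 8926) and its TLV options, a toy inspection verdict on the inner IPv4 packet, and the re-encapsulation an appliance must do so the GWLB can map the packet back to its flow. The packet bytes, the option class 0x0108 and the option types used here are constructed for the example; check the GWLB documentation for the real option layout.

```python
# Added example, not AWS or vendor code. Packet bytes and the option class/types
# below are constructed; consult the GWLB docs for the real option layout.
import struct
from ipaddress import IPv4Address

GENEVE_UDP_PORT = 6081
OPTION_CLASS = 0x0108        # assumption for this example only


def parse_geneve(datagram):
    """Return (header dict, inner packet). Every length is checked before use."""
    if len(datagram) < 8:
        raise ValueError("truncated GENEVE base header")
    b0, b1, proto, vni_word = struct.unpack("!BBHI", datagram[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (b0 & 0x3F) * 4                 # Opt Len is in 4-byte words
    if opt_end > len(datagram):
        raise ValueError("option length runs past datagram")
    options, off = [], 8
    while off < opt_end:
        if opt_end - off < 4:
            raise ValueError("truncated option header")
        opt_class, opt_type, flags_len = struct.unpack("!HBB", datagram[off:off + 4])
        data_end = off + 4 + (flags_len & 0x1F) * 4
        if data_end > opt_end:
            raise ValueError("option data runs past option space")
        options.append((opt_class, opt_type, datagram[off + 4:data_end]))
        off = data_end
    header = {"oam": bool(b1 & 0x80), "critical": bool(b1 & 0x40),
              "protocol": proto, "vni": vni_word >> 8, "options": options}
    return header, datagram[opt_end:]


def build_geneve(header, inner):
    """Inverse of parse_geneve: version 0 header, options, then the inner packet."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d
                    for c, t, d in header["options"])
    b0 = len(opts) // 4
    b1 = (0x80 if header["oam"] else 0) | (0x40 if header["critical"] else 0)
    return struct.pack("!BBHI", b0, b1, header["protocol"], header["vni"] << 8) + opts + inner


def inner_ipv4(inner):
    """Minimal IPv4 decode: (protocol, src, dst, TCP/UDP destination port or None)."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return proto, src, dst, dport


def appliance_handle(datagram, blocked_tcp_ports=frozenset({23})):
    """Toy IPS: drop TCP to blocked ports; otherwise hand the packet back with the
    GENEVE header and options exactly as received so the GWLB can match the flow."""
    header, inner = parse_geneve(datagram)
    if header["protocol"] != 0x0800:              # this toy only inspects IPv4
        return None
    proto, _, _, dport = inner_ipv4(inner)
    if proto == 6 and dport in blocked_tcp_ports:
        return None
    return build_geneve(header, inner)


def sample_datagram(dport):
    """Constructed GWLB-style datagram: IPv4/TCP SYN 10.0.1.5 -> 10.0.2.9 (no checksums)."""
    ip = (bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0])
          + IPv4Address("10.0.1.5").packed + IPv4Address("10.0.2.9").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    header = {"oam": False, "critical": False, "protocol": 0x0800, "vni": 0,
              "options": [(OPTION_CLASS, 1, bytes(8)),            # e.g. endpoint id
                          (OPTION_CLASS, 3, b"\x00\x00\xbe\xef")]}  # e.g. flow cookie
    return build_geneve(header, ip + tcp)


if __name__ == "__main__":
    for port in (443, 23):
        print(port, "forwarded" if appliance_handle(sample_datagram(port)) else "dropped")
```

Two practitioner points the code makes explicit: every length field in the tunnel header is attacker-influenced data once an appliance accepts GENEVE from anything other than the GWLB, so it is validated before slicing; and the options are carried back untouched, because the GWLB uses them to associate the returned packet with the original flow.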
What might a traffic flow representation look like when using GWLB?
- Client ->
- Internet Gateway (traffic via route table directs the next hop to the GWLB endpoint) ->
- GWLB Endpoint ->
- GW Load Balancer (balances the load to a range of appliances through the GENEVE tunnel) ->
- Security Network Appliance instance ->
- GW Load Balancer ->
- GWLB Endpoint ->
- Application Load Balancer ->
- Application instance ->
- Application Load Balancer ->
- GWLB Endpoint ->
- GW Load Balancer (the same appliance inspects the return leg, because GWLB keeps each flow on one appliance) ->
- Security Network Appliance instance ->
- GW Load Balancer ->
- GWLB Endpoint ->
- Internet Gateway ->
- Client
What feature of the Elastic Load Balancer captures detailed information about requests and is useful for traffic pattern analysis and troubleshooting?
Access Logs
Include details such as the request time, client's IP address, latencies, request paths, and server responses; disabled by default and written to an S3 bucket you specify
Which AWS Elastic Load Balancer feature enables load balancer nodes to distribute traffic evenly across registered targets in all enabled Availability Zones (AZs)?
Cross-zone load balancing
What header is used by AWS Application Load Balancer to identify the client’s IP address?
X-Forwarded-For
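Reading X-Forwarded-For safely, as an added example that is not part of the original deck or AWS code. The ALB appends the address of the peer it accepted the connection from to the end of the header, so only the right-most entries (one per trusted hop) can be trusted; everything further left was supplied by the client. The trusted-proxy CIDR and the header values are constructed.

```python
# Added example, not AWS code. The trusted-proxy range and headers are constructed.
from ipaddress import ip_address, ip_network

# Assumed: a CDN or other trusted proxy sits in front of the ALB in this range.
TRUSTED_PROXIES = [ip_network("192.0.2.0/24")]


def naive_client_ip(xff):
    """Common bug: trusts the left-most entry, which the client controls."""
    return xff.split(",")[0].strip()


def alb_client_ip(xff, trusted_proxies=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right: the ALB appended the connecting
    peer last, so skip hops that are known trusted proxies and return the first
    address that is not one. Anything to its left is client-supplied."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        try:
            addr = ip_address(candidate)
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {candidate!r}")
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    raise ValueError("X-Forwarded-For contains only trusted proxies")


def is_allowed(xff, allowlist):
    """Source-IP check a target might do itself, using the trustworthy hop only."""
    client = ip_address(alb_client_ip(xff))
    return any(client in ip_network(c) for c in allowlist)


if __name__ == "__main__":
    spoofed = "203.0.113.250, 198.51.100.7"     # client claimed 203.0.113.250; ALB appended 198.51.100.7
    print("naive :", naive_client_ip(spoofed))
    print("right :", alb_client_ip(spoofed))
    print("via CDN:", alb_client_ip("198.51.100.7, 192.0.2.44"))
    print("allowed:", is_allowed(spoofed, ["203.0.113.0/24"]))
```

The ALB attribute routing.http.xff_header_processing.mode controls this behaviour (append, the default, adds the peer address; preserve forwards the header untouched; remove strips it), so a target that reads the left-most entry, or that runs behind a listener set to preserve, lets any client choose the address an IP allowlist sees.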
What are the three possible target types for an AWS Application Load Balancer (ALB)?
- Instance
- IP
- Lambda
Can you specify publicly routable IP addresses to an AWS Application Load Balancer (ALB)?
No, IP targets must have private addresses (10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12 or 192.168.0.0/16); targets outside the VPC are reached over VPC peering, VPN or Direct Connect
What error occurs when the target groups for the load balancer have no registered targets?
HTTP 503: Service Unavailable, returned by the load balancer itself (no target was selected, so the target field in the access log is "-")
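The access-log analysis from the earlier card and the 503-with-no-target case above, as one added example that is not part of the original deck or AWS code: a parser for the space-separated, double-quoted ALB access log format and a small pass over it that tallies status codes per client and flags entries the load balancer answered itself with 503, connections negotiated with legacy TLS versions, and any populated error_reason. The three log lines are constructed to look like ALB entries (account, ARN and trace IDs are placeholders).

```python
# Added example, not AWS code. SAMPLE_LOG lines are constructed, not real logs.
import shlex
from collections import Counter, defaultdict

# Field order of an ALB access log entry; newer log versions append more
# fields at the end, which this parser ignores, and older ones may lack some.
FIELDS = [
    "type", "time", "elb", "client_port", "target_port", "request_processing_time",
    "target_processing_time", "response_processing_time", "elb_status_code",
    "target_status_code", "received_bytes", "sent_bytes", "request", "user_agent",
    "ssl_cipher", "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]

CERT = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
TG_WEB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg-web/73e2d6bc24d8a067"
TG_API = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg-api/9a1b2c3d4e5f6071"
SAMPLE_LOG = [
    # normal forward, rule 30 matched, target answered 200
    'https 2024-05-01T12:00:01.123456Z app/my-alb/50dc6c495c0c9188 203.0.113.7:51234 10.0.1.12:8080 '
    '0.001 0.012 0.000 200 200 512 1024 "GET https://www.example.com:443/index.html HTTP/1.1" '
    f'"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG_WEB} "Root=1-66321a01-1d84f3d73c47ec4e58577259" '
    f'"www.example.com" "{CERT}" 30 2024-05-01T12:00:01.110000Z "forward" "-" "-" "10.0.1.12:8080" "200" "-" "-"',
    # 503 with no target: the matched target group had nothing registered
    'https 2024-05-01T12:00:02.200000Z app/my-alb/50dc6c495c0c9188 203.0.113.7:51240 - -1 -1 -1 503 - 300 150 '
    f'"GET https://api.example.com:443/v1/users HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG_API} '
    f'"Root=1-66321a02-2e95f4e84d58fd5f69688360" "api.example.com" "{CERT}" 10 2024-05-01T12:00:02.190000Z '
    '"forward" "-" "-" "-" "-" "-" "-"',
    # fixed-response 403 from rule 20, client negotiated TLS 1.0
    'https 2024-05-01T12:00:03.000000Z app/my-alb/50dc6c495c0c9188 198.51.100.9:44002 - -1 -1 -1 403 - 250 120 '
    '"GET https://www.example.com:443/admin/ HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-SHA TLSv1 - '
    f'"Root=1-66321a03-3fa6a5f95e69ae6a7a799471" "www.example.com" "{CERT}" 20 2024-05-01T12:00:02.990000Z '
    '"fixed-response" "-" "-" "-" "-" "-" "-"',
]


def parse_line(line):
    """Split one entry honouring the double-quoted fields and derive a few values."""
    tokens = shlex.split(line)
    if len(tokens) < 16:
        raise ValueError(f"not an ALB access log entry: {line[:40]!r}")
    rec = {f: tokens[i] if i < len(tokens) else "-" for i, f in enumerate(FIELDS)}
    rec["client_ip"] = rec["client_port"].rsplit(":", 1)[0]
    rec["method"], rec["url"], _ = rec["request"].split(" ", 2)
    rec["elb_status_code"] = int(rec["elb_status_code"])
    return rec


def analyze(lines):
    per_client = defaultdict(Counter)
    findings = []
    for rec in map(parse_line, lines):
        per_client[rec["client_ip"]][rec["elb_status_code"]] += 1
        if rec["elb_status_code"] == 503 and rec["target_port"] == "-":
            # The ALB answered itself without selecting a target, typically
            # because the matched target group has no registered targets.
            findings.append(("no-registered-target", rec["client_ip"], rec["url"]))
        if rec["ssl_protocol"] in ("TLSv1", "TLSv1.1"):
            findings.append(("legacy-tls", rec["client_ip"], rec["ssl_protocol"]))
        if rec["error_reason"] != "-":
            findings.append(("elb-error", rec["client_ip"], rec["error_reason"]))
    return {"per_client": dict(per_client), "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, codes in report["per_client"].items():
        print(client, dict(codes))
    for finding in report["findings"]:
        print(*finding)
```

The elb_status_code and target_status_code columns differ exactly when the load balancer generated the response itself (fixed-response, redirect, 5xx before reaching a target), which is why the target column is the first thing to check on a 503; the matched_rule_priority column tells you which listener rule produced the decision.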
How can Application Load Balancer securely authenticate users for accessing your applications?
By adding an authenticate-cognito (Cognito user pool) or authenticate-oidc (any OpenID Connect provider) action to a listener rule ahead of the forward action; the ALB runs the login flow and passes the signed user claims to targets in the x-amzn-oidc-data header, whose signature targets should verify