Difference Between ALB and NLB

AWS provides different types of load balancers to distribute incoming application traffic across multiple targets. The two most common types are Application Load Balancer (ALB) and Network Load Balancer (NLB). Each has distinct use cases based on how they operate and the kind of traffic they handle

1. Application Load Balancer (ALB)

Overview:

• ALB operates at Layer 7 (Application Layer) of the OSI model.

• It is designed for HTTP/HTTPS traffic and supports host-based, path-based, and header-based routing.

• ALB intelligently routes requests to targets based on content (e.g., URL path, headers).

• It supports WebSockets and integrates well with AWS services like ECS, Lambda, and EKS.

Key Features:

1. Path-Based Routing:

   • Example: Traffic to example.com/api goes to one target group, while example.com/frontend goes to another.

2. Host-Based Routing:

   • Example: api.example.com is routed to backend services, while web.example.com is routed to frontend services.

3. Header-Based Routing:

   • Example: Requests with a custom header (X-App-Version: v2) can be routed to a different target group.

4. SSL Termination:

   • ALB can terminate SSL connections and pass unencrypted traffic to backend instances.

5. Sticky Sessions:

   • Supports session persistence (cookies-based) to route the same client to the same backend.

6. WebSocket Support:

   • ALB can handle WebSocket connections, useful for real-time applications.

Example Use Case:

Imagine you have an e-commerce website where:

• /products requests go to a product service.

• /cart requests go to a cart service.

• /checkout requests go to a payment service.

💡 Solution: Use an ALB with path-based routing to route requests to different microservices.

Target Groups:

---

2. Network Load Balancer (NLB)

Overview:

• NLB operates at Layer 4 (Transport Layer) of the OSI model.

• It handles TCP, UDP, and TLS traffic and routes based on IP addresses and ports.

• It provides ultra-low latency and is suitable for high-performance applications.

• It preserves the client’s original IP address, unlike ALB.

Key Features:

1. TCP/UDP Load Balancing:

   • Example: Useful for databases (PostgreSQL, MySQL), gaming servers, and VoIP applications.

2. Extreme Performance:

   • NLB can handle millions of requests per second with low latency.

3. Static IP Addresses:

   • Unlike ALB, which assigns a dynamic IP, NLB provides a static IP per Availability Zone.

4. Cross-Zone Load Balancing:

   • NLB supports distributing traffic across multiple AZs efficiently.

5. TLS Passthrough Support:

   • NLB does not terminate SSL/TLS connections but forwards them to the backend, making it suitable for encrypted traffic.

6. Client IP Preservation:

   • Since NLB forwards the original client’s IP, backend servers can perform IP-based access control.

Example Use Case:

Imagine you have a financial trading platform where:

• Clients need low-latency order execution.

• Traffic is TLS-encrypted, and you don’t want the load balancer to terminate SSL.

💡 Solution: Use an NLB to route raw TCP connections to backend servers.

Target Groups:

---

ALB vs. NLB - Feature Comparison

---

SSL Termination vs. TLS Passthrough in ALB and NLB

1. What is SSL Termination?

SSL (Secure Sockets Layer) termination means that the load balancer decrypts incoming encrypted traffic (HTTPS/TLS) before passing it to the backend servers in plaintext (HTTP). This reduces the processing burden on backend instances.

🔹 ALB supports SSL termination.
🔹 NLB does NOT support SSL termination (only TLS passthrough).

---

Example of SSL Termination in ALB

Scenario:

You have a React frontend that communicates with a Node.js API backend over HTTPS. The backend does not support HTTPS and only listens on HTTP.

How SSL Termination Works with ALB:

1. A client sends a secure HTTPS request to the ALB (https://api.example.com).

2. The ALB decrypts the HTTPS request using an SSL certificate (stored in ACM).

3. ALB forwards the decrypted HTTP request to the backend server (http://backend.example.com).

4. The backend processes the request and sends an HTTP response.

5. ALB re-encrypts the response (if necessary) before sending it back to the client.

Architecture:

scssCopyEditClient (HTTPS)  --->  ALB (SSL Termination)  --->  Backend (HTTP)

Benefits of SSL Termination:

✅ Reduces backend load (servers don’t have to decrypt HTTPS traffic).
✅ Simplifies backend setup (backends can run on plain HTTP).
✅ Centralized certificate management (using AWS Certificate Manager - ACM).

Drawback:

❌ Data between ALB and backend is not encrypted (can be mitigated using internal TLS).

Example AWS ALB SSL Termination (Terraform)

hclCopyEditresource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.my_alb.arn
  port              = 443
  protocol          = "HTTPS"

  ssl_policy       = "ELBSecurityPolicy-2016-08"
  certificate_arn  = aws_acm_certificate.my_cert.arn

  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}

---

2. What is TLS Passthrough?

TLS passthrough means the load balancer does not decrypt traffic. Instead, it forwards encrypted TLS traffic directlyto the backend servers. The backend servers must handle SSL/TLS decryption.

🔹 NLB supports only TLS passthrough.
🔹 The backend must have its own SSL certificate.

---

Example of TLS Passthrough in NLB

Scenario:

You have a secure banking API that requires end-to-end encryption. The backend must see the original client certificate and use mutual TLS (mTLS).

How TLS Passthrough Works with NLB:

1. A client sends a secure HTTPS request (https://secure.example.com).

2. NLB does NOT decrypt the request but forwards it as-is to backend instances.

3. The backend server decrypts the request using its own SSL certificate.

4. The backend sends an encrypted response to NLB.

5. NLB forwards the response as-is to the client.

Architecture:

scssCopyEditClient (HTTPS)  --->  NLB (TLS Passthrough)  --->  Backend (HTTPS)

Benefits of TLS Passthrough:

✅ Full end-to-end encryption (secure from client to backend).
✅ Preserves client’s original certificate (useful for mutual TLS authentication).
✅ Good for regulatory compliance (e.g., banking, healthcare).

Drawbacks:

❌ Backend servers must manage SSL certificates (can be complex).
❌ No Layer 7 features like header-based routing (only IP and port-based routing).

Example AWS NLB TLS Passthrough (Terraform)

hclCopyEditresource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.my_nlb.arn
  port              = 443
  protocol          = "TLS"   # TLS Passthrough

  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}

---

Comparison: SSL Termination vs. TLS Passthrough

---

When to Use Which?

---

Final Thoughts

• Use ALB (SSL Termination) if you want simpler SSL management and better performance.

• Use NLB (TLS Passthrough) if you need end-to-end encryption and client certificate authentication.