
Elastic Load Balancing on AWS: ALB vs NLB vs GLB and When to Use Each

A load balancer sits in front of your instances and distributes incoming requests so no single server handles everything. Beyond traffic distribution, AWS load balancers handle SSL termination, health checking, and routing logic — and the right choice depends entirely on what kind of traffic you are routing.

AWS offers three current load balancer types. The Classic Load Balancer (CLB) is a legacy option you will still encounter in older AWS accounts, but AWS recommends against it for new deployments.

Load Balancer Types Overview

┌───────────────────────────────────────────────────────────────────────┐
│ ELB Type Comparison                                                   │
│                                                                       │
│ Type   OSI Layer   Protocol           Primary Use Case                │
│ ───────────────────────────────────────────────────────────────────── │
│ ALB    Layer 7     HTTP, HTTPS,       Web apps, microservices,        │
│                    WebSocket, gRPC    content-based routing           │
│                                                                       │
│ NLB    Layer 4     TCP, UDP, TLS      High-perf APIs, gaming,         │
│                                       static IP requirement           │
│                                                                       │
│ GLB    Layer 3     GENEVE             Firewall appliances,            │
│                                       IDS/IPS, packet inspection      │
└───────────────────────────────────────────────────────────────────────┘

Application Load Balancer (ALB)

ALB operates at Layer 7, which means it can inspect HTTP request content — method, headers, path, query string, host, and even the request body. This makes it the right choice for anything speaking HTTP or HTTPS.

Path-Based and Host-Based Routing

One of ALB’s most useful features: a single load balancer can route to different target groups based on the URL path or the Host header.

Client Request:  GET /api/users HTTP/1.1
                 Host: app.example.com

ALB Listener Rules:
  Rule 1:  IF path = /api/*     → target group: api-servers
  Rule 2:  IF path = /static/*  → target group: s3-origin (via lambda)
  Rule 3:  IF host = admin.*    → target group: admin-servers
  Default:                      → target group: frontend-servers

This is how you implement microservice routing on a single domain without separate load balancers per service.
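An added simulation (not code from the article or from AWS) of how ALB evaluates the rules above: rules are tried in priority order and the first match wins, with `*` and `?` as the only wildcards. The priorities 1 to 3 are assumed from the listing order; the target-group names are the article's. It also emits the `--conditions` JSON that `aws elbv2 create-rule` accepts. Running it shows the ordering trap: an `/api/` request from `admin.example.com` lands on api-servers, because Rule 1 outranks the host-header rule.

```python
import json
import re

# Listener rules from the article, priority 1 = evaluated first (priorities assumed).
RULES = [
    {"priority": 1, "field": "path-pattern", "values": ["/api/*"],    "target": "api-servers"},
    {"priority": 2, "field": "path-pattern", "values": ["/static/*"], "target": "s3-origin"},
    {"priority": 3, "field": "host-header",  "values": ["admin.*"],   "target": "admin-servers"},
]
DEFAULT_TARGET = "frontend-servers"   # default action when no rule matches


def _glob(pattern: str) -> re.Pattern:
    # ALB wildcards: '*' matches zero or more characters, '?' exactly one; all else literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{regex}$")


def route(host: str, path: str) -> str:
    """Target group ALB would forward to: first matching rule by priority, else the default."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        # Host matching is case-insensitive and ignores a port suffix; path matching is case-sensitive.
        subject = path if rule["field"] == "path-pattern" else host.split(":")[0].lower()
        if any(_glob(v).match(subject) for v in rule["values"]):
            return rule["target"]
    return DEFAULT_TARGET


def create_rule_conditions(rule: dict) -> str:
    """JSON in the Field/Values shape that `aws elbv2 create-rule --conditions` takes."""
    return json.dumps([{"Field": rule["field"], "Values": rule["values"]}])


if __name__ == "__main__":
    # Constructed requests: same path, different hosts. The host rule never fires for
    # /api/* because Rule 1 wins first, so a host-restricted backend needs a lower
    # priority number than any path rule that could also match its requests.
    for host, path in [("app.example.com", "/api/users"), ("admin.example.com", "/api/users"),
                       ("admin.example.com", "/dashboard"), ("app.example.com", "/")]:
        print(f"{host:20} {path:12} -> {route(host, path)}")
    print(create_rule_conditions(RULES[2]))
```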

Creating an ALB

# Create the load balancer
aws elbv2 create-load-balancer \
  --name web-alb \
  --subnets subnet-0a1b2c subnet-0d4e5f \
  --security-groups sg-0abc123 \
  --scheme internet-facing \
  --type application \
  --ip-address-type ipv4

# Create a target group
aws elbv2 create-target-group \
  --name web-servers \
  --protocol HTTP \
  --port 8080 \
  --vpc-id vpc-0a1b2c \
  --health-check-path /health \
  --health-check-interval-seconds 15 \
  --healthy-threshold-count 2 \
  --unhealthy-threshold-count 3

# Create listener with default action
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/app/web-alb/abc \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789:certificate/abc123 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/web-servers/def

ALB Target Types

ALB supports three target types:

  1. instance: EC2 instances, registered by instance ID
  2. ip: any reachable IP address, including hosts outside the VPC
  3. lambda: a Lambda function that is invoked for each request

The ip target type is what allows hybrid architectures where some backend servers are on-premises.

Sticky Sessions

ALB can bind a specific user to a specific instance using a cookie. This is useful for applications that store session state locally rather than in a shared cache. The load balancer issues a cookie, and subsequent requests from that client go to the same instance.

Enable with duration-based stickiness (ALB manages the cookie) or application-based stickiness (your application sets the cookie).

Network Load Balancer (NLB)

NLB operates at Layer 4. It does not inspect HTTP content — it just forwards TCP or UDP packets to targets based on the source IP and port. The benefit is extreme performance: NLB can handle millions of requests per second with single-digit millisecond latency.

When NLB Is the Right Choice

aws elbv2 create-load-balancer \
  --name api-nlb \
  --type network \
  --subnets subnet-0a1b2c subnet-0d4e5f \
  --scheme internet-facing

aws elbv2 create-target-group \
  --name api-servers-tcp \
  --protocol TCP \
  --port 9000 \
  --vpc-id vpc-0a1b2c \
  --health-check-protocol TCP

NLB preserves the client’s source IP address, which reaches your instance directly. ALB, by default, replaces the source IP with its own; you access the original client IP via the X-Forwarded-For header.

NLB and Security Groups

Until late 2023, NLBs did not support security groups — traffic control was handled through NACLs and the target instance’s security group. AWS has since added security group support to NLB. For existing deployments, check whether security groups are attached.

Gateway Load Balancer (GLB)

GLB is the odd one out. It does not distribute application traffic to your servers — it sends traffic through third-party virtual appliances like firewalls, intrusion detection systems, and deep packet inspection tools.

How GLB Works

┌────────────────────────────────────────────────────────────────┐
│ Traffic Flow with Gateway Load Balancer                        │
│                                                                │
│   Internet ──→ GLB Endpoint (GWLBE in app VPC)                 │
│                      │                                         │
│                      ↓ GENEVE tunnel (port 6081)               │
│             ┌──────────────────────┐                           │
│             │  Security Appliance  │ ← Third-party firewall    │
│             │  (in appliance VPC)  │   FortiGate, Palo Alto    │
│             └──────────────────────┘                           │
│                      │                                         │
│                      ↓ (if approved)                           │
│             Application Servers                                │
└────────────────────────────────────────────────────────────────┘

GLB uses the GENEVE protocol (port 6081) to encapsulate packets and send them to appliances. The appliance inspects the packet and either drops it or returns it for forwarding to the application. This keeps the appliance inline without requiring source IP changes.
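To make the encapsulation concrete, here is an added parser and builder for the GENEVE header (RFC 8926) that GLB wraps around each packet on UDP port 6081; it is not code from the article or from AWS. The sample frame is constructed inline, and its option class 0xFF01 is taken from the experimental range rather than being an AWS-assigned value. An inline appliance has to hand the packet back with this header and its options intact, since that is what lets GLB map the returned packet to the original flow.

```python
import struct
from dataclasses import dataclass, field

GENEVE_PORT = 6081  # UDP port of the GLB -> appliance tunnel


@dataclass
class GeneveHeader:
    version: int
    oam: bool            # O bit: control packet, not tunnelled traffic
    critical: bool       # C bit: options present that the receiver must understand
    protocol_type: int   # EtherType of the inner packet, 0x0800 = IPv4
    vni: int             # 24-bit virtual network identifier
    options: list = field(default_factory=list)   # (opt_class, opt_type, data)
    header_len: int = 8  # offset of the inner packet within the frame


def parse_geneve(frame: bytes) -> GeneveHeader:
    """Parse an RFC 8926 GENEVE header: 8-byte base header plus variable-length options."""
    if len(frame) < 8:
        raise ValueError("truncated GENEVE base header")
    first, flags, proto, vni_rsvd = struct.unpack("!BBHI", frame[:8])
    version, opt_len = first >> 6, (first & 0x3F) * 4       # Opt Len is in 4-byte units
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    hdr = GeneveHeader(version, bool(flags & 0x80), bool(flags & 0x40), proto, vni_rsvd >> 8)
    off, end = 8, 8 + opt_len
    if len(frame) < end:
        raise ValueError("truncated GENEVE options")
    while off < end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", frame[off:off + 4])
        data_len = (len_byte & 0x1F) * 4                     # low 5 bits, 4-byte units
        hdr.options.append((opt_class, opt_type, frame[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    hdr.header_len = end
    return hdr


def build_geneve(inner: bytes, vni: int = 0, options=(), proto: int = 0x0800) -> bytes:
    """Encapsulate an inner packet; used here to construct sample frames."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    flags = 0x40 if any(t & 0x80 for _, t, _ in options) else 0   # C bit if any option is critical
    return struct.pack("!BBHI", len(opts) // 4, flags, proto, vni << 8) + opts + inner


# Constructed sample: a 20-byte IPv4 header stub plus one 8-byte option (class 0xFF01 is
# experimental, chosen for illustration only).
SAMPLE_FRAME = build_geneve(b"\x45" + bytes(19), vni=0x1234, options=[(0xFF01, 0x01, bytes(8))])

if __name__ == "__main__":
    h = parse_geneve(SAMPLE_FRAME)
    print(h, "inner:", SAMPLE_FRAME[h.header_len:].hex())
```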

aws elbv2 create-load-balancer \
  --name inspection-glb \
  --type gateway \
  --subnets subnet-appliance-az1 subnet-appliance-az2

aws elbv2 create-target-group \
  --name firewall-appliances \
  --protocol GENEVE \
  --port 6081 \
  --vpc-id vpc-appliance

Real-World Scenario: Enterprise Security Architecture

A financial services company runs all incoming traffic through GLB:

  1. External traffic hits an ALB fronting the customer-facing API
  2. Before reaching application instances, traffic is intercepted by a GLB endpoint
  3. GLB sends each packet to Palo Alto firewalls running on EC2 in a separate security VPC
  4. The firewall performs deep packet inspection and blocks threats
  5. Approved traffic returns to GLB, which forwards to the application instances

This architecture centralises security controls without requiring changes to the application team’s infrastructure.

Comparing the Three Side by Side

┌──────────────────────────────────────────────────────────────────────┐
│ Feature Comparison                                                   │
│                                                                      │
│ Feature                     ALB     NLB     GLB                      │
│ ──────────────────────────────────────────────────────────────────── │
│ Path-based routing          Yes     No      No                       │
│ Host-based routing          Yes     No      No                       │
│ SSL/TLS termination         Yes     Yes     No                       │
│ Static IP per AZ            No      Yes     Yes                      │
│ WebSocket support           Yes     Yes     No                       │
│ gRPC support                Yes     No      No                       │
│ UDP support                 No      Yes     No                       │
│ Lambda targets              Yes     No      No                       │
│ Client IP preservation      No*     Yes     Yes                      │
│ Security groups             Yes     Yes**   No                       │
│                                                                      │
│ * ALB puts original IP in X-Forwarded-For header                     │
│ ** NLB security group support added in 2023                          │
└──────────────────────────────────────────────────────────────────────┘

Health Checks

All load balancers send periodic health check requests to targets. If a target fails a configurable number of consecutive checks, the load balancer stops routing to it.

For ALB: configure a path (like /health), expected status code range, and interval. Your application should return 200 from that path when ready.

For NLB with TCP targets: the check is a TCP connection test. For HTTP/HTTPS health checks on NLB, configure a path similar to ALB.

Target groups track health per-AZ, so if an entire AZ has degraded instances, only that AZ’s traffic is affected.
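An added model (not code from the article or from AWS) of the two settings that decide how fast a failed target is pulled: the matcher, which accepts individual codes and ranges such as "200,204" or "200-299", and the thresholds, which count consecutive results. It uses the article's target-group values (interval 15 s, healthy threshold 2, unhealthy threshold 3); the worst-case figure it computes ignores each check's own timeout, which adds to the real number.

```python
from dataclasses import dataclass


def status_matches(status: int, matcher: str = "200") -> bool:
    """Target-group matcher semantics: comma-separated codes and/or ranges, e.g. "200,204" or "200-299"."""
    for part in matcher.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= status <= int(hi or lo):
            return True
    return False


@dataclass
class TargetHealth:
    """One target's health as a target group tracks it; thresholds count CONSECUTIVE results."""
    healthy_threshold: int = 2      # --healthy-threshold-count (article's value)
    unhealthy_threshold: int = 3    # --unhealthy-threshold-count
    interval: int = 15              # --health-check-interval-seconds
    state: str = "initial"          # initial -> healthy <-> unhealthy
    successes: int = 0
    failures: int = 0

    def observe(self, passed: bool) -> str:
        """Record one health check result and return the resulting state."""
        if passed:
            self.successes, self.failures = self.successes + 1, 0   # a pass resets the failure run
            if self.state != "healthy" and self.successes >= self.healthy_threshold:
                self.state = "healthy"
        else:
            self.failures, self.successes = self.failures + 1, 0   # a failure resets the success run
            if self.state != "unhealthy" and self.failures >= self.unhealthy_threshold:
                self.state = "unhealthy"
        return self.state

    def seconds_to_pull_dead_target(self) -> int:
        """Worst-case seconds a dead target stays in rotation: failing checks times the interval."""
        return self.unhealthy_threshold * self.interval


if __name__ == "__main__":
    t = TargetHealth()
    # Constructed probe sequence: the app answers twice, then stops responding.
    for passed in [True, True, False, False, False]:
        print(passed, "->", t.observe(passed))
    print("worst case seconds in rotation after failure:", t.seconds_to_pull_dead_target())
    print(status_matches(204, "200-299"), status_matches(301, "200-299"))
```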

Common Interview Questions

Q: Can an ALB route to targets in different VPCs? Yes, using the ip target type. You can register any IP address as a target, including private IPs accessible via VPC peering, Transit Gateway, or Direct Connect.

Q: When does NLB preserve the source IP and ALB does not? NLB forwards packets directly to targets with the original client IP. ALB terminates the connection and opens a new one to the target, replacing the source IP. The original IP is in the X-Forwarded-For header.
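The X-Forwarded-For detail above (and in the NLB section) has a consequence for anything that makes decisions on the client IP: in its default append mode, ALB adds the address it actually received the connection from to the end of the header, so only the rightmost entry is ALB-asserted and everything left of it was supplied by the client. The following is an added example, not code from the article or from AWS, showing the safe way to read the header; the request values are constructed, and the `trusted_hops` parameter and the 10.0.0.0/8 allow-list are assumptions for illustration.

```python
import ipaddress
from typing import Optional


def client_ip_from_xff(xff: str, trusted_hops: int = 0) -> Optional[str]:
    """Client IP as asserted by the ALB rather than by the client.

    ALB (default append handling) adds the peer address it received the connection
    from to the END of X-Forwarded-For, so the rightmost entry is the only one it
    vouches for. trusted_hops = number of trusted proxies between client and ALB
    (e.g. 1 when CloudFront sits in front), each of which appended one more entry.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) <= trusted_hops:
        return None                      # chain shorter than expected: do not trust it
    candidate = hops[-1 - trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))   # rejects garbage, normalises form
    except ValueError:
        return None


def naive_first_hop(xff: str) -> str:
    """The common mistake: take the leftmost value, which the client controls."""
    return xff.split(",")[0].strip()


def is_internal(ip: Optional[str]) -> bool:
    """Constructed allow-list check: treat 10.0.0.0/8 as 'internal'."""
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network("10.0.0.0/8")


# Constructed request: a client at 203.0.113.9 sends X-Forwarded-For: 10.0.0.1 itself;
# after ALB appends the real peer address, the application sees this header value.
FORGED_XFF = "10.0.0.1, 203.0.113.9"

if __name__ == "__main__":
    for label, ip in [("leftmost", naive_first_hop(FORGED_XFF)),
                      ("ALB-asserted", client_ip_from_xff(FORGED_XFF))]:
        print(f"{label:13} {ip}  internal={is_internal(ip)}")
```

Behind an NLB none of this applies: the source address in the TCP/UDP packet is the client's, and no header is involved.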

Q: What is the difference between a listener and a target group? A listener is on the load balancer side — it receives traffic on a specific port/protocol. A target group is a collection of targets (instances, IPs, Lambda) that a listener can forward to. Rules map listener requests to target groups.

Q: Can you attach a WAF to an NLB? No. AWS WAF integrates with ALB (and CloudFront) only because it operates at Layer 7. NLB at Layer 4 does not carry HTTP content for WAF to inspect.