What Does ALB Mean?
On This Page
Quick Definition
ALB stands for Application Load Balancer. It is an AWS service that automatically spreads incoming traffic across multiple servers to keep your website or app fast and reliable. ALB operates at Layer 7, meaning it makes smart routing decisions based on the content of the request, like the web address or browser type.
Commonly Confused With
NLB operates at Layer 4 and handles TCP, UDP, and TLS traffic. It can have static IP addresses and is better for extreme performance and low latency. ALB operates at Layer 7 and is content-aware, which makes it ideal for web applications with microservices.
Use NLB for a gaming server that uses a custom TCP protocol. Use ALB for a web app that routes /api to one server and /static to another.
CLB is the old generation load balancer, which is less feature-rich and not recommended for new architectures. CLB cannot do path-based or host-based routing. ALB is more flexible and supports advanced routing rules.
A legacy application already using a CLB can continue, but any new microservices architecture should use ALB.
An Auto Scaling group manages the number of EC2 instances, launching and terminating them based on demand. ALB distributes traffic among the instances. They work together but are different services. ALB does not scale instances; it only routes traffic.
Auto Scaling Group launches two EC2 instances when CPU is high; ALB distributes user requests between those two instances evenly.
API Gateway is a fully managed service for creating, publishing, and managing APIs. It can perform tasks like authentication, rate limiting, and caching. ALB is simpler and does not offer API management features. Both can route HTTP traffic, but they serve different purposes.
Use API Gateway for a public REST API that needs API keys and throttling. Use ALB for a simple web app that just needs to distribute traffic to backends.
Must Know for Exams
The AWS Certified Solutions Architect – Associate (SAA-C03) exam heavily features load balancers, especially the Application Load Balancer. ALB is a core component for topics under the “Design Resilient Architectures” and “Design High-Performing Architectures” domains. You can expect multiple questions that test your ability to choose the correct load balancer type (ALB vs. NLB vs. CLB) and to configure routing rules, health checks, and security settings.
Exam objectives that explicitly mention ALB include: “Design a multi-tier architecture” (using ALB in front of web and application tiers), “Choose appropriate load balancing strategies” (path-based routing, host-based routing), and “Implement high availability” (cross-zone load balancing, health checks). Questions often present a scenario: “A company has a microservices application with separate services for user profiles, orders, and payments. How should they route incoming requests to the correct service?” The correct answer is to use an ALB with path-based routing rules.
Another common question type involves cost optimization. For example, “Which load balancer should you use to expose a TCP-based legacy application?” Many students incorrectly choose ALB, but the right answer is NLB because ALB only handles HTTP/HTTPS and WebSocket traffic. The exam also tests the difference between ALB and CLB: ALB supports path-based and host-based routing, while CLB does not.
Health check configuration is another frequent topic. You might be asked: “A developer notices that traffic is still being sent to an unhealthy EC2 instance. What is the most likely cause?” The answer could be that the health check interval is too high, or the unhealthy threshold is too large, or the health check path is returning a 200 status code incorrectly.
ALB also shows up in combination with Auto Scaling: “How to automatically register new instances with an ALB?” The answer is to create an Auto Scaling group and attach the ALB target group to it. New instances launched by the Auto Scaling group are automatically registered with the ALB.
ALB is not just a feature to memorize; it is a concept you must deeply understand for the SAA exam. Practice designing architectures that use ALB for routing, security, and scaling. Many sample questions in AWS practice exams center on ALB behavior, so mastering this one service gives you a strong advantage.
Simple Meaning
Imagine you are a very popular pizza restaurant. One person at the counter takes orders, but if only one person takes orders, customers get angry waiting. So you hire order takers and a smart host who decides which order taker handles which customer. The host looks at each customer's request: “I want a large pepperoni,” and sends them to the order taker who is best at large pizzas. The host also checks if any order taker is already too busy, and sends new customers to someone who can help right now.
In the world of cloud computing, an Application Load Balancer (ALB) does exactly that job. Your website or application has multiple servers running behind the scenes. When a user visits your site, the ALB intercepts the request. It looks at the URL the user typed, for example, “myapp.com/login” or “myapp.com/images”. The ALB then sends the login request to a server that handles logins and the image request to a server dedicated to images. This is called content-based routing.
The ALB also performs health checks. If one server crashes or becomes slow, the ALB stops sending traffic to it automatically. This keeps your application running smoothly even when things go wrong. It can also handle encryption, so your users’ data stays secure.
For an IT certification learner, think of ALB as the smart traffic cop that makes your web application fast, scalable, and resilient. It is a key building block in modern cloud architectures because it helps you separate concerns, scale parts of your application independently, and improve user experience without manual intervention.
Full Technical Definition
An Application Load Balancer (ALB) is a fully managed Layer 7 load balancing service provided by AWS. It operates at the application layer of the OSI model (Layer 7) and is designed to distribute incoming HTTP, HTTPS, and WebSocket traffic across multiple targets, such as EC2 instances, containers (ECS/EKS), Lambda functions, and IP addresses. ALB is part of the Elastic Load Balancing (ELB) family and is specifically designed for modern application architectures, including microservices and container-based deployments.
ALB uses listeners to inspect incoming traffic. Each listener is configured with a protocol and port (e.g., HTTP on port 80 or HTTPS on port 443). Listeners have rules that define how traffic should be routed based on conditions like the host header, path pattern (e.g., /api/*), HTTP method, query string, or source IP address. These rules can forward traffic to different target groups, each containing a set of backend resources. This enables sophisticated routing patterns such as path-based routing (sending /images to an image server and /api to an API server) and host-based routing (directing blog.example.com to one set of servers and shop.example.com to another).
ALB terminates TLS connections, which offloads the CPU-intensive encryption and decryption work from the backend servers. It supports SNI (Server Name Indication) to allow multiple TLS certificates on the same listener. It also integrates with AWS WAF (Web Application Firewall) to protect against common web exploits.
Health checks are performed periodically on each registered target. ALB supports both HTTP and HTTPS health checks, and you can customize the path, interval, timeout, and healthy/unhealthy threshold values. If a target fails health checks, ALB stops sending traffic to it and resumes only when it passes checks again.
ALB is designed for high availability and scales automatically. It can be deployed in multiple Availability Zones and uses a cross-zone load balancing feature by default, distributing traffic evenly across all healthy targets in all enabled zones. It provides access logs, CloudWatch metrics (e.g., request count, target response time), and request tracing via X-Ray.
In real IT implementations, ALB is often placed at the edge of the VPC, with security groups that allow traffic only from the ALB, and the ALB forwards traffic to targets in private subnets. It supports connection idle timeout, sticky sessions using cookies, and can return fixed responses (e.g., a custom 404 page) without invoking any backend target.
Real-Life Example
Think of a busy airport check-in counter. You have several airline agents behind the counter, each handling passengers. But instead of passengers just walking up to any agent, there is a smart digital signboard that directs passengers to specific agents based on their destination. If you are flying to Tokyo, the signboard directs you to Agent 3. If you are flying to London, it sends you to Agent 1. This way, each agent becomes specialized for a set of destinations, making them faster and more knowledgeable about that route's rules.
Now, what if Agent 2 gets sick and leaves? The smart signboard notices that Agent 2’s line is not moving, so it reroutes all passengers originally assigned to Agent 2 to other available agents. The passengers still get served, even though one agent is missing. The signboard also constantly checks that each agent is present and ready to help. If an agent steps away for a break, the signboard stops sending passengers to that agent until they return.
In this analogy, the airport is your web application. The agents are your backend servers, and the smart digital signboard is the Application Load Balancer. Each agent (server) handles different types of requests: one server handles login requests, another handles image uploads. The signboard (ALB) reads the destination (URL path) and routes each passenger (user request) to the right agent (server). If a server goes down, the ALB detects it via health checks and stops sending traffic there, ensuring no user gets stuck waiting for a response that will never come.
This analogy helps you understand the job of an ALB: it makes your application more organized, efficient, and resilient by intelligently directing traffic based on what the user is trying to do, while also protecting your users from server failures.
Why This Term Matters
In modern cloud applications, monolithic architectures are giving way to microservices. Instead of one large server handling everything, you have many small services, each responsible for a specific function, such as authentication, payment, or image processing. Without a smart traffic manager, keeping these services organized and scalable is nearly impossible. An Application Load Balancer solves this problem by acting as the single entry point for all client requests and routing each request to the appropriate service.
From a practical IT perspective, ALB matters because it directly improves application availability and performance. It distributes traffic across multiple availability zones, so if one AWS data center goes down, your application continues running from other zones. It also automatically scales to handle traffic spikes, meaning you do not need to manually provision more servers during a sudden rush of users. This elasticity is a core pillar of cloud computing.
ALB also simplifies deployment and maintenance. When you need to update a server, you can take it out of the target group, update it, perform health checks, and then bring it back without any downtime. This rolling update pattern is essential for continuous delivery and DevOps practices.
Security is another critical reason ALB matters. By terminating SSL/TLS at the ALB, you reduce the attack surface on your backend servers. You can also enable AWS WAF to filter malicious requests, and you can restrict security group rules so that only the ALB can communicate with your servers, isolating them from direct internet traffic.
For certification learners, understanding ALB is not optional. It appears in almost every architecture scenario and is a favorite topic for scenario-based questions. Knowing how to configure listeners, rules, target groups, and health checks is essential to passing the AWS Solutions Architect Associate exam and to designing robust, production-ready systems.
How It Appears in Exam Questions
Exam questions about ALB typically fall into three categories: scenario-based, configuration-based, and troubleshooting-based.
Scenario-based questions: You are given a description of an application and its requirements. You must identify the best load balancing solution. For example: “A company runs a web application that has two distinct modules: a user portal and an admin portal. They want to route traffic based on the URL path: /users goes to user portal, /admin goes to admin portal. Which load balancer and configuration should they use?” The correct answer is an ALB with path-based routing rules. Variations include host-based routing (different subdomains to different target groups) or routing based on query string parameters.
Configuration-based questions: These ask you to fill in missing steps or choose correct configuration values. For example: “A developer wants the ALB to perform health checks every 10 seconds and wait for 3 consecutive failures before marking an instance unhealthy. Which health check settings should be configured?” You need to know that the health check interval is set to 10, and the unhealthy threshold is set to 3. Another example: “An ALB listener on port 443 needs to support multiple domains with different SSL certificates. Which feature must be enabled?” Answer: Server Name Indication (SNI).
Troubleshooting-based questions: These describe a problem and ask you to identify the cause. For instance: “Users report that sometimes they see a 503 error when trying to access the application. The ALB shows that all targets are healthy. What could be the issue?” Possible causes include the ALB target group not having enough capacity (all targets are overloaded but still passing basic health checks) or the security group of the targets not allowing traffic from the ALB. Another common troubleshooting question: “After deploying new code, users get a 502 Bad Gateway error. What might be wrong?” The answer often involves the backend server not responding correctly, maybe returning malformed responses or timing out.
Another pattern: “A company wants to limit access to their application to specific IP addresses. Where should they configure this restriction?” The best practice is to use security groups on the ALB, or use AWS WAF if they need more sophisticated rules. Some questions may also combine ALB with Auto Scaling: “When launching a new instance in an Auto Scaling group, how does the ALB know to send traffic to it?” The answer is that the Auto Scaling group automatically registers the instance with the ALB target group.
Finally, questions may ask about sticky sessions (session affinity). For example: “An application requires that all requests from a user during a session go to the same backend server. Which feature of ALB should be enabled?” Answer: Stickiness with a duration-based cookie. But be careful: sticky sessions can cause uneven load distribution if not managed properly.
In all these question types, the key is to understand not just what ALB does, but why certain configurations are used and what happens when things go wrong.
Practise ALB Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a solutions architect for an online bookstore. The application has three microservices: one for browsing books (books.example.com), one for user accounts (accounts.example.com), and one for processing payments (payments.example.com). All three services are running on multiple EC2 instances in private subnets across two Availability Zones. Users access the bookstore via a single domain: www.example.com.
Your task: Design a load balancing solution so that traffic is directed to the correct microservice based on the URL path.
Configuration: You create an Application Load Balancer and place it in public subnets. You configure a listener for HTTPS on port 443 with an SSL certificate for *.example.com. You create three target groups: TG-Books, TG-Accounts, and TG-Payments.
- TG-Books: contains instances running the books service, port 3000, health check path /books/health. - TG-Accounts: contains instances running the accounts service, port 3001, health check path /accounts/health. - TG-Payments: contains instances running the payments service, port 3002, health check path /payments/health.
You add rules to the listener: - If path is /books*, forward to TG-Books. - If path is /accounts*, forward to TG-Accounts. - If path is /payments*, forward to TG-Payments. - Default action: return a 404 fixed response.
When a user visits https://www.example.com/books/harry-potter, the ALB sees the path /books/harry-potter, matches the first rule, and forwards the request to an instance in TG-Books. The books service then returns the book details.
each target group has health checks configured to hit a lightweight endpoint. If an instance fails three consecutive health checks, it is removed from rotation. This ensures that users never see errors from a broken server.
This scenario demonstrates path-based routing, a core ALB feature. It also shows how ALB enables clean separation of microservices, which is a common pattern in modern cloud architectures.
Common Mistakes
Using ALB for non-HTTP traffic like database connections or game server connections.
ALB only operates at Layer 7 and supports HTTP, HTTPS, and WebSocket protocols. For TCP, UDP, or TLS traffic, you must use a Network Load Balancer (NLB).
If the application uses any protocol other than HTTP/HTTPS/WebSocket, choose NLB instead of ALB.
Configuring health checks with a very short interval and a low unhealthy threshold.
A too-short health check interval can cause unnecessary load on the targets, and a low unhealthy threshold may mark a target unhealthy prematurely due to transient issues. This leads to traffic oscillation and poor stability.
Use reasonable defaults: interval of 30 seconds, unhealthy threshold of 3 failures. Only reduce these values if you have a specific latency-critical requirement.
Placing the ALB in private subnets and expecting it to be accessible from the internet.
An ALB must be in public subnets (with a route to an Internet Gateway) to receive internet traffic. Private subnets are for internal-only resources.
Place the ALB in public subnets, and ensure that its security group allows inbound traffic from the internet (e.g., HTTP/HTTPS from 0.0.0.0/0). Target instances remain in private subnets for security.
Assuming that ALB supports path-based routing only with exact path matches.
ALB can route based on path patterns with wildcards (e.g., /api/*), not just exact paths. It also supports host-based routing, query string routing, and HTTP method routing.
Use the correct condition type (e.g., path pattern) with wildcard characters when needed. For example, /users/* will match /users/list and /users/123.
Configuring security group rules that allow traffic from 0.0.0.0/0 to the backend servers.
This exposes backend servers directly to the internet, bypassing the ALB and defeating its security and health check benefits. It also violates the principle of least privilege.
Set the backend server security group to allow traffic only from the ALB security group. Reference the ALB security group ID in the inbound rule.
Not enabling cross-zone load balancing, then assuming traffic is evenly distributed.
Without cross-zone load balancing, each ALB node distributes traffic only to targets in its own Availability Zone, which can lead to uneven load if instances are unevenly distributed across zones.
Enable cross-zone load balancing on the ALB (it is enabled by default for ALBs created in the AWS Management Console). This ensures traffic is spread evenly across all healthy targets in all zones.
Exam Trap — Don't Get Fooled
{"trap":"In a scenario where a company wants to load balance a legacy application that uses a custom protocol over TCP, many learners choose ALB because they think it is the default or the “best” load balancer.","why_learners_choose_it":"ALB is the most featured load balancer in AWS and is covered extensively in exam prep. Learners often overgeneralize and assume ALB can handle any traffic, not realizing its Layer 7 limitation."
,"how_to_avoid_it":"Always check the protocol used by the application. ALB only supports HTTP, HTTPS, and WebSocket. For any other protocol (TCP, UDP, TLS), use NLB. If the application requires both Layer 7 features and static IP addresses, use a combination of NLB in front of ALB."
Step-by-Step Breakdown
Client sends request
A user types a URL in their browser, such as https://www.example.com/login. The DNS resolves the ALB’s public endpoint, and the request reaches the ALB node in the nearest Availability Zone.
ALB listener receives the request
The listener is configured for HTTPS on port 443. The ALB terminates the TLS connection using the SSL certificate associated with the domain. It decrypts the request so it can read the HTTP headers and path.
Evaluate listener rules
The ALB evaluates the listener rules in order. Each rule has conditions (e.g., path pattern, host header). For the path /login, a rule like “If path is /login*, forward to LoginTargetGroup” matches. If no rule matches, the default action is taken (e.g., fixed response or redirect).
Select a target from the target group
The ALB uses a load balancing algorithm (default is round robin) to select a healthy target from the LoginTargetGroup. It only considers targets that have passed the latest health check.
Forward the request to the selected target
The ALB forwards the request to the selected EC2 instance or IP address in the target group. The target processes the request and sends the response back through the ALB. The ALB may modify headers (like X-Forwarded-For) to preserve client IP information.
Response returned to client
The ALB forwards the response from the target back to the client. If the connection is HTTPS, the ALB re-encrypts the response before sending it over the internet.
Health check cycle (ongoing)
Every health check interval (e.g., 30 seconds), the ALB sends a request to each target’s health check endpoint (e.g., /health). If the target responds with a 200 status code within the timeout, it is marked healthy. After consecutive failures (e.g., 3), it is marked unhealthy and removed from rotation.
Practical Mini-Lesson
When you deploy an ALB in a real production environment, there are several important considerations beyond the basic setup.
First, plan your target group design carefully. Each target group should represent a logical service or tier. For microservices, create one target group per service. This allows you to configure different health check endpoints, port numbers, and stickiness policies for each service. You can also attach multiple target groups to a single listener with different rules.
Second, always configure security groups with precision. The ALB security group should allow inbound traffic from the internet on ports 80 and/or 443. The backend instance security group should only allow inbound traffic from the ALB security group. This layered security approach protects your instances from direct exposure.
Third, monitor ALB performance. Use CloudWatch metrics such as RequestCount, TargetResponseTime, HTTPCode_ELB_5XX, and HealthyHostCount. An increase in 5xx errors from the ALB often indicates that the backend is returning errors, while an increase in 5xx from the target group indicates healthy errors but the ALB is forwarding correctly. Access logs (enable them in S3) provide detailed request-level data for debugging.
Fourth, understand the difference between ALB’s connection idle timeout and keep-alive settings. The default idle timeout is 60 seconds. If your application requires longer-lived connections, increase this value. Also, ALB does not handle WebSocket upgrades itself but can forward WebSocket traffic if the backend supports it.
Fifth, consider cost. ALB pricing is based on the number of load balancer capacity units (LCUs) consumed, which depends on new connections, active connections, processed bytes, and rule evaluations. If you have many rules or very high traffic, costs can add up. NLB is cheaper for high-throughput TCP traffic.
What can go wrong? - Misconfigured health checks: A health check that always returns 200 (because the endpoint is a static page) will never detect a failing application. Make sure the health check path actually tests the application logic. - Security group issues: If the ALB security group does not allow inbound traffic from clients, users get connection timeouts. If the target security group does not allow inbound traffic from the ALB, the ALB gets 503 errors. - Sticky sessions side-effects: If you enable stickiness but one target goes down, all sessions pinned to that target are lost unless you handle session replication at the application level. - Inefficient routing rules: Too many rules (AWS supports up to 100 per listener, but performance can degrade with complexity). Always order rules with specific ones first, general ones later.
Professionals also use ALB with AWS Global Accelerator to improve latency for global users, or with AWS WAF to block common attacks like SQL injection and cross-site scripting. In many enterprises, ALB is the standard front door for all web-facing applications.
Memory Tip
ALB = Application Layer (Layer 7) Load Balancer, meaning it reads the application content like URL path and headers, unlike NLB which only reads network ports.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Can I use an ALB to load balance traffic to an on-premises server?
Yes, you can register an on-premises server as a target using its IP address, as long as the server is reachable from the ALB via a VPN or Direct Connect. You must use the IP address type for the target group.
What is the difference between a listener and a target group?
A listener is a process that checks for connection requests on a specific port (e.g., 443). It uses rules to decide where to send the traffic, and the target group is the destination for those requests, containing the actual backend resources.
Does ALB support WebSocket?
Yes, ALB supports the WebSocket protocol. It can upgrade HTTP connections to WebSocket and maintain persistent connections to the backend targets.
How do I make sure my ALB only accepts traffic from CloudFront?
You can restrict ALB access by using a security group that allows inbound traffic only from the CloudFront IP address ranges. Alternatively, you can use a custom header that CloudFront signs and the ALB verifies.
What is the default load balancing algorithm for ALB?
The default algorithm is round robin. However, ALB also supports least outstanding requests (LOR) algorithm, which is often better for heterogeneous backends.
Can I have multiple SSL certificates on one ALB?
Yes, ALB supports Server Name Indication (SNI), which allows you to associate multiple certificates with a single HTTPS listener and serve the correct one based on the hostname in the client’s request.
What happens if all targets in a target group become unhealthy?
If all targets become unhealthy, the ALB will return a 503 Service Unavailable error to clients. There is no fallback target group unless you configure a default action or redirect.
Summary
The Application Load Balancer (ALB) is a foundational component for building resilient, scalable, and secure web applications on AWS. It operates at Layer 7, which means it can inspect HTTP headers, paths, and hostnames to make intelligent routing decisions. This makes it ideal for microservices architectures, containerized deployments, and any scenario where you need to direct traffic based on application content.
ALB simplifies operations by handling TLS termination, health checks, and automatic scaling. It integrates with other AWS services like Auto Scaling groups, ECS, Lambda, and AWS WAF. In real-world IT environments, the ALB serves as the entry point, distributing traffic across multiple targets in multiple Availability Zones to ensure high availability.
For certification candidates, especially those taking the AWS Solutions Architect Associate exam, ALB is a must-know service. You will be asked to choose between ALB, NLB, and CLB in various scenarios, to configure path-based or host-based routing rules, to set appropriate health check parameters, and to troubleshoot common issues like 503 errors or improper security group configurations.
Key exam takeaways: Remember that ALB is Layer 7 only, used for HTTP/HTTPS/WebSocket traffic. Use path-based routing for microservices, host-based routing for multi-domain setups, and always enable cross-zone load balancing. Secure your architecture by allowing traffic to the ALB from the internet, but only allow traffic from the ALB to backend instances. Practice designing architectures that combine ALB with Auto Scaling for elasticity and with WAF for security. Mastering ALB concepts will give you confidence to answer many scenario-based questions correctly.