This chapter covers the three types of Elastic Load Balancers (ELBs) available on AWS: Application Load Balancer (ALB), Network Load Balancer (NLB), and Gateway Load Balancer (GWLB). Understanding the differences, use cases, and configurations of each is critical for the SOA-C02 exam, which tests your ability to design resilient, high-performance architectures. Expect approximately 8-12% of exam questions to touch on ELB types, their features, and appropriate deployment scenarios.
Jump to a section
Imagine a large shipping company with three different types of loading docks. The first dock is like an Application Load Balancer (ALB): it can read the shipping labels on each package (HTTP headers, cookies, path) and route them to specific processing lines based on content type — all fragile items go to line A, all express packages to line B. It can also inspect the package contents (body) for routing decisions. The second dock is a Network Load Balancer (NLB): it only looks at the destination address on the package (TCP/UDP port, IP) and forwards the entire package as-is to the appropriate truck, without opening it. It can handle millions of packages per second with minimal delay. The third dock is a Gateway Load Balancer (GWLB): it acts as a checkpoint; every package must pass through a security screening station (third-party appliances like firewalls or IDS/IPS) before being forwarded to its final destination. The GWLB distributes packages across multiple screening stations and ensures each package goes through inspection without modifying the package itself. In AWS, ALB works at Layer 7 (application), NLB at Layer 4 (transport), and GWLB at Layer 3 (network) with transparent inspection.
What Are ELB Types and Why Do They Exist?
AWS offers three types of load balancers under the Elastic Load Balancing (ELB) service, each designed for different network layers and use cases. The Application Load Balancer (ALB) operates at Layer 7 (the application layer of the OSI model), the Network Load Balancer (NLB) operates at Layer 4 (transport layer), and the Gateway Load Balancer (GWLB) operates at Layer 3 (network layer) with Layer 4 capabilities for transparent inspection. The exam expects you to know the specific features, limitations, and appropriate scenarios for each.
How Each Load Balancer Works Internally
Application Load Balancer (ALB): ALB is a Layer 7 load balancer that makes routing decisions based on content of the HTTP/HTTPS request. When a client sends an HTTP request, the ALB terminates the TLS connection (if HTTPS), reads the request headers, path, query string, and optionally the body, then forwards the request to a target group based on listener rules. ALB supports path-based routing (e.g., /images/* to one target group, /api/* to another), host-based routing (e.g., api.example.com vs. app.example.com), HTTP header-based routing, query string routing, and HTTP method routing. It also supports WebSocket and HTTP/2. ALB can offload TLS termination, reducing backend CPU load. It operates at the connection level: it maintains two separate TCP connections — one with the client and one with the target. This allows it to inspect and modify application-layer data. ALB also provides sticky sessions (session affinity) using cookies, either application-generated or AWS-generated (AWSALB cookie). The default idle timeout is 60 seconds (configurable 1-4000 seconds).
Network Load Balancer (NLB): NLB is a Layer 4 load balancer designed for extreme performance and low latency. It handles millions of requests per second with very low latency (as low as sub-millisecond). NLB does not terminate the TCP connection; instead, it forwards the TCP/UDP traffic directly to the target while preserving the client's source IP address (by default) or using a proxy protocol to pass the client IP. NLB is stateless — it does not maintain connection state; it simply maps connections to targets based on a hash algorithm (5-tuple: source IP, source port, destination IP, destination port, protocol). NLB supports both TCP and UDP, as well as TLS termination (with a listener configured for TLS). It can also handle static IP addresses (one per Availability Zone) and can be assigned an Elastic IP. NLB supports cross-zone load balancing (disabled by default) and health checks using TCP, HTTP, or HTTPS. The idle timeout is 350 seconds for TCP (not configurable). For UDP, there is no timeout because UDP is connectionless.
Gateway Load Balancer (GWLB): GWLB is a Layer 3/4 load balancer that helps you deploy, scale, and manage third-party virtual appliances, such as firewalls, intrusion detection/prevention systems (IDS/IPS), and deep packet inspection (DPI) appliances. GWLB operates in a transparent mode: it does not modify the packet content; it forwards the entire packet (Layer 2-4) to the target appliance. GWLB uses the GENEVE protocol (Generic Network Virtualization Encapsulation) on port 6081 to encapsulate packets between the load balancer and the target appliances. The GWLB is deployed at the edge of a VPC (subnet) and can be used as a next-hop for traffic routing (via route tables). It supports two modes: transparent (the appliance sees the original client IP) and with proxy (the appliance sees the GWLB IP). GWLB health checks are done using the GENEVE protocol. GWLB supports TCP, UDP, and ICMP traffic. It is integrated with AWS Transit Gateway and can be used for east-west traffic inspection.
Key Components, Values, Defaults, and Timers
ALB: Listeners (port/protocol), rules (conditions and actions), target groups (target type: instance, IP, or Lambda), health checks (default: 5s interval, 2 healthy/unhealthy threshold, 5s timeout), idle timeout (default 60s, configurable 1-4000s), deregistration delay (default 300s), slow start (0-3600s), connection idle timeout for WebSocket (default 60s).
NLB: Listeners (port/protocol: TCP, UDP, TLS), target groups (target type: instance, IP, or ALB), health checks (TCP, HTTP, HTTPS; default interval 10s, healthy threshold 3, unhealthy threshold 3, timeout 10s), idle timeout for TCP (350s, not configurable), cross-zone load balancing (disabled by default), proxy protocol v2 (optional), client IP preservation (enabled by default for TCP).
GWLB: Listeners (port 6081, protocol GENEVE), target groups (target type: instance or IP), health checks (GENEVE protocol, default interval 10s, healthy threshold 3, unhealthy threshold 3, timeout 10s), idle timeout (350s for TCP, not configurable for UDP), cross-zone load balancing (enabled by default), GENEVE encapsulation with an 8-byte header (includes virtual network identifier VNI).
Configuration and Verification Commands
Load balancers are configured via AWS Management Console, AWS CLI, or CloudFormation. Key CLI commands:
# Create an ALB
alb create-load-balancer --name my-alb --subnets subnet-123 subnet-456 --security-groups sg-789
# Create an NLB
nlb create-load-balancer --name my-nlb --type network --subnets subnet-123 subnet-456
# Create a GWLB
gwlb create-load-balancer --name my-gwlb --type gateway --subnets subnet-123 subnet-456
# Describe load balancers
aws elbv2 describe-load-balancers
# Describe target health
aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:...Interaction with Related Technologies
ALB: Integrates with AWS WAF (web application firewall) for Layer 7 protection, AWS Shield for DDoS protection, AWS Certificate Manager (ACM) for SSL/TLS certificates, and AWS Lambda as a target. ALB can also authenticate users via Cognito or OIDC.
NLB: Can be used as a target for AWS Global Accelerator, integrates with PrivateLink for VPC endpoint services, and can be fronted by AWS WAF only if an ALB is behind it (NLB itself does not support WAF). NLB supports Elastic IPs for whitelisting.
GWLB: Integrates with AWS Transit Gateway, VPC route tables, and third-party appliance vendors. GWLB is typically used with partner appliances from AWS Marketplace (e.g., Palo Alto Networks, Fortinet, Check Point).
Performance and Scaling
ALB: Scales automatically based on traffic load. Supports up to 50 listeners per ALB, 100 rules per listener (default), and 100 target groups. Can handle millions of concurrent connections.
NLB: Designed for high throughput (up to 25 Gbps per NLB). Can handle millions of packets per second. Supports static IP addresses and can be used for TCP/UDP traffic at extreme scale.
GWLB: Scales horizontally across multiple Availability Zones. Can handle traffic up to 100 Gbps per GWLB. Supports up to 50 target groups and 100 appliances per target group.
Security Considerations
ALB: Supports security groups (control inbound traffic to ALB), SSL/TLS termination, and authentication. ALB can be internal (VPC-only) or internet-facing.
NLB: Does not support security groups (traffic is forwarded as-is). Security is achieved via subnet network ACLs and controlling access to target groups. NLB can be internal or internet-facing.
GWLB: Does not support security groups. Traffic is forwarded transparently. Security is managed via the appliances themselves and subnet ACLs. GWLB is always internal (not internet-facing).
Pricing
ALB: Pay per hour (or partial hour) and per LCU (Load Balancer Capacity Unit). LCU measures connections, active connections, processed bytes, and rules evaluations.
NLB: Pay per hour and per NLCU (Network Load Balancer Capacity Unit). NLCU measures new connections, active connections, and processed bytes.
GWLB: Pay per hour and per GWLCU (Gateway Load Balancer Capacity Unit). GWLCU measures new connections, active connections, and processed bytes (traffic mirrored to appliances).
Exam Tips
The exam often tests which load balancer to use for a given scenario. Key differentiators: Layer 7 content routing -> ALB; TCP/UDP with extreme performance -> NLB; transparent inspection appliances -> GWLB.
Remember that NLB does not support security groups, but ALB does. GWLB also does not support security groups.
NLB can be assigned a static IP (Elastic IP), ALB cannot (uses a DNS name). GWLB uses a DNS name or can be referenced by route table.
ALB supports path-based and host-based routing; NLB and GWLB do not.
GWLB uses GENEVE protocol on port 6081; this is a common exam detail.
Choose Load Balancer Type
Determine the required OSI layer for your application. If you need content-based routing (HTTP headers, paths), choose ALB. If you need extreme performance and low latency for TCP/UDP traffic, choose NLB. If you need to deploy and scale third-party virtual appliances (firewalls, IDS/IPS) transparently, choose GWLB. This decision is based on the application's protocol, performance requirements, and security needs.
Configure Listeners and Rules
Create a listener on a specific port (e.g., 80 for HTTP, 443 for HTTPS for ALB; 80 for TCP for NLB; 6081 for GENEVE for GWLB). For ALB, define rules that specify conditions (path, host, header, query string, HTTP method) and actions (forward to target group, redirect, fixed response). For NLB, listeners forward all traffic on the port to a target group. For GWLB, the listener forwards GENEVE-encapsulated traffic to a target group.
Define Target Groups
Create target groups that specify the type of target (instance, IP, or Lambda for ALB; instance or IP for NLB and GWLB). Register targets (EC2 instances, IP addresses, or Lambda functions). Configure health checks: for ALB, default is HTTP/HTTPS with 5-second interval; for NLB, default is TCP with 10-second interval; for GWLB, default is GENEVE with 10-second interval. Set healthy/unhealthy thresholds (default 2 for ALB, 3 for NLB and GWLB).
Configure Advanced Settings
For ALB, configure idle timeout (default 60 seconds), deregistration delay (default 300 seconds), slow start (if needed), and stickiness (using cookies). For NLB, configure cross-zone load balancing (disabled by default), proxy protocol v2 (if client IP preservation is needed), and enable/disable client IP preservation. For GWLB, configure cross-zone load balancing (enabled by default) and ensure the GENEVE encapsulation is correctly set up.
Associate Security Groups and Subnets
For ALB, assign security groups to control inbound traffic. For NLB and GWLB, security groups are not supported; instead, use network ACLs on the subnets. Select at least two subnets in different Availability Zones for high availability. For internet-facing load balancers, the subnets must have an Internet Gateway route. For internal load balancers, the subnets are private.
Test and Verify
Access the load balancer's DNS name (for ALB/NLB) or configure route tables (for GWLB) to send traffic. Verify that health checks pass and traffic is distributed. Use `aws elbv2 describe-target-health` to check target health. Monitor CloudWatch metrics (e.g., RequestCount, ActiveConnectionCount, HealthyHostCount). For NLB, verify client IP preservation if needed. For GWLB, verify that traffic is being forwarded through appliances.
Enterprise Scenario 1: Microservices Architecture with ALB
A large e-commerce platform runs a microservices architecture with services for user authentication, product catalog, shopping cart, and payment processing. Each service is deployed on EC2 instances in Auto Scaling groups. The platform uses an Application Load Balancer to route incoming HTTPS traffic based on URL paths: /auth/* to the authentication service, /products/* to the catalog service, /cart/* to the cart service, and /payments/* to the payment service. The ALB terminates TLS using certificates from ACM, offloading encryption overhead from the backend. The ALB also integrates with AWS WAF to block SQL injection and cross-site scripting attacks. In production, the ALB handles over 50,000 requests per second with sub-10ms latency. The SysOps team monitors CloudWatch alarms for TargetResponseTime and HTTPCode_ELB_5XX_Count. A common misconfiguration is forgetting to update the target group's health check path to the correct endpoint (e.g., /health), causing all targets to be marked unhealthy and the site to go down.
Enterprise Scenario 2: High-Performance TCP Gaming Server with NLB
A gaming company deploys a real-time multiplayer game using a custom TCP protocol. The game requires extremely low latency (under 1ms) and can handle up to 1 million concurrent connections. The company chooses a Network Load Balancer to distribute TCP traffic across a fleet of game servers. The NLB is configured with static Elastic IPs so that players can whitelist the IPs for firewall rules. Client IP preservation is enabled so that the game servers see the original player IP for geolocation and anti-cheat measures. Cross-zone load balancing is enabled to distribute traffic evenly across Availability Zones. The NLB is also used as a target for AWS Global Accelerator to further reduce latency and provide a static anycast IP. In production, the NLB processes over 10 Gbps of traffic with minimal packet loss. A common issue is misconfiguring health checks: using TCP health checks on a port that the game server doesn't respond to, causing the server to be marked unhealthy even though it's serving players.
Enterprise Scenario 3: Transparent Firewall Inspection with GWLB
A financial services company needs to inspect all traffic between VPCs and on-premises data centers for compliance. They deploy a Gateway Load Balancer with a fleet of third-party firewall appliances (e.g., Palo Alto Networks VM-Series). The GWLB is placed in a dedicated inspection VPC, and route tables in the spoke VPCs point to the GWLB as the next hop for all inter-VPC traffic. The GWLB distributes traffic across multiple firewall appliances using GENEVE encapsulation. The appliances perform deep packet inspection and forward allowed traffic back to the GWLB, which then forwards it to the destination. This setup allows transparent inspection without modifying the original packet headers. The company scales the number of firewall appliances based on traffic load using Auto Scaling. In production, the GWLB handles up to 40 Gbps of traffic. A common misconfiguration is not properly configuring the GENEVE encapsulation on the firewall appliances, causing traffic to be dropped.
What SOA-C02 Tests on This Topic
The SOA-C02 exam objectives under Domain 5 (Networking) include objective 5.2: "Implement network connectivity patterns." This covers choosing the appropriate load balancer type based on requirements. The exam tests your ability to:
Differentiate between ALB, NLB, and GWLB features.
Identify the correct load balancer for a given scenario (e.g., HTTP content routing -> ALB, UDP traffic -> NLB, transparent appliance inspection -> GWLB).
Understand security groups, health checks, and cross-zone load balancing.
Know the default values and configurable parameters for each type.
Common Wrong Answers and Why They Are Wrong
Choosing ALB for TCP/UDP traffic: Candidates often assume ALB can handle any protocol because it's the most common. However, ALB only supports HTTP/HTTPS (Layer 7). For TCP/UDP, use NLB.
Choosing NLB for content-based routing: Candidates see NLB as a 'load balancer' but forget it operates at Layer 4. It cannot inspect HTTP headers or paths. ALB is required.
Assigning a security group to an NLB: Many candidates think all load balancers support security groups. NLB does not; it relies on network ACLs. This is a common trick question.
Assuming GWLB modifies packets: GWLB is transparent; it does not modify the packet payload. It only encapsulates using GENEVE. Candidates may think it performs content inspection, but it only forwards.
Specific Numbers and Values That Appear on the Exam
Default idle timeout for ALB: 60 seconds (configurable 1-4000).
Default idle timeout for NLB: 350 seconds (not configurable).
Default health check interval: ALB = 5s, NLB = 10s, GWLB = 10s.
Default healthy/unhealthy threshold: ALB = 2, NLB = 3, GWLB = 3.
NLB supports static IP (Elastic IP); ALB does not.
GWLB uses GENEVE protocol on port 6081.
Cross-zone load balancing: disabled by default for NLB, enabled by default for GWLB (ALB always enabled).
Edge Cases and Exceptions
NLB can be used with TLS listeners for TLS termination, but it does not support HTTP health checks if the target is not HTTP.
ALB can target Lambda functions; NLB and GWLB cannot.
GWLB does not support security groups, but you can use network ACLs on the GWLB subnet.
NLB supports UDP traffic; ALB does not.
ALB supports WebSocket and HTTP/2; NLB supports WebSocket only if it's TCP (NLB just forwards TCP).
How to Eliminate Wrong Answers
If the scenario mentions HTTP, HTTPS, path-based routing, host-based routing, or WebSocket, eliminate NLB and GWLB.
If the scenario mentions extreme performance, low latency, TCP, UDP, or static IP, eliminate ALB and GWLB.
If the scenario mentions third-party virtual appliances, firewall, IDS/IPS, or transparent inspection, eliminate ALB and NLB.
If the question asks about security groups, only ALB has them (NLB and GWLB do not).
ALB is Layer 7, NLB is Layer 4, GWLB is Layer 3/4 for transparent appliances.
Only ALB supports path-based, host-based, and header-based routing.
NLB does not support security groups; ALB does.
NLB supports static IP (Elastic IP); ALB and GWLB do not.
GWLB uses GENEVE protocol on port 6081.
Default idle timeout: ALB 60s (configurable), NLB 350s (not configurable).
Cross-zone load balancing is disabled by default for NLB, enabled for ALB and GWLB.
NLB can be used for UDP traffic; ALB cannot.
GWLB is always internal (not internet-facing).
Health check defaults: ALB interval 5s, threshold 2; NLB interval 10s, threshold 3; GWLB interval 10s, threshold 3.
These come up on the exam all the time. Here's how to tell them apart.
Application Load Balancer (ALB)
Operates at Layer 7 (HTTP/HTTPS)
Supports content-based routing (path, host, header, query string)
Supports security groups
Terminates TLS and offloads SSL
Supports sticky sessions via cookies
Network Load Balancer (NLB)
Operates at Layer 4 (TCP/UDP/TLS)
No content-based routing; forwards based on port
Does not support security groups
Can terminate TLS but does not offload; preserves client IP
No native sticky sessions; uses source IP hash or proxy protocol
Network Load Balancer (NLB)
Designed for extreme performance and low latency
Supports TCP, UDP, and TLS
Can be assigned Elastic IP (static IP)
Client IP preservation enabled by default for TCP
Can be used as a target for Global Accelerator
Gateway Load Balancer (GWLB)
Designed for transparent appliance inspection
Supports TCP, UDP, and ICMP (via GENEVE encapsulation)
Does not support Elastic IP; uses DNS name or route table
Preserves original client IP in GENEVE header
Integrated with Transit Gateway for inter-VPC inspection
Mistake
NLB can perform path-based routing.
Correct
NLB operates at Layer 4 and cannot inspect HTTP paths. Only ALB supports path-based routing.
Mistake
You can assign a security group to an NLB.
Correct
NLB does not support security groups. You must use network ACLs on the subnets to control traffic.
Mistake
ALB supports UDP traffic.
Correct
ALB only supports HTTP/HTTPS (Layer 7). For UDP, use NLB.
Mistake
GWLB modifies the packet content for inspection.
Correct
GWLB is transparent; it encapsulates packets using GENEVE but does not modify the original packet payload. The appliance inspects the original packet.
Mistake
All load balancers support cross-zone load balancing by default.
Correct
Cross-zone load balancing is enabled by default for ALB and GWLB, but disabled by default for NLB.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use an Application Load Balancer (ALB). ALB operates at Layer 7 and can route based on URL path, host header, query string, and HTTP method. For example, you can route /api/* to one target group and /app/* to another. NLB and GWLB cannot perform content-based routing.
No, ALB does not support static IP addresses. It uses a DNS name that resolves to multiple IP addresses. For static IP, use a Network Load Balancer (NLB) with Elastic IPs. Alternatively, you can use AWS Global Accelerator with an ALB to get a static anycast IP.
Yes, NLB supports health checks using TCP, HTTP, or HTTPS protocols. By default, it uses TCP health checks on the target port with an interval of 10 seconds and a healthy threshold of 3. You can configure custom health check settings.
GWLB uses the GENEVE (Generic Network Virtualization Encapsulation) protocol on port 6081 to encapsulate traffic between the load balancer and the target appliances. This allows transparent forwarding of Layer 2-4 packets without modification.
Yes, NLB can handle WebSocket traffic because WebSocket operates over TCP. NLB forwards TCP traffic without inspecting the application layer. However, ALB has native WebSocket support and can perform content-based routing for WebSocket connections.
Network Load Balancer (NLB) supports UDP traffic. Application Load Balancer (ALB) only supports HTTP/HTTPS. Gateway Load Balancer (GWLB) supports UDP via GENEVE encapsulation, but it is designed for transparent appliances, not direct client-facing UDP.
Cross-zone load balancing is disabled by default on NLB. You can enable it during creation or by modifying the load balancer attributes using the AWS CLI: `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <arn> --attributes Key=load_balancing.cross_zone.enabled,Value=true`. For ALB and GWLB, cross-zone load balancing is enabled by default.
You've just covered ELB Types: ALB, NLB, and Gateway Load Balancer — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?