Edit attributes for your Network Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Edit attributes for your Network Load Balancer

After you create a Network Load Balancer, you can edit its attributes.

Deletion protection

To prevent your Network Load Balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your Network Load Balancer.

If you enable deletion protection for your Network Load Balancer, you must disable it before you can delete the Network Load Balancer.

Console
To enable or disable deletion protection
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Select the name of the Network Load Balancer to open its details page.

  4. On the Attributes tab, choose Edit.

  5. Under Protection, enable or disable Deletion protection.

  6. Choose Save changes.

Amazon CLI
To enable or disable deletion protection

Use the modify-load-balancer-attributes command with the deletion_protection.enabled attribute.

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes "Key=deletion_protection.enabled,Value=true"

CloudFormation
To enable or disable deletion protection

Update the AWS::ElasticLoadBalancingV2::LoadBalancer resource to include the deletion_protection.enabled attribute.

Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets:
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups:
        - !Ref mySecurityGroup
      LoadBalancerAttributes:
        - Key: "deletion_protection.enabled"
          Value: "true"

Cross-zone load balancing

With Network Load Balancers, cross-zone load balancing is off by default at the load balancer level, but you can turn it on at any time. For target groups, the default is to use the load balancer setting, but you can override the default by explicitly turning cross-zone load balancing on or off at the target group level. For more information, see Cross-zone load balancing for target groups.

Console
To enable or disable cross-zone load balancing for a load balancer
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, under Load Balancing, choose Load Balancers.

  3. Select the name of the load balancer to open its details page.

  4. On the Attributes tab, choose Edit.

  5. On the Edit load balancer attributes page, turn Cross-zone load balancing on or off.

  6. Choose Save changes.

Amazon CLI
To enable or disable cross-zone load balancing for a load balancer

Use the modify-load-balancer-attributes command with the load_balancing.cross_zone.enabled attribute.

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes "Key=load_balancing.cross_zone.enabled,Value=true"

CloudFormation
To enable or disable cross-zone load balancing for a load balancer

Update the AWS::ElasticLoadBalancingV2::LoadBalancer resource to include the load_balancing.cross_zone.enabled attribute.

Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets:
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups:
        - !Ref mySecurityGroup
      LoadBalancerAttributes:
        - Key: "load_balancing.cross_zone.enabled"
          Value: "true"

Availability Zone DNS affinity

When using the default client routing policy, requests sent to your Network Load Balancer's DNS name can receive any healthy Network Load Balancer IP address. This distributes client connections across the Network Load Balancer's Availability Zones. With the Availability Zone affinity routing policies, client DNS queries favor Network Load Balancer IP addresses in the client's own Availability Zone. This improves both latency and resiliency, because clients do not need to cross Availability Zone boundaries when connecting to targets.

Availability Zone affinity routing policies apply only to clients that resolve the Network Load Balancer's DNS name using Route 53 Resolver. For more information, see What is Amazon Route 53 Resolver? in the Amazon Route 53 Developer Guide.

Client routing policies available to Network Load Balancers using Route 53 Resolver:
  • Availability Zone affinity – 100 percent zonal affinity

    Client DNS queries favor Network Load Balancer IP addresses in their own Availability Zone. Queries may resolve to other zones if there are no healthy Network Load Balancer IP addresses in their own zone.

  • Partial Availability Zone affinity – 85 percent zonal affinity

    85 percent of client DNS queries favor Network Load Balancer IP addresses in their own Availability Zone, while the remaining queries resolve to any healthy zone. Queries may resolve to other healthy zones if there are no healthy IP addresses in their own zone. When there are no healthy IP addresses in any zone, queries resolve to any zone.

  • Any Availability Zone (default) – 0 percent zonal affinity

    Client DNS queries are resolved among healthy Network Load Balancer IP addresses across all of the Network Load Balancer's Availability Zones.
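The three policies above, worked through as an added example that is not part of this AWS documentation: a small Python model of how a single client query is answered under each policy, including the fallbacks described on this page (zone-local addresses first, any healthy zone when the client's own zone has no healthy address, and the full address set when the record fails open). The zone names and addresses are constructed; the attribute values availability_zone_affinity and any_availability_zone for the two policies the page does not show on the command line are assumed to follow the same naming as partial_availability_zone_affinity.

```python
"""Model of the Network Load Balancer client routing policies (added
example, not AWS code). Zone names and addresses below are constructed."""
import random

# Share of queries that favor the client's own Availability Zone. The page
# shows only partial_availability_zone_affinity on the command line; the
# other two value names are assumed to follow the same attribute naming.
ZONAL_AFFINITY = {
    "availability_zone_affinity": 1.00,          # 100 percent zonal affinity
    "partial_availability_zone_affinity": 0.85,  # 85 percent zonal affinity
    "any_availability_zone": 0.00,               # default, 0 percent
}

# Constructed sample: one load balancer IP address per enabled zone.
SAMPLE_ZONAL_IPS = {
    "us-east-1a": ["10.0.1.10"],
    "us-east-1b": ["10.0.2.10"],
    "us-east-1c": ["10.0.3.10"],
}


def candidate_ips(client_az, zonal_ips, unhealthy_azs, policy, roll):
    """Return the sorted pool of addresses one query may resolve to.

    zonal_ips maps each zone to its load balancer addresses; unhealthy_azs
    holds zones whose addresses failed DNS health checks or are under a
    zonal shift. roll is the resolver's per-query draw in [0, 1), passed in
    so the weighted policy can be exercised deterministically.
    """
    affinity = ZONAL_AFFINITY[policy]
    healthy = {az: ips for az, ips in zonal_ips.items() if az not in unhealthy_azs}
    # No healthy zone at all: the record fails open, every address becomes
    # eligible again, and affinity is still applied to that full set.
    pool = healthy if healthy else dict(zonal_ips)
    local = pool.get(client_az, [])
    if local and roll < affinity:
        return sorted(local)
    # Either this query was sent to "any healthy zone" by the policy, or the
    # client's own zone has no usable address, so it may resolve anywhere.
    return sorted(ip for ips in pool.values() for ip in ips)


def local_share(client_az, zonal_ips, unhealthy_azs, policy, queries=10000, seed=1):
    """Fraction of queries whose whole candidate pool is zone-local."""
    rng = random.Random(seed)
    local = set(zonal_ips.get(client_az, []))
    hits = 0
    for _ in range(queries):
        pool = candidate_ips(client_az, zonal_ips, unhealthy_azs, policy, rng.random())
        if set(pool) <= local:
            hits += 1
    return hits / queries


if __name__ == "__main__":
    for policy in ZONAL_AFFINITY:
        share = local_share("us-east-1a", SAMPLE_ZONAL_IPS, set(), policy)
        print(f"{policy:40s} zone-local share {share:.2f}")
    # Zonal shift on the client's own zone: queries fall back to other zones.
    print(candidate_ips("us-east-1a", SAMPLE_ZONAL_IPS, {"us-east-1a"},
                        "availability_zone_affinity", 0.0))
```

The pool returned is the set a resolver may pick from, not the single address it hands back, which is why the 85 percent policy is measured as the share of queries whose pool is purely zone-local: the remaining queries can still land in the local zone by chance, but that is not guaranteed.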

Availability Zone affinity routes requests from the client to the Network Load Balancer, while cross-zone load balancing routes requests from the Network Load Balancer to the targets. When using Availability Zone affinity, turn cross-zone load balancing off; this ensures that Network Load Balancer traffic from clients to targets remains within the same Availability Zone. With this configuration, client traffic is sent to the client's own Network Load Balancer Availability Zone, so we recommend configuring your application to scale independently in each Availability Zone. This is an important consideration when the number of clients per Availability Zone, or the traffic per Availability Zone, is not the same. For more information, see Cross-zone load balancing for target groups.

When an Availability Zone is considered unhealthy, or when a zonal shift is started, the zonal IP address is considered unhealthy and is not returned to clients unless fail open is in effect. Availability Zone affinity is maintained when the DNS record fails open. This helps keep Availability Zones independent and prevents potential cross-zone failures.

When using Availability Zone affinity, periods of imbalance between Availability Zones are expected. We recommend ensuring that your targets scale at the zonal level, to support each Availability Zone's workload. In cases where these imbalances are significant, we recommend turning off Availability Zone affinity. This allows even distribution of client connections across all of the Network Load Balancer's Availability Zones within 60 seconds, or the DNS TTL.

Before using Availability Zone affinity, consider the following:
  • Availability Zone affinity changes the behavior of all of the Network Load Balancer's clients that use Route 53 Resolver.

    • Clients aren't able to decide between zonal-local and multi-zone DNS resolutions. Availability Zone affinity decides for them.

    • Clients aren't provided with a reliable method to determine when they're being impacted by Availability Zone affinity, or how to know which IP address is in which Availability Zone.

  • When using Availability Zone affinity with Network Load Balancers and Route 53 Resolver, we recommend clients use the Route 53 Resolver inbound endpoint in their own Availability Zone.

  • Clients will remain assigned to their zone-local IP address until it is deemed fully unhealthy according to DNS health checks, and is removed from DNS.

  • Using Availability Zone affinity with cross-zone load balancing on can lead to an unbalanced distribution of client connections between Availability Zones. We recommend configuring your application stack to scale independently in each Availability Zone, ensuring that it can support zonal client traffic.

  • If cross-zone load balancing is on, the Network Load Balancer is subject to cross-zone impact.

  • The load on each of the Network Load Balancer's Availability Zones is proportional to the zonal locations of client requests. If you don't control how many clients are running in which Availability Zone, you will have to scale each Availability Zone independently and reactively.
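The following Python audit is an added example and not AWS code. It reads the JSON that aws elbv2 describe-load-balancer-attributes returns (an object with an "Attributes" list of Key/Value pairs), fills in the defaults this page states for missing attributes, and flags the two conditions the page calls out: deletion protection left disabled (from the Deletion protection section) and an Availability Zone affinity policy combined with cross-zone load balancing turned on (from the considerations above). It then builds the matching modify-load-balancer-attributes calls. The sample document is constructed, the load balancer ARN is a placeholder, and the value name any_availability_zone for the default policy is assumed.

```python
"""Audit of Network Load Balancer attributes (added example, not AWS code).
Input is the JSON returned by `aws elbv2 describe-load-balancer-attributes`;
the sample document below is constructed."""
import json

# Constructed sample showing both conditions this page warns about.
SAMPLE_ATTRIBUTES_JSON = json.dumps({
    "Attributes": [
        {"Key": "deletion_protection.enabled", "Value": "false"},
        {"Key": "load_balancing.cross_zone.enabled", "Value": "true"},
        {"Key": "dns_record.client_routing_policy",
         "Value": "partial_availability_zone_affinity"},
        {"Key": "secondary_ips.auto_assigned.per_subnet", "Value": "0"},
    ]
})

# Values used when an attribute is absent from the response. They match the
# defaults stated on this page (deletion protection off, cross-zone off, the
# "Any Availability Zone" policy); the policy value name is assumed.
DEFAULTS = {
    "deletion_protection.enabled": "false",
    "load_balancing.cross_zone.enabled": "false",
    "dns_record.client_routing_policy": "any_availability_zone",
}


def parse_attributes(document):
    """Flatten the Key/Value list into a dict on top of the defaults."""
    data = json.loads(document)
    attrs = dict(DEFAULTS)
    attrs.update((a["Key"], a["Value"]) for a in data.get("Attributes", []))
    return attrs


def audit_attributes(attrs):
    """Return (attribute, recommended value, reason) for each finding."""
    findings = []
    if attrs["deletion_protection.enabled"] != "true":
        findings.append((
            "deletion_protection.enabled", "true",
            "load balancer can be deleted accidentally",
        ))
    zonal_affinity = attrs["dns_record.client_routing_policy"] != "any_availability_zone"
    if zonal_affinity and attrs["load_balancing.cross_zone.enabled"] == "true":
        findings.append((
            "load_balancing.cross_zone.enabled", "false",
            "Availability Zone affinity with cross-zone load balancing on: "
            "client traffic crosses zones and distribution may become unbalanced",
        ))
    return findings


def remediation_commands(load_balancer_arn, findings):
    """Build the modify-load-balancer-attributes call that fixes each finding."""
    return [
        "aws elbv2 modify-load-balancer-attributes "
        f"--load-balancer-arn {load_balancer_arn} "
        f'--attributes "Key={key},Value={value}"'
        for key, value, _ in findings
    ]


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ATTRIBUTES_JSON)
    findings = audit_attributes(attrs)
    for key, value, reason in findings:
        print(f"{key}: set to {value} ({reason})")
    # Placeholder ARN; substitute the ARN of your own load balancer.
    for cmd in remediation_commands("LOAD-BALANCER-ARN-PLACEHOLDER", findings):
        print(cmd)
```

Run it against real output by piping the CLI response into parse_attributes; the audit only reads attributes, and the printed commands are for review before you apply them.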

Monitoring

We recommend tracking the distribution of connections between Availability Zones using the zonal Network Load Balancer metrics. You can use these metrics to view the number of new and active connections per zone.

We recommend tracking the following:

  • ActiveFlowCount – The total number of concurrent flows (or connections) from clients to targets.

  • NewFlowCount – The total number of new flows (or connections) established from clients to targets in the time period.

  • HealthyHostCount – The number of targets that are considered healthy.

  • UnHealthyHostCount – The number of targets that are considered unhealthy.

For more information, see CloudWatch metrics for your Network Load Balancer.

Enable Availability Zone affinity

Console
To enable Availability Zone affinity
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Select the name of the Network Load Balancer to open its details page.

  4. On the Attributes tab, choose Edit.

  5. Under Availability Zone routing configuration, Client routing policy (DNS record), select Availability Zone affinity or Partial Availability Zone affinity.

  6. Choose Save changes.

Amazon CLI
To enable Availability Zone affinity

Use the modify-load-balancer-attributes command with the dns_record.client_routing_policy attribute.

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes "Key=dns_record.client_routing_policy,Value=partial_availability_zone_affinity"

CloudFormation
To enable Availability Zone affinity

Update the AWS::ElasticLoadBalancingV2::LoadBalancer resource to include the dns_record.client_routing_policy attribute.

Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets:
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups:
        - !Ref mySecurityGroup
      LoadBalancerAttributes:
        - Key: "dns_record.client_routing_policy"
          Value: "partial_availability_zone_affinity"

Secondary IP addresses

If you experience port allocation errors and you can't add targets to the target group to resolve them, you can add secondary IP addresses to the load balancer network interfaces. For each zone where the load balancer is enabled, we select IPv4 addresses from the load balancer subnet and assign them to the corresponding network interface. These secondary IP addresses are used to establish connections with targets. They are also used for health check traffic. We recommend that you add one secondary IP address to start with, monitor the PortAllocationErrors metric, and add another secondary IP address only if the port allocation errors are not resolved.

Warning

After you add secondary IP addresses, you can't remove them. The only way to release the secondary IP addresses is to delete the load balancer. Before you add secondary IP addresses, verify that there are enough available IPv4 addresses in the load balancer subnets.

Console
To add a secondary IP address
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Load Balancers.

  3. Select the name of the Network Load Balancer to open its details page.

  4. On the Attributes tab, choose Edit.

  5. Expand Special case attributes, unlock the Secondary IP addresses auto assigned per subnet attribute, and choose the number of secondary IP addresses.

  6. Choose Save changes.

Amazon CLI
To add a secondary IP address

Use the modify-load-balancer-attributes command with the secondary_ips.auto_assigned.per_subnet attribute.

aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes "Key=secondary_ips.auto_assigned.per_subnet,Value=1"

You can use the ec2 describe-network-interfaces command to get the IPv4 addresses for the load balancer network interfaces. The --filters parameter scopes the results to the network interfaces for Network Load Balancers, and the --query parameter further scopes the results to the load balancer with the specified name and displays only the specified fields. You can include additional fields as needed.

aws ec2 describe-network-interfaces \
    --filters "Name=interface-type,Values=network_load_balancer" \
    --query "NetworkInterfaces[?contains(Description,'my-nlb')].{ID:NetworkInterfaceId,AZ:AvailabilityZone,Addresses:PrivateIpAddresses[*]}"

CloudFormation
To add a secondary IP address

Update the AWS::ElasticLoadBalancingV2::LoadBalancer resource to include the secondary_ips.auto_assigned.per_subnet attribute.

Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets:
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups:
        - !Ref mySecurityGroup
      LoadBalancerAttributes:
        - Key: "secondary_ips.auto_assigned.per_subnet"
          Value: "1"