Network Load Balancers
A load balancer serves as the single point of contact for clients. Clients send requests to the load balancer, and the load balancer sends them to targets, such as EC2 instances, in one or more Availability Zones.
To configure your load balancer, you create target groups, and then register targets with your target groups. Your load balancer is most effective if you ensure that each enabled Availability Zone has at least one registered target. You also create listeners to check for connection requests from clients and route requests from clients to the targets in your target groups.
Network Load Balancers support connections from clients over VPC peering, Amazon managed VPN, Amazon Direct Connect, and third-party VPN solutions.
Contents
- Load balancer state
- Load balancer attributes
- IP address type
- Availability Zones
- Cross-zone load balancing
- Deletion protection
- Connection idle timeout
- DNS name
- Create a Network Load Balancer
- IP address types for your Network Load Balancer
- Security groups for your Network Load Balancer
- Tags for your Network Load Balancer
- Delete a Network Load Balancer
- Zonal shift
Load balancer state
A load balancer has one of the following states:
provisioning
-
The load balancer is being set up.
active
-
The load balancer is fully set up and ready to route traffic.
failed
-
The load balancer couldn't be set up.
Load balancer attributes
A load balancer has the following attributes:
access_logs.s3.enabled
-
Indicates whether access logs stored in Amazon S3 are enabled. The default is
false
. access_logs.s3.bucket
-
The name of the Amazon S3 bucket for the access logs. This attribute is required if access logs are enabled. For more information, see Bucket requirements.
access_logs.s3.prefix
-
The prefix for the location in the Amazon S3 bucket.
deletion_protection.enabled
-
Indicates whether deletion protection is enabled. The default is
false
. ipv6.deny_all_igw_traffic
-
Blocks internet gateway (IGW) access to the load balancer, preventing unintended access to your internal load balancer through an internet gateway. It is set to
false
for internet-facing load balancers andtrue
for internal load balancers. This attribute does not prevent non-IGW internet access (for example, through peering, Transit Gateway, Amazon Direct Connect, or Amazon VPN). load_balancing.cross_zone.enabled
-
Indicates whether cross-zone load balancing is enabled. The default is
false
.
IP address type
You can set the types of IP addresses that clients can use with your load balancer. The following are the IP address types:
ipv4
-
Clients must connect to the load balancer using IPv4 addresses (for example, 192.0.2.1). IPv4 enabled load balancers (both internet-facing and internal) support TCP, UDP, TCP_UDP, and TLS listeners.
dualstack
-
Clients can connect to the load balancer using both IPv4 addresses (for example, 192.0.2.1) and IPv6 addresses (for example, 2001:0db8:85a3:0:0:8a2e:0370:7334). Dualstack enabled load balancers (both internet-facing and internal) support TCP and TLS listeners.
Dualstack load balancer considerations
-
The load balancer communicates with targets based on the IP address type of the target group.
-
When you enable dualstack mode for the load balancer, Elastic Load Balancing provides an AAAA DNS record for the load balancer. Clients that communicate with the load balancer using IPv4 addresses resolve the A DNS record. Clients that communicate with the load balancer using IPv6 addresses resolve the AAAA DNS record.
-
Access to your internal dualstack load balancers through the internet gateway is blocked to prevent unintended internet access. However, this does not prevent other internet access (for example, through peering, Transit Gateway, Amazon Direct Connect, or Amazon VPN).
For more information about load balancer IP address types, see Update the address type.
Availability Zones
You enable one or more Availability Zones for your load balancer when you create it. If you enable multiple Availability Zones for your load balancer, this increases the fault tolerance of your applications. You can't disable Availability Zones for a Network Load Balancer after you create it, but you can enable additional Availability Zones.
When you enable an Availability Zone, you specify one subnet from that Availability Zone. Elastic Load Balancing creates a load balancer node in the Availability Zone and a network interface for the subnet (the description starts with "ELB net" and includes the name of the load balancer). Each load balancer node in the Availability Zone uses this network interface to get an IPv4 address. Note that you can view this network interface but you can't modify it.
When you create an internet-facing load balancer, you can optionally specify one Elastic IP address per subnet. If you do not choose one of your own Elastic IP addresses, Elastic Load Balancing provides one Elastic IP address per subnet for you. These Elastic IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You can't change these Elastic IP addresses after you create the load balancer.
When you create an internal load balancer, you can optionally specify one private IP address per subnet. If you do not specify an IP address from the subnet, Elastic Load Balancing chooses one for you. These private IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You can't change these private IP addresses after you create the load balancer.
Considerations
-
For internet-facing load balancers, the subnets that you specify must have at least 8 available IP addresses. For internal load balancers, this is only required if you let Amazon select a private IPv4 address from the subnet.
-
You can't specify a subnet in a constrained Availability Zone. The error message is "Load balancers with type 'network' are not supported in az_name". You can specify a subnet in another Availability Zone that is not constrained and use cross-zone load balancing to distribute traffic to targets in the constrained Availability Zone.
-
You can specify subnets that were shared with you.
-
You can't specify a subnet in a Local Zone.
After you enable an Availability Zone, the load balancer starts routing requests to the registered targets in that Availability Zone. Your load balancer is most effective if you ensure that each enabled Availability Zone has at least one registered target.
To add Availability Zones using the console
-
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Select the name of the load balancer to open its details page.
-
On the Network mapping tab, choose Edit subnets.
-
To enable an Availability Zone, select the check box for that Availability Zone. If there is one subnet for that Availability Zone, it is selected. If there is more than one subnet for that Availability Zone, select one of the subnets. Note that you can select only one subnet per Availability Zone.
For an internet-facing load balancer, you can select an Elastic IP address for each Availability Zone. For an internal load balancer, you can assign a private IP address from the IPv4 range of each subnet instead of letting Elastic Load Balancing assign one.
-
Choose Save changes.
To add Availability Zones using the Amazon CLI
Use the set-subnets command.
Cross-zone load balancing
By default, each load balancer node distributes traffic across the registered targets in its Availability Zone only. If you turn on cross-zone load balancing, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones. You can also turn on cross-zone load balancing at the target group level. For more information, see Cross-zone load balancing for target groups and Cross-zone load balancing in the Elastic Load Balancing User Guide.
Deletion protection
To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.
If you enable deletion protection for your load balancer, you must disable it before you can delete the load balancer.
To enable deletion protection using the console
-
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Select the name of the load balancer to open its details page.
-
On the Attributes tab, choose Edit.
-
Under Configuration, turn on Deletion protection.
-
Choose Save changes.
To disable deletion protection using the console
-
Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/
. -
In the navigation pane, choose Load Balancers.
-
Select the name of the load balancer to open its details page.
-
On the Attributes tab, choose Edit.
-
Under Configuration, turn on Deletion protection.
-
Choose Save changes.
To enable or disable deletion protection using the Amazon CLI
Use the modify-load-balancer-attributes command with the
deletion_protection.enabled
attribute.
Connection idle timeout
For each TCP request that a client makes through a Network Load Balancer, the state of that connection is tracked. If no data is sent through the connection by either the client or target for longer than the idle timeout, the connection is closed. If a client or target sends data after the idle timeout period elapses, it receives a TCP RST packet to indicate that the connection is no longer valid.
We set the idle timeout value for TCP flows to 350 seconds. You can't modify this value. Clients or targets can use TCP keepalive packets to reset the idle timeout. Keepalive packets sent to maintain TLS connections can't contain data or payload.
When a TLS listener receives a TCP keepalive packet from either a client or a target, the load balancer generates TCP keepalive packets and sends them to both the front-end and back-end connections every 20 seconds. You can't modify this behavior.
While UDP is connectionless, the load balancer maintains UDP flow state based on the source and destination IP addresses and ports. This ensures that packets that belong to the same flow are consistently sent to the same target. After the idle timeout period elapses, the load balancer considers the incoming UDP packet as a new flow and routes it to a new target. Elastic Load Balancing sets the idle timeout value for UDP flows to 120 seconds.
EC2 instances must respond to a new request within 30 seconds in order to establish a return path.
DNS name
Each Network Load Balancer receives a default Domain Name System (DNS) name with the following syntax:
name
-id
.elb.region
.amazonaws.com.cn.
For example, my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn.
If you'd prefer to use a DNS name that is easier to remember, you can create a custom domain name and associate it with the DNS name for your load balancer. When a client makes a request using this custom domain name, the DNS server resolves it to the DNS name for your load balancer.
First, register a domain name with an accredited domain name registrar. Next, use your DNS service, such as your domain registrar, to create a DNS record to route requests to your load balancer. For more information, see the documentation for your DNS service. For example, if you use Amazon Route 53 as your DNS service, you create an alias record that points to your load balancer. For more information, see Routing traffic to an ELB load balancer in the Amazon Route 53 Developer Guide.
The load balancer has one IP address per enabled Availability Zone. These are the IP
addresses of the load balancer nodes. The DNS name of the load balancer resolves to
these addresses. For example, suppose that the custom domain name for your load balancer
is example.networkloadbalancer.com
. Use the following
dig or nslookup command to determine the IP
addresses of the load balancer nodes.
Linux or Mac
$
dig +short
example.networkloadbalancer.com
Windows
C:\>
nslookup
example.networkloadbalancer.com
The load balancer has DNS records for its load balancer nodes. You can use DNS names
with the following syntax to determine the IP addresses of the load balancer nodes:
az
.name
-id
.elb.region
.amazonaws.com.cn.
Linux or Mac
$
dig +short
us-west-2b.my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn
Windows
C:\>
nslookup
us-west-2b.my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn