Load balancer state Load balancer attributes IP address type Availability Zones Cross-zone load balancing Deletion protection Connection idle timeout DNS name Availability Zone DNS affinity

Network Load Balancers

A load balancer serves as the single point of contact for clients. Clients send requests to the load balancer, and the load balancer sends them to targets, such as EC2 instances, in one or more Availability Zones.

To configure your load balancer, you create target groups, and then register targets with your target groups. Your load balancer is most effective if you ensure that each enabled Availability Zone has at least one registered target. You also create listeners to check for connection requests from clients and route requests from clients to the targets in your target groups.

Network Load Balancers support connections from clients over VPC peering, Amazon managed VPN, Amazon Direct Connect, and third-party VPN solutions.

Load balancer state

A load balancer has one of the following states:

provisioning: The load balancer is being set up.
active: The load balancer is fully set up and ready to route traffic.
failed: The load balancer couldn't be set up.

Load balancer attributes

A load balancer has the following attributes:

access_logs.s3.enabled: Indicates whether access logs stored in Amazon S3 are enabled. The default is false.
access_logs.s3.bucket: The name of the Amazon S3 bucket for the access logs. This attribute is required if access logs are enabled. For more information, see Bucket requirements.
access_logs.s3.prefix: The prefix for the location in the Amazon S3 bucket.
deletion_protection.enabled: Indicates whether deletion protection is enabled. The default is false.
ipv6.deny_all_igw_traffic: Blocks internet gateway (IGW) access to the load balancer, preventing unintended access to your internal load balancer through an internet gateway. It is set to false for internet-facing load balancers and true for internal load balancers. This attribute does not prevent non-IGW internet access (for example, through peering, Transit Gateway, Amazon Direct Connect, or Amazon VPN).
load_balancing.cross_zone.enabled: Indicates whether cross-zone load balancing is enabled. The default is false.
dns_record.client_routing_policy: Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are availability_zone_affinity with 100 percent zonal affinity, partial_availability_zone_affinity with 85 percent zonal affinity, and any_availability_zone with 0 percent zonal affinity.

IP address type

You can set the types of IP addresses that clients can use with your load balancer. The following are the IP address types:

ipv4: Clients must connect to the load balancer using IPv4 addresses (for example, 192.0.2.1). IPv4 enabled load balancers (both internet-facing and internal) support TCP, UDP, TCP_UDP, and TLS listeners.
dualstack: Clients can connect to the load balancer using both IPv4 addresses (for example, 192.0.2.1) and IPv6 addresses (for example, 2001:0db8:85a3:0:0:8a2e:0370:7334). Dualstack enabled load balancers (both internet-facing and internal) support TCP and TLS listeners.

Dualstack load balancer considerations

The load balancer communicates with targets based on the IP address type of the target group.
When you enable dualstack mode for the load balancer, Elastic Load Balancing provides an AAAA DNS record for the load balancer. Clients that communicate with the load balancer using IPv4 addresses resolve the A DNS record. Clients that communicate with the load balancer using IPv6 addresses resolve the AAAA DNS record.
Access to your internal dualstack load balancers through the internet gateway is blocked to prevent unintended internet access. However, this does not prevent other internet access (for example, through peering, Transit Gateway, Amazon Direct Connect, or Amazon VPN).

For more information about load balancer IP address types, see Update the address type.

Availability Zones

You enable one or more Availability Zones for your load balancer when you create it. If you enable multiple Availability Zones for your load balancer, this increases the fault tolerance of your applications. You can't disable Availability Zones for a Network Load Balancer after you create it, but you can enable additional Availability Zones.

When you enable an Availability Zone, you specify one subnet from that Availability Zone. Elastic Load Balancing creates a load balancer node in the Availability Zone and a network interface for the subnet (the description starts with "ELB net" and includes the name of the load balancer). Each load balancer node in the Availability Zone uses this network interface to get an IPv4 address. Note that you can view this network interface but you can't modify it.

When you create an internet-facing load balancer, you can optionally specify one Elastic IP address per subnet. If you do not choose one of your own Elastic IP addresses, Elastic Load Balancing provides one Elastic IP address per subnet for you. These Elastic IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You can't change these Elastic IP addresses after you create the load balancer.

When you create an internal load balancer, you can optionally specify one private IP address per subnet. If you do not specify an IP address from the subnet, Elastic Load Balancing chooses one for you. These private IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You can't change these private IP addresses after you create the load balancer.

Considerations

For internet-facing load balancers, the subnets that you specify must have at least 8 available IP addresses. For internal load balancers, this is only required if you let Amazon select a private IPv4 address from the subnet.
You can't specify a subnet in a constrained Availability Zone. The error message is "Load balancers with type 'network' are not supported in az_name". You can specify a subnet in another Availability Zone that is not constrained and use cross-zone load balancing to distribute traffic to targets in the constrained Availability Zone.
You can specify subnets that were shared with you.
You can't specify a subnet in a Local Zone.

After you enable an Availability Zone, the load balancer starts routing requests to the registered targets in that Availability Zone. Your load balancer is most effective if you ensure that each enabled Availability Zone has at least one registered target.

To add Availability Zones using the console

Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
In the navigation pane, choose Load Balancers.
Select the name of the load balancer to open its details page.
On the Network mapping tab, choose Edit subnets.
To enable an Availability Zone, select the check box for that Availability Zone. If there is one subnet for that Availability Zone, it is selected. If there is more than one subnet for that Availability Zone, select one of the subnets. Note that you can select only one subnet per Availability Zone.

For an internet-facing load balancer, you can select an Elastic IP address for each Availability Zone. For an internal load balancer, you can assign a private IP address from the IPv4 range of each subnet instead of letting Elastic Load Balancing assign one.
Choose Save changes.

To add Availability Zones using the Amazon CLI

Use the set-subnets command.

Cross-zone load balancing

By default, each load balancer node distributes traffic across the registered targets in its Availability Zone only. If you turn on cross-zone load balancing, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones. You can also turn on cross-zone load balancing at the target group level. For more information, see Cross-zone load balancing for target groups and Cross-zone load balancing in the Elastic Load Balancing User Guide.

Deletion protection

To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.

If you enable deletion protection for your load balancer, you must disable it before you can delete the load balancer.

To enable deletion protection using the console

Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
In the navigation pane, choose Load Balancers.
Select the name of the load balancer to open its details page.
On the Attributes tab, choose Edit.
Under Configuration, turn on Deletion protection.
Choose Save changes.

To disable deletion protection using the console

Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
In the navigation pane, choose Load Balancers.
Select the name of the load balancer to open its details page.
On the Attributes tab, choose Edit.
Under Configuration, turn on Deletion protection.
Choose Save changes.

To enable or disable deletion protection using the Amazon CLI

Use the modify-load-balancer-attributes command with the deletion_protection.enabled attribute.

Connection idle timeout

For each TCP request that a client makes through a Network Load Balancer, the state of that connection is tracked. If no data is sent through the connection by either the client or target for longer than the idle timeout, the connection is closed. If a client or target sends data after the idle timeout period elapses, it receives a TCP RST packet to indicate that the connection is no longer valid.

We set the idle timeout value for TCP flows to 350 seconds. You can't modify this value. Clients or targets can use TCP keepalive packets to reset the idle timeout. Keepalive packets sent to maintain TLS connections can't contain data or payload.

When a TLS listener receives a TCP keepalive packet from either a client or a target, the load balancer generates TCP keepalive packets and sends them to both the front-end and back-end connections every 20 seconds. You can't modify this behavior.

While UDP is connectionless, the load balancer maintains UDP flow state based on the source and destination IP addresses and ports. This ensures that packets that belong to the same flow are consistently sent to the same target. After the idle timeout period elapses, the load balancer considers the incoming UDP packet as a new flow and routes it to a new target. Elastic Load Balancing sets the idle timeout value for UDP flows to 120 seconds.

EC2 instances must respond to a new request within 30 seconds in order to establish a return path.

DNS name

Each Network Load Balancer receives a default Domain Name System (DNS) name with the following syntax: name-id.elb.region.amazonaws.com.cn. For example, my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn.

If you'd prefer to use a DNS name that is easier to remember, you can create a custom domain name and associate it with the DNS name for your load balancer. When a client makes a request using this custom domain name, the DNS server resolves it to the DNS name for your load balancer.

First, register a domain name with an accredited domain name registrar. Next, use your DNS service, such as your domain registrar, to create a DNS record to route requests to your load balancer. For more information, see the documentation for your DNS service. For example, if you use Amazon Route 53 as your DNS service, you create an alias record that points to your load balancer. For more information, see Routing traffic to an ELB load balancer in the Amazon Route 53 Developer Guide.

The load balancer has one IP address per enabled Availability Zone. These are the IP addresses of the load balancer nodes. The DNS name of the load balancer resolves to these addresses. For example, suppose that the custom domain name for your load balancer is example.networkloadbalancer.com. Use the following dig or nslookup command to determine the IP addresses of the load balancer nodes.

Linux or Mac


$ dig +short example.networkloadbalancer.com

Windows


C:\> nslookup example.networkloadbalancer.com

The load balancer has DNS records for its load balancer nodes. You can use DNS names with the following syntax to determine the IP addresses of the load balancer nodes: az.name-id.elb.region.amazonaws.com.cn.

Linux or Mac


$ dig +short us-west-2b.my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn

Windows


C:\> nslookup us-west-2b.my-load-balancer-1234567890abcdef.elb.us-west-2.amazonaws.com.cn

Availability Zone DNS affinity

When using the default client routing policy, requests sent to your Network Load Balancers DNS name will receive any healthy load balancer IP addresses. This leads to the distribution of client connections across the load balancers Availability Zones. With the Availability Zone affinity routing policies, client DNS queries favor load balancer IP addresses in their own Availability Zone. This helps improve both latency and resiliency, as clients do not need to cross Availability Zone boundaries when connecting to targets.

Client routing policies available to Network Load Balancers using Route 53 resolver:

Availability Zone affinity – 100 percent zonal affinity

Client DNS queries will favor load balancer IP address in their own Availability Zone. Queries may resolve to other zones if there are no healthy load balancer IP addresses in their own zone.
Partial Availability Zone affinity – 85 percent zonal affinity

85 percent of client DNS queries will favor load balancer IP addresses in their own Availability Zone, while the remaining queries resolve to any healthy zone. Queries may resolve to other healthy zones if there are no healthy IPs in their zone. When there are no healthy IPs in any zone, queries resolve to any zone.
Any Availability Zone (default) – 0 percent zonal affinity

Client DNS queries are resolved among healthy load balancer IP addresses across all load balancer Availability Zones.

Note

Availability Zone affinity routing policies only apply to clients resolving the Network Load Balancers DNS name using Route 53 Resolver. For more information, see What is Amazon Route 53 Resolver? in the Amazon Route 53 Developer Guide

Availability Zone affinity helps route requests from the client to the load balancer, while cross-zone load balancing is used to help route requests from the load balancer to the targets. When using Availability Zone affinity, cross-zone load balancing should be turned off, this ensures the load balancer traffic from clients to targets remains within the same Availability Zone. With this configuration, client traffic is sent to the same Network Load Balancer Availability Zone, so it's recommended to configure your application to scale independently in each Availability Zone. This is an important consideration when the number of clients per Availability zone, or the traffic per Availability Zone are not the same. For more information, see Cross-zone load balancing for target groups.

When an Availability Zone is considered unhealthy, or when a zonal shift is started, the zonal IP address will be considered unhealthy and not returned to clients unless fail open is in effect. Availability Zone affinity is maintained when the DNS record fails open. This helps keep Availability Zones independent and prevent potential cross zone failures.

When using Availability Zone affinity, times of imbalance between Availability Zones are expected. It's recommended ensuring your targets are scaling at the zonal level, to support each Availability Zones workload. In cases where these imbalances are significant, it's recommended turning off Availability Zone affinity. This allows even distribution of client connections between all the load balancers Availability Zones within 60 seconds, or the DNS TTL.

Before using Availability Zone affinity, consider the following:

Availability Zone affinity causes changes on all of the Network Load Balancers clients who are using Route 53 Resolver.
- Clients aren't able to decide between zonal-local and multi-zone DNS resolutions. Availability Zone affinity decides for them.
- Clients aren't provided with a reliable method to determine when they're being impacted by Availability Zone affinity, or how to know which IP address is in which Availability Zone.
Clients will remain assigned to their zone-local IP address until it is deemed fully unhealthy according to DNS health checks, and is removed from DNS.
Using Availability Zone affinity with cross-zone load balancing on can lead to unbalanced distribution of client connections between Availability Zones. It's recommended to configure your application stack to scale independently in each Availability Zone, ensuring it can support zonal clients traffic.
If cross-zone load balancing is on, the Network Load Balancer is subject to cross zone impact.
The load on each of the Network Load Balancers Availability Zones will be proportional to the zonal locations of clients requests. If you don't configure how many clients are running in which Availability Zone, you will have to independently scale each Availability Zone reactively.

Monitoring

It is recommended to track the distribution of connections between Availability Zones, using the zonal load balancer metrics. You can use metrics to view the number of new and active connections per zone.

We recommend tracking the following:

ActiveFlowCount – The total number of concurrent flows (or connections) from clients to targets.
NewFlowCount – The total number of new flows (or connections) established from clients to targets in the time period.
HealthyHostCount – The number of targets that are considered healthy.
UnHealthyHostCount – The number of targets that are considered unhealthy.

For more information, see CloudWatch metrics for your Network Load Balancer

Turn on Availability Zone affinity

The steps in this procedure explain how to turn on Availability Zone affinity using the Amazon EC2 console.

To turn on Availability Zone affinity using the console

Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
In the navigation pane, choose Load Balancers.
Select the name of the load balancer to open its details page.
On the Attributes tab, choose Edit.
Under Availability Zone routing configuration, Client routing policy (DNS record), select Availability Zone affinity or Partial Availability Zone affinity.
Choose Save changes.

To turn on Availability Zone affinity using the Amazon CLI

Use the modify-load-balancer-attributes command with the dns_record.client_routing_policy attribute.

Turn off Availability Zone affinity

The steps in this procedure explain how to turn off Availability Zone affinity using the Amazon EC2 console.

To turn off Availability Zone affinity using the console

Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
In the navigation pane, choose Load Balancers.
Select the name of the load balancer to open its details page.
On the Attributes tab, choose Edit.
Under Availability Zone routing configuration, Client routing policy (DNS record), select Any Availability Zone.
Choose Save changes.

To turn off Availability Zone affinity using the Amazon CLI