Home›DevOps›Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer
Intermediate
5 min · July 12, 2026
Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer
A comprehensive guide to Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer on AWS, covering core concepts, configuration, best practices, and real-world use cases..
N
NarenFounder & Principal Engineer
20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.
✓Basic understanding of AWS services and cloud computing concepts.
✦ Definition~90s read
What is Elastic Load Balancing?
Elastic Load Balancing (ELB) distributes incoming traffic across multiple targets—EC2 instances, containers, IP addresses, and Lambda functions—in one or more Availability Zones. It automatically scales your load balancer capacity as traffic changes and integrates with Auto Scaling, AWS Certificate Manager, and AWS WAF.
★
Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.
Use ELB to build fault-tolerant applications that can handle traffic spikes and failover seamlessly. The three types—Application Load Balancer (ALB) for HTTP/HTTPS/gRPC, Network Load Balancer (NLB) for TCP/UDP/TLS with ultra-low latency, and Gateway Load Balancer (GWLB) for third-party virtual appliances—each solve distinct problems.
Plain-English First
Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.
You've built a microservice that handles 10,000 requests per second. Then a single bad deploy causes a 5-second latency spike, and your entire system collapses because every request queues behind the slow one. That's what happens when you don't use a load balancer—or use the wrong one. Elastic Load Balancing isn't just about distributing traffic; it's about isolating failures, scaling without downtime, and enforcing security policies at the edge. Most teams pick ALB by default, but that choice can cost you 50ms of latency or force you to re-architect for gRPC. The real question isn't whether to use a load balancer—it's which type and how to configure it for your specific failure modes. In this post, we'll break down ALB, NLB, and Gateway Load Balancer with production patterns, common pitfalls, and code examples that actually run.
Why Elastic Load Balancing?
In production, you don't serve traffic from a single server. You scale horizontally, and that means you need a single entry point that distributes requests across multiple targets. Elastic Load Balancing (ELB) is that entry point. It handles traffic distribution, health checks, and automatic scaling integration. But not all load balancers are equal. AWS offers three types: Application Load Balancer (ALB) for HTTP/HTTPS, Network Load Balancer (NLB) for TCP/UDP/TLS, and Gateway Load Balancer (GWLB) for third-party appliances. Choosing the wrong one causes latency, dropped connections, or cost overruns. This article breaks down each type, when to use them, and how to avoid common pitfalls.
You pay per hour or partial hour and per LCU (Load Balancer Capacity Unit). ALB and NLB have different LCU dimensions. GWLB charges per Gateway Load Balancer Capacity Unit (GLCU). Always estimate cost based on expected connections and throughput.
📊 Production Insight
In production, we once used an ALB for a real-time gaming UDP workload. The ALB silently dropped packets because it only supports HTTP/HTTPS. We lost 30% of game state updates before catching it. Always verify protocol support.
🎯 Key Takeaway
ELB is the single point of entry for horizontal scaling; choose the right type based on protocol and use case.
thecodeforge.io
Aws Elastic Load Balancing
Application Load Balancer: Layer 7 Routing
ALB operates at Layer 7 (application layer). It understands HTTP/HTTPS, WebSocket, and gRPC. This means it can route based on URL path, host header, query string, or HTTP method. For microservices, ALB is the standard ingress point. You can define listener rules that forward traffic to different target groups. For example, /api/ goes to backend services, /static/ goes to S3. ALB also supports sticky sessions (cookies), SSL termination, and AWS WAF integration. However, ALB adds latency (typically 1-2ms) and cannot handle raw TCP or UDP. Use it when you need content-based routing or when your clients speak HTTP.
Default idle timeout is 60 seconds. For long-lived WebSocket connections, increase it to 3600 seconds. Otherwise, connections drop prematurely. Use the idle_timeout.timeout_seconds attribute.
📊 Production Insight
We had an ALB routing to a Lambda target. Cold starts caused 5-second delays, and ALB's 60-second idle timeout wasn't the issue, but the Lambda's 15-minute timeout was. We added reserved concurrency to avoid cold starts. Always match timeouts between ALB and targets.
🎯 Key Takeaway
ALB is for HTTP/HTTPS workloads needing content-based routing, SSL termination, and WAF integration.
Network Load Balancer: Layer 4 Performance
NLB operates at Layer 4 (transport layer). It handles TCP, UDP, and TLS traffic with ultra-low latency (sub-millisecond). NLB doesn't inspect packets beyond the transport header, so it's fast and can handle millions of requests per second. It preserves the client IP address (no proxy protocol needed) and supports static IPs (Elastic IPs). NLB is ideal for non-HTTP protocols, real-time streaming, or when you need to offload TLS at the load balancer. However, NLB lacks content-based routing and WAF integration. Use it when performance is critical or your application uses custom protocols.
Cross-zone load balancing is disabled by default. Enable it to distribute traffic evenly across all targets in all Availability Zones. Otherwise, traffic may be skewed if targets are uneven.
📊 Production Insight
We ran an NLB for a Kafka cluster. Default cross-zone disabled caused uneven partition leadership. After enabling it, distribution improved but we saw higher latency due to cross-AZ data transfer costs. We then used a separate NLB per AZ to keep traffic local.
🎯 Key Takeaway
NLB is for TCP/UDP/TLS workloads requiring ultra-low latency, static IPs, and client IP preservation.
GWLB is the newest type, designed for third-party virtual appliances like firewalls, IDS/IPS, and deep packet inspection. It operates at Layer 3 (network layer) and uses the GENEVE protocol to encapsulate traffic. GWLB acts as a transparent bump in the wire: it receives traffic, forwards it to a target group of appliances, and then routes the processed traffic back to the original destination. This allows you to insert security appliances without changing routing. GWLB supports automatic scaling of appliances and health checks. However, it adds latency (encapsulation overhead) and requires appliances that support GENEVE. Use it when you need to scale security appliances horizontally.
GENEVE encapsulation adds 50 bytes per packet. For jumbo frames (9001 MTU), ensure your network path supports it. Otherwise, fragmentation may occur, causing performance degradation.
📊 Production Insight
We deployed GWLB with Palo Alto firewalls. Initially, we didn't configure health checks properly, causing the GWLB to send traffic to unhealthy appliances. We saw intermittent drops. Always set health check intervals low (5 seconds) and thresholds high (3 failures) to catch appliance failures quickly.
🎯 Key Takeaway
GWLB transparently inserts third-party appliances into the network path, scaling them horizontally.
Target Groups: Where Traffic Goes
Each load balancer routes traffic to target groups. A target group contains one or more targets (EC2 instances, IP addresses, Lambda functions, or ALBs). You define health checks per target group. ALB target groups can be of type instance, ip, or lambda. NLB target groups can be instance or ip. GWLB target groups are always ip (appliance IPs). Target groups are independent of the load balancer; you can reuse them across multiple listeners. For ALB, you can also register targets by instance ID or private IP. For NLB, using IP targets allows you to route to on-premises servers via AWS Direct Connect. Always configure health checks with realistic intervals and thresholds to avoid routing traffic to unhealthy targets.
Use a dedicated health check endpoint (e.g., /health) that returns 200 only if the application is truly ready. Avoid checking static files. For NLB, use TCP health checks if your app doesn't serve HTTP.
📊 Production Insight
We once set health check interval to 300 seconds to reduce load. A target failed, but it took 5 minutes to detect. During that time, half the traffic hit a dead instance. Set intervals to 10 seconds for critical services.
🎯 Key Takeaway
Target groups define where traffic goes; configure health checks carefully to avoid routing to dead targets.
Sticky Sessions: Keeping Users on the Same Target
Sticky sessions (session affinity) ensure a client's requests are always sent to the same target. ALB supports sticky sessions using cookies (AWSALB or custom). NLB supports sticky sessions using source IP (hash of client IP) or a cookie (AWSELB). GWLB does not support sticky sessions. Sticky sessions are useful for stateful applications like shopping carts or login sessions. However, they can cause uneven load distribution if a few clients generate most traffic. Use them sparingly. For ALB, you can set the cookie duration. For NLB, source IP stickiness works best when clients have stable IPs. Avoid sticky sessions if your application is stateless; instead, use a distributed cache like ElastiCache.
When a target is terminated, its sticky sessions are lost. Clients may experience errors. Use connection draining (deregistration delay) to allow in-flight requests to complete before termination.
📊 Production Insight
We used sticky sessions for a legacy PHP app. During a deployment, we terminated instances without draining connections. Users got 502 errors. We added a 300-second deregistration delay and monitored connection draining before scaling in.
🎯 Key Takeaway
Sticky sessions keep clients on the same target; use only for stateful apps and set appropriate cookie duration.
Connection Draining and Deregistration Delay
When a target is deregistered (e.g., during scaling in or replacement), the load balancer stops sending new requests to it but allows in-flight requests to complete. This is called connection draining for ALB and deregistration delay for NLB and GWLB. The default delay is 300 seconds. You can adjust it based on your application's request duration. For long-lived WebSocket connections, set it higher. For short-lived HTTP requests, set it lower to speed up deployments. If you set it too low, in-flight requests may be interrupted. If too high, deployments take longer. Monitor the Deregistering state in CloudWatch to ensure connections drain properly.
ALB uses 'connection draining' (deregistration_delay.timeout_seconds). NLB and GWLB use 'deregistration delay' (same attribute). Both work similarly but NLB's delay applies to TCP connections.
📊 Production Insight
We had a service with long-running requests (up to 10 minutes). Default 300-second draining was insufficient. We increased to 600 seconds, but deployments became slow. We refactored to use shorter requests and reduced to 120 seconds.
🎯 Key Takeaway
Connection draining allows in-flight requests to complete during target removal; set timeout based on request duration.
Cross-Zone Load Balancing and Availability
Cross-zone load balancing distributes traffic evenly across all targets in all enabled Availability Zones (AZs). Without it, traffic is distributed only within each AZ, which can cause uneven load if targets are not balanced across AZs. ALB has cross-zone enabled by default (no extra cost). NLB has it disabled by default (no extra cost). GWLB has it enabled by default (no extra cost). For NLB, enabling cross-zone can increase cross-AZ data transfer costs. For fault tolerance, always deploy targets in at least two AZs. Use cross-zone to ensure even distribution, but be aware of cost implications for NLB.
Cross-zone traffic for NLB incurs standard inter-AZ data transfer charges. For high-throughput workloads, consider using a separate NLB per AZ to keep traffic local.
📊 Production Insight
We enabled cross-zone on an NLB handling 10 Gbps. The monthly data transfer cost increased by $3,000 due to cross-AZ traffic. We reverted to per-AZ NLBs and saved costs while maintaining availability.
🎯 Key Takeaway
Cross-zone load balancing ensures even distribution; enable for NLB but watch cross-AZ costs.
Security: SSL/TLS and WAF Integration
ALB supports SSL/TLS termination, allowing you to offload encryption from your targets. You can upload certificates via ACM or IAM. ALB also integrates with AWS WAF to block malicious requests. NLB supports TLS termination but not WAF. GWLB does not terminate TLS. For ALB, you can configure security policies to control cipher suites. For NLB, TLS termination is done at the listener level, and you can use mutual TLS (mTLS) for client certificate authentication. Always use ACM for certificate management (auto-renewal). For compliance, enforce TLS 1.2 or higher. Use WAF to filter common attacks like SQL injection and XSS.
NLB TLS termination does not support client certificate authentication by default. Use mTLS with a custom listener rule. Also, NLB does not support WAF; use ALB if you need WAF.
📊 Production Insight
We used a self-signed certificate on an ALB for testing. It expired, causing all HTTPS traffic to fail. We switched to ACM with auto-renewal. Never use self-signed certs in production.
🎯 Key Takeaway
Offload TLS at the load balancer; use ACM for certificates and WAF for application-layer protection.
Monitoring and Troubleshooting
ELB provides CloudWatch metrics like RequestCount, TargetResponseTime, HTTPCode_ELB_5XX, and HealthyHostCount. For ALB, you can also enable access logs (S3) and request tracing (X-Ray). For NLB, enable flow logs (VPC Flow Logs) for connection-level data. For GWLB, monitor GENEVE encapsulation errors. Common issues: unhealthy targets (check health check path), TLS handshake failures (check certificate), and cross-zone misconfiguration. Use CloudWatch alarms to alert on high 5xx rates or low healthy host counts. For deep troubleshooting, enable access logs and analyze with Athena.
Access logs are stored in S3, incurring storage costs. For high-traffic sites, logs can be large. Set lifecycle policies to expire logs after 30 days.
📊 Production Insight
We had a spike in 502 errors due to a misconfigured health check path. The health check was hitting a static page that always returned 200, even when the app was down. We changed it to a dynamic endpoint that verified database connectivity.
🎯 Key Takeaway
Monitor ELB with CloudWatch metrics and access logs; set alarms for 5xx errors and unhealthy hosts.
Cost Optimization and Scaling
ELB costs include hourly charges and LCU/GLCU usage. ALB LCU dimensions: new connections, active connections, processed bytes, and rule evaluations. NLB LCU dimensions: new flows, active flows, and processed bytes. GWLB GLCU dimensions: new flows, active flows, and processed bytes. To optimize, right-size your load balancer type. For low traffic, use ALB with a single target. For high throughput, use NLB. Use target group stickiness to reduce connection churn. Enable connection draining to avoid failed requests. Use Auto Scaling to match capacity. Consider using a single NLB for multiple services with different ports to reduce costs.
ALB LCU pricing is $0.008 per LCU-hour. NLB is $0.006 per LCU-hour. GWLB is $0.008 per GLCU-hour. Check AWS pricing page for current rates.
📊 Production Insight
We had an ALB with many listener rules (200+). Rule evaluations dominated LCU cost. We consolidated rules using host-based routing and reduced rules to 20, cutting LCU cost by 60%.
🎯 Key Takeaway
Optimize ELB cost by choosing the right type, right-sizing, and monitoring LCU usage.
ALB vs NLB vs Gateway Load BalancerKey differences in routing, performance, and use casesALBNLBOSI LayerLayer 7 (HTTP/HTTPS)Layer 4 (TCP/UDP)RoutingPath, host, header-basedIP protocol, port-basedLatencyHigher (processing overhead)Ultra-low (milliseconds)Static IPNo (uses DNS name)Yes (elastic IP per AZ)Use CaseWeb apps, microservicesTCP/UDP apps, gaming, IoTTHECODEFORGE.IO
thecodeforge.io
Aws Elastic Load Balancing
Real-World Architecture: Combining ALB, NLB, and GWLB
In complex architectures, you might use multiple load balancers. For example, an NLB fronting an ALB for TLS termination and static IPs. Or a GWLB inserted between an internet-facing NLB and internal ALB for security inspection. Common pattern: NLB (static IP) -> GWLB (firewall) -> ALB (routing) -> targets. This gives you static IPs, security inspection, and content-based routing. However, each hop adds latency. For latency-sensitive apps, minimize hops. Another pattern: use ALB for public-facing microservices, NLB for internal RPC traffic, and GWLB for network security. Always document the traffic flow and test under load.
Creates three load balancers: NLB (public), GWLB (internal), ALB (internal).
🔥Latency Budget
Each load balancer adds 0.5-2ms latency. In a chain of three, expect 3-6ms added. For sub-millisecond requirements, minimize hops or use NLB only.
📊 Production Insight
We built a three-hop chain for a financial service. Latency increased from 2ms to 8ms, causing SLA breaches. We removed the GWLB and moved security inspection to the ALB using WAF, reducing latency to 3ms.
🎯 Key Takeaway
Combine ALB, NLB, and GWLB for advanced architectures; each hop adds latency, so design carefully.
⚙ Quick Reference
11 commands from this guide
File
Command / Code
Purpose
create-alb.sh
aws elbv2 create-load-balancer \
Why Elastic Load Balancing?
create-alb-listener.sh
aws elbv2 create-listener \
Application Load Balancer
create-nlb.sh
aws elbv2 create-load-balancer \
Network Load Balancer
create-gwlb.sh
aws elbv2 create-load-balancer \
Gateway Load Balancer
create-target-group.sh
aws elbv2 create-target-group \
Target Groups
enable-stickiness.sh
aws elbv2 modify-target-group-attributes \
Sticky Sessions
set-deregistration-delay.sh
aws elbv2 modify-target-group-attributes \
Connection Draining and Deregistration Delay
enable-cross-zone-nlb.sh
aws elbv2 modify-load-balancer-attributes \
Cross-Zone Load Balancing and Availability
associate-waf.sh
aws wafv2 associate-web-acl \
Security
enable-access-logs.sh
aws elbv2 modify-load-balancer-attributes \
Monitoring and Troubleshooting
multi-lb-architecture.yaml
Resources:
Real-World Architecture
Key takeaways
1
Choose the right balancer for your protocol
ALB for HTTP/HTTPS/gRPC, NLB for TCP/UDP/TLS with low latency, GWLB for virtual appliances. Using the wrong type adds latency or limits features.
2
Cross-zone load balancing has trade-offs
ALB enables it by default (good for even distribution), NLB disables it by default (good for zonal isolation). Understand the cost and performance implications.
3
Health checks are your first line of defense
Configure them to match your application's failure modes (e.g., a /health endpoint that checks dependencies). A misconfigured health check can cause cascading failures.
4
Sticky sessions and TLS termination belong at the load balancer
Offload SSL/TLS to ALB or NLB to reduce CPU on targets. Use stickiness only when necessary; it can cause uneven load distribution.
Follow AWS best practices and review documentation thoroughly
×
Ignoring cost implications
Symptom
Unexpected AWS bill at end of month
Fix
Set up billing alerts and use cost explorer to monitor usage
INTERVIEW PREP · PRACTICE MODE
Interview Questions on This Topic
Q01JUNIOR
What is Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer and ...
Q02SENIOR
How do you secure Elastic Load Balancing: ALB, NLB, and Gateway Load Bal...
Q03SENIOR
What are the cost optimization strategies for Elastic Load Balancing: AL...
Q01 of 03JUNIOR
What is Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer and when would you use it?
ANSWER
Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer is an AWS service that helps manage cloud infrastructure efficiently. Use it when you need scalable, reliable cloud solutions.
Q02 of 03SENIOR
How do you secure Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer in production?
ANSWER
Follow the principle of least privilege, enable encryption at rest and in transit, and use AWS IAM roles with appropriate policies.
Q03 of 03SENIOR
What are the cost optimization strategies for Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer?
ANSWER
Use reserved instances for steady-state workloads, auto-scaling for variable demand, and right-size resources based on CloudWatch metrics.
01
What is Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer and when would you use it?
JUNIOR
02
How do you secure Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer in production?
SENIOR
03
What are the cost optimization strategies for Elastic Load Balancing: ALB, NLB, and Gateway Load Balancer?
SENIOR
FAQ · 6 QUESTIONS
Frequently Asked Questions
01
When should I use ALB vs NLB?
Use ALB for HTTP/HTTPS/gRPC traffic when you need path-based routing, host-based routing, or integration with AWS WAF and Lambda. Use NLB for TCP/UDP/TLS traffic requiring ultra-low latency (sub-millisecond), static IP addresses, or handling millions of requests per second. NLB does not inspect application-layer headers, so it cannot do path-based routing.
Was this helpful?
02
Can I use a Network Load Balancer with HTTP traffic?
Yes, NLB can forward TCP traffic on port 80/443, but it will not terminate TLS or inspect HTTP headers. For TLS termination, you must install certificates on the targets or use a TLS listener with a certificate on the NLB. However, you lose features like path-based routing and sticky sessions. In practice, use ALB for HTTP and NLB for non-HTTP protocols.
Was this helpful?
03
What is the difference between cross-zone load balancing on ALB and NLB?
Cross-zone load balancing distributes traffic evenly across all registered targets in all enabled Availability Zones. On ALB, it is enabled by default and cannot be disabled. On NLB, it is disabled by default; enabling it can cause uneven distribution if targets are not equally sized across zones. For NLB, you typically leave it disabled to preserve zonal isolation and reduce cross-zone data transfer costs.
Was this helpful?
04
How does Gateway Load Balancer differ from ALB and NLB?
Gateway Load Balancer (GWLB) operates at Layer 3 (network layer) and is designed to deploy, scale, and manage third-party virtual appliances like firewalls, intrusion detection systems, and deep packet inspection boxes. It uses the GENEVE protocol to encapsulate traffic and transparently forwards packets to appliance targets. Unlike ALB and NLB, GWLB does not terminate connections; it passes traffic through to appliances and then back to the original destination.
Was this helpful?
05
Can I assign an Elastic IP to an ALB?
No, ALB does not support Elastic IPs. ALB always uses a DNS name that resolves to multiple IP addresses. If you need a static IP, use NLB with an Elastic IP per Availability Zone. Alternatively, you can place an NLB in front of an ALB to get static IPs while retaining ALB features.
Was this helpful?
06
What happens when all targets in an Availability Zone are unhealthy?
For ALB and NLB, traffic is routed only to healthy targets in other zones. If cross-zone load balancing is enabled, traffic is distributed across all healthy targets regardless of zone. If all targets across all zones are unhealthy, the load balancer returns a 503 (ALB) or resets connections (NLB). For NLB with cross-zone disabled, traffic to the unhealthy zone is dropped.