Please enable JavaScript.

Coggle requires JavaScript to display documents.

Elastic Load Balancing - Coggle Diagram

- - - - subnets
        
        AZ (at least 2)
        
        Local Zone
        
        cannot use WAF
        
        cannot use Lambda as target
        
        Outpost
        
        cannot use WAF
        
        cannot use Lambda as target
        
        no sticky sessions
        
        no authentication support
        
        no integration with AWS Global Accelerator
      - LB security groups
      - state
        
        provisioning
        
        active
        
        active_impaired
        
        failed
      - attributes
        
        access_logs.s3.enabled (default = false)
        
        access_logs.s3.bucket
        
        access_logs.s3.prefix
        
        deletion_protection.enabled (default = false)
        
        idle_timeout.timeout_seconds (default = 60)
        
        routing.http.desync_mitigation_mode (default = defensive)
        
        monitor
        
        defensive
        
        strictest
        
        = mitigation against HTTP Desync attacks
        
        routing.http.drop_invalid_header_fields.enabled (default = false)
        
        routing.http2.enabled (default = true)
        
        waf.fail_open.enabled (default = false)
      - IP address type
        
        ipv4
        
        dualstack (both IPv4 and IPv6)
    - - allowed protocols and ports; HTTP(S), 1 - 65535
      - native support for WebSockets
      - native support for HTTP/2 with HTTPS listeners
      - each listener has a default rule, additional ones can be specified
        
        priority (evaluated from lowest to highest, default rule last)
        
        one or more actions
        
        authenticate-cognito (HTTPS only)
        
        authenticate-oidc (HTTPS only)
        
        fixed-response
        
        forward (enable stickiness using TargetGroupStickinessConfig)
        
        redirect
        
        one or more conditions
        
        host-header
        
        http-header
        
        http-request-method
        
        path-pattern
        
        query-string
        
        source-ip
    - - target type = instance, ip or lambda (you cannot specify publicly routable IP adresses)
      - registered targets (if by instance id you can use Auto Scaling Group)
      - you can register IP of ALB that is in peered VPC but not if in same VPC
      - attributes (if target = instance or ip)
        
        deregistration_delay.timeout_seconds (default = 300)
        
        load_balancing.algorithm.type (round_robin or least_outstanding_requests, default = round_robin)
        
        slow_start.duration_seconds (default = 0)
        
        stickiness.enabled (default = false)
        
        stickiness.app_cookie.cookie_name
        
        stickiness.app_cookie.duration_seconds (default = 86400 = 1 day)
        
        stickiness.lb_cookie.duration_seconds (default = 86400 = 1 day)
        
        stickiness.type (lb_cookie or app_cookie)
      - attributes (if target = lambda)
        
        lambda.multi_value_headers.enabled (default = false)
      - health checks
- - - - state
        
        provisioning
        
        active
        
        failed
      - attributes
        
        deletion_protection.enabled (default = false)
        
        load_balancing.cross_zone.enabled (default = false)
      - IP address type
        
        ipv4
        
        dualstack (both IPv4 and IPv6)
      - enable one or more AZs for NLB when you create it, can add but not remove AZs later
      - idle timeout value for TCP flows = 350 seconds, cannot be modified, clients use TCP keepalive packets to reset timeout
      - UDP is connectionless but NLB maintains UDP flow state ensuring packets in same flow are sent to same target, idle timeout value for UDP flows = 120 seconds
    - - allowed protocols and ports; TCP, TLS, UDP, TCP_UDP, 1 - 65535
      - native support for WebSockets
      - all network traffic sent to a configured listener is classified as intended traffic
      - traffic that does not match a configured listener is classified as unintended traffic
      - ICMP requests other than Type 3 are also considered unintended traffic
      - NLBs drop unintended traffic without forwarding it to any targets
    - - if target = ip then up to 55000 simultaneous connections to each unique target (if more then increasing chance of port allocation errors)
      - registered targets (if by instance id you can use Auto Scaling Group)
      - attributes
        
        deregistration_delay.timeout_seconds (default = 300)
        
        deregistration_delay.connection_termination.enabled (default = false)
        
        preserve_client_ip.enabled (default = disabled if target group type is ip and protocol is TCP or TLS, otherwise default = enabled, cannot be disabled for UDP and TCP_UDP)
        
        proxy_protocol_v2.enabled (default = false)
        
        stickiness.enabled
        
        stickiness.type (can only be source_ip)
      - target type = instance or ip
      - client IP preservation
        
        if type instance ID then preserved
        
        if ip disabled by default for TCP and TLS
        
        if type ip enabled by default for UDP and TCP_UDP (cannot be disabled)
      - proxy protocol v2
        
        = to send additional connection information such as source and destination
        
        provides a binary encoding of the proxy protocol header
        
        make sure applications expect and can parse the proxy protocol v2 header
      - sticky sessions not supported with TLS listeners and TLS target groups
      - health checks
- - - - target type = instance or ip
      - registered targets
      - single attribute = deregistration_delay.timeout_seconds (default = 300)
      - health checks
    - - state
        
        provisioning
        
        active
        
        failed
      - attributes
        
        deletion_protection.enabled (default = false)
        
        load_balancing.cross_zone.enabled (default = false)