-
-
Notifications
You must be signed in to change notification settings - Fork 65
adding_ALB_guidance #90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,95 @@ | ||||||
| # Application Load Balancer (ALB) | ||||||
|
|
||||||
| An **Application Load Balancer (ALB)** is a fully managed AWS service that intelligently distributes incoming application traffic across multiple targets (such as EC2 instances, containers, or Lambda functions). | ||||||
| It operates at **Layer 7 (Application Layer)** of the OSI model, which means it understands HTTP/HTTPS traffic and can make routing decisions based on content (URLs, headers, methods, cookies, etc). | ||||||
|
|
||||||
| ALBs improve availability, scalability, and security of your applications by ensuring traffic is balanced and fault-tolerant. | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Why Do We Need an ALB? | ||||||
| - **High Availability**: Automatically distributes requests across multiple Availability Zones. | ||||||
| - **Scalability**: Handles sudden spikes in traffic by distributing load efficiently. | ||||||
| - **Intelligent Routing**: Routes requests based on content (e.g., `/api/*` goes to microservice A, `/images/*` goes to microservice B). | ||||||
| - **Security Integration**: Works seamlessly with AWS WAF (Web Application Firewall), ACM (SSL/TLS certificates), and IAM. | ||||||
| - **Serverless Support**: Can route traffic not only to EC2 or ECS, but also to AWS Lambda functions. | ||||||
| - **Central Entry Point**: Acts as a single point of access to multiple backend services, simplifying architecture. | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Key Components of an ALB | ||||||
|
|
||||||
| ### 1. Listeners | ||||||
| - A listener is a process that checks for connection requests using a configured protocol and port. | ||||||
| - Common protocols: **HTTP (port 80)**, **HTTPS (port 443)**. | ||||||
| - Each listener has one or more **rules** that define how to route requests. | ||||||
|
|
||||||
| ### 2. Rules | ||||||
| - Rules determine how requests are routed. | ||||||
| - Each rule consists of: | ||||||
| - **Conditions**: Criteria to evaluate (e.g., path `/app1/*`, host `api.example.com`, HTTP headers). | ||||||
| - **Actions**: What to do when conditions are met (e.g., forward to a target group, redirect, return fixed response). | ||||||
| - Rules are evaluated in **priority order** (lowest number = highest priority). | ||||||
|
|
||||||
| ### 3. Target Groups | ||||||
| - Logical groups of targets (EC2 instances, ECS tasks, Lambda functions, IPs). | ||||||
| - Requests are routed to the appropriate target group based on rules. | ||||||
| - Health checks are configured at the target group level to ensure only healthy targets receive traffic. | ||||||
|
|
||||||
| ### 4. Health Checks | ||||||
| - ALB continuously monitors registered targets to ensure they are healthy. | ||||||
| - If a target fails health checks, traffic is automatically rerouted to healthy targets. | ||||||
| - Configurable options include path (`/health`), interval, timeout, and thresholds. | ||||||
|
|
||||||
| ### 5. Availability Zones | ||||||
| - ALB can distribute traffic across multiple Availability Zones for resilience. | ||||||
| - Ensures application availability even if one AZ experiences failure. | ||||||
|
|
||||||
| ### 6. Security Features | ||||||
| - Integrated with **Security Groups** (stateful firewalls at instance level). | ||||||
| - Supports **AWS WAF** for protection against common web exploits. | ||||||
| - Works with **AWS ACM** for managed SSL/TLS certificates. | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Typical ALB Workflow | ||||||
| 1. **Client** sends a request to the ALB’s DNS name. | ||||||
| 2. **Listener** (e.g., HTTPS:443) receives the request. | ||||||
| 3. **Rule** checks the path/host/headers and decides which **Target Group** to forward to. | ||||||
| 4. **Health Checks** ensure traffic is only sent to healthy targets. | ||||||
| 5. **Targets** (EC2, ECS, Lambda) process the request and send response back to client via ALB. | ||||||
|
|
||||||
| --- | ||||||
|
|
||||||
| ## Example Use Cases | ||||||
| - **Microservices Architecture**: Route `/api/*` to ECS tasks, `/static/*` to S3 via CloudFront. | ||||||
|
||||||
| - **Microservices Architecture**: Route `/api/*` to ECS tasks, `/static/*` to S3 via CloudFront. | |
| - **Microservices Architecture**: Serve `/api/*` via ECS behind the ALB; serve static assets (`/static/*`) directly from S3/CloudFront (bypassing the ALB). |
Copilot
AI
Oct 20, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The table rows start with a double pipe, creating an unintended empty first column in Markdown; remove the leading extra pipe on each line. Also, the ALB Protocols column omits supported HTTP/2 and WebSocket (and gRPC rides over HTTP/2), so updating to "HTTP, HTTPS, HTTP/2, WebSocket, gRPC" would be more accurate.
| | Protocols | HTTP, HTTPS, TCP | TCP, UDP, TLS | HTTP, HTTPS, gRPC | | |
| | Protocols | HTTP, HTTPS, TCP | TCP, UDP, TLS | HTTP, HTTPS, HTTP/2, WebSocket, gRPC | |
Copilot
AI
Oct 19, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Each line starts with a double pipe '||', which creates an unintended empty first column in Markdown tables. Remove the extra leading '|' so the table renders correctly (e.g., start rows with a single '| Feature ...').
Copilot
AI
Oct 20, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For root domains you typically create an Alias A (or AAAA) record in Route 53 pointing to the ALB rather than using its raw DNS name; clarifying "Create a Route 53 Alias record to the ALB" improves operational accuracy.
| 6. Point your **DNS (Route 53)** to the ALB’s DNS name. | |
| 6. For root domains, create a **Route 53 Alias A (or AAAA) record** pointing to the ALB. For subdomains, you can use a CNAME to the ALB’s DNS name. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security groups are attached to ENIs (including the ALB itself), not limited to "instance level"; simplifying to "Integrated with security groups for inbound traffic control" would avoid a misleading scope.