Amazon Virtual Private Cloud (Amazon VPC) lets you define a virtual networking environment in a private, isolated section of the AWS cloud. Within this virtual private cloud, you can launch AWS resources such as load balancers and EC2 instances. If want to load balance your EC2 instances launched in a VPC, you must create your load balancer the same VPC.
This section covers information that is specific to your instances and load balancers in a VPC. For information about instances and load balancers in EC2-Classic, see Load Balancers in EC2-Classic.
To enable communication between the Internet and the load balancer in your subnet, you must create and attach an Internet gateway (IGW) to your VPC. An Internet gateway enables your load balancer within the subnet to connect to the Internet through the Amazon EC2 network edge. Communication between the clients and your load balancer and also between the load balancer and your back-end instances uses Internet Protocol version 4 (IPv4). Internet Protocol version 6 (IPv6) is currently not available for load balancers in a VPC.
Each subnet you create is automatically associated with a route table. The route table controls the routing for the internet. By default, the subnet is associated with a main route table that enables communication within the VPC. You can change the association of the route table for your subnet at any time. To enable a subnet to communicate with the Internet, you must associate the subnet's route table with the Internet gateway.
If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. If a subnet's traffic is not routed to an Internet gateway, the subnet is known as a private subnet. Use a public subnet for load balancer that must be connected to the Internet, and a private subnet for load balancer that need not be connected to the Internet.
The following figure shows an example of Elastic Load Balancing in a VPC.
In this example, the Availability Zone 1A has load balancer in its own subnet and the EC2 instances in another subnet. The load balancer is in a public subnet. It means that the traffic from the subnet is routed to the Internet gateway which allows the load balancer to communicate with the Internet. The EC2 instances are in a private subnet. It means that the traffic from the subnet is not routed to the Internet gateway. The EC2 instances in the private subnet cannot communicate with the Internet.
In Availability Zone 1B, the load balancer and the EC2 instances are both in the same public subnet. The traffic from the subnet is routed to the Internet gateway. Both the load balancer and EC2 instances can communicate with the Internet. You can configure your VPC architecture either way, depending on your specific security and routing requirements.
If you are planning on creating more than one subnets in your VPC, be sure to configure the security group rules and network ACLs to allow traffic to be routed between the subnets in your VPC. If your rules are not configured correctly, instances in other subnets may not be reachable by load balancer nodes in a different subnet.
A security group acts as a virtual firewall that controls the traffic allowed into an instance. You create security group by adding a set of rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. There is a significant difference between the way the security groups function on Amazon VPC and Amazon EC2. In Amazon EC2, Elastic Load Balancing provides a special Amazon EC2 source security group that you can use to ensure that a back-end Amazon EC2 instance receives traffic only from the ELB load balancers. You cannot modify the source security group. With a VPC, you have control over the security groups assigned to your load balancer. Having control over your load balancer's security groups allows you to choose the ports and protocols to accept. For example, you can open Internet Control Message Protocol (ICMP) connections for the load balancer to respond to ping requests (however, ping requests will not be forwarded to any registered instances). When creating your load balancer if you don't specify a particular security group, your load balancer automatically belongs to the VPC's default security group.