Network Load Balancers
A Network Load Balancer serves as the single point of contact for clients. Clients send requests to the Network Load Balancer, and the Network Load Balancer sends them to targets, such as EC2 instances, in one or more Availability Zones.
To configure your Network Load Balancer, you create target groups, and then register targets with your target groups. Your Network Load Balancer is most effective if you ensure that each enabled Availability Zone has at least one registered target. You also create listeners to check for connection requests from clients and route requests from clients to the targets in your target groups.
Network Load Balancers support connections from clients over VPC peering, AWS managed VPN, AWS Direct Connect, and third-party VPN solutions.
Contents
- Load balancer state
- IP address type
- Connection idle timeout
- Load balancer attributes
- Cross-zone load balancing
- DNS name
- Create a Network Load Balancer
- Update the Availability Zones for your Network Load Balancer
- Update the IP address types for your Network Load Balancer
- Edit attributes for your Network Load Balancer
- Update the security groups for your Network Load Balancer
- Tag a Network Load Balancer
- Delete a Network Load Balancer
- View the Network Load Balancer resource map
- Zonal shift for your Network Load Balancer
Load balancer state
A Network Load Balancer can be in one of the following states:
provisioning
-
The Network Load Balancer is being set up.
active
-
The Network Load Balancer is fully set up and ready to route traffic.
failed
-
The Network Load Balancer couldn't be set up.
IP address type
You can set the types of IP addresses that clients can use with your Network Load Balancer.
Network Load Balancers support the following IP address types:
ipv4
-
Clients must connect to the Network Load Balancer using IPv4 addresses (for example, 192.0.2.1). IPv4 enabled Network Load Balancers (both internet-facing and internal) support TCP, UDP, TCP_UDP, and TLS listeners.
dualstack
-
Clients can connect to the Network Load Balancer using both IPv4 addresses (for example, 192.0.2.1) and IPv6 addresses (for example, 2001:0db8:85a3:0:0:8a2e:0370:7334). Dualstack enabled Network Load Balancers (both internet-facing and internal) support TCP and TLS listeners.
Considerations
-
The Network Load Balancer communicates with targets based on the IP address type of the target group.
-
When you enable dualstack mode for the Network Load Balancer, Elastic Load Balancing provides an AAAA DNS record for the Network Load Balancer. Clients that communicate with the Network Load Balancer using IPv4 addresses resolve the A DNS record. Clients that communicate with the Network Load Balancer using IPv6 addresses resolve the AAAA DNS record.
-
Access to your internal dualstack Network Load Balancer through the internet gateway is blocked to prevent unintended internet access. However, this does not prevent other internet access (for example, through peering, Transit Gateway, AWS Direct Connect, or AWS VPN).
-
For more information about IP address types, see Update the IP address types for your Network Load Balancer.
Connection idle timeout
For each TCP request that a client makes through a Network Load Balancer, the state of that connection is tracked. If no data is sent through the connection by either the client or target for longer than the idle timeout, the connection is closed. If a client or target sends data after the idle timeout period elapses, it receives a TCP RST packet to indicate that the connection is no longer valid.
We set the idle timeout value for TCP flows to 350 seconds. You can't modify this value. Clients or targets can use TCP keepalive packets to reset the idle timeout. Keepalive packets sent to maintain TLS connections can't contain data or payload.
When a TLS listener receives a TCP keepalive packet from either a client or a target, the Network Load Balancer generates TCP keepalive packets and sends them to both the front-end and back-end connections every 20 seconds. You can't modify this behavior.
While UDP is connectionless, the Network Load Balancer maintains UDP flow state based on the source and destination IP addresses and ports. This ensures that packets that belong to the same flow are consistently sent to the same target. After the idle timeout period elapses, the Network Load Balancer considers the incoming UDP packet as a new flow and routes it to a new target. Elastic Load Balancing sets the idle timeout value for UDP flows to 120 seconds.
EC2 instances must respond to a new request within 30 seconds in order to establish a return path.
Load balancer attributes
The following are the load balancer attributes for Network Load Balancers:
access_logs.s3.enabled
-
Indicates whether access logs stored in Amazon S3 are enabled. The default is
false
. access_logs.s3.bucket
-
The name of the Amazon S3 bucket for the access logs. This attribute is required if access logs are enabled. For more information, see Bucket requirements.
access_logs.s3.prefix
-
The prefix for the location in the Amazon S3 bucket.
deletion_protection.enabled
-
Indicates whether deletion protection is enabled. The default is
false
. ipv6.deny_all_igw_traffic
-
Blocks internet gateway (IGW) access to the Network Load Balancer, preventing unintended access to your internal Network Load Balancer through an internet gateway. It is set to
false
for internet-facing Network Load Balancers andtrue
for internal Network Load Balancers. This attribute does not prevent non-IGW internet access (for example, through peering, Transit Gateway, AWS Direct Connect, or AWS VPN). load_balancing.cross_zone.enabled
-
Indicates whether cross-zone load balancing is enabled. The default is
false
. dns_record.client_routing_policy
-
Indicates how traffic is distributed among the Network Load Balancers Availability Zones. The possible values are
availability_zone_affinity
with 100 percent zonal affinity,partial_availability_zone_affinity
with 85 percent zonal affinity, andany_availability_zone
with 0 percent zonal affinity.
Cross-zone load balancing
By default, each Network Load Balancer node distributes traffic across the registered targets in its Availability Zone only. If you turn on cross-zone load balancing, each Network Load Balancer node distributes traffic across the registered targets in all enabled Availability Zones. You can also turn on cross-zone load balancing at the target group level. For more information, see Cross-zone load balancing for target groups and Cross-zone load balancing in the Elastic Load Balancing User Guide.
DNS name
Each Network Load Balancer receives a default Domain Name System (DNS) name with the following syntax:
name
-id
.elb.region
.amazonaws.com.
For example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com.
If you'd prefer to use a DNS name that is easier to remember, you can create a custom domain name and associate it with the DNS name for your Network Load Balancer. When a client makes a request using this custom domain name, the DNS server resolves it to the DNS name for your Network Load Balancer.
First, register a domain name with an accredited domain name registrar. Next, use your DNS service, such as your domain registrar, to create a DNS record to route requests to your Network Load Balancer. For more information, see the documentation for your DNS service. For example, if you use Amazon RouteĀ 53 as your DNS service, you create an alias record that points to your Network Load Balancer. For more information, see Routing traffic to an ELB load balancer in the Amazon RouteĀ 53 Developer Guide.
The Network Load Balancer has one IP address per enabled Availability Zone. These are the IP
addresses of the Network Load Balancer nodes. The DNS name of the Network Load Balancer resolves to
these addresses. For example, suppose that the custom domain name for your Network Load Balancer
is example.networkloadbalancer.com
. Use the following
dig or nslookup command to determine the IP
addresses of the Network Load Balancer nodes.
Linux or Mac
$
dig +short
example.networkloadbalancer.com
Windows
C:\>
nslookup
example.networkloadbalancer.com
The Network Load Balancer has DNS records for its nodes. You can use DNS names
with the following syntax to determine the IP addresses of the Network Load Balancer nodes:
az
.name
-id
.elb.region
.amazonaws.com.
Linux or Mac
$
dig +short
us-east-2b.my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com
Windows
C:\>
nslookup
us-east-2b.my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com