Elastic Load Balancing (BP6) - AWS Best Practices for DDoS Resiliency

Elastic Load Balancing (BP6)

Large DDoS attacks can overwhelm the capacity of a single Amazon EC2 instance, so adding load balancing can help your resiliency. There are several options that you can choose from to help mitigate an attack by load balancing excess traffic. With Elastic Load Balancing (ELB), you can reduce the risk of overloading your application by distributing traffic across many backend instances. ELB can scale automatically, allowing you to manage larger volumes when you have unanticipated extra traffic, for example, due to flash crowds or DDoS attacks. For applications built within an Amazon VPC, there are three types of ELBs to consider, depending on your application type: Application Load Balancer (ALB), Classic Load Balancer (CLB) and Network Load Balancer (NLB).

For web applications, you can use ALB to route traffic based on its content and accept only well-formed web requests. This means that many common DDoS attacks, like SYN floods or UDP reflection attacks, will be blocked by ALB, protecting your application from the attack. When ALB detects these types of attacks, it automatically scales to absorb the additional traffic. These scaling activities are transparent to AWS customers and do not affect your bill.

To learn more about protecting web applications with ALB, see Getting Started with Application Load Balancers.

For TCP-based applications, you can use NLB to route traffic to targets (for example, Amazon EC2 instances) at ultra-low latency. One key consideration with NLB is that any traffic that reaches the load balancer on a valid listener will be routed to your targets, not absorbed. However, customers using AWS Shield Advanced can configure DDoS protection for Elastic IP addresses (EIPs). By assigning an EIP per Availability Zone to the NLB, AWS Shield Advanced will apply the relevant DDoS protections for the NLB traffic.

To learn more about protecting TCP applications with NLB, see Getting Started with Network Load Balancers.
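
An added example, not from the AWS whitepaper: a Python audit of the NLB guidance above that flags internet-facing NLB zones with no EIP assigned, or with an EIP that has no Shield Advanced protection. The input is constructed sample data shaped like the `elbv2 describe-load-balancers` and `shield list-protections` responses; every name, ARN and allocation ID in it is made up.

```python
# Added example: audit NLB EIPs against Shield Advanced protections.
# All sample data below is constructed for illustration.

def eip_arn(lb_arn, allocation_id):
    """Build the EIP allocation ARN that Shield Advanced protections reference."""
    _, partition, _, region, account = lb_arn.split(":")[:5]
    return f"arn:{partition}:ec2:{region}:{account}:eip-allocation/{allocation_id}"

def audit_nlbs(load_balancers, protections):
    """Return (lb_name, zone, problem) per internet-facing NLB zone lacking coverage."""
    protected = {p["ResourceArn"] for p in protections}
    findings = []
    for lb in load_balancers:
        if lb["Type"] != "network" or lb["Scheme"] != "internet-facing":
            continue  # ALB/CLB and internal NLBs are out of scope here
        for az in lb["AvailabilityZones"]:
            allocs = [a["AllocationId"] for a in az.get("LoadBalancerAddresses", [])
                      if a.get("AllocationId")]
            if not allocs:
                findings.append((lb["LoadBalancerName"], az["ZoneName"], "no EIP assigned"))
            for alloc in allocs:
                if eip_arn(lb["LoadBalancerArn"], alloc) not in protected:
                    findings.append((lb["LoadBalancerName"], az["ZoneName"],
                                     f"{alloc} not Shield-protected"))
    return findings

_ELB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer"
SAMPLE_LBS = [  # constructed, shaped like elbv2 describe-load-balancers output
    {"LoadBalancerName": "payments-nlb", "Type": "network", "Scheme": "internet-facing",
     "LoadBalancerArn": f"{_ELB}/net/payments-nlb/0000000000000001",
     "AvailabilityZones": [
         {"ZoneName": "us-east-1a", "LoadBalancerAddresses": [{"AllocationId": "eipalloc-0aaa"}]},
         {"ZoneName": "us-east-1b", "LoadBalancerAddresses": [{"AllocationId": "eipalloc-0bbb"}]}]},
    {"LoadBalancerName": "legacy-nlb", "Type": "network", "Scheme": "internet-facing",
     "LoadBalancerArn": f"{_ELB}/net/legacy-nlb/0000000000000002",
     "AvailabilityZones": [{"ZoneName": "us-east-1c", "LoadBalancerAddresses": [{}]}]},
    {"LoadBalancerName": "web-alb", "Type": "application", "Scheme": "internet-facing",
     "LoadBalancerArn": f"{_ELB}/app/web-alb/0000000000000003",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "LoadBalancerAddresses": []}]},
]
SAMPLE_PROTECTIONS = [  # constructed, shaped like shield list-protections output
    {"Name": "payments-1a",
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0aaa"},
]

if __name__ == "__main__":
    for finding in audit_nlbs(SAMPLE_LBS, SAMPLE_PROTECTIONS):
        print(finding)
```

Against a live account, the same function accepts the `LoadBalancers` list from boto3's `elbv2.describe_load_balancers()` and the `Protections` list from `shield.list_protections()`.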