Tags: amazon-web-services, aws-elb

Where is Application Load Balancer placed in VPC?


My understanding is that a CLB (Classic Load Balancer) is placed in a subnet and so we configure Security Group and NACL for it.

However, when it comes to ALB (Application Load Balancer), we don't configure NACL (Network ACL). Why? Architecturally where is it placed in a VPC?

As an extension, how is NLB (Network Load Balancer) placed architecturally in a VPC?

Can you help me visualize the deployment of these components?


Solution

  • ALBs can span all subnets in a VPC. They are not bound directly to subnets, but rather to TargetGroups which are themselves then bound (indirectly) to subnets.

    So a single ALB could theoretically route to both private and public subnets within a VPC.

    Because of this, and because of the fact that ALBs span the VPC, they benefit from the default VPC ACL which permits IPv4 between hosts within the VPC. You can configure ACLs on the subnets that will be routed to by the ALB/NLB but in this case you need to remember that custom ACLs are by default closed to all traffic, rather than open within the VPC like the default ACL.

    It would normally make sense to segregate your ALBs into public or private zones by security group and target group, but this is configuration rather than architectural placement - there is nothing preventing you from adding a rule to route specific paths or ports to a public subnet from an ALB that has until then been serving private subnets only.
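As an added illustration of the answer's point about default versus custom NACLs (example code written for this page, not part of the original answer): the model below follows the NACL semantics AWS documents, ascending rule-number order, first match wins, an implicit `*` deny, and stateless evaluation, so a request and its reply are checked separately in opposite directions. The CIDRs, rule numbers, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One NACL entry: rule number, allow/deny, protocol, CIDR, port range."""
    number: int
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str            # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int = 0
    port_to: int = 65535

    def matches(self, proto, addr, port):
        return (self.protocol in ("-1", proto)
                and ip_address(addr) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def evaluate(rules, proto, addr, port):
    """Lowest matching rule number wins; nothing matching hits the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, addr, port):
            return rule.action
    return "deny"


# Default NACL AWS attaches to a new VPC: rule 100 allows everything each way.
DEFAULT_NACL = {"inbound": [Rule(100, "allow", "-1", "0.0.0.0/0")],
                "outbound": [Rule(100, "allow", "-1", "0.0.0.0/0")]}
# A freshly created custom NACL carries only the implicit '*' deny.
NEW_CUSTOM_NACL = {"inbound": [], "outbound": []}
# Constructed NACL for a private target subnet: HTTP in from the two subnets
# the ALB nodes live in (sample CIDRs), replies out on ephemeral ports only.
TARGET_SUBNET_NACL = {
    "inbound": [Rule(100, "allow", "tcp", "10.0.1.0/24", 80, 80),
                Rule(110, "allow", "tcp", "10.0.2.0/24", 80, 80)],
    "outbound": [Rule(100, "allow", "tcp", "10.0.1.0/24", 1024, 65535),
                 Rule(110, "allow", "tcp", "10.0.2.0/24", 1024, 65535)],
}


def alb_to_target_allowed(nacl, alb_node_ip, alb_src_port=40000, target_port=80):
    """Stateless check: the request must pass inbound AND its reply outbound."""
    request = evaluate(nacl["inbound"], "tcp", alb_node_ip, target_port)
    reply = evaluate(nacl["outbound"], "tcp", alb_node_ip, alb_src_port)
    return request == "allow" and reply == "allow"
```

Run `alb_to_target_allowed(NEW_CUSTOM_NACL, "10.0.1.25")` to see why a custom ACL with no rules silently breaks ALB-to-target traffic, and drop the outbound rules from `TARGET_SUBNET_NACL` to see the reply half fail on its own.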