Tags: amazon-web-services, load-balancing

Why do you need to specify subnets in an Application Load Balancer?


I'll start with describing the architecture of Application Load Balancer:

We have the Application Load Balancer, which contains a list of one or more listeners. Each listener is associated with one specific port and protocol, so that traffic coming into the load balancer on that port will be handled by this listener. Then, each listener holds a list of rules. A rule specifies conditions and actions, basically where to route traffic to. A listener also must have a default action, which will be taken if no other condition is met. Usually, this action will be to route traffic to a specific target group.

A target group is a group of either EC2 instances, IP addresses, another Application Load Balancer, or a Lambda function.

Furthermore, when you create an Application Load Balancer, it asks you to specify a VPC and a list of two or more Availability Zones, and for each of them to specify a subnet.

My question now is: why does AWS ask you to specify this? As far as I understand, the target groups and the registered targets are where you specify the backend of the load balancer, so why do we need to specify the subnets in the ALB configuration?

EDIT

After experimenting, I found that if I have an EC2 instance running a web server in AZ 3, for example, and I now create a load balancer and select AZs 1 and 2, then traffic will not reach the web server in AZ 3 until I add another AZ in the load balancer settings.

So, to make my question more accurate: if this setting of AZs in the load balancer settings means "these are the AZs to which the Load Balancer will send traffic", in what scenario should I not choose ALL the Availability Zones there are?


Solution

  • An Application Load Balancer runs on Amazon EC2 infrastructure. Think of it as an Amazon EC2 instance with pre-loaded software, but you don't actually see the EC2 instance in your own account.

    Instead, you will see the Network Interfaces where the Load Balancer connects into the network.

    Traffic will come into your network through an Internet Gateway then route within the VPC to the Load Balancer. The Load Balancer will then determine a target to receive the traffic, and will send the request via the Network Interface to the resource in the VPC.

    When such traffic flows through the VPC, it is subject to normal Security Groups and Network Access Control Lists (NACLs). Private IP addresses will be assigned for each Network Interface used by the Load Balancer.

    The Load Balancer instance runs in multiple AZs. If one AZ has a failure, then the Load Balancer instance in the remaining AZ(s) will continue to run. This is why the Load Balancer wants a connection to the VPC in multiple subnets.

    Bottom line: While you might normally think of the Load Balancer as a "black box" service, it is still just some software running on a virtualized computer that needs logical connectivity to the VPC, and it obeys all the rules of networking within the VPC.
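The layout described in the question (listener, default action, target group with registered instances) together with the points made in the answer (the load balancer's own network interfaces sit in one subnet per AZ, and its traffic is subject to ordinary security groups), as an added Terraform example that is not part of the original question or answer. The VPC ID, subnet IDs, instance IDs and ACM certificate ARN are assumed inputs; the resource and security group names are made up for illustration.

```hcl
# Added example, not from the original post. Assumed inputs: an existing VPC,
# one public subnet per AZ (at least two), the EC2 instances to serve traffic,
# and an ACM certificate for HTTPS.
variable "vpc_id"              { type = string }
variable "public_subnet_ids"   { type = list(string) } # one subnet per AZ
variable "target_instance_ids" { type = list(string) }
variable "certificate_arn"     { type = string }

# Security group attached to the load balancer's own network interfaces.
resource "aws_security_group" "alb" {
  name   = "example-alb"
  vpc_id = var.vpc_id
}

# Security group attached to the backend EC2 instances.
resource "aws_security_group" "targets" {
  name   = "example-targets"
  vpc_id = var.vpc_id
}

# Rules live in separate resources because the two groups reference each other.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# The load balancer may only talk to the targets, on the service port.
resource "aws_security_group_rule" "alb_out_to_targets" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.targets.id
}

# Targets accept port 80 only from the load balancer's interfaces,
# not from the Internet and not from other hosts in the VPC.
resource "aws_security_group_rule" "targets_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.targets.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.alb.id
}

# The subnets list is what the question asks about: AWS places one network
# interface in each of these subnets, and they must be in different AZs.
resource "aws_lb" "this" {
  name               = "example-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

resource "aws_lb_target_group" "web" {
  name        = "example-web"
  vpc_id      = var.vpc_id
  target_type = "instance"
  protocol    = "HTTP"
  port        = 80
}

resource "aws_lb_target_group_attachment" "web" {
  for_each         = toset(var.target_instance_ids)
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = each.value
  port             = 80
}

# One listener on 443/HTTPS whose default action forwards to the target group;
# rules with conditions would be separate aws_lb_listener_rule resources.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# The interfaces the answer mentions: the ALB's ENIs carry the description
# "ELB <arn_suffix>", so they can be looked up and their private IPs inspected.
data "aws_network_interfaces" "alb" {
  filter {
    name   = "description"
    values = ["ELB ${aws_lb.this.arn_suffix}"]
  }
}

output "alb_network_interface_ids" {
  value = data.aws_network_interfaces.alb.ids
}
```

Two things to check after `terraform apply`: the output lists exactly one interface per subnet you passed, each with a private IP from that subnet, and the targets' security group has no ingress rule other than the one sourced from the ALB's group, so the instances are reachable only through the listener. An AZ that has no subnet in `subnets` is not enabled on the load balancer, and targets registered there receive no traffic, which is what the question's edit observed. Note also that Terraform strips the default allow-all egress rule from a security group it manages, so if the targets need outbound access (package updates, for example) add an explicit egress rule for them.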