What protocol is used by technologies for load balancing/prioritizing traffic?

Q: Can I create a TCP or UDP (Layer 4) listener for my Network Load Balancer?

A: Yes. Network Load Balancers support TCP, UDP, and TCP+UDP (Layer 4) listeners, as well as TLS listeners.

Q: What are the key features available with the Network Load Balancer?

A: Network Load Balancer provides both TCP and UDP (Layer 4) load balancing. It is architected to handle millions of requests per second and sudden volatile traffic patterns, and provides extremely low latencies. In addition, Network Load Balancer also supports TLS termination, preserves the source IP of the clients, and provides stable IP support and zonal isolation. It also supports long-running connections that are useful for WebSocket type applications.

Q: Can Network Load Balancer process both TCP and UDP protocol traffic on the same port?

A: Yes. To achieve this, you can use a TCP+UDP listener. For example, for a DNS service using both TCP and UDP, you can create a TCP+UDP listener on port 53, and the load balancer will process traffic for both UDP and TCP requests on that port. You must associate a TCP+UDP listener with a TCP+UDP target group.

Q: How does Network Load Balancer compare to what I get with the TCP listener on a Classic Load Balancer?

A: Network Load Balancer preserves the source IP of the client, which is not preserved in the Classic Load Balancer. Customers can use proxy protocol with Classic Load Balancer to get the source IP. Network Load Balancer automatically provides a static IP per Availability Zone (AZ) to the load balancer and also enables assigning an Elastic IP to the load balancer per AZ. This is not supported with Classic Load Balancer.

Q: Can I migrate to Network Load Balancer from Classic Load Balancer?

A: Yes. You can migrate to Network Load Balancer from Classic Load Balancer using one of the options listed in this document.

Q: Are there limits on the resources for my Network Load Balancer?

A: Yes, please refer to Network Load Balancer limits documentation for more information.

Q: Can I use the AWS Management Console to set up my Network Load Balancer?

A: Yes, you can use the AWS Management Console, AWS CLI, or the API to set up a Network Load Balancer.

Q: Can I use the existing API for Classic Load Balancers for my Network Load Balancers?

A: No. To create a Classic Load Balancer, use the 2012-06-01 API. To create a Network Load Balancer or an Application Load Balancer, use the 2015-12-01 API.

Q: Can I create my Network Load Balancer in a single Availability Zone?

A: Yes, you can create your Network Load Balancer in a single AZ by providing a single subnet when you create the load balancer.

Q: Does Network Load Balancer support DNS regional and zonal fail-over?

A: Yes, you can use Amazon Route 53 health checking and DNS failover features to enhance the availability of the applications running behind Network Load Balancers. Using Route 53 DNS failover, you can run applications in multiple AWS Availability Zones and designate alternate load balancers for failover across regions.

If your Network Load Balancer is configured for multi-AZ and there are no healthy Amazon EC2 instances registered with the load balancer for an AZ, or the load balancer nodes in a given zone are unhealthy, then Route 53 will fail over to alternate load balancer nodes in other healthy AZs.

Q: Can I have a Network Load Balancer with a mix of ELB-provided IPs and Elastic IPs or assigned private IPs?

A: No. A Network Load Balancer’s addresses must be completely controlled by you, or completely controlled by ELB. This is to ensure that when using Elastic IPs with a Network Load Balancer, all addresses known to your clients do not change.

Q: Can I assign more than one EIP to my Network Load Balancer in each subnet?

A: No. For each subnet associated with a Network Load Balancer, the load balancer can support only a single public/internet-facing IP address.

Q: If I remove/delete a Network Load Balancer what will happen to the Elastic IP addresses that were associated with it?

A: The Elastic IP Addresses that were associated with your load balancer will return to your allocated pool and be available for future use.

Q: Does Network Load Balancer support internal load balancers?

A: Network Load Balancer can be set up as an internet-facing load balancer or an internal load balancer, similar to what is possible with Application Load Balancer and Classic Load Balancer.

Q: Can the internal Network Load balancer support more than one private IP in each subnet?

A: No. For each subnet associated with a Network Load Balancer, the load balancer can support only a single private IP.

Q: Can I set up Websockets with my Network Load Balancer?

A: Yes, configure TCP listeners that route the traffic to targets that implement the WebSocket protocol (https://tools.ietf.org/html/rfc6455). Because WebSocket is a layer 7 protocol and Network Load Balancer operates at layer 4, Network Load Balancer has no special handling for WebSocket or other higher-level protocols.

Q: Can I load balance to any arbitrary IP address?

A: Yes. You can use any IP address from the load balancer’s VPC CIDR for targets within the load balancer’s VPC, and any IP address from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) or the RFC 6598 range (100.64.0.0/10) for targets located outside the load balancer’s VPC (EC2-Classic and on-premises locations reachable over AWS Direct Connect). Load balancing to the IP address target type is supported for TCP listeners only, and is currently not supported for UDP listeners.
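The answer above gives three rules for which addresses may be registered as IP targets. The following validator is an added example, not AWS code: it takes a candidate target IP, the load balancer's VPC CIDR and the listener protocol, and applies exactly those rules (TCP listeners only; anything inside the VPC CIDR; otherwise only RFC 1918 or RFC 6598 space). The sample targets and the VPC CIDR `10.20.0.0/16` are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Address ranges the FAQ allows for targets outside the load balancer's VPC.
RFC1918_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_RANGE = ipaddress.ip_network("100.64.0.0/10")


def target_ip_allowed(target_ip: str, vpc_cidr: str, listener_protocol: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for registering target_ip in an IP-type target group.

    Rules taken from the FAQ: IP targets are supported on TCP listeners only; an
    in-VPC target may be any address in the VPC CIDR; an out-of-VPC target must
    fall in RFC 1918 or RFC 6598 space, so public addresses are rejected.
    """
    if listener_protocol.upper() != "TCP":
        return False, f"IP address targets are supported for TCP listeners only (got {listener_protocol})"
    try:
        ip = ipaddress.ip_address(target_ip)
        vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    except ValueError as exc:
        return False, f"not a valid address or CIDR: {exc}"
    if ip in vpc:  # membership is False when address and network versions differ
        return True, "inside the load balancer's VPC CIDR"
    if any(ip in net for net in RFC1918_RANGES):
        return True, "outside the VPC but in RFC 1918 space"
    if ip in RFC6598_RANGE:
        return True, "outside the VPC but in RFC 6598 space"
    return False, "outside the VPC and not in RFC 1918 / RFC 6598 space (public addresses are not allowed)"


def check_targets(targets: List[str], vpc_cidr: str, listener_protocol: str) -> List[Tuple[str, str]]:
    """Run target_ip_allowed over a list and return the rejected targets with reasons."""
    rejected = []
    for target in targets:
        ok, reason = target_ip_allowed(target, vpc_cidr, listener_protocol)
        if not ok:
            rejected.append((target, reason))
    return rejected


if __name__ == "__main__":
    # Constructed sample: an in-VPC address, an on-premises RFC 1918 address, a public address.
    sample = ["10.20.1.5", "192.168.4.9", "203.0.113.5"]
    for target, reason in check_targets(sample, "10.20.0.0/16", "TCP"):
        print(f"rejected {target}: {reason}")
```

Running the block prints one rejection, for the public address. Note that the check is only about address ranges; whether an on-premises address is actually reachable (Direct Connect, ClassicLink) is a routing question the validator cannot answer.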

Q: Can I use Network Load Balancer to set up AWS PrivateLink?

A: Yes, Network Load Balancers with TCP and TLS listeners can be used to set up AWS PrivateLink. You cannot set up PrivateLink with UDP listeners on Network Load Balancers.

Q: What is a UDP flow?

A: While User Datagram Protocol (UDP) is connectionless, the load balancer maintains UDP flow state based on a 5-tuple hash, ensuring that packets sent in the same context are consistently forwarded to the same target. The flow is considered active as long as traffic is flowing and until the idle timeout is reached. Once the timeout threshold is reached, the load balancer forgets the affinity, and the next incoming UDP packet is considered a new flow and load-balanced to a new target.
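To make the flow-state behaviour concrete, here is an added toy model of a layer-4 flow table (example code, not the load balancer's implementation). It picks a target by hashing the 5-tuple, pins the flow to that target while packets keep arriving, and forgets the affinity once the flow has been idle for the timeout (120 seconds for UDP, as stated later on this page). The target addresses and the client 5-tuple are constructed; the hash function and the table layout are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Idle timeouts quoted in this FAQ, in seconds.
UDP_IDLE_TIMEOUT_S = 120
TCP_IDLE_TIMEOUT_S = 350

# (protocol, src_ip, src_port, dst_ip, dst_port)
FiveTuple = Tuple[str, str, int, str, int]


@dataclass
class FlowTable:
    """Hypothetical flow table: choose a target by 5-tuple hash, then keep the
    flow on that target until it has been idle for idle_timeout seconds."""
    targets: List[str]
    idle_timeout: float = UDP_IDLE_TIMEOUT_S
    # 5-tuple -> (chosen target, time of last packet)
    flows: Dict[FiveTuple, Tuple[str, float]] = field(default_factory=dict)

    def hash_pick(self, ft: FiveTuple) -> str:
        """Deterministic choice: the same 5-tuple maps to the same target for a
        fixed target set (SHA-256 is used here only as a stable hash)."""
        digest = hashlib.sha256("|".join(map(str, ft)).encode()).digest()
        return self.targets[int.from_bytes(digest[:8], "big") % len(self.targets)]

    def forward(self, ft: FiveTuple, now: float) -> str:
        """Return the target for a packet of flow ft arriving at time now."""
        entry = self.flows.get(ft)
        if entry is not None:
            target, last_seen = entry
            if now - last_seen < self.idle_timeout:
                # Active flow: keep the affinity even if targets were added since.
                self.flows[ft] = (target, now)
                return target
            # Idle for at least the timeout: the affinity is forgotten.
            del self.flows[ft]
        target = self.hash_pick(ft)          # treated as a brand-new flow
        self.flows[ft] = (target, now)
        return target

    def expire(self, now: float) -> int:
        """Drop every flow idle for at least the timeout; return how many were dropped."""
        stale = [ft for ft, (_, seen) in self.flows.items() if now - seen >= self.idle_timeout]
        for ft in stale:
            del self.flows[ft]
        return len(stale)


if __name__ == "__main__":
    table = FlowTable(["10.0.1.10", "10.0.2.10"])        # constructed target IPs
    query = ("udp", "203.0.113.7", 40000, "10.0.0.53", 53)  # constructed DNS client flow
    first = table.forward(query, now=0.0)
    table.targets.append("10.0.3.10")                     # scale-out while the flow is active
    print("pinned after scale-out:", table.forward(query, now=100.0) == first)
    print("after 150 s idle, re-hashed to:", table.forward(query, now=250.0))
```

The point the model makes is that affinity protects an active flow across target-set changes, but nothing survives the idle timeout: a client that pauses longer than 120 seconds may land on a different target, so UDP services behind the load balancer should not assume per-client state lives on one backend.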

Q: What is the idle timeout supported by Network Load Balancer?

A: Network Load Balancer idle timeout for TCP connections is 350 seconds. The idle timeout for UDP flows is 120 seconds.

Q: What is the benefit of targeting containers behind a load balancer with IP addresses instead of instance IDs?

A: Each container on an instance can now have its own security group, and does not need to share security rules with other containers. You can attach security groups to an ENI, and each ENI on an instance can have a different security group. You can map a container to the IP address of a particular ENI to associate security group(s) per container. Load balancing using IP addresses also allows multiple containers running on an instance to use the same port (say port 80). The ability to use the same port across containers allows containers on an instance to communicate with each other through well-known ports instead of random ports.

Q: How can I load balance applications distributed across a VPC and on-premises location?

A: There are various ways to achieve hybrid load balancing. If an application runs on targets distributed between a VPC and an on-premises location, you can add them to the same target group using their IP addresses. To migrate to AWS without impacting your application, gradually add VPC targets to the target group and remove on-premises targets from the target group. You can also use separate load balancers for VPC and on-premises targets and use DNS weighting to achieve weighted load balancing between VPC and on-premises targets.

Q: How can I load balance to EC2-Classic instances?

A: You cannot load balance to EC2-Classic Instances when registering their Instance IDs as targets. However if you link these EC2-Classic instances to the load balancer's VPC using ClassicLink and use the private IPs of these EC2-Classic instances as targets, then you can load balance to the EC2-Classic instances. If you are using EC2 Classic instances today with a Classic Load Balancer, you can easily migrate to a Network Load Balancer.

Q: How do I enable cross-zone load balancing in Network Load Balancer?

A: You can enable cross-zone load balancing only after creating your Network Load Balancer. You do this by editing the load balancing attributes section and then selecting the cross-zone load balancing support checkbox.

Q: Am I charged for regional AWS data-transfer when I enable cross-zone load balancing in Network Load Balancer?

A: Yes, you will be charged for regional data transfer between Availability Zones with Network Load Balancer when cross-zone load balancing is enabled. Check the charges in the data transfer section of the Amazon EC2 On-Demand Pricing page.

Q: Is there any impact of cross-zone load balancing on Network Load Balancer limits?

A: Yes. Network Load Balancer currently supports 200 targets per Availability Zone. For example, if you are in two AZs, you can have up to 400 targets registered with Network Load Balancer. If cross-zone load balancing is on, then the maximum targets reduce from 200 per AZ to 200 per load balancer. So, in the example above: When cross-zone load balancing is on, even though your load balancer is in two AZs, you are limited to 200 targets that can be registered to the load balancer.

Q: Does Network Load Balancer support TLS termination?

A: Yes, you can terminate TLS connections on the Network Load Balancer. You must install an SSL certificate on your load balancer. The load balancer uses this certificate to terminate the connection and then decrypt requests from clients before sending them to targets.

Q: Is the source IP preserved when terminating TLS on Network Load Balancer?

A: Source IP continues to be preserved even if you terminate TLS on the Network Load Balancer.

Q: What are the steps to get an SSL certificate?

A: You can either use AWS Certificate Manager to provision an SSL/TLS certificate, or you can obtain the certificate from other sources by creating the certificate request, getting the certificate request signed by a certificate authority (CA), and then uploading the certificate using either AWS Certificate Manager (ACM) or the AWS Identity and Access Management (IAM) service.

Q: How can I enable Server Name Indication (SNI) for my Network Load Balancer?

A: SNI is automatically enabled when you associate more than one TLS certificate with the same secure listener on a load balancer. Similarly, SNI mode for a secure listener is automatically disabled when you have only one certificate associated to a secure listener.

Q: How does the Network Load Balancer integrate with AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM)?

A: Network Load Balancer is integrated with AWS Certificate Manager (ACM). Integration with ACM makes it very simple to bind a certificate to the load balancer, which makes the entire SSL offload process very easy. Purchasing, uploading, and renewing SSL/TLS certificates is a time-consuming, manual, and complex process. With ACM integration with Network Load Balancer, this whole process is shortened to simply requesting a trusted SSL/TLS certificate and selecting the ACM certificate to provision it with the load balancer. Once you create a Network Load Balancer, you can configure a TLS listener and then select a certificate from either ACM or IAM. This experience is similar to what you have in Application Load Balancer or Classic Load Balancer.

Q: Is back-end server authentication supported with Network Load Balancer?

A: No, only encryption is supported to the back-ends with Network Load Balancer.

Q: What are the certificate types supported by Network Load Balancer?

A: Network Load Balancer only supports RSA certificates with 2K key size. We currently do not support RSA certificate key sizes greater than 2K or ECDSA certificates on the Network Load Balancer.

Q: In which AWS Regions is TLS Termination on Network Load Balancer supported?

A: You can use TLS Termination on Network Load Balancer in US East (N. Virginia), US East (Ohio), US West (Northern California), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), EU (Frankfurt), EU (Ireland), EU (London), EU (Paris), South America (São Paulo), and GovCloud (US-West) AWS Regions.

Q: How does Network Load Balancer pricing work?

A: You are charged for each hour or partial hour that a Network Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used by Network Load Balancer per hour.

Q: What is a Load Balancer Capacity Unit (LCU)?

A: An LCU is a new metric for determining how you pay for a Network Load Balancer. An LCU measures the maximum resource consumed in any one of the dimensions (new connections/flows, active connections/flows, and bandwidth) in which the Network Load Balancer processes your traffic.

Q: What are the LCU metrics for TCP traffic on Network Load Balancer?

A: The LCU metrics for the TCP traffic are as follows:

  • 800 new TCP connections per second.
  • 100,000 active TCP connections (sampled per minute).
  • 1 GB per hour for Amazon EC2 instances, containers, and IP addresses as targets.

Q: What are the LCU metrics for UDP traffic on Network Load Balancer?

A: The LCU metrics for the UDP traffic are as follows:

  • 400 new flows per second.
  • 50,000 active UDP flows (sampled per minute).
  • 1 GB per hour for Amazon EC2 instances, containers, and IP addresses as targets.

Q: What are the LCU metrics for TLS traffic on Network Load Balancer?

A: The LCU metrics for the TLS traffic are as follows:

  • 50 new TLS connections per second.
  • 3,000 active TLS connections (sampled per minute).
  • 1 GB per hour for Amazon EC2 instances, containers, and IP addresses as targets.

Q: Will I be billed on all the dimensions (Processed Bytes, New Flows and Active Flows)?

A: No, for each protocol you are charged only on one of the three dimensions (the highest for the hour).

Q: Is new connections/flows per second the same as requests per second?

A: No. Multiple requests can be sent in a single connection.

Q: Will I be billed on Classic Load Balancers by LCU?

A: No. Classic Load Balancers will continue to be billed for bandwidth and hourly charge.

Q: How do I know the number of LCUs a Network Load Balancer is using?

A: We will expose the usage of all three dimensions that constitute an LCU via Amazon CloudWatch.

Q: Will I be billed on all the dimensions in an LCU?

A: No. The number of LCUs per hour is determined by the maximum resource consumed among the three dimensions that constitute an LCU.

Q: Will I be billed on partial LCUs?

A: Yes.
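The LCU answers above (the per-protocol dimensions, the "highest dimension for the hour" rule, and partial LCUs being billed) combine into a small calculation. The following is an added example, not an AWS billing tool: it applies the page's TCP, UDP and TLS figures to constructed hourly usage numbers and reports which dimension dominates for each protocol. The sample usage values are invented for illustration; no LCU price is included because the page does not state one.

```python
from typing import Dict, Iterable, Tuple

# One LCU per hour is any one of these amounts; the figures are the FAQ's.
LCU_PER_PROTOCOL = {
    "tcp": {"new_flows": 800.0, "active_flows": 100_000.0, "processed_gb": 1.0},
    "udp": {"new_flows": 400.0, "active_flows": 50_000.0, "processed_gb": 1.0},
    "tls": {"new_flows": 50.0, "active_flows": 3_000.0, "processed_gb": 1.0},
}


def lcus_for_hour(protocol: str, new_per_sec: float, active: float, processed_gb: float) -> Dict[str, object]:
    """LCU consumption for one hour of one protocol's traffic.

    Each dimension is divided by its LCU definition and the protocol is billed on
    the largest of the three (the FAQ: 'the highest for the hour'), not their sum.
    Fractions are kept because the FAQ says partial LCUs are billed.
    """
    defn = LCU_PER_PROTOCOL[protocol.lower()]
    usage = {
        "new_flows": new_per_sec / defn["new_flows"],          # new connections/flows per second
        "active_flows": active / defn["active_flows"],         # active connections/flows, per-minute sample
        "processed_gb": processed_gb / defn["processed_gb"],   # bytes processed in the hour, in GB
    }
    dominant = max(usage, key=usage.get)
    return {"protocol": protocol.lower(), "lcus": usage[dominant], "dominant": dominant, "usage": usage}


def total_lcus(hour: Iterable[Tuple[str, float, float, float]]) -> float:
    """Sum the per-protocol maxima for one hour; each protocol is measured on its own."""
    return sum(float(lcus_for_hour(*row)["lcus"]) for row in hour)


if __name__ == "__main__":
    # Constructed hour: (protocol, new per second, active sampled per minute, GB processed)
    sample_hour = [
        ("tcp", 400, 20_000, 3.0),   # bandwidth-bound: 3 GB against 1 GB per LCU
        ("tls", 100, 1_500, 0.5),    # handshake-bound: 100 new/s against 50 per LCU
        ("udp", 100, 60_000, 0.2),   # flow-table-bound: 60,000 active against 50,000 per LCU
    ]
    for row in sample_hour:
        r = lcus_for_hour(*row)
        print(f"{r['protocol']}: {r['lcus']:.2f} LCU, dominated by {r['dominant']}")
    print(f"total for the hour: {total_lcus(sample_hour):.2f} LCU")
```

The worked numbers show why TLS termination changes the cost profile: the same 100 new connections per second that cost 0.125 LCU as plain TCP cost 2 LCU as TLS, because the TLS definition is 50 new connections per second rather than 800.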

Q: Is a free tier offered on a Network Load Balancer for new AWS accounts?

A: Yes. For new AWS accounts, a free tier for a Network Load Balancer offers 750 hours and 15 LCUs. This free tier offer is only available to new AWS customers, and is available for 12 months following your AWS sign-up date.

Q: Can I use a combination of Network Load Balancer, Application Load Balancer and Classic Load Balancer as part of my free tier?

A: Yes. You can use Application and Network each for 15 LCUs and Classic for 15 GB respectively. The 750 load balancer hours are shared between Application, Network, and Classic Load Balancers.

What protocol is used for load balancing and prioritizing traffic?

TCP — A TCP load balancer uses transmission control protocol (TCP).

Which load balancing architecture can be implemented in the cloud and use global information to manage traffic and processing?

Round Robin Algorithm: This is one of the easiest methods of load balancing. Processors assign each process circularly without defining any priority. It gives a fast response in case of uniform workload distribution among the processes.

Which type of hypervisor implementation is known as hosted?

A Type 2 hypervisor, also called a hosted hypervisor, is a virtual machine (VM) manager that is installed as a software application on an existing operating system (OS).

Which cloud service model gives the consumer the ability to use applications provided by the cloud provider?

In the Software as a Service (SaaS) model, the consumer has the ability to use applications provided by the cloud provider over the Internet.
