Load balancers and CDNs are the two key mechanisms for distributing work and data efficiently across global infrastructure. Together they enable scalable, low-latency architectures.
What is a Load Balancer?
A load balancer sits between clients and a pool of servers, distributing incoming requests to ensure no single server is overwhelmed. Benefits:
- High availability: Routes around failed instances
- Scalability: Add or remove instances without changing client configuration
- SSL termination: Decrypt HTTPS at the LB, send plain HTTP to backend instances
- Health checks: Automatically stop routing to unhealthy targets
Layer 4 vs Layer 7 Load Balancing
| Layer 4 (Transport) | Layer 7 (Application) | |
|---|---|---|
| Routes based on | IP, TCP/UDP port | HTTP method, URL, host, headers, cookies |
| Sees content | No | Yes |
| Performance | Extremely fast, low overhead | Slightly higher overhead |
| AWS equivalent | Network Load Balancer (NLB) | Application Load Balancer (ALB) |
| Use case | TCP apps, gaming, IoT, static IP needed | HTTP APIs, microservices routing, WebSockets |
AWS Application Load Balancer (ALB)
ALB operates at Layer 7 and is the standard choice for HTTP/HTTPS workloads:
- Host-based routing:
api.example.com→ API service,app.example.com→ Frontend - Path-based routing:
/api/*→ API service,/static/*→ S3 - Header/query-string routing: Route based on any HTTP attribute
- Target groups: EC2 instances, IP addresses, Lambda functions, or other ALBs
- Sticky sessions: Route the same user to the same target (via cookie)
- WebSocket and gRPC support
- Integrated with AWS WAF and ACM (free TLS certificates)
Listener: HTTPS :443
Rule 1: Host = api.example.com → Target Group: api-tg
Rule 2: Host = app.example.com, Path = /admin/* → Target Group: admin-tg
Default: Forward to → Target Group: frontend-tgAWS Network Load Balancer (NLB)
NLB operates at Layer 4 — ideal when you need:
- Ultra-high performance: Millions of requests per second with low latency
- Static IP / Elastic IP: NLBs have a fixed IP per AZ — useful for whitelisting
- Non-HTTP protocols: TCP, UDP, TLS
- Pass-through TLS: Encrypted traffic reaches your backend (client certificate visible)
Load Balancing Algorithms
- Round Robin: Requests distributed evenly in rotation (ALB default)
- Least Outstanding Requests: Routes to the target with fewest in-flight requests (better for variable request duration)
- Flow Hash: NLB default — same source IP/port combination always routed to same target
- Weighted: Different weights per target group (useful for canary deployments)
Content Delivery Networks (CDNs)
A CDN is a globally distributed network of servers (edge locations) that cache content close to users. Instead of every user request travelling to your origin server, the CDN serves cached responses from the nearest edge:
- Reduced latency (user hits a nearby edge, not a distant origin)
- Reduced origin load (cache hits don't hit your servers)
- DDoS mitigation (absorb attack traffic at the edge)
- HTTPS everywhere (CDNs handle TLS termination)
AWS CloudFront
CloudFront is AWS's CDN with 600+ edge locations globally:
- Origins: S3, ALB, API Gateway, EC2, or any HTTP server
- Caching: Cache based on URL, query strings, headers, cookies — configurable per behaviour
- Cache invalidation: Flush cached objects by path or wildcard
- Lambda@Edge / CloudFront Functions: Run JavaScript at the edge for URL rewrites, auth, A/B testing
- OAC (Origin Access Control): Force S3 access only via CloudFront — S3 bucket not publicly accessible
- Geo-restriction: Block or allow access by country
CloudFront Distribution:
Origin 1: my-bucket.s3.amazonaws.com (S3)
Path pattern: /static/*
Cache: Max-Age 86400 (1 day)
Origin 2: api.example.com (ALB)
Path pattern: /api/*
Cache: No caching (TTL 0)
Default: Forward to Origin 2Next: VPNs and private networking — how to securely connect on-premises networks to the cloud.