CloudWiki
Resource

NLB

Amazon Web Services
Network
Network Load Balancer (NLB) is a feature of Elastic Load Balancing that functions at the transport layer and distributes end-user traffic across multiple cloud resources to ensure low latency and handle unpredictable spikes in traffic to ensure high availability for cloud applications.
Terraform Name
terraform
aws_lb
NLB
attributes:
  • name - (Optional) The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. If not specified, Terraform will autogenerate a name beginning with tf-lb.
  • name_prefix - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • internal - (Optional) If true, the LB will be internal.
  • load_balancer_type - (Optional) The type of load balancer to create. Possible values are application, gateway, or network. The default value is application.
  • security_groups - (Optional) A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application.
  • drop_invalid_header_fields - (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type application.
  • preserve_host_header - (Optional) Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. Defaults to false.
  • access_logs - (Optional) An Access Logs block. Access Logs documented below.
  • subnets - (Optional) A list of subnet IDs to attach to the LB. Subnets cannot be updated for Load Balancers of type network. Changing this value for load balancers of type network will force a recreation of the resource.
  • subnet_mapping - (Optional) A subnet mapping block as documented below.
  • idle_timeout - (Optional) The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type application. Default: 60.
  • enable_deletion_protection - (Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false.
  • enable_cross_zone_load_balancing - (Optional) If true, cross-zone load balancing of the load balancer will be enabled. This is a network load balancer feature. Defaults to false.
  • enable_http2 - (Optional) Indicates whether HTTP/2 is enabled in application load balancers. Defaults to true.
  • enable_waf_fail_open - (Optional) Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to false.
  • customer_owned_ipv4_pool - (Optional) The ID of the customer owned ipv4 pool to use for this load balancer.
  • ip_address_type - (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack
  • desync_mitigation_mode - (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Access Logs (access_logs) support the following:

  • bucket - (Required) The S3 bucket name to store the logs in.
  • prefix - (Optional) The S3 bucket prefix. Logs are stored in the root if not configured.
  • enabled - (Optional) Boolean to enable / disable access_logs. Defaults to false, even when bucket is specified.

Subnet Mapping (subnet_mapping) blocks support the following:

  • subnet_id - (Required) ID of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.
  • allocation_id - (Optional) The allocation ID of the Elastic IP address.
  • private_ipv4_address - (Optional) A private ipv4 address within the subnet to assign to the internal-facing load balancer.
  • ipv6_address - (Optional) An ipv6 address within the subnet to assign to the internet-facing load balancer.

Associating resources with a
NLB
Resources do not "belong" to a
NLB
Rather, one or more Security Groups are associated to a resource.
Create
NLB
via Terraform:
Syntax:

resource "aws_lb" "test" {
 name               = "test-lb-tf"
 internal           = false
 load_balancer_type = "network"
 subnets            = [for subnet in aws_subnet.public : subnet.id]

 enable_deletion_protection = true

 tags = {
   Environment = "production"
 }
}

Create
NLB
via CLI:
Parameters:

create-load-balancer
--name <value>
[--subnets <value>]
[--subnet-mappings <value>]
[--security-groups <value>]
[--scheme <value>]
[--tags <value>]
[--type <value>]
[--ip-address-type <value>]
[--customer-owned-ipv4-pool <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws elbv2 create-load-balancer \
   --name my-network-load-balancer \
   --type network \
   --subnet-mappings SubnetId=subnet-b7d581c0,AllocationId=eipalloc-64d5890a

aws cost
Costs
The cost of using Network Load Balancer (NLB) depends on the number of Load Balancer Capacity Units (LCUs) and the amount of data processed through the load balancer. Basic data transfer costs for NLB start at $0.008 per GB and decrease as the amount of data processed increases, while the LCU cost starts at $0.02 per hour.
Direct Cost

<Region>-LoadBalancerUsage

<Region>-LCUUsage

<Region>-AWS-Out-Bytes

Indirect Cost
No items found.
Best Practices for
NLB

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services