← Week 3: Container Orchestration

Day 19: Load Balancing — ALB and NLB

Phase 5 · Aug 30, 2026

Agenda (2–3 hours)

  • Read (45 min): ALB documentation — listener rules, target groups, sticky sessions; NLB documentation — TCP/UDP, static IPs, TLS termination
  • Study (45 min): When do you choose NLB over ALB? Design a load balancer strategy for a mixed HTTP/gRPC service
  • Practice (45 min): Create an ALB with path-based routing to two ECS services (/api/* and /admin/*); verify health checks and deregistration delay
  • Challenge (30 min): gRPC requires HTTP/2 with long-lived connections. Why does ALB default round-robin fail for gRPC? How do you fix it?

ALB vs NLB

| Feature   | ALB (Layer 7)                | NLB (Layer 4)    |
|-----------|------------------------------|------------------|
| Protocol  | HTTP/1.1, HTTP/2, WebSocket  | TCP, UDP, TLS    |
| Routing   | Path, header, host, method   | IP, port         |
| gRPC      | Yes (native HTTP/2)          | Pass-through     |
| Static IP | No (DNS only)                | Yes (Elastic IP) |
| Latency   | ~1ms overhead                | ~100µs overhead  |
| Price     | Higher                       | Lower            |

Choose ALB for HTTP/gRPC/WebSocket. Choose NLB for low-latency TCP or static IP requirements (allowlisting).

ALB Listener Rules

Listener: HTTPS :443
├── Rule 1: path-pattern /api/*   → Target Group: api-service  (weight 100)
├── Rule 2: path-pattern /admin/* → Target Group: admin-service
├── Rule 3: header X-Beta: true   → Target Group: api-service-canary (weight 10)
└── Default: fixed-response 404
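
A small local model of how this listener picks an action, added here as an illustration (not AWS code and not part of the original page). It assumes rule priorities follow the order shown, ignores target-group weights, and uses the hypothetical names `route`, `RULES` and `CANARY_FIRST`; it shows that first-match evaluation sends an `/api/*` request carrying `X-Beta: true` to Rule 1, so the canary rule has to be scoped and placed ahead of it to take effect.

```python
import re

# Model of the listener above; priorities assumed to follow the listed order.
RULES = [
    {"priority": 1, "path": "/api/*", "target": "api-service"},
    {"priority": 2, "path": "/admin/*", "target": "admin-service"},
    {"priority": 3, "header": ("X-Beta", "true"), "target": "api-service-canary"},
]
# Variant: canary rule scoped to /api/* and moved ahead of the plain /api/* rule.
CANARY_FIRST = [
    {"priority": 1, "path": "/api/*", "header": ("X-Beta", "true"),
     "target": "api-service-canary"},
    {"priority": 2, "path": "/api/*", "target": "api-service"},
    {"priority": 3, "path": "/admin/*", "target": "admin-service"},
]
DEFAULT = "fixed-response 404"


def _wild(pattern, value, ignore_case=False):
    """ALB wildcards: '*' matches zero or more characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None


def route(path, headers=None, rules=RULES):
    """Return the action of the first rule, in priority order, whose conditions all match."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}  # header names: case-insensitive
    for rule in sorted(rules, key=lambda r: r["priority"]):
        # Path patterns are compared case-sensitively.
        if "path" in rule and not _wild(rule["path"], path):
            continue
        if "header" in rule:
            name, want = rule["header"]
            got = hdrs.get(name.lower())
            # Header values are compared case-insensitively.
            if got is None or not _wild(want, got, ignore_case=True):
                continue
        return rule["target"]
    return DEFAULT


if __name__ == "__main__":
    beta = {"X-Beta": "true"}  # constructed sample requests
    for path, hdrs in [("/api/users", None), ("/api/users", beta),
                       ("/admin", None), ("/Admin/users", None), ("/health", beta)]:
        print(path, hdrs, "->", route(path, hdrs), "| canary first:",
              route(path, hdrs, CANARY_FIRST))
```

In this model `/admin` (no trailing slash) and `/Admin/users` match no rule and fall through to the 404 default, which is the behaviour to confirm when `/admin/*` is exposed on the same listener as `/api/*`.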

Target group deregistration delay (default 300s):

  • ALB waits up to 300s for in-flight requests to complete before removing a task
  • Reduce to 30–60s for short-lived HTTP requests; keep high for long-lived connections

gRPC and ALB

Problem: gRPC uses HTTP/2 multiplexing — one connection carries many streams.
ALB balances at the connection level → all streams go to one backend.

Fix options:

  1. Client-side load balancing via an Envoy sidecar — the proxy opens connections to multiple backends
  2. ALB gRPC target group with round-robin or least-outstanding-requests algorithm
  3. NLB + client-side load balancer (e.g., tonic with multiple endpoints)

For ECS + tonic gRPC: use ALB with protocol-version: GRPC on the target group.
ALB then load-balances individual gRPC streams, not connections.

Key Takeaways

  • ALB for HTTP/gRPC/WebSocket (Layer 7); NLB for raw TCP/UDP or static-IP needs
  • Path-based and header-based routing enable canary releases and service splits
  • Deregistration delay lets in-flight requests complete before draining a task
  • gRPC requires ALB GRPC protocol or client-side load balancing to avoid hot backends

Tomorrow: IAM for ECS tasks — task roles, execution roles, and IRSA for EKS.