Working with Application Load Balancer in AWS

The Application Load Balancer distributes incoming HTTP and HTTPS traffic across multiple targets such as Amazon EC2 instances, microservices, and containers, based on request attributes. When the load balancer receives a connection request, it evaluates the listener rules in priority order to determine which rule to apply, and if applicable, it selects a target from the target group for the rule action.

Inner workings of the ALB

AWS ALB (Application Load Balancer) is a layer 7 load balancer. A request passes through the following stages:

  1. Clients make requests to your application.

  2. The load balancer has HTTP listeners, HTTPS listeners, or both.

    The listeners in your load balancer receive requests matching the protocol and port that you configure.

  3. Each listener contains rules (at least one, which is the default action for that listener).

    The receiving listener evaluates the incoming request against the rules you specify, and if applicable, routes the request to the appropriate target group. You can use an HTTPS listener to offload the work of TLS encryption and decryption to your load balancer.

  4. The target group (the destination) is one of three types: Lambda functions, IP addresses, or EC2 instances.

Let's jump into the creation of an ALB.

How to create an AWS Application Load Balancer

Click on Create target group; it opens in a new tab.

Creating a Target Group

Target type

The descriptions below are taken from the AWS console.

Instances

  • Supports load balancing to instances within a specific VPC.

  • Facilitates the use of Amazon EC2 Auto Scaling to manage and scale your EC2 capacity.

IP addresses

  • Supports load balancing to VPC and on-premises resources.

  • Facilitates routing to multiple IP addresses and network interfaces on the same instance.

  • Offers flexibility with microservice-based architectures, simplifying inter-application communication.

  • Supports IPv6 targets, enabling end-to-end IPv6 communication, and IPv4-to-IPv6 NAT.

Lambda function

  • Facilitates routing to a single Lambda function.

  • Accessible to Application Load Balancers only.

Right now we don't have any instances running, so just create the target group; we will see how to add instances to it later.

Go back to the load balancer page, refresh, and select the target group you created.

Request to Response in ALB

When a client (e.g., a web browser) makes a request to your ALB, it first resolves the load balancer's DNS name to its public IP address, then sends the traffic to the ALB, which forwards it to the target group of EC2 instances.

When we create the ALB, its default security group does not allow any traffic (HTTP or HTTPS) from outside into the ALB.

Security Groups in AWS ALB

We need to create a security group and attach it to the ALB to allow traffic from outside (the internet).

From the side panel of the EC2 dashboard, create a security group.

Give the security group a name

Allow HTTP and HTTPS from everywhere

Move back to the ALB page and, from the Security tab, add this security group to the ALB.

Let's access the DNS name again. This time we get a response from the load balancer: 503 Service Temporarily Unavailable, because the load balancer cannot get any response from the target group, as we have no EC2 instance attached to it yet.

503 Service Temporarily Unavailable Error in AWS ALB

I have one EC2 instance running in the same VPC, and a simple Node.js application is serving Hello World on port 3000.

Let's see how we can get a response from port 3000 on the EC2 machine.

Move to your load balancer, click on the target group, and register the EC2 instance as a target.

Now access your application through the load balancer. This time you will get a different error, and that is the expected result.

502 Bad Gateway Error in AWS ALB

This time there is a service running, but the load balancer is not able to communicate with it: one more configuration step is needed to allow the load balancer to reach our EC2 instance on port 3000. As you can see, the target group's health is still unhealthy.

Health Status AWS Target Group

Go to the instance security group and add an inbound rule on port 3000 from the load balancer.

Allow port 3000 from the default security group of the load balancer.

Finally, we can see the Hello World.
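The listener, rules and target group flow from "Inner workings of the ALB", together with the two security groups that the 503 and 502 steps above were about, expressed as Terraform. This is an added example, not code from the original post or from AWS; the resource names `alb` and `app`, the three input variables and the health check settings are assumptions. The point it makes explicit is that the instance's security group admits port 3000 only from the ALB's security group, never from 0.0.0.0/0, while the ALB's own group is the one open to the internet.

```hcl
# Added example, not from the original post. Assumed inputs (placeholders):
variable "vpc_id"      { type = string }        # VPC of the ALB and the instance
variable "subnet_ids"  { type = list(string) }  # at least two public subnets
variable "instance_id" { type = string }        # the EC2 instance serving on port 3000

# Security group attached to the ALB: HTTP and HTTPS from everywhere (the
# "Allow HTTP and HTTPS from everywhere" step). A freshly created ALB has no
# such rule, so the first browser request got nothing back.
resource "aws_security_group" "alb" {
  name   = "alb-public"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the instance: port 3000 is reachable only from the ALB's
# security group, not from 0.0.0.0/0. Until this rule exists the health check
# fails, the target shows "unhealthy", and the ALB returns 502 Bad Gateway.
# Attach it to the instance via vpc_security_group_ids on aws_instance.
resource "aws_security_group" "app" {
  name   = "app-from-alb-only"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 3000
    to_port         = 3000
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "app" {
  name               = "app-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.subnet_ids
}

# Target group on port 3000; the health check decides healthy/unhealthy.
resource "aws_lb_target_group" "app" {
  name        = "app-tg-3000"
  port        = 3000
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    path                = "/"
    matcher             = "200"
    interval            = 30
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

# Register the instance. With no registered target the ALB answers
# 503 Service Temporarily Unavailable, as seen above.
resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = var.instance_id
  port             = 3000
}

# HTTP listener with a single default rule forwarding to the target group.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

Referencing `aws_security_group.alb.id` in the instance's ingress rule (instead of a CIDR) means the rule keeps working when the ALB's node IP addresses change, and it keeps port 3000 closed to anything that is not the load balancer.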

Custom Domain to AWS Application Load Balancer

Navigate to your domain provider and add a record.

Adjust the record name and value to match your setup, whether you are adding your main domain or a subdomain.

We have also learned how to add a custom domain to the ALB, but we have one problem: the site is not encrypted with SSL.

SSL in AWS Application Load Balancer

Add HTTPS Listener

Add Certificate to AWS ALB

Search for AWS ACM

Verifying domain for AWS ACM

Wait a few minutes for the status to change to Issued. If you have difficulty verifying the domain, edit the record with a lower TTL and also verify that the value has propagated in DNS.

Now go back to the Listeners tab, refresh, and select the certificate.

Now we have two listeners, HTTP and HTTPS.
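The ACM certificate request, the DNS validation record you copy to the domain provider, and the HTTPS listener that uses the issued certificate, as Terraform. This is an added example, not code from the original post or from AWS; it assumes `aws_lb.app` and `aws_lb_target_group.app` already exist, that the `domain_name` variable holds your (placeholder) hostname, and that DNS lives at an external provider as in the post. It goes one step beyond the post's two-listener setup: the HTTP listener here redirects to HTTPS instead of forwarding plaintext, so it supersedes a plain forwarding HTTP listener on the same load balancer.

```hcl
# Added example, not from the original post. Assumes aws_lb.app and
# aws_lb_target_group.app exist and DNS is managed at an external provider.
variable "domain_name" { type = string }  # placeholder, e.g. "app.example.com"

# Public certificate; DNS validation needs one CNAME at the domain provider
# (the "Verifying domain for AWS ACM" step).
resource "aws_acm_certificate" "site" {
  domain_name       = var.domain_name
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# The CNAME record(s) to create at the provider. Use a low TTL while validating.
output "acm_validation_records" {
  value = [
    for dvo in aws_acm_certificate.site.domain_validation_options : {
      name  = dvo.resource_record_name
      type  = dvo.resource_record_type
      value = dvo.resource_record_value
    }
  ]
}

# Waits until ACM reports the certificate as Issued.
resource "aws_acm_certificate_validation" "site" {
  certificate_arn = aws_acm_certificate.site.arn
}

# HTTPS listener: TLS terminates at the ALB; the leg to the instance stays
# plain HTTP on port 3000 inside the VPC, as in the post.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"  # TLS 1.2 and 1.3 only
  certificate_arn   = aws_acm_certificate_validation.site.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# HTTP listener kept on port 80, but it now redirects to HTTPS rather than
# serving the application over plaintext.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Taking `certificate_arn` from the `aws_acm_certificate_validation` resource rather than directly from the certificate makes Terraform wait for the Issued status before creating the listener, which avoids the "certificate not yet issued" failure you would otherwise hit during the waiting period described above.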

Rules Inside the Listener

Adding Rules

Rules are evaluated in priority order, from the lowest value to the highest value. The default rule is evaluated last. You can change the priority of a nondefault rule at any time. You cannot change the priority of the default rule.

Add a rule

Select the load balancer to view its details. On the Listeners and rules tab, do the following:

On the Rules tab, choose Add rule.

Some rule examples

  • Path-Based Routing
    Use case: Routing requests with a path pattern.
    Example: Forward all requests matching the path "/different/" to a specific server.

  • Host-Based Routing
    Use case: Routing requests based on the host address.
    Example: Divert traffic from the host to a specific target group.

  • HTTP Request Method-Based Routing
    Use case: Routing requests based on the HTTP request method.
    Example: Divert GET requests to one target group and POST requests to another.

  • HTTP Header-Based Routing
    Use case: Routing requests based on HTTP headers.
    Example: Route requests with a specific HTTP header, sndtolamda: true, to a target group.

  • Query String-Based Routing
    Use case: Routing requests based on query strings.
    Example: Route requests containing a query string with key "test" and value "secure" to a target group.

  • Source IP-Based Routing
    Use case: Routing requests based on the source IP address.
    Example: Route traffic coming from a particular IP address to a specific target group.
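The six rule types from the list above, each as a listener rule in Terraform, ordered by priority so the evaluation order described under "Adding Rules" is visible. This is an added example, not code from the original post or from AWS; it assumes `aws_lb_listener.https` and three target groups named `app`, `api` and `lambda` already exist, and the hostname and CIDR are placeholders. The header name `sndtolamda` and the `test=secure` query string are the ones from the list above.

```hcl
# Added example, not from the original post. Assumes aws_lb_listener.https and
# the target groups aws_lb_target_group.app, .api and .lambda already exist.
# Rules are tried from the lowest priority number upward; the listener's
# default action runs only when no rule matches.

# Path-based: "/different/*" matches the whole subtree; "/different/" alone
# would match only that exact path.
resource "aws_lb_listener_rule" "path" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  condition { path_pattern { values = ["/different/*"] } }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

# Host-based: matched against the Host header (placeholder hostname).
resource "aws_lb_listener_rule" "host" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 20
  condition { host_header { values = ["api.example.com"] } }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

# Method-based: POST goes to one group; GET and everything else fall through
# to later rules and finally the default action.
resource "aws_lb_listener_rule" "post" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 30
  condition { http_request_method { values = ["POST"] } }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

# Header-based: the client sets this header, so the rule only selects a
# backend; it is not an access-control decision.
resource "aws_lb_listener_rule" "header" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 40
  condition {
    http_header {
      http_header_name = "sndtolamda"
      values           = ["true"]
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.lambda.arn
  }
}

# Query-string-based: matches ?test=secure (a routing key, not a secret).
resource "aws_lb_listener_rule" "query" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 50
  condition {
    query_string {
      key   = "test"
      value = "secure"
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

# Source-IP-based: evaluated on the TCP source address (placeholder CIDR).
# A client behind a proxy or CDN is seen as the proxy; X-Forwarded-For is
# not consulted by this condition.
resource "aws_lb_listener_rule" "source_ip" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 60
  condition { source_ip { values = ["203.0.113.0/24"] } }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

Because a request is matched by the first rule whose conditions all hold, the relative priorities matter when conditions overlap: a POST to /different/ is routed by the path rule at priority 10 before the method rule at 30 is ever considered.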