1
00:00:06,850 --> 00:00:10,810
- The NLB or Network Load Balancer

2
00:00:10,810 --> 00:00:14,964
is a very different piece of infrastructure than the

3
00:00:14,964 --> 00:00:18,330
ALB or Application Load Balancer.

4
00:00:18,330 --> 00:00:20,910
The first big difference is that it operates

5
00:00:20,910 --> 00:00:24,470
at layer four of the seven-layer OSI model.

6
00:00:24,470 --> 00:00:27,640
This is going to include TCP

7
00:00:27,640 --> 00:00:29,090
and UDP,

8
00:00:29,090 --> 00:00:31,020
rather than HTTP

9
00:00:31,020 --> 00:00:32,373
and HTTPS.

10
00:00:33,400 --> 00:00:35,980
It's designed to handle inbound traffic

11
00:00:35,980 --> 00:00:37,930
that is then delivered to applications,

12
00:00:38,830 --> 00:00:42,290
and it can also be internet-facing

13
00:00:42,290 --> 00:00:43,533
or internal only.

14
00:00:45,070 --> 00:00:48,690
It only allows one TLS cert if you want to

15
00:00:48,690 --> 00:00:51,310
create an SSL listener

16
00:00:51,310 --> 00:00:52,820
at layer four,

17
00:00:52,820 --> 00:00:55,783
as opposed to the 25 certs that you can apply to an ALB.

18
00:00:57,730 --> 00:01:00,040
And as I mentioned, you can only create

19
00:01:00,040 --> 00:01:01,680
TCP and UDP listeners,

20
00:01:01,680 --> 00:01:05,003
but you can also create combo listeners if you like.

21
00:01:05,950 --> 00:01:08,780
And while both the ALB

22
00:01:08,780 --> 00:01:09,613
and the NLB

23
00:01:09,613 --> 00:01:12,260
can be deployed into a VPC,

24
00:01:12,260 --> 00:01:15,323
and you choose your subnet or subnets,

25
00:01:16,360 --> 00:01:19,230
the ALB supports security groups.

26
00:01:19,230 --> 00:01:21,790
The NLB does not,

27
00:01:21,790 --> 00:01:25,173
as it performs a straight pass-through of your traffic.

28
00:01:27,320 --> 00:01:30,690
There are some good use cases for the NLB.

29
00:01:30,690 --> 00:01:34,110
Anytime you have a non-web application,

30
00:01:34,110 --> 00:01:37,320
if you just need a TCP socket,

31
00:01:37,320 --> 00:01:39,720
that might be perfectly appropriate for the NLB.

32
00:01:40,660 --> 00:01:42,520
If you have combo listeners,

33
00:01:42,520 --> 00:01:44,800
so if you've deployed, for example,

34
00:01:44,800 --> 00:01:47,820
your own custom DNS solution

35
00:01:47,820 --> 00:01:49,570
running on port 53

36
00:01:49,570 --> 00:01:51,480
for both TCP and UDP,

37
00:01:51,480 --> 00:01:53,253
the NLB can support that.

38
00:01:54,580 --> 00:01:58,480
It is also designed for anything that requires

39
00:01:58,480 --> 00:02:02,550
very low latency and very high throughput.

40
00:02:02,550 --> 00:02:04,740
Because it operates at layer four,

41
00:02:04,740 --> 00:02:07,060
there's no extra overhead as it

42
00:02:07,060 --> 00:02:10,503
processes or proxies requests.

43
00:02:11,720 --> 00:02:15,440
And so that low latency might be worthwhile

44
00:02:15,440 --> 00:02:18,620
even for web-based applications,

45
00:02:18,620 --> 00:02:23,010
if you don't want to treat any of those requests

46
00:02:23,010 --> 00:02:25,703
as requests at the load balancer tier.

47
00:02:27,670 --> 00:02:30,840
The load balancer has different listener protocols

48
00:02:30,840 --> 00:02:32,460
that you can configure.

49
00:02:32,460 --> 00:02:33,870
And when you do that,

50
00:02:33,870 --> 00:02:38,870
it's going to limit the back end type that you can choose.

51
00:02:39,400 --> 00:02:40,920
So if you go with TCP,

52
00:02:40,920 --> 00:02:44,350
you can only choose EC2 instances or IP addresses

53
00:02:44,350 --> 00:02:46,060
for the back end.

54
00:02:46,060 --> 00:02:48,173
Same thing with TLS listeners.

55
00:02:49,230 --> 00:02:53,590
But if you go with either a UDP or a combo listener,

56
00:02:53,590 --> 00:02:58,250
your only option is an EC2 instance.

57
00:02:58,250 --> 00:03:00,870
Now, out of all of these choices,

58
00:03:00,870 --> 00:03:02,520
one of them

59
00:03:02,520 --> 00:03:04,650
allows you to implement

60
00:03:04,650 --> 00:03:07,370
true end-to-end encryption,

61
00:03:07,370 --> 00:03:11,600
where the traffic is encrypted on the client,

62
00:03:11,600 --> 00:03:15,760
and remains encrypted all the way through to the back end,

63
00:03:15,760 --> 00:03:17,770
where it can then be decrypted.

64
00:03:17,770 --> 00:03:19,790
And so that would be your choice if you wanted to

65
00:03:19,790 --> 00:03:22,623
implement that true end-to-end encryption.