81. ELB

ELB = Elastic Load Balancers
Balances load across multiple servers. A load balancer is a server that forwards internet traffic to multiple servers (EC2 instances) downstream; those instances are the load balancer's back-end (target) instances. The more users we have, the more the load is spread across the instances.
Why use a load balancer:
Spread load across multiple downstream instances.
Expose a single point of access (a DNS hostname) for the application.
Seamlessly handle failures of downstream instances: the load balancer runs regular health checks against the EC2 instances, and if an instance fails them the load balancer stops sending it traffic, so the failure of any single instance is hidden from clients.
Provide SSL/TLS termination (HTTPS) for the website, so certificates are managed on the load balancer rather than on every instance.
Work across multiple AZs, which makes the application highly available.

ELB is a managed load balancer: we do not need to provision servers, AWS does it for us and guarantees that it keeps working. AWS takes care of upgrades, maintenance and high availability.
Running your own load balancer on an EC2 instance is cheaper in AWS charges, but it involves a lot more effort: installation, integration, patching and maintaining the OS, upgrades, and so on.

Types of Load Balancers:
i) Application Load Balancer: load balances HTTP and HTTPS traffic (including HTTP/2, gRPC and WebSocket). Operates at layer 7 and is application aware: it can do advanced request routing, sending specific requests (by path, host header, HTTP header, query string, method or source IP) to specific target groups.
ii) Network Load Balancer: load balances TCP, TLS and UDP traffic where extreme (ultra high) performance is required. Operates at layer 4 and is capable of handling millions of requests per second while maintaining ultra-low latencies.
iii) Classic Load Balancer: the legacy (old) ELB. Simple routing and basic load balancing at the most cost-effective rate. It can load balance HTTP/HTTPS applications and use layer-7-specific features such as X-Forwarded-For headers and sticky sessions, or do strict layer 4 load balancing for applications that rely purely on TCP. If the application stops responding, the Classic Load Balancer returns a 504 (Gateway Timeout) error: the backend did not reply within the idle timeout period. A 504 therefore points at the application tier (web server or DB server), not at the load balancer; identify where the application is failing and scale it up or out where possible.
iv) Gateway Load Balancer: released on Nov 10th 2020 as a fourth type. Operates at layer 3 and is used to insert third-party virtual appliances (firewalls, IDS/IPS, deep packet inspection) transparently into the traffic path, exchanging packets with the appliances over the GENEVE protocol on port 6081.

User >> ELB >> Multiple EC2 instances

If we need the client's IP address, look at the X-Forwarded-For header: the ELB appends the IP of the connection it accepted to the end of the list, while anything earlier in the list was supplied by the client or upstream proxies and can be forged. X-Forwarded-Proto and X-Forwarded-Port carry the original scheme and port.
Instances monitored by a Classic Load Balancer are reported as InService or OutOfService (ALB/NLB targets report healthy or unhealthy, plus initial, draining, unused and unavailable).
Load balancers have their own DNS name; for ALB and CLB we are never given a fixed IP address (NLB is the exception: it gets one static IP per AZ and can be assigned Elastic IPs).
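Because the left-hand entries of X-Forwarded-For are whatever the client sent, an application that reads the first entry can be fed a forged address (to slip past an IP allow-list, poison audit logs or defeat rate limiting). The helper below is an added example, not part of these notes or of any AWS SDK: it walks the header from the right and only steps further left past proxies it has explicitly been told to trust. The header strings and the 192.0.2.0/24 "trusted proxy" range are constructed placeholders; in practice you would load, for example, CloudFront's published address ranges.

```python
import ipaddress


def client_ip_from_xff(xff_header, trusted_proxies=()):
    """Return the client IP that the ELB actually saw, or None.

    An ELB appends the source address of the connection it accepted to the
    END of X-Forwarded-For. Everything to the left arrived inside the request
    and may be forged, so start from the right and only move further left
    when the entry belongs to a proxy we trust (e.g. a CDN in front of the
    load balancer). `trusted_proxies` is an iterable of CIDR strings.
    """
    if not xff_header:
        # No header at all means the request did not come through the ELB
        # (or the listener strips the header); do not guess an address.
        return None
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]
    for raw in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # The ELB only appends well-formed addresses, so a malformed entry
            # is client-supplied garbage (or a log-injection attempt): refuse.
            return None
        if any(addr in net for net in trusted):
            continue
        return str(addr)
    # Every entry belonged to a trusted proxy: the real client never appeared.
    return None


if __name__ == "__main__":
    # Constructed headers: a client forging "1.2.3.4" behind a trusted proxy.
    print(client_ip_from_xff("1.2.3.4, 203.0.113.7, 192.0.2.10",
                             trusted_proxies=("192.0.2.0/24",)))
```

Two caveats. First, this only holds when the instances are reachable exclusively through the ELB (the EC2 security group admits the load balancer's security group and nothing else); a request that bypasses the ELB carries a wholly client-controlled header. Second, an ALB has a listener attribute (routing.http.xff_header_processing.mode) whose default, append, is what the code assumes; in preserve mode the ALB no longer appends its own entry and the rightmost value cannot be trusted.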

Load Balancers cannot help with back-end autoscaling. You should use Auto Scaling Groups.

Questions:
i. Which two of the following can be used as CloudFront custom origins?
A. S3 bucket
B. S3 object
C. EC2 instance
D. Elastic Load Balancer
E. API gateway
Answer (C,D)

ii. What two features describe an Application Load Balancer (ALB)?
A. dynamic port mapping
B. SSL listener
C. layer 7 load balancer
D. backend server authentication
E. multi-region forwarding
Answer (A,C)

iii. What three features are characteristic of Classic Load Balancer?
A. dynamic port mapping
B. path-based routing
C. SSL listener
D. backend server authentication
E. ECS
F. Layer 4 based load balancer
Answer (C,D,F)

iv. What security feature is only available with Classic Load Balancer?
A. IAM role
B. SAML
C. back-end server authentication
D. security groups
E. LDAP
Answer (C)

v. What is a primary difference between Classic and Network Load Balancer?
A. IP address target
B. Auto-Scaling
C. protocol target
D. cross-zone load balancing
E. listener
Answer (A)

vi. What DNS records can be used for pointing a zone apex to an Elastic Load Balancer or CloudFront distribution? (Select two) (A Route 53 Alias record is stored as an A or AAAA record; a CNAME is not permitted at the zone apex.)
A. Alias
B. CNAME
C. MX
D. A
E. Name Server
Answer (A,D)

vii. You have an Elastic Load Balancer assigned to a VPC with public and private subnets. The ELB is configured to load balance traffic to a group of EC2 instances assigned to an Auto Scaling group. What three statements are correct?
A. Elastic Load Balancer is assigned to a public subnet
B. network ACL is assigned to Elastic Load Balancer
C. security group is assigned to Elastic Load Balancer
D. cross-zone load balancing is not supported
E. Elastic Load Balancer forwards traffic to the primary private IP address (eth0 interface) on each instance
Answer (A,C,E)

viii. How is load balancing enabled for multiple tasks to the same container instance?
A. path-based routing
B. reverse proxy
C. NAT
D. dynamic port mapping
E. dynamic listeners
Answer (D)

ix. A solutions architect has created a new Application Load Balancer and has configured a target group with IP address as a target type. Which of the following types of IP addresses are allowed as a valid value for this target type?
Answer: Private IP address
Explanation: When you create a target group, you specify its target type, which can be an Instance, IP or a Lambda function. For IP address target type, you can route traffic using any private IP address from one or more network interfaces.

x. The engineering team at a data analytics company has observed that its flagship application functions at its peak performance when the underlying EC2 instances have a CPU utilization of about 50%. The application is built on a fleet of EC2 instances managed under an Auto Scaling group. The workflow requests are handled by an internal Application Load Balancer that routes the requests to the instances. As a solutions architect, what would you recommend so that the application runs near its peak performance state?
Answer: Configure the ASG to use target tracking policy and set the CPU utilization as the target metric with a target value of 50%
Explanation: With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. With step scaling and simple scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that trigger the scaling process; neither can be configured to hold a target value for CPU utilization. Also, an Auto Scaling group cannot act on a CloudWatch alarm directly: the alarm has to trigger a scaling policy.

xi. An e-commerce company is looking for a solution with high availability, as it plans to migrate its flagship application to a fleet of Amazon EC2 instances. The solution should allow for content-based routing as part of the architecture. As a Solutions Architect, which of the following will you suggest for the company?
Answer: Use an ALB for distributing traffic to the EC2 instances spread across different AZs. Configure ASG to mask any failure of an instance.
Explanation: The Application Load Balancer (ALB) is best suited for load balancing HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers. Operating at the individual request level (Layer 7), the Application Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) based on the content of the request.
This is the correct option since the question has a specific requirement for content-based routing which can be configured via the Application Load Balancer. Different AZs provide high availability to the overall architecture and Auto Scaling group will help mask any instance failures.

Question 1:
You are building a two-tier web application that delivers content while processing transactions on AWS. The data layer utilizes an online transaction processing (OLTP) database. At the WEB layer, it is necessary to create a flexible and scalable architectural configuration.
Choose the best way to meet this requirement.
Options:
A. Set up ELB and Auto Scaling groups on your EC2 instance
B. Set up a multi-AZ configuration for RDS
C. Deploy EC2 instances in multi-AZ to configure failover routing with Route53
D. Launch more EC2 instances than expected capacity
Answer: A
Explanation
Option A is correct. Configuring Auto Scaling and ELB in front of the EC2 instances gives flexible and scalable server processing on AWS: ELB distributes traffic across multiple instances for redundancy, and Auto Scaling adds instances automatically under heavy load.
Option B is incorrect. The requirement is a flexible and scalable configuration in the WEB layer; an RDS Multi-AZ configuration is a database-layer setting.
Option C is incorrect. Route 53 failover routing improves fault tolerance but does not add capacity or performance.
Option D is incorrect. Launching more EC2 instances than the expected capacity is not a flexible configuration.

Question 2:
An e-commerce application is hosted in AWS. The last time a new product was launched, the application experienced a performance issue due to an enormous spike in traffic. Management decided that capacity must be doubled this week after the product is launched.
What is the MOST efficient way for management to ensure that capacity requirements are met?
Options:
A. Add a Step Scaling Policy
B. Add a Scheduled Scaling Action
C. Add a Simple Scaling Policy
D. Add Amazon EC2 Spot instances
Answer: B
Explanation
Scaling based on a schedule allows you to set your own scaling schedule for predictable load changes. To configure your Auto Scaling group to scale based on a schedule, you create a scheduled action. This is ideal for situations where you know when and for how long you are going to need the additional capacity.
CORRECT: “Add a Scheduled Scaling action” is the correct answer.
INCORRECT: “Add a Step Scaling policy” is incorrect. Step scaling policies increase or decrease the current capacity of your Auto Scaling group based on a set of scaling adjustments, known as step adjustments. The adjustments vary based on the size of the alarm breach. This is more suitable to situations where the load is unpredictable.
INCORRECT: “Add a Simple Scaling policy” is incorrect. AWS recommends step scaling over simple scaling in most cases. With simple scaling, after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cooldown period to expire before responding to additional alarms (in contrast to step scaling). Again, this is more suitable to unpredictable workloads.
INCORRECT: “Add Amazon EC2 Spot instances” is incorrect. Adding spot instances may decrease EC2 costs but you still need to ensure they are available. The main requirement of the question is that the performance issues are resolved rather than the cost being minimized.

Question 3:
A solutions architect has created a new Application Load Balancer and has configured a target group with IP address as a target type.
Which of the following types of IP addresses are allowed as a valid value for this target type?
Options:
A. Elastic IP address
B. Public IP address
C. Dynamic IP address
D. Private IP address
Answer: D
Explanation
Correct option:
Private IP address
When you create a target group, you specify its target type, which can be an Instance, IP or a Lambda function.
For IP address target type, you can route traffic using any private IP address from one or more network interfaces.
Incorrect options:
Public IP address
Elastic IP address
You can’t specify publicly routable IP addresses as values for IP target type, so both these options are incorrect.
Dynamic IP address – “Dynamic IP address” is not a target type or a valid value for one; this option is a distractor.

Question 30:
You would like to deploy an application behind an Application Load Balancer, that will have some Auto Scaling capability and efficiently leverage a mix of Spot Instances and On-Demand instances to meet demand.
What do you recommend to manage the instances?
A• Create a Spot Instance Request
B• Create an ASG with a launch template
C• Create a Spot Fleet Request
D• Create an ASG with a launch configuration
Answer: B
Explanation
Correct option:
Create an ASG with a launch template
A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping.
A launch template is similar to a launch configuration, in that it specifies instance configuration information. Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template.
Launch Templates do support a mix of On-Demand and Spot instances, and thanks to the ASG, we get auto-scaling capabilities. Hence this is the correct option.
Incorrect options:
Create a Spot Instance Request – A Spot Instance is an unused EC2 instance that is available for less than the On-Demand price. Because Spot Instances enable you to request unused EC2 instances at steep discounts, you can lower your Amazon EC2 costs significantly. The hourly price for a Spot Instance is called a Spot price.
Spot Instance Requests only help to launch spot instances so we have to rule that out.
Create a Spot Fleet Request – A Spot Fleet request can launch a mix of On-Demand and Spot instances, but a Spot Fleet is not an Auto Scaling group and does not give us the ASG-based scaling and ALB integration the question asks for; AWS points new workloads at EC2 Auto Scaling groups instead. So this option is incorrect.
Create an ASG with a launch configuration – ASG Launch Configurations do not support a mix of On-Demand and Spot instances. So this option is incorrect as well.

Question 34:
The development team at an e-commerce startup has set up multiple microservices running on EC2 instances under an Elastic Load Balancer. The team wants to route traffic to multiple back-end services based on the content of the request.
Which of the following types of load balancers would allow routing based on the content of the request?
A• Classic Load Balancer
B• Both Application Load Balancer and Network Load Balancer
C• Application Load Balancer
D• Network Load Balancer
Answer: C
Explanation
Correct option:
Application Load Balancer
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Each target group can be an independent microservice, therefore this option is correct.
Incorrect options:
Network Load Balancer – Network Load Balancer operates at the connection level (Layer 4), routing connections to targets – Amazon EC2 instances, microservices, and containers – within Amazon Virtual Private Cloud (Amazon VPC) based on IP protocol data.
Classic Load Balancer – Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.
Network Load Balancer or Classic Load Balancer cannot be used to route traffic based on the content of the request. So both these options are incorrect.
Both Application Load Balancer and Network Load Balancer – Network Load Balancer cannot be used to route traffic based on the content of the request. So this option is also incorrect.
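The routing described in the explanation above (rules evaluated in priority order, lowest number first; all conditions of a rule ANDed, the values inside one condition ORed; the listener's default rule as fallback) is easy to get wrong in a way that matters for security: a broad catch-all rule with a lower priority number silently swallows requests meant for a stricter rule. The evaluator below is an added example, not ALB's own code or any AWS SDK; it reproduces the matching semantics for host-header and path-pattern conditions (ALB's `*` matches zero or more characters and `?` exactly one; paths are case-sensitive, host names are compared case-insensitively here). The listener configuration, target group names and the "authenticate-oidc-then-forward" action label are constructed placeholders.

```python
import re


def _wildcard_regex(pattern):
    """Translate an ALB condition value into a regex: '*' matches zero or more
    characters and '?' exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule, request):
    """All conditions of a rule must hold (AND); within one condition any of
    the listed values may match (OR)."""
    for cond in rule["conditions"]:
        if cond["field"] == "path-pattern":
            value, values = request["path"], cond["values"]        # case-sensitive
        elif cond["field"] == "host-header":
            value = request["host"].lower()                          # DNS names are not case-sensitive
            values = [v.lower() for v in cond["values"]]
        else:
            raise ValueError(f"unsupported condition field {cond['field']!r}")
        if not any(_wildcard_regex(v).match(value) for v in values):
            return False
    return True


def route(rules, default_action, request):
    """Evaluate rules in ascending priority (lowest number first) and return
    the action of the first match; fall back to the listener's default rule."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, request):
            return rule["action"]
    return default_action


# Constructed listener configuration; target group names are placeholders.
DEFAULT_ACTION = "forward:tg-web"
SHADOWED_RULES = [
    {"priority": 10, "action": "forward:tg-api",
     "conditions": [{"field": "path-pattern", "values": ["/api/*"]}]},
    # Meant to force OIDC authentication for the admin API, but never reached:
    # priority 10 already matched every /api/ path.
    {"priority": 20, "action": "authenticate-oidc-then-forward:tg-admin",
     "conditions": [{"field": "host-header", "values": ["admin.example.com"]},
                    {"field": "path-pattern", "values": ["/api/admin/*"]}]},
]
# Same rules with the more specific (and more protected) rule given the lower
# priority number so that it is evaluated first.
FIXED_RULES = [dict(r, priority=p) for r, p in zip(SHADOWED_RULES, (20, 10))]


if __name__ == "__main__":
    req = {"host": "admin.example.com", "path": "/api/admin/users"}
    print("shadowed:", route(SHADOWED_RULES, DEFAULT_ACTION, req))
    print("fixed:   ", route(FIXED_RULES, DEFAULT_ACTION, req))
```

Order rules from most specific to least specific and re-test the boundaries (admin paths, unusual casing, a host that should fall through to the default) after every change; the evaluator above can be pointed at the rule list exported from a real listener to do that offline.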

Question 55:
An HTTP application is deployed on an Auto Scaling Group, is accessible from an Application Load Balancer that provides HTTPS termination, and accesses a PostgreSQL database managed by RDS.
How should you configure the security groups? (Select three)
A• The security group of the ALB should have an inbound rule from anywhere on port 443
B• The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432
C• The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 80
D• The security group of the ALB should have an inbound rule from anywhere on port 80
E• The security group of the EC2 instances should have an inbound rule from the security group of the RDS database on port 5432
F• The security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80
Answer: A, B & F
Explanation
Correct options:
The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432
The security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80
The security group of the ALB should have an inbound rule from anywhere on port 443
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, the default security group is used. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When deciding whether to allow traffic to reach an instance, all the rules from all the security groups associated with the instance are evaluated. Characteristics of security group rules: by default, security groups allow all outbound traffic; security group rules are always permissive (you can't create rules that deny access); security groups are stateful.
PostgreSQL port = 5432, HTTP port = 80, HTTPS port = 443.
The traffic flows like this:
The client sends an HTTPS request to the ALB on port 443. This is handled by the rule: the security group of the ALB should have an inbound rule from anywhere on port 443.
The ALB then forwards the request to one of the EC2 instances. This is handled by the rule: the security group of the EC2 instances should have an inbound rule from the security group of the ALB on port 80.
The EC2 instance then accesses the PostgreSQL database managed by RDS on port 5432. This is handled by the rule: the security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 5432.
Incorrect options:
The security group of the ALB should have an inbound rule from anywhere on port 80 – The client sends an HTTPS request to ALB on port 443 and not on port 80, so this is incorrect.
The security group of the EC2 instances should have an inbound rule from the security group of the RDS database on port 5432 – The security group of the EC2 instances should have an inbound rule from the security group of the ALB and not from the security group of the RDS database, so this option is incorrect.
The security group of RDS should have an inbound rule from the security group of the EC2 instances in the ASG on port 80 – The EC2 instance further accesses the PostgreSQL database managed by RDS on port 5432 and not on port 80, so this option is incorrect.
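A way to check that the three-tier chaining from this question matches what is actually deployed, as an added example that is not from these notes or from AWS: flatten the JSON that `aws ec2 describe-security-groups --output json` returns into (protocol, port range, source) tuples per group and diff them against the intended rules. The group IDs sg-alb, sg-app and sg-db are placeholders (real IDs look like sg-0123456789abcdef0) and SAMPLE is constructed output that deliberately contains three mistakes: port 80 open to the world on the ALB, SSH open to the world on the app tier, and the database accepting 5432 from the ALB group instead of the app group.

```python
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}


def ingress_rules(group):
    """Flatten a group's IpPermissions into (protocol, from_port, to_port, source)
    tuples; 'source' is a CIDR or, for group-to-group rules, a security group ID."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]                 # "tcp", "udp", "icmp" or "-1" (all)
        lo = perm.get("FromPort", -1)              # absent for protocol "-1": all ports
        hi = perm.get("ToPort", -1)
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                   + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
        for src in sources:
            rules.add((proto, lo, hi, src))
    return rules


def audit(describe_output, expected):
    """Compare deployed ingress rules with the intended ones.

    `expected` maps group ID -> set of (protocol, from_port, to_port, source).
    Returns a list of findings ordered by group; an empty list means every
    group has exactly the rules it should have, no more and no less.
    """
    findings = []
    groups = {g["GroupId"]: g for g in describe_output["SecurityGroups"]}
    for gid in sorted(expected):
        if gid not in groups:
            findings.append(f"{gid}: group not found")
            continue
        have, want = ingress_rules(groups[gid]), expected[gid]
        for proto, lo, hi, src in sorted(have - want):
            kind = "world-open" if src in WORLD else "unexpected"
            findings.append(f"{gid}: {kind} ingress {proto} {lo}-{hi} from {src}")
        for proto, lo, hi, src in sorted(want - have):
            findings.append(f"{gid}: missing ingress {proto} {lo}-{hi} from {src}")
    return findings


# Intended rules for the ALB -> EC2 -> RDS chain from the question above.
EXPECTED = {
    "sg-alb": {("tcp", 443, 443, "0.0.0.0/0")},
    "sg-app": {("tcp", 80, 80, "sg-alb")},
    "sg-db":  {("tcp", 5432, 5432, "sg-app")},
}


def _perm(proto, lo, hi, *sources):
    """Build one IpPermissions entry in describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": s} for s in sources if "/" in s and ":" not in s],
            "Ipv6Ranges": [{"CidrIpv6": s} for s in sources if ":" in s],
            "UserIdGroupPairs": [{"GroupId": s} for s in sources if s.startswith("sg-")]}


# Constructed describe-security-groups output with three deliberate mistakes.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-alb", "GroupName": "alb", "IpPermissions": [
        _perm("tcp", 443, 443, "0.0.0.0/0"),
        _perm("tcp", 80, 80, "0.0.0.0/0")]},          # HTTP left open (option D)
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        _perm("tcp", 80, 80, "sg-alb"),
        _perm("tcp", 22, 22, "0.0.0.0/0")]},          # SSH from anywhere
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        _perm("tcp", 5432, 5432, "sg-alb")]},         # wrong source group
]}


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --output json > sgs.json
    #        python3 sg_audit.py sgs.json      (no argument: audit SAMPLE)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(data, EXPECTED)) or "no findings")
```

Diffing in both directions matters: the "unexpected" and "world-open" findings are the ones that widen the attack surface (SSH from anywhere on the app tier, the database reachable from the load balancer group), while a "missing" rule is usually how you discover that the chain was "fixed" by opening something broader elsewhere. Run it against the real account on a schedule, not only once.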

Question 1:
A leading online gaming company is migrating its flagship application to AWS Cloud for delivering its online games to users across the world. The company would like to use a Network Load Balancer (NLB) to handle millions of requests per second. The engineering team has provisioned multiple instances in a public subnet and specified these instance IDs as the targets for the NLB.
As a solutions architect, can you help the engineering team understand the correct routing mechanism for these target instances?
A• Traffic is routed to instances using the primary elastic IP address specified in the primary network interface for the instance
B• Traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance
C• Traffic is routed to instances using the primary public IP address specified in the primary network interface for the instance
D• Traffic is routed to instances using the instance ID specified in the primary network interface for the instance
Answer: B
Explanation
Correct option:
Traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. It can handle millions of requests per second. After the load balancer receives a connection request, it selects a target from the target group for the default rule. It attempts to open a TCP connection to the selected target on the port specified in the listener configuration.
Request Routing and IP Addresses –
If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. The load balancer rewrites the destination IP address from the data packet before forwarding it to the target instance.
If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. This enables multiple applications on an instance to use the same port. Note that each network interface can have its security group. The load balancer rewrites the destination IP address before forwarding it to the target.
Incorrect options: Traffic is routed to instances using the primary public IP address specified in the primary network interface for the instance – If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. So public IP address cannot be used to route the traffic to the instance.
Traffic is routed to instances using the primary elastic IP address specified in the primary network interface for the instance – If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. So elastic IP address cannot be used to route the traffic to the instance.
Traffic is routed to instances using the instance ID specified in the primary network interface for the instance – You cannot use instance ID to route traffic to the instance. This option is just added as a distractor.

Question 23:
An e-commerce company is using an Elastic Load Balancer for its fleet of EC2 instances spread across two Availability Zones, with one instance as a target in Availability Zone A and four instances as targets in Availability Zone B. The company is doing benchmarking for server performance when cross-zone load balancing is enabled compared to the case when cross-zone load balancing is disabled.
As a solutions architect, which of the following traffic distribution outcomes would you identify as correct?
A• With cross-zone load balancing enabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives no traffic and four instances in Availability Zone B receive 25% traffic each
B• With cross-zone load balancing enabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each
C• With cross-zone load balancing enabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each
D• With cross-zone load balancing enabled, one instance in Availability Zone A receives no traffic and four instances in Availability Zone B receive 25% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each
Answer: B
Explanation
Correct option:
With cross-zone load balancing enabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each
The nodes for your load balancer distribute requests from clients to registered targets. When cross-zone load balancing is enabled, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones. Therefore, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. When cross-zone load balancing is disabled, each load balancer node distributes traffic only across the registered targets in its Availability Zone. Therefore, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each.
Consider the following diagrams (the scenario illustrated in the diagrams involves 10 target instances split across 2 AZs) to understand the effect of cross-zone load balancing.
If cross-zone load balancing is enabled, each of the 10 targets receives 10% of the traffic. This is because each load balancer node can route its 50% of the client traffic to all 10 targets.
If cross-zone load balancing is disabled:
Each of the two targets in Availability Zone A receives 25% of the traffic.
Each of the eight targets in Availability Zone B receives 6.25% of the traffic.
This is because each load balancer node can route its 50% of the client traffic only to targets in its Availability Zone
Incorrect options:
With cross-zone load balancing enabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each
With cross-zone load balancing enabled, one instance in Availability Zone A receives no traffic and four instances in Availability Zone B receive 25% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives 50% traffic and four instances in Availability Zone B receive 12.5% traffic each
With cross-zone load balancing enabled, one instance in Availability Zone A receives 20% traffic and four instances in Availability Zone B receive 20% traffic each. With cross-zone load balancing disabled, one instance in Availability Zone A receives no traffic and four instances in Availability Zone B receive 25% traffic each
These three options contradict the details provided in the explanation above, so they are incorrect.