AWS ELB Study Notes

Yst@IT · 4 min read · Aug 13, 2019

For ALB and CLB, you can get the client IP from the X-Forwarded-For header only when using an HTTP listener. Otherwise, you need to enable Proxy Protocol on the load balancer and deploy support for it in the backend services to get the client IP.

To read the client IP from the X-Forwarded-For header, modify the web service. For example, in httpd add `%{X-Forwarded-For}i` to the LogFormat directive in httpd.conf; the source IP will then show in the Apache access log.

When creating a target group, you can choose instance ID or IP as the target type. For instance ID, you can only choose instances from AWS. For IP, you can choose IPs from the address ranges below, which means you can target databases or on-premises resources if they are connected through Direct Connect or VPN. For IP targets, you can't specify publicly routable IP addresses.

  • The subnets of the VPC for the target group
  • 10.0.0.0/8 (RFC 1918)
  • 100.64.0.0/10 (RFC 6598)
  • 172.16.0.0/12 (RFC 1918)
  • 192.168.0.0/16 (RFC 1918)

ALB uses the round robin routing algorithm.

NLB uses a flow hash algorithm. Each individual TCP connection is routed to a single target for the life of the connection.

CLB uses the round robin routing algorithm for TCP listeners and the least outstanding requests routing algorithm for HTTP and HTTPS listeners.

If you choose an Internet-facing ELB, you must choose public subnets.

For NLB:

  1. Only supports TCP, TLS, UDP and TCP_UDP.
  2. You must register targets by instance ID so that the source IP addresses of the clients are preserved and provided to your applications.
  3. If the target group protocol is UDP or TCP_UDP, the target type must be instance.
  4. Does not support the Lambda target type; only Application Load Balancers do.
  5. If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address. The load balancer rewrites the destination IP address of the packet before forwarding it to the target instance.
  6. If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. The load balancer rewrites the destination IP address before forwarding it to the target.
  7. If you specify targets using an instance ID, the source IP addresses of the clients are preserved and provided to your applications. However, if you prefer, you can enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.
  8. If you specify targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes. If you need the IP addresses of the clients, enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.
  9. Before you enable Proxy Protocol on a target group, make sure that your applications expect and can parse the Proxy Protocol v2 header; otherwise, they might fail.
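
As an added example for note 9 (not code from the original post), this Python parser extracts the original client address from a Proxy Protocol v2 header, distinguishes LOCAL (health-check) connections, and rejects malformed headers instead of trusting a bogus address; the constant and function names and the sample stream are my own constructions.

```python
import ipaddress
import struct

# Proxy Protocol v2 constants (HAProxy PROXY protocol specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_FIXED_LEN = 16  # signature (12) + ver/cmd (1) + fam/proto (1) + length (2)
ADDR_FORMATS = {0x1: "!4s4sHH", 0x2: "!16s16sHH"}  # AF_INET, AF_INET6


def parse_proxy_protocol_v2(data: bytes):
    """Return (info, payload) for the Proxy Protocol v2 header starting a stream.
    info['client'] is the original (ip, port), or None for a LOCAL connection
    (e.g. a health check). Raises ValueError on a malformed header so the
    caller can drop the connection rather than trust a bogus address."""
    if len(data) < PP2_FIXED_LEN or not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing Proxy Protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported Proxy Protocol version")
    end = PP2_FIXED_LEN + length
    if len(data) < end:
        raise ValueError("truncated Proxy Protocol v2 header")
    body, payload = data[16:end], data[end:]
    command = ver_cmd & 0x0F
    if command == 0x0:  # LOCAL: the proxy itself connected, no client address carried
        return {"command": "LOCAL", "client": None, "target": None}, payload
    if command != 0x1:
        raise ValueError("unknown Proxy Protocol command")
    fmt = ADDR_FORMATS.get(fam_proto >> 4)
    if fmt is None or len(body) < struct.calcsize(fmt):
        raise ValueError("unsupported address family or short address block")
    # Any TLV fields following the address block are ignored here.
    src, dst, sport, dport = struct.unpack_from(fmt, body)
    proto = {0x1: "TCP", 0x2: "UDP"}.get(fam_proto & 0x0F, "UNSPEC")
    return {"command": "PROXY", "protocol": proto,
            "client": (str(ipaddress.ip_address(src)), sport),
            "target": (str(ipaddress.ip_address(dst)), dport)}, payload


def build_sample_header() -> bytes:
    """Constructed sample: PROXY TCP/IPv4 from 203.0.113.7:51234 to 10.0.1.20:443."""
    addrs = (ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.1.20").packed
             + struct.pack("!HH", 51234, 443))
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


# Constructed stream as a target would receive it from an NLB with Proxy Protocol on.
SAMPLE_STREAM = build_sample_header() + b"GET / HTTP/1.1\r\n"
```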

For CLB:

  1. Only supports HTTP, HTTPS, TCP and SSL.
  2. By default, when you use TCP for both front-end and back-end connections, CLB forwards requests to the instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request with connection information such as the source IP address, destination IP address, and port numbers. The header is then sent to the instance as part of the request.

For ALB:

  1. Only supports HTTP and HTTPS.
  2. If a target group is configured with the HTTPS protocol or uses HTTPS health checks, SSL/TLS connections to the targets use the security settings from the ELBSecurityPolicy-2016-08 policy.
  3. It has slow start mode. By default, a target starts to receive its full share of requests as soon as it is registered with a target group and passes an initial health check. Using slow start mode gives targets time to warm up before the load balancer sends them a full share of requests.

ELB comparison (table image in the original post).

Demo (screenshots in the original post).


Written by Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.