Task Statement 1.3: Design solutions that integrate load balancing to meet high availability, scalability, and security requirements.
📘AWS Certified Advanced Networking – Specialty
In AWS load balancing, a target group defines where a load balancer sends traffic. It contains the targets (servers or resources) that process incoming requests.
Target groups also define the protocol, port, health checks, and target type used by the load balancer.
In AWS, target groups are used with the Elastic Load Balancing (ELB) service, specifically with these load balancer types:
- Application Load Balancer (ALB)
- Network Load Balancer (NLB)
- Gateway Load Balancer (GWLB)
For the AWS Certified Advanced Networking – Specialty exam, you must understand:
- Target group protocols (TCP, GENEVE)
- Target types (Instance vs IP)
- When each option should be used
- How they affect architecture design
1. What Is a Target Group?
A target group is a logical group of backend resources that receive traffic from a load balancer.
The load balancer performs these tasks:
- Accepts incoming client traffic
- Applies routing rules
- Forwards traffic to a target group
- Selects a healthy target inside the group
Targets inside the group can include:
- EC2 instances
- IP addresses
- Containers
- Appliances
- On-premises servers
Target groups also include health checks, which allow the load balancer to send traffic only to healthy targets.
2. Target Group Protocol Options
Target groups define the protocol used between the load balancer and the backend targets.
Important protocols for the exam include:
- TCP
- GENEVE
Each protocol is supported by specific load balancer types and suits different architectures.
3. TCP Target Groups
What TCP Means
TCP stands for Transmission Control Protocol.
It is a Layer 4 transport protocol that provides:
- Reliable data delivery
- Connection-oriented communication
- Ordered packet transmission
Most IT services run over TCP.
Where TCP Target Groups Are Used
TCP target groups are mainly used with:
- Network Load Balancer
NLB operates at Layer 4 of the OSI model, which means it works with:
- TCP
- UDP
- TLS
The load balancer forwards packets based on:
- IP address
- Port number
It does not inspect HTTP headers or application data.
Example IT Usage
Typical services that use TCP target groups include:
- Web servers running on TCP ports
- Database servers
- Messaging systems
- Custom TCP applications
Example architecture:
Client → Network Load Balancer → Target Group (TCP) → EC2 Instances
Key Characteristics of TCP Target Groups
Important characteristics include:
1. High performance
TCP target groups support:
- Very high throughput
- Millions of requests per second
- Ultra-low latency
This is because Layer 4 load balancing requires less processing than Layer 7.
2. Static IP support
When using NLB with TCP target groups:
- The load balancer can have static IP addresses
- It can also use Elastic IPs
This is useful for architectures that require fixed IPs.
3. Source IP preservation
The client’s original IP address is preserved.
This allows backend servers to:
- Log real client IPs
- Apply security rules
4. TLS pass-through
If the client uses TLS, NLB can pass the encrypted traffic straight through to the targets.
The targets then perform the TLS decryption themselves.
Exam Tip
Choose TCP target groups when:
- You need very high performance
- You need Layer 4 load balancing
- Applications require source IP preservation
- Backend systems handle the application logic
4. GENEVE Target Groups
What GENEVE Means
GENEVE stands for:
Generic Network Virtualization Encapsulation
It is a network tunneling protocol that encapsulates the original packet inside another (outer) packet so it can be carried across a different network path.
GENEVE is commonly used in:
- Network virtualization
- Security appliances
- Traffic inspection architectures
Where GENEVE Target Groups Are Used
GENEVE target groups are used with:
- Gateway Load Balancer
Gateway Load Balancer is designed to integrate third-party virtual appliances, such as:
- Firewalls
- Intrusion detection systems
- Intrusion prevention systems
- Traffic inspection platforms
How GENEVE Works
When a packet enters a Gateway Load Balancer:
- The original packet is encapsulated using GENEVE.
- The encapsulated packet is sent to a security appliance.
- The appliance processes or inspects the traffic.
- The packet is returned to the load balancer.
- The load balancer removes the encapsulation and forwards the packet.
Example IT Usage
A common architecture is:
Client → VPC → Gateway Load Balancer → Security Appliance Fleet → Application Servers
Security appliances may perform:
- Deep packet inspection
- Firewall filtering
- Threat detection
- Traffic analysis
The appliances receive traffic using GENEVE encapsulation.
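The encapsulate, inspect and return sequence above, as an added example that is not part of the original page: a minimal GENEVE (RFC 8926) encoder and decoder in Python, plus the check an inspection appliance must satisfy, returning the packet with the GENEVE header unchanged so the Gateway Load Balancer can match it to the flow. The option class 0x0108 and the three option types follow the GWLB header layout AWS documents; the option values, VNI and inner packet are constructed.

```python
import struct
from ipaddress import IPv4Address

AWS_OPTION_CLASS = 0x0108        # option class AWS documents for its GWLB TLVs
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}
SAMPLE_OPTIONS = [               # constructed values laid out like the three GWLB TLVs
    (AWS_OPTION_CLASS, 1, bytes.fromhex("0a1b2c3d4e5f6071")),
    (AWS_OPTION_CLASS, 2, bytes.fromhex("1122334455667788")),
    (AWS_OPTION_CLASS, 3, bytes.fromhex("deadbeef")),
]
SAMPLE_INNER = bytes.fromhex("4500001400000000400600000a00010f0a00020a")  # constructed IPv4 header: 10.0.1.15 -> 10.0.2.10, TCP, no payload

def build_geneve(vni, options, inner):
    """Wrap `inner` in a GENEVE header (version 0, Ethertype 0x0800 = IPv4) carrying `options`."""
    opts = b"".join(struct.pack("!HBB", cls, typ, len(data) // 4) + data
                    for cls, typ, data in options)
    return struct.pack("!BBHI", len(opts) // 4, 0, 0x0800, vni << 8) + opts + inner

def parse_geneve(payload):
    """Decode a GENEVE header per RFC 8926; return (header dict, inner packet bytes)."""
    if len(payload) < 8:
        raise ValueError("truncated GENEVE base header")
    first, flags, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if first >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {first >> 6}")
    end = 8 + (first & 0x3F) * 4                # option length is in 4-byte words
    if len(payload) < end:
        raise ValueError("truncated GENEVE options")
    options, pos = [], 8
    while pos < end:
        cls, typ, len_byte = struct.unpack("!HBB", payload[pos:pos + 4])
        data_len = (len_byte & 0x1F) * 4        # low 5 bits, again in 4-byte words
        if pos + 4 + data_len > end:
            raise ValueError("GENEVE option overruns the option area")
        name = AWS_OPTION_NAMES.get(typ) if cls == AWS_OPTION_CLASS else None
        options.append((cls, typ, name, payload[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    header = {"protocol": proto, "vni": vni_rsvd >> 8, "options": options, "critical": bool(flags & 0x40)}
    return header, payload[end:]

def inner_flow(inner):
    """(src, dst, protocol) of the encapsulated IPv4 packet, which is what the appliance inspects."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20])), inner[9]

def header_echoed(received, returned):
    """GWLB matches the returned packet to its flow by the GENEVE header, so the appliance must echo it unchanged."""
    return parse_geneve(received)[0] == parse_geneve(returned)[0]
```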
Key Characteristics of GENEVE Target Groups
1. Used for security appliance integration
GENEVE enables AWS to integrate with:
- Third-party network security vendors
- Virtual appliances deployed on EC2
2. Transparent traffic inspection
Applications do not need to be modified.
Traffic can be inspected before reaching application servers.
3. Centralized security architecture
Multiple VPCs can send traffic through a centralized Gateway Load Balancer security layer.
Exam Tip
Choose GENEVE target groups when:
- Deploying security appliances
- Implementing traffic inspection architectures
- Using Gateway Load Balancer
GENEVE is specifically designed for network function virtualization.
5. Target Types: Instance vs IP
When creating a target group, AWS allows different target types.
Two important types for the exam are:
- Instance
- IP
These determine how the load balancer identifies backend targets.
6. Instance Target Type
What Instance Targets Mean
The instance target type registers targets using EC2 instance IDs.
Example:
Target group includes:
- EC2 Instance A
- EC2 Instance B
- EC2 Instance C
The load balancer forwards traffic to those instances.
How Traffic Is Routed
Traffic is sent to the primary network interface of the instance.
It uses:
- Instance ID
- Port number
Example:
Target group configuration:
Instance ID: i-123456789
Port: 80
Example IT Usage
Typical architectures:
Load Balancer → Target Group (Instance) → EC2 Web Servers
This is commonly used for:
- Traditional EC2-based applications
- Auto Scaling groups
- Standard server deployments
Key Characteristics
1. Simple configuration
Registering instances is straightforward.
AWS automatically tracks the instance network interface.
2. Works with Auto Scaling
Target groups can be attached to:
- Amazon EC2 Auto Scaling groups
Instances automatically register and deregister as scaling events occur.
3. Health check integration
Load balancers perform health checks on instances.
Unhealthy instances are removed from traffic.
Limitations
Instance target type only supports:
- EC2 instances in the same VPC
It cannot directly target:
- On-premises servers
- External systems
- Containers with independent IP addresses
Exam Tip
Choose Instance target type when:
- Using standard EC2 server architectures
- Integrating with Auto Scaling groups
- Backend services run directly on EC2
7. IP Target Type
What IP Target Type Means
The IP target type registers targets using IP addresses instead of instance IDs.
Example:
Target group includes:
- 10.0.1.15
- 10.0.2.10
- 10.0.3.20
The load balancer sends traffic directly to those IP addresses.
Example IT Usage
IP target groups are useful in modern architectures such as:
Container environments using:
- Amazon Elastic Kubernetes Service
- Amazon Elastic Container Service
Each container or pod may have its own IP address.
The load balancer can route traffic directly to those IPs.
Hybrid Architecture Example
IP target groups also support hybrid connectivity.
Example architecture:
Client → Load Balancer → Target Group (IP) → On-premises server
This works when connected through:
- AWS Direct Connect
- AWS Site-to-Site VPN
Key Characteristics
1. Supports non-EC2 targets
IP targets can include:
- On-premises servers
- Containers
- Virtual machines outside AWS
2. Supports container networking
Each container or pod can be registered individually.
This improves traffic distribution and scaling.
3. Flexible architecture
IP targets allow integration with:
- Hybrid environments
- Multi-network systems
- External services
Exam Tip
Choose IP target type when:
- Using containers
- Integrating on-premises resources
- Routing traffic to non-EC2 targets
8. Instance vs IP Target Types (Comparison)
| Feature | Instance Target | IP Target |
|---|---|---|
| Registration method | EC2 instance ID | IP address |
| Supported targets | EC2 instances only | EC2, containers, on-prem systems |
| Auto Scaling integration | Native support | Manual or orchestrator-managed |
| Container support | Limited | Full support |
| Hybrid architecture | Not supported | Supported |
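An added example (not from the original page) that turns the Instance vs IP comparison above into a check over a backend list: EC2 instance IDs become instance targets, addresses inside the VPC CIDR or inside the private ranges AWS accepts for IP targets become IP targets, and publicly routable addresses are rejected. The VPC CIDR and the backend identifiers are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Ranges from which IP-type targets may be registered besides the VPC's own CIDR (ALB/NLB
# target group rules); publicly routable addresses cannot be registered as targets.
PRIVATE_TARGET_RANGES = [ip_network(c) for c in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")   # EC2 instance ID format

def classify_target(target, vpc_cidr):
    """Return (target_type, note) for one backend, or raise ValueError if it cannot be registered."""
    if INSTANCE_ID.match(target):
        return "instance", "EC2 instance in the load balancer's VPC; traffic goes to its primary ENI"
    try:
        addr = ip_address(target)
    except ValueError:
        raise ValueError(f"{target!r} is neither an EC2 instance ID nor an IP address") from None
    if addr in ip_network(vpc_cidr):
        return "ip", "in-VPC IP target, e.g. an ECS task or EKS pod address"
    if any(addr in net for net in PRIVATE_TARGET_RANGES):
        return "ip", "private IP outside the VPC: needs Direct Connect, Site-to-Site VPN or peering"
    raise ValueError(f"{target} is publicly routable and cannot be an IP target")

def is_registrable(target, vpc_cidr):
    """True if classify_target accepts the backend."""
    try:
        classify_target(target, vpc_cidr)
        return True
    except ValueError:
        return False

def plan_target_group(targets, vpc_cidr):
    """A target group has one target type; return it for the list or raise if the list mixes types."""
    kinds = {classify_target(t, vpc_cidr)[0] for t in targets}
    if len(kinds) != 1:
        raise ValueError("instance and IP targets cannot share a target group: " + ", ".join(sorted(kinds)))
    return kinds.pop()
```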
9. Quick Exam Summary
For the AWS Advanced Networking Specialty exam, remember the following:
TCP Target Groups
- Used with Network Load Balancer
- Layer 4 load balancing
- High performance and low latency
- Supports TCP-based applications
GENEVE Target Groups
- Used with Gateway Load Balancer
- Designed for security appliances
- Enables traffic inspection architectures
Instance Target Type
- Targets EC2 instances
- Works with Auto Scaling groups
- Simple traditional architecture
IP Target Type
- Targets IP addresses
- Supports containers and hybrid environments
- Useful for EKS, ECS, and on-prem systems
