Task Statement 1.3: Design solutions that integrate load balancing to meet high
availability, scalability, and security requirements.
📘AWS Certified Advanced Networking – Specialty
This section explains how to design load balancing connectivity patterns in AWS based on different use cases. For the AWS Certified Advanced Networking – Specialty exam, you must clearly understand:
- When to use internal load balancers
- When to use external (internet-facing) load balancers
- How they are deployed inside a VPC
- How they integrate with routing, DNS, hybrid connectivity, and security controls
- How to design for high availability, scalability, and security
1. What Is a Connectivity Pattern?
A connectivity pattern describes how traffic flows:
- From where the traffic originates
- Through which network components it passes
- To which backend resources it is delivered
In AWS, connectivity patterns depend on:
- Whether traffic comes from the internet
- From another VPC
- From an on-premises data center
- From internal application tiers
Load balancers are placed strategically inside a VPC to control this traffic.
AWS provides load balancing using Elastic Load Balancing (ELB), which includes:
- Application Load Balancer (ALB) – Layer 7
- Network Load Balancer (NLB) – Layer 4
- Gateway Load Balancer (GWLB) – Layer 3; transparently inserts third-party security appliances, carrying traffic to them with GENEVE encapsulation (UDP 6081)
2. External (Internet-Facing) Load Balancer Pattern
What Is It?
An internet-facing load balancer receives traffic directly from the internet.
It is created with the internet-facing scheme and deployed in public subnets (subnets whose route table sends 0.0.0.0/0 to an internet gateway); its nodes receive public IP addresses. Placing it in subnets that have no route to an internet gateway leaves it unreachable from the internet.
How It Works
- A client accesses an application using DNS.
- DNS (for example, via Amazon Route 53) resolves to the load balancer’s public endpoint.
- Traffic enters through the internet gateway.
- The load balancer distributes traffic to backend instances in private subnets.
Architecture Components
- VPC
- Public subnets (for the load balancer)
- Private subnets (for EC2, containers, etc.)
- Internet Gateway
- Security Groups
- Target groups
When to Use It
Use an external load balancer when:
- Hosting a public website
- Providing a public API
- Serving mobile or web applications
- Allowing customers to access services over the internet
Example IT Use Case
A company hosts a public web application:
- An Application Load Balancer terminates HTTPS.
- It routes traffic to EC2 instances in private subnets.
- TLS certificates are issued or imported through AWS Certificate Manager and attached to the HTTPS listener.
- A Web Application Firewall such as AWS WAF protects against attacks.
Design Considerations for the Exam
High Availability
- Deploy load balancer across multiple Availability Zones
- Register targets in multiple AZs
- Use health checks
Scalability
- ELB automatically scales
- Backend Auto Scaling groups increase capacity
Security
- Use HTTPS
- Attach WAF
- Use security groups to restrict backend access
- Keep backend instances private
3. Internal Load Balancer Pattern
What Is It?
An internal load balancer:
- Is created with the internal scheme, so its nodes receive only private IP addresses (no public IP)
- Is accessible only inside the VPC or through private connectivity (VPC peering, Transit Gateway, Site-to-Site VPN, Direct Connect, PrivateLink)
- Is normally deployed in private subnets; the scheme, not the subnet, is what keeps it off the internet
When to Use It
Use internal load balancers when:
- Building multi-tier applications
- Backend services communicate internally
- Microservices need private communication
- Traffic comes from on-premises via VPN or Direct Connect
- Exposing private APIs to internal teams
Example IT Use Case
A three-tier application:
- Web tier → external ALB
- Application tier → internal ALB
- Database tier → private RDS
The web servers send traffic to the internal ALB, which distributes it across application servers.
No internet access is allowed to application servers.
Hybrid Connectivity Pattern
An internal load balancer can be accessed from:
- On-premises via AWS Direct Connect
- On-premises via AWS Site-to-Site VPN
- Other VPCs via AWS Transit Gateway
This is common when:
- Enterprises migrate workloads gradually
- Internal applications remain on-prem
- Cloud services must integrate with legacy systems
Exam Design Considerations
High Availability
- Deploy internal LB in multiple AZs
- Ensure private subnets exist in multiple AZs
Security
- No public exposure: the load balancer nodes have private IPs only
- Use security groups to restrict allowed source IP ranges or source security groups
- Filter subnet traffic with network ACLs, and keep the private subnets' route tables free of any route to an internet gateway
Scalability
- Combine with Auto Scaling
- Use NLB for high throughput internal traffic
4. East-West vs North-South Traffic Pattern
This concept is important for the exam.
North-South Traffic
Traffic between:
- Internet ↔ VPC
- On-prem ↔ AWS
Uses:
- External load balancers
- IGW
- Direct Connect
- VPN
East-West Traffic
Traffic inside:
- VPC to VPC
- Tier to tier
- Microservice to microservice
Uses:
- Internal load balancers
- PrivateLink
- Transit Gateway
5. Load Balancer Placement Patterns
Pattern 1: Public ALB + Private Targets
Most common web architecture:
Internet
→ Public ALB
→ EC2 in private subnets
Benefits:
- Backend servers are protected
- Only load balancer is public
Pattern 2: Internal ALB Between Application Tiers
Web tier
→ Internal ALB
→ App tier
Benefits:
- Controlled internal communication
- Service isolation
Pattern 3: NLB for Hybrid Connectivity
On-prem
→ Direct Connect
→ Internal NLB
→ Backend servers
Use when:
- Static IP required
- High throughput
- Low latency
- Non-HTTP protocols
Pattern 4: Gateway Load Balancer for Security Appliances
Used with:
- Firewalls
- Intrusion detection systems
- Deep packet inspection
Traffic flow:
Internet
→ Internet Gateway (an edge-associated route table sends ingress traffic to the GWLB endpoint)
→ GWLB endpoint in the application VPC
→ GWLB (GENEVE-encapsulates packets and distributes flows across the appliances)
→ Security appliance fleet (inspects and returns each packet)
→ back through the GWLB endpoint
→ Application
Used in centralized security VPC designs: the appliances live in a separate security VPC and each consumer VPC reaches them through its own GWLB endpoint. Return traffic must take the same path so the appliance sees both directions of every flow.
6. VPC and Subnet Design for Load Balancing
You must understand:
Public Subnet
- Route table includes route to Internet Gateway
- Used for internet-facing load balancers
Private Subnet
- No route to an internet gateway; outbound-only internet access, if needed, goes through a NAT gateway
- Used for:
- EC2 targets
- Internal load balancers
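The subnet rules above can be checked mechanically. The following script is an added example written for these notes, not AWS code: it classifies each subnet from its route table (explicit association first, otherwise the VPC main table) and verifies that every load balancer's scheme matches its subnet placement and spans at least two AZs. The input dicts are constructed to mirror the shape of the EC2 DescribeRouteTables and ELBv2 DescribeLoadBalancers responses so it runs offline; all resource IDs and names are invented.

```python
"""Audit load balancer placement against VPC route tables.

Added example for these study notes, not AWS code. The dicts below are
constructed to mirror the shape of the EC2 DescribeRouteTables and ELBv2
DescribeLoadBalancers responses (as returned by boto3 or the CLI), so the
check runs offline. All resource IDs and names are invented.
"""

# Constructed sample: one explicit "public" route table, plus the VPC main
# table (default for unassociated subnets) whose default route is a NAT gateway.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"},
        ],
    },
]

LOAD_BALANCERS = [
    {"LoadBalancerName": "web-alb", "Scheme": "internet-facing",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-pub-a"},
                           {"ZoneName": "us-east-1b", "SubnetId": "subnet-pub-b"}]},
    {"LoadBalancerName": "app-alb", "Scheme": "internal",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-priv-a"},
                           {"ZoneName": "us-east-1b", "SubnetId": "subnet-priv-b"}]},
    # Misplaced on purpose: internet-facing scheme, one private subnet, one AZ.
    {"LoadBalancerName": "broken-alb", "Scheme": "internet-facing",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-priv-a"}]},
]


def route_table_for(subnet_id, route_tables):
    """An explicitly associated table wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table found for {subnet_id}")
    return main


def is_public_subnet(subnet_id, route_tables):
    """Public means the default route points at an internet gateway.
    A NAT gateway default route (NatGatewayId key) leaves the subnet private."""
    routes = route_table_for(subnet_id, route_tables)["Routes"]
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in routes)


def check_placement(load_balancers, route_tables):
    """Return (lb_name, finding) pairs; an empty list means every load balancer
    sits in subnets that match its scheme and spans at least two AZs."""
    findings = []
    for lb in load_balancers:
        name, azs = lb["LoadBalancerName"], lb["AvailabilityZones"]
        public = {az["SubnetId"]: is_public_subnet(az["SubnetId"], route_tables)
                  for az in azs}
        if len({az["ZoneName"] for az in azs}) < 2:
            findings.append((name, "only one AZ: not highly available"))
        if lb["Scheme"] == "internet-facing":
            bad = sorted(s for s, p in public.items() if not p)
            if bad:
                # Nodes there have no IGW route, so internet clients cannot reach them.
                findings.append((name, f"internet-facing but in subnets without an IGW route: {bad}"))
        else:
            bad = sorted(s for s, p in public.items() if p)
            if bad:
                findings.append((name, f"internal LB placed in public subnets: {bad}"))
    return findings


if __name__ == "__main__":
    for lb_name, finding in check_placement(LOAD_BALANCERS, ROUTE_TABLES):
        print(f"{lb_name}: {finding}")
```

Against real accounts the same two functions can be fed the output of `describe-route-tables` and `describe-load-balancers`; the point of the check is that a subnet is public or private solely because of its default route, which is exactly what the exam expects you to reason about.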
7. DNS-Based Connectivity Patterns
Load balancers integrate with DNS using:
- Route 53 Alias records that point a friendly name (for example app.example.com) at the load balancer's own DNS name
- Private hosted zones (for internal load balancers), so the friendly name resolves only from VPCs associated with the zone
Keep name resolution and reachability apart: the DNS name ELB assigns to an internal load balancer (internal-<name>-<id>.<region>.elb.amazonaws.com) is publicly resolvable, but it resolves to private IP addresses, so a client still needs a private path into the VPC to connect. On-premises clients that must resolve names in a private hosted zone need a Route 53 Resolver inbound endpoint (or conditional forwarding to it).
8. Security Design Requirements for the Exam
You must know how to:
- Prevent direct access to backend servers
- Use security groups correctly
- Attach WAF to ALB
- Encrypt traffic in transit (TLS)
- Enable access logs to S3; the S3 bucket policy, not an IAM role, is what grants Elastic Load Balancing permission to write the log objects
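The security requirements in this section reduce to a few concrete checks on the resources. The following script is an added example written for these notes, not AWS code: it verifies that the target security group admits the target port only from the load balancer's security group, that any plaintext HTTP listener does nothing but redirect to HTTPS, and that access logging is enabled. A deliberately weak target security group is shown beside the hardened one. Inputs are constructed to mirror the shape of EC2 DescribeSecurityGroups, ELBv2 DescribeListeners and DescribeLoadBalancerAttributes responses so it runs offline; every ID and ARN is invented.

```python
"""Audit backend exposure, listener encryption and access logging for an ALB.

Added example for these study notes, not AWS code. Inputs are constructed to
mirror the shape of EC2 DescribeSecurityGroups, ELBv2 DescribeListeners and
DescribeLoadBalancerAttributes responses so the checks run offline; every ID
and ARN is invented.
"""

ALB_SG_ID = "sg-0alb"
TARGET_PORT = 8080

# Constructed weak group: the app port is open to the ALB *and* to the internet,
# so anyone who learns an instance IP can bypass the load balancer (and WAF).
WEAK_TARGET_SG = {
    "GroupId": "sg-0app",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
    ],
}

# Hardened group: only members of the ALB's security group may reach the port.
HARDENED_TARGET_SG = {
    "GroupId": "sg-0app",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
    ],
}

LISTENERS = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example"}],
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/app/0123456789abcdef"}]},
]

LB_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "true"},
    {"Key": "access_logs.s3.bucket", "Value": "example-alb-logs"},
]


def ingress_sources(sg, port):
    """Sources (CIDRs and security group IDs) whose inbound rules cover TCP `port`."""
    sources = set()
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":                                   # all traffic
            covers = True
        elif proto == "tcp":
            covers = perm["FromPort"] <= port <= perm["ToPort"]
        else:
            covers = False
        if covers:
            sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources


def audit_target_exposure(target_sg, lb_sg_id, port):
    """Targets must be reachable on `port` from the LB's security group and nothing else."""
    sources = ingress_sources(target_sg, port)
    findings = []
    if lb_sg_id not in sources:
        findings.append(f"{lb_sg_id} cannot reach port {port}; health checks will fail")
    for src in sorted(sources - {lb_sg_id}):
        findings.append(f"port {port} is also open to {src}; targets are reachable without the LB")
    return findings


def audit_listeners(listeners):
    """Plaintext HTTP is acceptable only as a bare redirect to HTTPS."""
    findings = []
    for lst in listeners:
        if lst["Protocol"] == "HTTP":
            actions = lst["DefaultActions"]
            redirect = (len(actions) == 1 and actions[0]["Type"] == "redirect"
                        and actions[0]["RedirectConfig"].get("Protocol") == "HTTPS")
            if not redirect:
                findings.append(f"listener :{lst['Port']} serves plaintext HTTP")
        elif lst["Protocol"] == "HTTPS" and not lst.get("Certificates"):
            findings.append(f"listener :{lst['Port']} has no certificate")
    return findings


def audit_access_logs(attributes):
    """Access logs must be enabled and pointed at a bucket."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    if attrs.get("access_logs.s3.enabled") != "true":
        return ["access logs are disabled"]
    if not attrs.get("access_logs.s3.bucket"):
        return ["access logs enabled but no bucket set"]
    return []


if __name__ == "__main__":
    print("weak SG:", audit_target_exposure(WEAK_TARGET_SG, ALB_SG_ID, TARGET_PORT))
    print("hardened SG:", audit_target_exposure(HARDENED_TARGET_SG, ALB_SG_ID, TARGET_PORT))
    print("listeners:", audit_listeners(LISTENERS))
    print("logging:", audit_access_logs(LB_ATTRIBUTES))
```

Referencing the load balancer's security group as the source, rather than its IP addresses, is what makes the rule survive ELB scaling: load balancer node IPs change, the group ID does not.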
9. Cross-VPC and Shared Services Patterns
Internal load balancers can be accessed across VPCs via:
- VPC Peering
- Transit Gateway
- PrivateLink (service exposure model)
PrivateLink allows you to expose services securely without full network connectivity.
10. How to Choose Between Internal and External
| Requirement | Use External LB | Use Internal LB |
|---|---|---|
| Public website | ✅ | ❌ |
| Private microservice | ❌ | ✅ |
| On-premises access | ❌ | ✅ |
| Internet clients | ✅ | ❌ |
| Backend tier routing | ❌ | ✅ |
| WAF integration | ✅ (ALB only) | ✅ (ALB only; AWS WAF attaches to internal ALBs as well, but not to NLB or GWLB) |
11. Key Exam Scenarios
You must be able to answer:
- Where should the load balancer be placed?
- Should it be internal or internet-facing?
- Which subnet type?
- How will hybrid connectivity work?
- How is high availability achieved?
- How is security enforced?
12. Final Exam Tips
For the AWS Advanced Networking exam, always think in this order:
- Where is traffic coming from?
- Who should access the service?
- Should the service be public?
- How will it scale?
- How will it stay highly available?
- How will it be secured?
- Is hybrid connectivity required?
If traffic originates from the internet → use internet-facing load balancer.
If traffic stays private or hybrid → use internal load balancer.
Summary
Connectivity patterns for load balancing are about:
- Correct load balancer type
- Correct subnet placement
- Proper routing
- Secure access
- Multi-AZ deployment
- Hybrid integration
You must understand how internal and external load balancers integrate with:
- VPC architecture
- DNS
- Security controls
- Hybrid connectivity
- Multi-tier applications
Mastering these patterns is essential to pass Task Statement 1.3 of the AWS Certified Advanced Networking – Specialty exam.
