Next-Level AWS Deployments: Leveraging NLB and ALB for Optimal Fargate Service Efficiency

AWSome Diary
Mar 10, 2024

Deploying a highly available and scalable web application in AWS involves several key AWS services. Placing a Network Load Balancer (NLB) in front of an Application Load Balancer (ALB) that fronts an AWS Fargate service is a layered architecture: the NLB gives you a fixed layer 4 entry point (static or Elastic IP addresses, AWS PrivateLink support), while the ALB does the request-level work (TLS termination, host and path routing, AWS WAF). Below, I'll guide you through the rationale, use cases, setup steps, and configuration examples to implement this architecture.

Use Cases

  1. High Availability and Scalability: The NLB distributes connections at layer 4 (TCP) across Availability Zones and scales to very high connection rates, while the ALB behind it provides request-level routing for HTTP/HTTPS traffic. Each tier scales independently of the other.
  2. Hybrid Architectures: On-premises firewalls usually need fixed addresses to allowlist, and an NLB can be given one Elastic IP per Availability Zone, which an ALB cannot. An NLB (unlike an ALB) can also be exposed as an AWS PrivateLink endpoint service, so partners or other VPCs can reach the application privately without traversing the Internet.
  3. Enhanced Security: The NLB exposes a single TCP port (443) and nothing else; the ALB behind it terminates TLS, is where AWS WAF attaches, and can be kept internal with a security group that admits traffic only from the NLB. The Fargate tasks, in turn, accept traffic only from the ALB. Each hop has one job and one set of allowed sources.
  4. Microservices and Containerized Applications: Several Fargate services can share one ALB, with host- or path-based listener rules sending each request to the right target group, while the NLB stays a simple, stable front door that never needs to change when services are added.

Architecture Overview

  1. Network Load Balancer (NLB): Acts as the entry point for all incoming traffic, distributing TCP connections at layer 4 using connection information (protocol, addresses and ports) without looking at request contents.
  2. Application Load Balancer (ALB): Receives traffic from the NLB, terminates TLS, and routes each request on content-level details such as URL path or hostname.
  3. AWS Fargate: Hosts your containerized applications without the need to manage servers or clusters, providing a serverless compute experience for containers.

Steps and Configuration

1. Set Up the AWS Fargate Service

First, you need to create a Task Definition and a Fargate service in ECS (Elastic Container Service). Ensure your task definition has the required container image, CPU, and memory configurations. With the awsvpc network mode that Fargate requires, hostPort must equal containerPort (or be omitted). The executionRoleArn and the awslogs logConfiguration below are placeholders that let the task pull its image and ship container logs to CloudWatch Logs; replace the account ID, region and log group with your own.

Example Task Definition:

{
  "family": "my-application",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "my-container-image",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ],
      "memory": 512,
      "cpu": 256,
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/my-application",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "web"
        }
      }
    }
  ],
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "memory": "1024",
  "cpu": "512"
}

2. Create an Application Load Balancer (ALB)

Configure an ALB to route HTTP/HTTPS traffic to your Fargate service. The ALB needs at least one listener and a target group. Because Fargate tasks use awsvpc networking, the target group's target type must be IP; the ECS service registers and deregisters each task's IP address automatically.

ALB Listener Rules and Target Group:

  • Listener HTTPS:443 with a certificate from AWS Certificate Manager (ACM) and a current TLS 1.2/1.3 security policy; default action: forward to your target group (Fargate service).
  • Listener HTTP:80 whose default action redirects to HTTPS:443 (HTTP_301) rather than forwarding plaintext requests.
  • Target group: target type IP, protocol HTTP, port 80 (the containerPort above), with a health check path the application actually serves.
  • Security group: allow 443 only from the NLB's security group (NLBs have supported security groups since 2023, and target security groups can reference them); do not open the ALB to 0.0.0.0/0.

3. Deploy a Network Load Balancer (NLB)

Set up an NLB to distribute incoming traffic at the TCP level to the ALB. Use the ALB itself as the target: NLB target groups support the target type "alb", so the NLB forwards to the ALB's listener and you never have to track the ALB's IP addresses. (Those addresses do change over time, so registering them as IP targets is fragile and needs constant automation.)

NLB Target Group and Listener:

  • Target type: ALB; target: the ALB's ARN on port 443. The port must match the ALB's HTTPS listener, and the NLB and ALB must be in the same VPC.
  • Target group protocol: TCP, with an HTTP or HTTPS health check against the ALB's listener.
  • Listener: TCP:443 forwarding to that target group. Keep it TCP, not TLS, so the ALB remains the single point of TLS termination and certificate management.
  • Static addresses: give the NLB one Elastic IP per Availability Zone if clients or partner firewalls need fixed addresses. If a static entry point is the only reason for the NLB, AWS Global Accelerator can front an ALB directly with static anycast addresses instead.
  • Client addresses: check the target group's client IP preservation attribute and confirm in the ALB access logs that the client field shows real client addresses, not NLB node addresses; WAF IP rules and rate limits depend on it.

4. Configure Route 53

Use AWS Route 53 to route traffic to the NLB. Create an A record in Alias mode pointing at your NLB. The alias HostedZoneId is the NLB's canonical hosted zone ID (returned by describe-load-balancers), not the ID of the zone that holds your domain, and DNSName is the NLB's own DNS name. Setting EvaluateTargetHealth to true lets Route 53 failover or weighted records honour the NLB's health.

{
  "Type": "A",
  "Name": "your-application.domain.com",
  "AliasTarget": {
    "HostedZoneId": "NLB Hosted Zone ID",
    "DNSName": "NLB DNS Name",
    "EvaluateTargetHealth": false
  }
}
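Steps 2 to 4 as one script, added here as an example and not the article's own tooling: it creates the NLB with Elastic IPs, an ALB-type target group that registers the existing ALB on port 443, a TCP:443 passthrough listener, and the Route 53 alias. It assumes the ALB, VPC, subnets, Elastic IPs and hosted zone already exist; every identifier in the main block is a placeholder, and the /healthz health-check path is an assumed route. boto3 is imported inside deploy() so the request builders can be unit-tested without AWS credentials.

```python
"""Steps 2-4 as a script: put an existing ALB behind an NLB and publish the NLB.

Added example for this article, not the author's tooling. Assumes the ALB,
VPC, subnets, Elastic IPs and hosted zone already exist; every identifier in
main() is a placeholder. boto3 is imported inside deploy() so the request
builders can be unit-tested without AWS credentials.
"""


def nlb_params(name, subnet_mappings, security_group_id):
    """NLB with one Elastic IP per AZ so the entry point has fixed addresses.

    subnet_mappings: [{"SubnetId": "...", "AllocationId": "eipalloc-..."}, ...]
    """
    return {
        "Name": name,
        "Type": "network",
        "Scheme": "internet-facing",
        "SubnetMappings": subnet_mappings,
        "SecurityGroups": [security_group_id],  # NLB security groups, 2023+
        "IpAddressType": "ipv4",
    }


def alb_target_group_params(name, vpc_id, health_path="/healthz"):
    """Target group of type 'alb': the NLB forwards TCP:443 to the ALB's HTTPS
    listener and the ALB still terminates TLS. Registering the ALB's IP
    addresses instead would break when they change."""
    return {
        "Name": name,
        "TargetType": "alb",
        "Protocol": "TCP",          # must be TCP for ALB targets
        "Port": 443,                # must match the ALB listener port
        "VpcId": vpc_id,
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPort": "443",
        "HealthCheckPath": health_path,  # assumed path; default success codes 200-399
    }


def tcp_listener_params(nlb_arn, target_group_arn):
    """TCP passthrough listener; a TLS listener here would terminate TLS twice."""
    return {
        "LoadBalancerArn": nlb_arn,
        "Protocol": "TCP",
        "Port": 443,
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def alias_change_batch(record_name, nlb):
    """Route 53 alias A record. The hosted zone ID is the NLB's canonical zone
    (from describe-load-balancers), not the zone that holds record_name."""
    return {
        "Comment": "Point the public name at the NLB",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": nlb["CanonicalHostedZoneId"],
                    "DNSName": nlb["DNSName"],
                    "EvaluateTargetHealth": True,  # let DNS fail over on NLB health
                },
            },
        }],
    }


def deploy(region, alb_arn, vpc_id, subnet_mappings, nlb_sg_id, hosted_zone_id, record_name):
    """Create the NLB, its ALB-type target group and listener, then the DNS alias."""
    import boto3  # lazy import: only needed when actually talking to AWS

    elbv2 = boto3.client("elbv2", region_name=region)
    r53 = boto3.client("route53")

    nlb = elbv2.create_load_balancer(**nlb_params("prod-nlb", subnet_mappings, nlb_sg_id))["LoadBalancers"][0]
    elbv2.get_waiter("load_balancer_available").wait(LoadBalancerArns=[nlb["LoadBalancerArn"]])

    tg = elbv2.create_target_group(**alb_target_group_params("prod-alb-as-target", vpc_id))["TargetGroups"][0]
    elbv2.register_targets(TargetGroupArn=tg["TargetGroupArn"], Targets=[{"Id": alb_arn, "Port": 443}])
    elbv2.create_listener(**tcp_listener_params(nlb["LoadBalancerArn"], tg["TargetGroupArn"]))

    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=alias_change_batch(record_name, nlb))
    return nlb["DNSName"]


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before running.
    print(deploy(
        region="us-east-1",
        alb_arn="arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/prod-alb/1a2b3c4d5e6f7a8b",
        vpc_id="vpc-0123456789abcdef0",
        subnet_mappings=[
            {"SubnetId": "subnet-0aaaaaaaaaaaaaaaa", "AllocationId": "eipalloc-0aaaaaaaaaaaaaaaa"},
            {"SubnetId": "subnet-0bbbbbbbbbbbbbbbb", "AllocationId": "eipalloc-0bbbbbbbbbbbbbbbb"},
        ],
        nlb_sg_id="sg-0123456789abcdef0",
        hosted_zone_id="Z0123456789EXAMPLE",
        record_name="your-application.domain.com",
    ))
```

The builders are kept pure so the shape of each request can be reviewed (and asserted on in CI) before anything is created; the only mutable AWS calls are in deploy(). The execution principal needs elasticloadbalancing:Create*/RegisterTargets and route53:ChangeResourceRecordSets on the target zone.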

Security Considerations

  • Use security groups at each hop: the NLB accepts TCP 443 from the Internet (or only from known client ranges), the ALB accepts 443 only from the NLB's security group, and the Fargate tasks accept port 80 only from the ALB's security group.
  • Attach AWS WAF to the ALB for request-level inspection and rate limiting. WAF cannot attach to an NLB, so the ALB is the only place in this chain that can inspect HTTP. Confirm in the ALB access logs that the client field carries real client addresses rather than NLB node addresses; otherwise IP-based WAF rules and rate limits are evaluating the wrong address.
  • Ensure encryption in transit: terminate TLS on the ALB with an ACM certificate and a current TLS 1.2/1.3 security policy, redirect HTTP to HTTPS, and keep the NLB listener as TCP passthrough so certificates are managed in one place. Traffic from the ALB to the tasks stays inside the VPC; if policy requires it to be encrypted too, give the Fargate target group the HTTPS protocol and serve TLS from the container.
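A check for the three points above, added here as an example rather than anything from the article or AWS: it audits an ALB's listeners and security group for an HTTP listener that does not redirect, an outdated TLS policy, and an ingress rule open to 0.0.0.0/0 instead of referencing the NLB's security group. The listener and security-group dicts mirror the shape of describe-listeners and describe-security-groups output but are constructed here; the group IDs and the set of accepted TLS policies are assumptions to adjust to your baseline.

```python
"""Audit an ALB's listeners and security group for the NLB -> ALB pattern.

Added example for this article, not AWS tooling. The dicts mirror the shape
of `aws elbv2 describe-listeners` and `aws ec2 describe-security-groups`
output but are constructed here; identifiers are placeholders.
"""

# Security policies this check accepts (adjust to your own baseline).
MODERN_TLS_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
}

NLB_SG = "sg-0nlb00000000000001"  # assumed: security group attached to the NLB
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/0123456789abcdef"


def audit_alb(listeners, alb_security_group, nlb_sg_id=NLB_SG):
    """Return a list of findings; an empty list means the ALB passes."""
    findings = []
    if not any(l["Protocol"] == "HTTPS" for l in listeners):
        findings.append("no HTTPS listener: traffic from the NLB is not encrypted")
    for l in listeners:
        if l["Protocol"] == "HTTP":
            action = l["DefaultActions"][0]
            redirect = action.get("RedirectConfig", {})
            if action["Type"] != "redirect" or redirect.get("Protocol") != "HTTPS":
                findings.append(f"HTTP:{l['Port']} serves plaintext instead of redirecting to HTTPS")
        elif l["Protocol"] == "HTTPS" and l.get("SslPolicy") not in MODERN_TLS_POLICIES:
            findings.append(f"HTTPS:{l['Port']} uses TLS policy {l.get('SslPolicy')}; use a TLS 1.2/1.3-only policy")
    for rule in alb_security_group["IpPermissions"]:
        world_open = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        refs = {g["GroupId"] for g in rule.get("UserIdGroupPairs", [])}
        if world_open:
            findings.append(f"security group opens {rule['FromPort']}/{rule['IpProtocol']} to 0.0.0.0/0; restrict it to the NLB")
        elif nlb_sg_id not in refs:
            findings.append(f"security group rule on port {rule['FromPort']} does not reference the NLB security group {nlb_sg_id}")
    return findings


# Constructed "before" configuration: plaintext forward, legacy policy, open SG.
WEAK_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]
WEAK_SG = {"GroupId": "sg-0alb00000000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

# Constructed "after" configuration: redirect on :80, modern policy, NLB-only ingress.
HARDENED_LISTENERS = [
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
         "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]},
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ARN}]},
]
HARDENED_SG = {"GroupId": "sg-0alb00000000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": NLB_SG, "UserId": "111122223333"}]}]}


if __name__ == "__main__":
    for name, listeners, sg in (("weak", WEAK_LISTENERS, WEAK_SG),
                                ("hardened", HARDENED_LISTENERS, HARDENED_SG)):
        print(name, audit_alb(listeners, sg) or ["ok"])
```

Feed it the real describe output (the Listeners list and the ALB's SecurityGroups entry) from a scheduled job and alert on a non-empty result; the same function catches drift when someone later adds a 0.0.0.0/0 rule "temporarily".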

Monitoring

Amazon CloudWatch

  • Metrics: CloudWatch collects metrics from the NLB, the ALB and Fargate. For the NLB, watch ActiveFlowCount, NewFlowCount, ProcessedBytes and UnHealthyHostCount (an unhealthy host here means the ALB is failing the NLB's health check). For the ALB, useful metrics include RequestCount, HTTPCode_ELB_5XX_Count and HTTPCode_Target_5XX_Count, TargetResponseTime, and RejectedConnectionCount (connections refused because the ALB reached its connection limit). For Fargate, the ECS service metrics CPUUtilization and MemoryUtilization show whether your tasks have sufficient resources; enable Container Insights for per-task network I/O and running task counts.
  • Alarms: Set CloudWatch alarms on critical metrics. For example, an alarm can notify you when CPU utilization exceeds a threshold, indicating your Fargate service might need scaling. Similarly, an alarm on the ALB’s HTTP 5XX error rates can alert you to application-level issues needing investigation.
  • Dashboards: Create CloudWatch dashboards to visualize metrics from your NLB, ALB, and Fargate services. This centralized view can help you quickly assess the health of your application and make informed decisions about scaling or troubleshooting.

AWS X-Ray

  • Tracing: Integrate AWS X-Ray with your application running on Fargate to analyze and debug performance bottlenecks. X-Ray provides insights into how your application and its underlying services are performing, allowing you to trace request paths through your application and identify issues at the service level.

Logging

Access Logs

  • NLB Access Logs: NLB access logging only records connections handled by a TLS listener, so with the TCP passthrough listener used here it produces nothing. For connection-level visibility on the NLB, enable VPC Flow Logs on the subnets (or network interfaces) the NLB uses; they show source addresses, ports and accepted or rejected traffic, and are where to look for scanning or connection floods.
  • ALB Access Logs: ALB access logs record each HTTP/HTTPS request: client IP, request line, the status codes returned by the ALB and by the target, TLS protocol and cipher, and the action taken (forward, redirect, WAF block). Enable them to an S3 bucket; they are the primary evidence for understanding access patterns, troubleshooting issues and investigating incidents at the request level.
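As an added example (not the article's or AWS's code), the following script reads ALB access log lines and pulls out the signals this architecture needs: the 5xx rate and which targets produce it, how many requests still arrived over the plaintext listener, and whether the client field holds NLB node addresses instead of real client addresses (the check the WAF point above depends on). The log lines are constructed in the ALB access log format, 10.0.1.0/24 is assumed to be the subnet the NLB's nodes live in, and client addresses are assumed to be IPv4.

```python
"""Read ALB access logs for the signals that matter in the NLB -> ALB pattern.

Added example for this article, not AWS tooling. SAMPLE_LOG_LINES are
constructed in the ALB access log format; 10.0.1.0/24 is assumed to be the
subnet the NLB's nodes live in. Client addresses are assumed to be IPv4.
"""
import ipaddress
import shlex
from collections import Counter

# Leading positional fields of an ALB access log entry; trailing optional
# fields are ignored by zip() below.
FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason",
]

TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/0123456789abcdef"
CERT = "arn:aws:acm:us-east-1:111122223333:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed sample: a healthy request, a 502 whose client is an NLB node
# address (10.0.1.25), a plaintext hit that got redirected, and one more 200.
SAMPLE_LOG_LINES = [
    f'https 2024-03-10T12:00:01.000000Z app/prod-alb/1a2b3c4d5e6f7a8b 203.0.113.10:51234 10.0.11.5:80 0.001 0.012 0.000 200 200 120 512 "GET https://app.example.com:443/api/health HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-65ed8a11-0a1b2c3d4e5f60718293a4b5" "app.example.com" "{CERT}" 0 2024-03-10T12:00:00.990000Z "forward" "-" "-" "10.0.11.5:80" "200" "-" "-"',
    f'https 2024-03-10T12:00:02.000000Z app/prod-alb/1a2b3c4d5e6f7a8b 10.0.1.25:40001 10.0.11.6:80 0.001 -1 -1 502 - 300 273 "POST https://app.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-65ed8a12-1a1b2c3d4e5f60718293a4b6" "app.example.com" "{CERT}" 10 2024-03-10T12:00:01.980000Z "forward" "-" "TargetDisconnected" "10.0.11.6:80" "-" "-" "-"',
    'http 2024-03-10T12:00:03.000000Z app/prod-alb/1a2b3c4d5e6f7a8b 198.51.100.7:33000 - 0.000 0.000 0.000 301 - 90 134 "GET http://app.example.com:80/ HTTP/1.1" "Mozilla/5.0" - - - "Root=1-65ed8a13-2a1b2c3d4e5f60718293a4b7" "-" "-" 0 2024-03-10T12:00:02.990000Z "redirect" "https://app.example.com:443/" "-" "-" "-" "-" "-"',
    f'https 2024-03-10T12:00:04.000000Z app/prod-alb/1a2b3c4d5e6f7a8b 10.0.1.25:40002 10.0.11.5:80 0.001 0.009 0.000 200 200 110 480 "GET https://app.example.com:443/api/orders/42 HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-65ed8a14-3a1b2c3d4e5f60718293a4b8" "app.example.com" "{CERT}" 10 2024-03-10T12:00:03.990000Z "forward" "-" "-" "10.0.11.5:80" "200" "-" "-"',
]


def parse_alb_log_line(line):
    """Split one ALB access log line into a dict; quoted fields stay intact."""
    tokens = shlex.split(line)  # honours the double-quoted request/agent fields
    entry = dict(zip(FIELDS, tokens))
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]  # IPv4 assumed
    return entry


def analyse(lines, nlb_subnets):
    """Summarise 5xx rate, plaintext hits and client IPs that are NLB nodes.

    Client IPs inside the NLB subnets mean the ALB is not seeing the real
    client (client IP preservation is off), so WAF IP rules are blind.
    """
    nets = [ipaddress.ip_network(n) for n in nlb_subnets]
    entries = [parse_alb_log_line(l) for l in lines if l.strip()]
    total = len(entries)
    five_xx = [e for e in entries if e["elb_status_code"].startswith("5")]
    masked = Counter(
        e["client_ip"] for e in entries
        if any(ipaddress.ip_address(e["client_ip"]) in n for n in nets)
    )
    return {
        "total": total,
        "five_xx_rate": len(five_xx) / total if total else 0.0,
        "five_xx_by_target": dict(Counter(e["target_port"] for e in five_xx)),
        "plaintext_requests": sum(1 for e in entries if e["type"] == "http"),
        "clients_in_nlb_subnets": dict(masked),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG_LINES, ["10.0.1.0/24", "10.0.2.0/24"]))
```

Run it over a day's worth of objects from the access-log bucket (they are gzip-compressed, one line per request). A non-empty clients_in_nlb_subnets is the finding to act on first: until the NLB target group preserves client addresses, every WAF rate limit and IP reputation list on the ALB is keyed on the NLB's own addresses.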

Amazon CloudWatch Logs

  • Container Logs: Set the task definition's logConfiguration to the awslogs driver (or use FireLens) so that each container's stdout and stderr is sent to CloudWatch Logs; the task execution role needs permission to create and write the log stream. This setup allows you to store, search, and analyze log data from your application containers, and CloudWatch Logs Insights lets you run queries against it to quickly identify issues or trends.
  • Log Groups and Streams: Organize your logs with log groups and streams in CloudWatch Logs for better management and access control. You can set retention policies to control the lifecycle of your log data based on compliance requirements or operational needs.

Integration with Third-Party Tools

While AWS-native tools provide comprehensive monitoring and logging capabilities, you might also consider integrating with third-party tools for additional features like advanced analytics, machine learning-based anomaly detection, and more interactive dashboards. Many third-party monitoring and logging platforms offer direct integrations with AWS services, enabling you to extend your observability capabilities.

Best Practices

  • Regularly review and adjust your monitoring and logging configurations to ensure they meet your evolving operational requirements.
  • Establish clear alarm actions and incident response procedures to address issues quickly and minimize impact on your application’s availability and performance.
  • Consider the cost implications of logging and monitoring at scale, and optimize your configuration to balance between granularity of insights and cost-effectiveness.

Implementing a Network Load Balancer in front of an Application Load Balancer for AWS Fargate services is a powerful pattern for building scalable, secure, and highly available applications on AWS. By following the steps outlined above and tailoring the configuration to your specific requirements, you can leverage AWS's managed services to their full potential, focusing more on application development and less on infrastructure management.

AWSome Diary

Unapologetically Nerdy. Privacy | Encryption | Digital Rights | FOSS | Video Tech | Security | GNU/Linux. Check out https://git.aloke.tech