CloudNetworking.io
Home / AWS / Load Balancers / AWS Network Load Balancer

AWS Network Load Balancer (NLB) Explained

AWS Network Load Balancer is Amazon’s high-performance Layer 4 load balancer designed for TCP, UDP, and TLS traffic. It is built for workloads that need very low latency, very high throughput, and stable network-level traffic handling.

Unlike Application Load Balancer, NLB does not inspect HTTP paths or headers. Instead, it forwards connections based on IP address and port, making it a better fit for protocol-heavy, performance-sensitive, or non-HTTP workloads.

Layer 4 TCP UDP TLS Static IP Source IP Preservation

Watch this video to understand AWS Network Load Balancer, Layer 4 traffic flow, and real-world use cases.

What is AWS Network Load Balancer?

AWS Network Load Balancer is a managed load balancer that operates at the transport layer, also known as Layer 4 in the OSI model. It is designed to handle very large volumes of network traffic efficiently while keeping latency low.

Instead of making routing decisions based on URLs, hostnames, or HTTP headers, NLB forwards traffic based on network connection information such as protocol and port.

Think of NLB as a fast traffic distributor for raw network connections. It is ideal when speed, protocol support, and stable network behaviour matter more than application-level routing logic.
L4

Operates at the network transport layer

TCP/UDP

Designed for protocol-level traffic handling

Static IP

Supports more stable front-end network access

Why NLB matters in AWS networking

Not all workloads are web applications. Many systems rely on raw TCP or UDP flows, require very fast connection handling, or need backend systems to see the original client IP. This is where NLB becomes highly useful.

Very high performance

NLB is built for workloads that handle large traffic volumes and need minimal latency overhead.

Protocol flexibility

It supports TCP, UDP, and TLS traffic instead of being limited to application-layer HTTP or HTTPS logic.

Source IP preservation

Backends can see the original client IP, which is valuable for auditing, security, and logging.

Static front-end behaviour

NLB is commonly chosen when stable network identity or IP-based integrations are important.

NLB is often the better choice when the application does not need smart Layer 7 routing, but the network path still needs to be reliable, scalable, and fast.

How AWS NLB works

NLB receives traffic from clients on configured listeners and forwards connections to target groups. Those target groups can contain EC2 instances, IP addresses, containers, or other backend destinations depending on the architecture. 

Client
  |
  v
Network Load Balancer
  |
  v
Listener (TCP / UDP / TLS)
  |
  v
Target Group
  |
  v
EC2 / ECS / EKS / IP targets

Step-by-step flow

  1. A client opens a TCP, UDP, or TLS connection.
  2. The connection reaches the NLB listener.
  3. NLB checks the associated target group.
  4. Traffic is sent to a healthy backend target.
  5. The backend responds to the client through the NLB path.
NLB does not understand URL paths such as /api or /admin. That kind of application-aware routing belongs to ALB, not NLB.

Key features of AWS NLB

Layer 4 traffic handling

NLB forwards traffic based on network-level connection details such as protocol and port.

Supports TCP, UDP, and TLS

Useful for workloads that are not simple HTTP or HTTPS applications.

Static IP support

NLB is often preferred when integrations or allowlists expect stable front-end IP behaviour.

Source IP preservation

Backend services can see the real client IP instead of only a translated front-end address.

High throughput

Built for large traffic volumes and workloads that cannot tolerate unnecessary application-layer overhead.

Multi-AZ design

NLB can distribute traffic across healthy targets in multiple Availability Zones.

NLB vs ALB

NLB and ALB solve different problems. Choosing the wrong one can create routing limitations, operational complexity, or performance issues.

Feature NLB ALB
OSI Layer Layer 4 Layer 7
Main protocols TCP, UDP, TLS HTTP, HTTPS
Path-based routing No Yes
Host-based routing No Yes
Source IP preservation Yes Not the same primary design focus
Static IP expectation Common reason to choose NLB Usually not the main reason
Best fit Protocol-heavy or performance-sensitive traffic Web apps and APIs
Choose NLB when you need fast Layer 4 traffic handling. Choose ALB when you need HTTP-aware routing logic such as path-based or host-based rules.

When to use NLB

Use NLB when

  • Your workload uses TCP, UDP, or TLS instead of relying on HTTP routing logic.
  • You need high throughput and low-latency network traffic handling.
  • You want backends to see the original client source IP.
  • You have integrations that care about stable network entry behaviour or IP-based allowlists.
  • Your application is performance-sensitive and does not need Layer 7 features.

Typical use cases

Real-time or gaming systems

Fast connection handling and protocol-level performance matter more than URL-based routing.

Financial or trading applications

Low latency and predictable transport-layer behaviour can be important.

IoT backends

Devices often communicate using raw network protocols rather than browser-style HTTP traffic.

Private service integrations

Some backends need IP visibility, transport-layer handling, or stable access patterns.

Real-world NLB architecture example

A common NLB-based architecture for non-HTTP or performance-sensitive services may look like this: 

Client
  |
  v
Route 53
  |
  v
Network Load Balancer
  |
  v
Target Group
  |
  v
EC2 instances / Container services / IP-based backends

In this design:

  • Route 53 resolves the service name to the NLB endpoint.
  • NLB accepts the connection on a listener such as TCP 443 or UDP 53.
  • NLB sends traffic to healthy backends in the target group.
  • The backend processes the request while preserving network-level visibility.
NLB is also commonly discussed in architectures that need strong transport-layer performance and clean separation from Layer 7 application logic.

Health checks in NLB

Like other load balancers, NLB uses health checks to determine which backend targets are available. If a target becomes unhealthy, NLB stops routing traffic to it.

Why health checks matter

  • They help prevent traffic from going to failed backends.
  • They improve resilience across Availability Zones.
  • They reduce the chance of partial outages being exposed to users.

What to validate

  • Correct health check protocol
  • Correct target port
  • Expected response behaviour from backend
  • Security rules allowing health check traffic
A common operational problem is healthy-looking infrastructure with failing health checks because the wrong port, protocol, or backend listener was configured.

Terraform example for AWS NLB

Below is a simple example that creates a Network Load Balancer and a TCP listener. 

resource "aws_lb" "nlb" {
  name               = "example-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = ["subnet-aaa111", "subnet-bbb222"]
}

resource "aws_lb_target_group" "app" {
  name        = "example-nlb-tg"
  port        = 443
  protocol    = "TCP"
  vpc_id      = "vpc-12345678"
  target_type = "instance"

  health_check {
    protocol = "TCP"
    port     = "traffic-port"
  }
}

resource "aws_lb_listener" "tcp_443" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

What this Terraform does

  • Creates a public Network Load Balancer.
  • Creates a target group listening on TCP 443.
  • Configures TCP health checks.
  • Creates a listener that forwards traffic to the target group.

Common NLB mistakes

Using NLB when ALB is actually needed

Teams sometimes choose NLB and later realise they needed path-based or host-based routing. NLB cannot provide that application-layer intelligence.

Expecting HTTP-aware features

NLB is not designed to inspect URLs, cookies, or HTTP headers. It is a transport-layer load balancer.

Misconfigured health checks

Wrong protocol, wrong port, or blocked security rules can cause healthy backends to appear unhealthy.

Ignoring source IP implications

Source IP preservation can be beneficial, but backend services and logs should be designed to use it properly.

Wrong expectations around architecture choice

Choosing NLB only because it sounds “faster” is not enough. You still need to match the load balancer to the workload’s actual routing needs.

One of the most common mistakes in cloud architecture is choosing a load balancer based on trend or assumption instead of protocol behaviour and application needs.

NLB troubleshooting guide

Problem: Backends show unhealthy

Check health check protocol, target port, target registration, and security rules.

Problem: Traffic reaches NLB but not application

Validate target group attachment, backend listener readiness, and routing to target ports.

Problem: Expected path-based routing does not work

NLB does not support application-layer routing. This is usually an architecture mismatch.

Problem: IP allowlists not behaving as expected

Validate whether your integration expects stable entry behaviour and confirm the correct front-end architecture.

Practical checklist

  • Check listener protocol and port.
  • Confirm the target group protocol matches the backend.
  • Verify registered targets are healthy.
  • Check security groups and network rules around backend ports.
  • Confirm whether NLB is really the right load balancer for the use case.

NLB interview questions

1. What is AWS Network Load Balancer?

It is a Layer 4 load balancer that handles TCP, UDP, and TLS traffic and is designed for high-performance, low-latency traffic distribution.

2. What is the difference between NLB and ALB?

NLB operates at Layer 4 and routes based on network connection details, while ALB operates at Layer 7 and supports application-aware HTTP and HTTPS routing.

3. Does NLB support path-based routing?

No. Path-based routing is an ALB feature, not an NLB feature.

4. Why would a team choose NLB?

Common reasons include TCP or UDP workloads, low latency needs, source IP preservation, and transport-layer performance requirements.

5. Does NLB preserve client source IP?

Yes. This is one of the key reasons some workloads prefer NLB.

Frequently asked questions

What is AWS NLB used for?

AWS NLB is used for distributing Layer 4 traffic for TCP, UDP, and TLS workloads that need high performance, low latency, or source IP visibility.

Can NLB be used for HTTP traffic?

It can carry TCP or TLS traffic that may ultimately support application communication, but it does not provide Layer 7 HTTP routing features like ALB.

When should I not use NLB?

You should avoid NLB when your application needs path-based routing, host-based routing, or other HTTP-aware traffic decisions.

Related cloud networking resources

AWS Load Balancers Hub

Go back to the load balancers overview covering ALB, NLB, and architecture comparisons.

Go to hub

Application Load Balancer

Compare NLB with ALB and understand Layer 7 routing, listeners, and web application traffic patterns.

Go to ALB guide

Amazon Route 53

Learn how DNS works in front of load balancers and how traffic is directed to AWS endpoints.

Go to Route 53

AWS CloudFront

Understand how CloudFront differs from load balancers and where CDN fits into the traffic path.

Go to CloudFront