use by another Network Load Balancer), you can create a new Application Load Balancer target group as shown in Step 2: Create the target group with the Application Load Balancer as the target (p. 59).
8. Add tags (optional), review your configuration, and choose Create load balancer.
Important
You can associate an Application Load Balancer as a target of a maximum of two Network Load Balancers. To do this, the Application Load Balancer must reside in separate target groups, and be assigned to two different Network Load Balancers.
Note that each Application Load Balancer you put behind a Network Load Balancer decreases the maximum number of targets by 50 (if cross-zone load balancing is disabled) or 100 (if cross-zone load balancing is enabled). We recommend keeping cross-zone load balancing disabled to minimize latency and avoid regional data transfer charges. Refer to Quotas for your Network Load Balancers (p. 86) for baseline limits.
To create the Network Load Balancer using the AWS CLI
Use the create-load-balancer command.
Step 4 (Optional): Enable VPC endpoint services (AWS PrivateLink)
To use the Network Load Balancer that you set up in the previous step as an endpoint for private connectivity, you can enable AWS PrivateLink. This establishes a private connection to your load balancer as an endpoint service.
To enable AWS PrivateLink on your Network Load Balancer
1. On the navigation pane, under Load Balancing, choose Load Balancers.
2. On the load balancers list page, select the Network Load Balancer to enable AWS PrivateLink.
3. In the load balancer details section (below the list), choose the Integrated services tab.
4. Scroll down to VPC Endpoint Services (AWS PrivateLink).
5. Choose Create Endpoint Services. For the remaining steps, see Create a VPC endpoint service configuration for interface endpoints in the AWS PrivateLink Guide.
Tags for your target group
Tags help you to categorize your target groups in different ways, for example, by purpose, owner, or environment.
You can add multiple tags to each target group. Tag keys must be unique for each target group. If you add a tag with a key that is already associated with the target group, it updates the value of that tag.
When you are finished with a tag, you can remove it.
Restrictions
• Maximum number of tags per resource—50
• Maximum key length—127 Unicode characters
• Maximum value length—255 Unicode characters
• Tag keys and values are case sensitive. Allowed characters are letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. Do not use leading or trailing spaces.
• Do not use the aws: prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
New console
To update the tags for a target group using the new console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under LOAD BALANCING, choose Target Groups.
3. Choose the name of the target group to open its details page.
4. On the Tags tab, choose Manage tags and do one or more of the following:
a. To update a tag, enter new values for Key and Value.
b. To add a tag, choose Add tag and enter values for Key and Value.
c. To delete a tag, choose Remove next to the tag.
5. When you have finished updating tags, choose Save changes.
Old console
To update the tags for a target group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under LOAD BALANCING, choose Target Groups.
3. Select the target group.
4. On the Tags tab, choose Add/Edit Tags, and then do one or more of the following:
a. To update a tag, edit the values of Key and Value.
b. To add a new tag, choose Create Tag and then enter values for Key and Value.
c. To delete a tag, choose the delete icon (X) next to the tag.
5. When you have finished updating tags, choose Save.
To update the tags for a target group using the AWS CLI
Use the add-tags and remove-tags commands.
Delete a target group
You can delete a target group if it is not referenced by the forward actions of any listener rules. Deleting a target group does not affect the targets registered with the target group. If you no longer need a registered EC2 instance, you can stop or terminate it.
New console
To delete a target group using the new console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under LOAD BALANCING, choose Target Groups.
3. Select the target group and choose Actions, Delete.
4. When prompted for confirmation, choose Yes, delete.
Old console
To delete a target group using the old console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under LOAD BALANCING, choose Target Groups.
3. Select the target group and choose Actions, Delete.
4. When prompted for confirmation, choose Yes.
To delete a target group using the AWS CLI
Use the delete-target-group command.
Monitor your Network Load Balancers
You can use the following features to monitor your load balancers, analyze traffic patterns, and troubleshoot issues with your load balancers and targets.
CloudWatch metrics
You can use Amazon CloudWatch to retrieve statistics about data points for your load balancers and targets as an ordered set of time-series data, known as metrics. You can use these metrics to verify that your system is performing as expected. For more information, see CloudWatch metrics for your Network Load Balancer (p. 64).
VPC Flow Logs
You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Network Load Balancer. For more information, see VPC flow logs in the Amazon VPC User Guide.
Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet. To identify the network interfaces for a Network Load Balancer, look for the name of the load balancer in the description field of the network interface.
There are two entries for each connection through your Network Load Balancer, one for the frontend connection between the client and the load balancer and the other for the backend connection between the load balancer and the target. If the target group's client IP preservation attribute is enabled, the connection appears to the instance as a connection from the client. Otherwise, the connection's source IP is the load balancer's private IP address. If the security group of the instance doesn't allow connections from the client but the network ACLs for the load balancer subnet allow them, the logs for the network interface for the load balancer show "ACCEPT OK" for the frontend and backend connections, while the logs for the network interface for the instance show "REJECT OK" for the connection.
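As an added example (not part of the AWS guide), the following Python correlates flow log records from the load balancer's network interface with those from the target's network interface and reports flows that the load balancer side logged as "ACCEPT OK" while the target side logged "REJECT OK", which is the security group mismatch described above. It assumes the default (version 2) flow log record format; the ENI IDs, addresses and sample records are constructed, and the sample assumes client IP preservation is enabled.

```python
from collections import namedtuple

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
Record = namedtuple("Record", FIELDS)

# Constructed sample data: ENI IDs, addresses and records are made up.
LB_ENI = "eni-0aaaaaaaaaaaaaaaa"      # load balancer network interface
TARGET_ENI = "eni-0bbbbbbbbbbbbbbbb"  # target instance network interface
SAMPLE = f"""\
2 123456789012 {LB_ENI} 203.0.113.10 10.0.1.20 50123 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 {LB_ENI} 203.0.113.10 10.0.2.30 50123 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 {TARGET_ENI} 203.0.113.10 10.0.2.30 50123 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 {LB_ENI} 198.51.100.7 10.0.1.20 40222 443 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 {LB_ENI} 198.51.100.7 10.0.2.30 40222 443 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 {TARGET_ENI} 198.51.100.7 10.0.2.30 40222 443 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 {TARGET_ENI} - - - - - - - 1700000060 1700000120 - NODATA
""".splitlines()


def parse(line):
    """Parse one default-format record; return None for anything else."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    return Record(*parts)


def blocked_at_target(lines, lb_enis, target_enis):
    """Return flows accepted on a load balancer ENI but rejected on a target ENI.

    The backend leg appears on both interfaces with the same source,
    destination, destination port and protocol, so that tuple is the join key.
    The source port is left out so repeated attempts collapse into one finding.
    """
    accepted, rejected = set(), {}
    for rec in filter(None, map(parse, lines)):
        if rec.log_status != "OK":  # NODATA / SKIPDATA carry no flow fields
            continue
        key = (rec.srcaddr, rec.dstaddr, rec.dstport, rec.protocol)
        if rec.interface_id in lb_enis and rec.action == "ACCEPT":
            accepted.add(key)
        elif rec.interface_id in target_enis and rec.action == "REJECT":
            rejected.setdefault(key, rec.interface_id)
    return [
        {"source": k[0], "target": k[1], "port": int(k[2]),
         "protocol": int(k[3]), "target_eni": rejected[k]}
        for k in sorted(accepted & rejected.keys())
    ]


if __name__ == "__main__":
    for finding in blocked_at_target(SAMPLE, {LB_ENI}, {TARGET_ENI}):
        print(finding)
```

Each finding names the source address and port that the target's security group needs to allow (or that you intend to keep blocked).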
Access logs
You can use access logs to capture detailed information about TLS requests made to your load balancer. The log files are stored in Amazon S3. You can use these access logs to analyze traffic patterns and to troubleshoot issues with your targets. For more information, see Access logs for your Network Load Balancer (p. 73).
CloudTrail logs
You can use AWS CloudTrail to capture detailed information about the calls made to the Elastic Load Balancing API and store them as log files in Amazon S3. You can use these CloudTrail logs to determine which calls were made, the source IP address where the call came from, who made the call, when the call was made, and so on. For more information, see Logging API calls for your Network Load Balancer using AWS CloudTrail (p. 79).
CloudWatch metrics for your Network Load Balancer
Elastic Load Balancing publishes data points to Amazon CloudWatch for your load balancers and your targets. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time-series data, known as metrics. Think of a metric as a variable to monitor, and the data points as the values of that variable over time. For example, you can monitor the total number of healthy targets for a load balancer over a specified time period. Each data point has an associated time stamp and an optional unit of measurement.
You can use metrics to verify that your system is performing as expected. For example, you can create a CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.
Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.
For more information, see the Amazon CloudWatch User Guide.
Contents
• Network Load Balancer metrics
• Metric dimensions for Network Load Balancers
• Statistics for Network Load Balancer metrics
• View CloudWatch metrics for your load balancer
Network Load Balancer metrics
The AWS/NetworkELB namespace includes the following metrics.
Metric Description
ActiveFlowCount The total number of concurrent flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states. TCP connections are not terminated at the load balancer, so a client opening a TCP connection to a target counts as a single flow.
Reporting criteria: Always reported.
Statistics: The most useful statistics are Average, Maximum, and Minimum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ActiveFlowCount_TCP The total number of concurrent TCP flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states. TCP connections are not terminated at the load balancer, so a client opening a TCP connection to a target counts as a single flow.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistics are Average, Maximum, and Minimum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ActiveFlowCount_TLS The total number of concurrent TLS flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistics are Average, Maximum, and Minimum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ActiveFlowCount_UDP The total number of concurrent UDP flows (or connections) from clients to targets.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistics are Average, Maximum, and Minimum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ClientTLSNegotiationErrorCount The total number of TLS handshakes that failed during negotiation between a client and a TLS listener.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ConsumedLCUs The number of load balancer capacity units (LCU) used by your load balancer. You pay for the number of LCUs that you use per hour. For more information, see Elastic Load Balancing Pricing.
Reporting criteria: Always reported.
Statistics: All
Dimensions
• LoadBalancer
ConsumedLCUs_TCP The number of load balancer capacity units (LCU) used by your load balancer for TCP. You pay for the number of LCUs that you use per hour.
For more information, see Elastic Load Balancing Pricing.
Reporting criteria: There is a nonzero value.
Statistics: All
Dimensions
• LoadBalancer
ConsumedLCUs_TLS The number of load balancer capacity units (LCU) used by your load balancer for TLS. You pay for the number of LCUs that you use per hour.
For more information, see Elastic Load Balancing Pricing.
Reporting criteria: There is a nonzero value.
Statistics: All
Dimensions
• LoadBalancer
ConsumedLCUs_UDP The number of load balancer capacity units (LCU) used by your load balancer for UDP. You pay for the number of LCUs that you use per hour.
For more information, see Elastic Load Balancing Pricing.
Reporting criteria: There is a nonzero value.
Statistics: All
Dimensions
• LoadBalancer
HealthyHostCount The number of targets that are considered healthy. This metric does not include any Application Load Balancers registered as targets.
Reporting criteria: Reported if health checks are enabled.
Statistics: The most useful statistics are Maximum and Minimum.
Dimensions
• LoadBalancer, TargetGroup
• AvailabilityZone, LoadBalancer, TargetGroup
NewFlowCount The total number of new flows (or connections) established from clients to targets in the time period.
Reporting criteria: Always reported.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
NewFlowCount_TCP The total number of new TCP flows (or connections) established from clients to targets in the time period.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
NewFlowCount_TLS The total number of new TLS flows (or connections) established from clients to targets in the time period.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
NewFlowCount_UDP The total number of new UDP flows (or connections) established from clients to targets in the time period.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
PeakBytesPerSecond Highest average throughput (bytes per second), calculated every 10 seconds during the sampling window. This metric includes health check traffic.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Maximum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
PeakPacketsPerSecond Highest average packet rate (packets processed per second), calculated every 10 seconds during the sampling window. This metric includes health check traffic.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Maximum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ProcessedBytes The total number of bytes processed by the load balancer, including TCP/IP headers. This count includes traffic to and from targets, minus health check traffic.
Reporting criteria: Always reported.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ProcessedBytes_TCP The total number of bytes processed by TCP listeners.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ProcessedBytes_TLS The total number of bytes processed by TLS listeners.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ProcessedBytes_UDP The total number of bytes processed by UDP listeners.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
ProcessedPackets The total number of packets processed by the load balancer. This count includes traffic to and from targets, including health check traffic.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
TargetTLSNegotiationErrorCount The total number of TLS handshakes that failed during negotiation between a TLS listener and a target.
Reporting criteria: There is a nonzero value.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
TCP_Client_Reset_Count The total number of reset (RST) packets sent from a client to a target.
These resets are generated by the client and forwarded by the load balancer.
Reporting criteria: Always reported.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
TCP_ELB_Reset_Count The total number of reset (RST) packets generated by the load balancer.
For more information, see Troubleshooting (p. 83).
Reporting criteria: Always reported.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
TCP_Target_Reset_Count The total number of reset (RST) packets sent from a target to a client.
These resets are generated by the target and forwarded by the load balancer.
Reporting criteria: Always reported.
Statistics: The most useful statistic is Sum.
Dimensions
• LoadBalancer
• AvailabilityZone, LoadBalancer
UnHealthyHostCount The number of targets that are considered unhealthy. This metric does not include any Application Load Balancers registered as targets.
Reporting criteria: Reported if health checks are enabled.
Statistics: The most useful statistics are Maximum and Minimum.
Dimensions
• LoadBalancer, TargetGroup
• AvailabilityZone, LoadBalancer, TargetGroup
Metric dimensions for Network Load Balancers
To filter the metrics for your load balancer, use the following dimensions.
Dimension Description
AvailabilityZone Filters the metric data by Availability Zone.
LoadBalancer Filters the metric data by load balancer. Specify the load balancer as follows:
net/load-balancer-name/1234567890123456 (the final portion of the load balancer ARN).
TargetGroup Filters the metric data by target group. Specify the target group as follows:
targetgroup/target-group-name/1234567890123456 (the final portion of the target group ARN).
Statistics for Network Load Balancer metrics
CloudWatch provides statistics based on the metric data points published by Elastic Load Balancing.
Statistics are metric data aggregations over a specified period of time. When you request statistics, the returned data stream is identified by the metric name and dimension. A dimension is a name/value pair that uniquely identifies a metric. For example, you can request statistics for all the healthy EC2 instances behind a load balancer launched in a specific Availability Zone.
The Minimum and Maximum statistics reflect the minimum and maximum values of the data points reported by the individual load balancer nodes in each sampling window. Increases in the maximum of HealthyHostCount correspond to decreases in the minimum of UnHealthyHostCount. Therefore, we recommend that you monitor your Network Load Balancer using either the maximum of HealthyHostCount or the minimum of UnHealthyHostCount.
The Sum statistic is the aggregate value across all load balancer nodes. Because metrics include multiple reports per period, Sum is only applicable to metrics that are aggregated across all load balancer nodes.
The SampleCount statistic is the number of samples measured. Because metrics are gathered based on sampling intervals and events, this statistic is typically not useful. For example, with HealthyHostCount, SampleCount is based on the number of samples that each load balancer node reports, not the number of healthy hosts.
View CloudWatch metrics for your load balancer
You can view the CloudWatch metrics for your load balancers using the Amazon EC2 console. These metrics are displayed as monitoring graphs. The monitoring graphs show data points if the load balancer is active and receiving requests.
Alternatively, you can view metrics for your load balancer using the CloudWatch console.
To view metrics using the Amazon EC2 console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. To view metrics filtered by target group, do the following:
a. In the navigation pane, choose Target Groups.
b. Select your target group and choose Monitoring.
c. (Optional) To filter the results by time, select a time range from Showing data for.
d. To get a larger view of a single metric, select its graph.
3. To view metrics filtered by load balancer, do the following:
a. In the navigation pane, choose Load Balancers.
b. Select your load balancer and choose Monitoring.
c. (Optional) To filter the results by time, select a time range from Showing data for.
d. To get a larger view of a single metric, select its graph.
To view metrics using the CloudWatch console
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the navigation pane, choose Metrics.
3. Select the NetworkELB namespace.
4. (Optional) To view a metric across all dimensions, type its name in the search field.
To view metrics using the AWS CLI
Use the following list-metrics command to list the available metrics:
aws cloudwatch list-metrics --namespace AWS/NetworkELB
To get the statistics for a metric using the AWS CLI
Use the following get-metric-statistics command to get statistics for the specified metric and dimension.
Note that CloudWatch treats each unique combination of dimensions as a separate metric. You can't